April 2008 | Volume 3 / Number 2
Feature Articles

Subscriber Authentication in the IP Multimedia Subsystem

By Jean-Louis Carrara
The IP Multimedia Subsystem (IMS) represents a new and exciting era for the mobile telecommunications industry — a converged wireless and fixed network world. Subscribers can use the same services across devices (mobile phones, PCs, office or home networks) and through a number of different channels (WiFi, DSL, LAN, 3G, etc.).

But might this new telecommunications era also represent a new era of security headaches for operators? Not if they address the critical issue of user authentication and service security from the start.

Everyone is Talking about IMS

In an IMS network, services like instant messaging, Voice over IP (VoIP), video conferencing and presence management will essentially be always on and “roaming” amongst the subscribers’ devices. For instance, I will be able to look at my list of contacts on my mobile phone and know that a colleague is connected to both his PDA and his PC, and is available for a voice chat or instant messaging, but not video conferencing. Conversely, he can see that I’m connected to my mobile phone and not my PC, and am not accepting any incoming calls or instant messages. This sounds great, but these and other new services will require additional security to protect data and networks, and also people and their information. The marketability of such services depends on their having the highest level of security.

These services are possible because, at its core, the IMS architecture uses the Session Initiation Protocol (SIP). SIP is used because it provides an easy and open way to set up and control rich media applications over an IP network. Presently it is the most commonly used signaling protocol for VoIP.

Giving users the ability to access any service at any time on any device and on any network is clearly attractive and beneficial to both operators and subscribers. However, exchanging voice, video, data and more across a variety of channels and devices presents unique security considerations. Because an IMS network is built around SIP, it follows that the network will carry the same security vulnerabilities as SIP and IP networks as a whole.

For this reason, the way the end user is identified and authenticated is among the most critical aspects of IMS network security. A simple username and password is not enough. Weak and static passwords are too easy to steal and do not protect the relationship between the operator and his customer.

The wireless standards bodies 3rd Generation Partnership Project (3GPP) and 3rd Generation Partnership Project 2 (3GPP2) have defined encryption and authentication techniques for IMS, and operators are also deploying firewalls. However, with stolen passwords, a skilled hacker can still make his way into the network. Once inside, the hacker can attack with spoofing, viruses, traffic flooding and denial of service. Attacks like these can shatter users’ confidence in their new services, putting IMS investments in danger.

Interestingly, the authentication security issues operators are facing with IMS networks are easily addressed with existing wireless solutions.

UICC to the Rescue

Since the development of digital networks and the GSM family of networks (now the international standard for mobile phones), security and assurance of subscriber identity have always been key considerations. They are addressed with a common security framework based on the SIM and now the UICC[1], both smart cards. Smart cards have had years of hardening against attacks in their military, government, payment and wireless applications. Today, without a SIM or UICC, a handset cannot provide services other than emergency calling.

Today, the GSM family of networks accounts for 85 percent of the global mobile market, with more than 2.6 billion users. The SIM and its ability to secure subscribers and their data have played a big part in this continuing success. The proven SIM card technology also secures next-generation mobile networks such as GPRS (General Packet Radio Service), EDGE (Enhanced Data for GSM Evolution), Universal Mobile Telecommunications System (UMTS) and High Speed Packet Access (HSPA), and will secure Long Term Evolution (LTE)[2].

Proven Authentication Technology Applied to IMS

Why not apply the same technology that has secured the GSM network successfully for more than seventeen years to new IMS networks? The telecommunications industry is asking the same question, and a new technology has been developed to do just that.

The IP Multimedia Services Identity Module (ISIM) is an application running on a UICC. The ISIM is the collection of all of the IMS security data and functions on the UICC that are used to mutually authenticate users and IMS networks. Each subscriber device (wireless or wired) will have its own UICC representing the subscriber in the network, and each device will be authenticated with the strongest level of security. The UICC can authenticate connections to access networks (3G, 3.5G, WiFi, WiMAX) and be used to register to an IMS network using SIP.

The ISIM provides the authentication computation for SIP authentication. It contains files dedicated to SIP and the algorithm for user authentication on the network. The Generic Bootstrapping Architecture (GBA) is used to authenticate to applications provided in the IMS network. This can be done between an end user device and the application service (the Network Application Function, or NAF), or between the end user and an application proxy. Using GBA, the ISIM establishes an encrypted, mutually authenticated SIP session directly with the NAF or application proxy. The result is a unique and direct connection, a sort of “sealed tunnel” that provides end-to-end digital security for both the user and the operator of the IMS network.

This process is of course transparent to subscribers, but they can be confident that their connection to the IMS network is secured with proven technology, while service providers gain new ways to manage and protect subscriber identities on the Web. An added benefit is that subscribers don’t have to remember a number of usernames and passwords for all their devices and services on the IMS network.
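As an added illustration of the shared-secret, mutual challenge-response that the article attributes to the ISIM (and that footnote 1 describes for the SIM), the following Python model is example code written for this page, not Gemalto's or 3GPP's implementation: HMAC-SHA256 stands in for the card's authentication algorithm, and the key K, the sequence-number layout and the message sizes are constructed for the example. It shows why a stolen static password does not help here: the long-term key never leaves the card, the card authenticates the network before answering, and a replayed challenge is rejected.

```python
import hashlib
import hmac
import os

# Constructed for this example: the long-term key K provisioned into the ISIM and
# into the operator's authentication centre. It is never sent over the network.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def f_mac(k, rand, sqn):
    # Network-authentication tag over (RAND, SQN); HMAC stands in for the card algorithm.
    return hmac.new(k, b"mac" + rand + sqn, hashlib.sha256).digest()[:8]

def f_res(k, rand):
    # Subscriber response to RAND; only a holder of K can compute it.
    return hmac.new(k, b"res" + rand, hashlib.sha256).digest()[:8]

class AuthCentre:
    # Operator side: issues fresh challenges and checks the card's response.
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def challenge(self):
        rand = os.urandom(16)                  # fresh random challenge
        sqn = self.sqn.to_bytes(6, "big")      # monotonically increasing counter
        self.sqn += 1
        autn = sqn + f_mac(self.k, rand, sqn)  # lets the card authenticate the network
        return rand, autn, f_res(self.k, rand) # expected response (XRES) stays network-side

    @staticmethod
    def verify(res, xres):
        return res is not None and hmac.compare_digest(res, xres)

class ISIM:
    # Card side: answers only challenges that carry a valid, fresh network tag.
    def __init__(self, k):
        self.k, self.highest_sqn = k, -1

    def respond(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f_mac(self.k, rand, sqn)):
            return None                        # tag invalid: network not authenticated
        n = int.from_bytes(sqn, "big")
        if n <= self.highest_sqn:
            return None                        # replayed or stale challenge: reject
        self.highest_sqn = n
        return f_res(self.k, rand)

def register(ac, card):
    # One SIP registration attempt: True only if both sides authenticate each other.
    rand, autn, xres = ac.challenge()
    return ac.verify(card.respond(rand, autn), xres)
```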

Benefits Beyond Authentication

Though authentication is the most critical function of the UICC and ISIM on an IMS network, it’s important to note that the UICC can also provide many other useful services. These include storage and synchronization of the contact book, Quality of Service (QoS) information linked to the user’s subscription level, and call processing rules.

Presence management and call processing services are amongst the most interesting and appealing for end users, and both can be securely stored and enforced by the UICC. Presence management is how an end user controls the visibility other connected persons have of him or her, while call processing is how the user manages incoming calls on his or her different connected and registered devices. SIP allows presence and call processing rules to be combined into rich services. For example, the end user can specify that he or she does not appear connected to professional contacts after 8pm, or that calls from personal contacts ring through to his or her mobile device only.

A Smooth Transition to IMS

The telecommunications industry is just at the beginning of an exciting move to a truly converged communication world. With new networks come new opportunities for attacks and fraud, but it’s not necessary to go through the same pains as the wireless communications industry once did. Looking back at the success of securing wireless networks with the UICC and applying the same proven technology to securing IMS networks allows operators to move past authentication pains. They can then apply the benefits of the network to themselves and their subscribers, including new secure identity services for all of our communications.

Footnotes:

[1] Subscriber Identity Module and Universal Integrated Circuit Card. The UICC is a multi-application hardware platform that can run multiple smart card applications, including telecom applications (SIM, USIM, ISIM, EAP-SIM, etc.) and non-telecom applications (contactless payment applications such as MasterCard PayPass and Visa payWave, but also transit applications, etc.). The SIM in GSM networks ensures that the correct, authorized user is accessing the network. SIM cards securely store the service-subscriber key (IMSI) used to identify a subscriber, and are resistant to tampering. In addition, the SIM contains unique “shared secret” information — an authentication algorithm, the authentication key and other security-related information and functions. These are all used to strongly and mutually authenticate the subscriber and the network to each other.

[2] AT&T first launched HSPA in the USA, and both AT&T and Verizon have announced plans to launch LTE networks. For more information on the GSM family of networks, visit www.3Gamericas.org

Jean-Louis Carrara is Vice President, Telecommunications at Gemalto (www.gemalto.com). He joined Gemalto, the leader in digital security, in 1995 and has been involved in marketing and engineering wireless solutions, SIM and OTA. He is now responsible for enhanced wireless security products and managed services in North America. Carrara is actively involved in the wireless industry, sits on the board of 3G Americas and represents Gemalto with telecom media and analysts. Carrara has spoken at events such as Mobile Americas, CTIA Wireless and CTIA Wireless IT. He holds a master’s degree in engineering from l’Ecole Centrale de Lyon, France and an MBA from the Ellis College of NYIT.