2G/3G Authentication with

SIM cards:
usage & roaming basics for
the Internet challenged
Michael Haberler
Internet Foundation Austria

outline
a SIM card mini-tutorial
features, protocol flow, usage, production, addressing
UMTS authentication and key agreement
principles and protocol flow
the universal integrated circuit card (UICC)
USIM app
how 2G, 3G roaming works
over the air (OTA) loading of UICC apps
example: X.509 certificate download
(U)SIMs and Internet access authentication
how SIMs and RADIUS roaming works
(U)SIMs and SIP authentication
what the SIP server does
How the parameter logistics works
a bonus business model thrown in
summary

whats a 2G SIM card
crypto smart card as per ISO 7816
access protected by a PIN code(s) (card holder verification)
fixed storage of subscriber identity IMSI (international mobile
subscriber identity) GSM MAC address
E.164 number to IMSI mapping at the operator only
safe storage for shared secret - accessible only through CHAP
operation
not broken as of today except for most stupid CHAP algorithm known
CHAP algorithm in hardware
operator chooses algorithm
tree structured filesystem
stream, record, cyclic record files
can be readonly, read/write or none at all (for the key)
some permission hierarchy

how are SIM cards produced
unprogrammed chips are personalized and closed
(parameters written & sealed)
mass product - $5-$7 apiece at 1000+
GEMplus, Giesecke & Devrient ....
everybody can have SIMs made even Mom&Pop ISP
not everybody may
roam with other cellular operators
use the GSM algorithm A3/A8 you wouldnt want it anyway
must be member of GSM association for that
having your own algorithm in a chip mask is a circa
$50K+ affair
for testing & development unprogrammed castrated
chips used (XOR algorithm for CHAP...)

how are (U)SIM cards accessed
2G, 3G use
builtin reader in the mobile handset
for Internet use:
maybe builtin in PDA, PC (e.g.DELL)
external USB token 20$ apiece
re-use a mobile SIM card via Bluetooth SIG SIM Access
Profile (only if roaming against 2G/3G operator)
read 3G (U)SIM Security Reuse by Peripheral
Decices on local interfaces contains some threat
analysis

SIM usage in 2G authentication
2G GSM
handset
keys
access request present IMSI
present challenge (RAND)
send RESP (challenge response)
Authentication
Center
shared secret

IMSI structure
T0207420-98
MCC MNC MSIN
IMSI
MCC Mobile CountryCode
MNC Mobile NetworkCode
MSIN Mobile Subscriber IdentificationNumber
IMSI International Mobile Subscriber Identity
Three
digits
Twotothree
digits
Maximum of ten
digits
Maximum of fifteendigits
MCC/MNC uniquely designates an operator and his authentication center
when roaming, MCC/MNC tells the visiting network where to route the
authentication request
this is done via SS7 MAP (mobile application part)

what is OTA (over the air) loading?
SIM cards are writable by mobile equipment
if authenticated to network
if instructed by operator over the air
if file/directory is writable
example: ISIM X.509 certificate bootstrap
AKA authenticated:
let user visit PKI portal
download certificates through HTTP/Digest mechanism
certificates are stored in record structured files, as ar CA certifcates
The Air can also be an IP connection
download of executable applets possible
SIM Toolkit, USAT (USIM Application toolkit)
bytecode instructions sent encrypted by 3DES, stored on card
regularly used in 2G networks today for functionality upgrades
& parameter download



UMTS authentication and key
agreement (AKA)
substantially improved over 2G SIM
protection against replay, MITM attacks
sports also network-to-user authentication
more complex algorithm
compatibility functions 2G network/3G
card, 3G network/2G card

3G AKA authentication flow
3G UMTS
handset
keys
access request present IMSI
challenge RAND || AUTN token
send RESP (challenge response)
Authentication
Center
shared secret,
Sequence numbers
result:
Cipher key
Integrity key

whats the universal integrated
circuit card (UICC) about
generic support mechanism for multiple
applications on one card
2G,3G authentication become applications
selected as needed
USIM application implements AKA
2G SIM app implements 2G CHAP
additional apps possible (ISIM, PKI certificate
storage etc)
ISIM is pretty close to SIP client needs!!
mobile equipment chooses application

using (U)SIMs for Internet
access authentication
embed flow in EAP and tunnel in RADIUS
between 802.1x supplicant in client and RADIUS
EAP backend using EAP-SIM or EAP-AKA
RADIUS server MAY gateway to SS7 MAP and
roam
WiFi network looks like a GSM roaming partner
example: WiFi roaming through www.togewanet.com
OR RADIUS server access an ISP-style database
for keys
ISP is the SIM card issuer!

using (U)SIM for SIP authentication
speak HTTP/AKA (RFC3310) between SIP UA and proxy
proxy translates into EAP-AKA-in-RADIUS
RFC specified only for AKA (3G auth)
no mapping of EAP-SIM onto HTTP/SIM for 2G auth
bad almost all networks today use 2G auth which
breaks SIP authentication through GSM/UMTS operators
we need to address this and spec HTTP/SIM

how 2G roaming works
mobile equipment presents IMSI
visited network looks at MCC,MNC part of IMSI
if no roaming agreement, drop him
otherwise send access request thru SS7 MAP to home
network
the home network verifies IMSI and sends a triplet:
(challenge, expected response, cipher key) authentication
vector
visited network presents challenge, reads response
if (response == expected response), service user
the triplet is essentially an access ticket
note no replay detection these fellows seem to trust each
other

how 3G roaming works
not much different from 3G, just more
parameters needed for AKA
triplets become quintets

how the 2G/3G user ids (IMSIs) are
mapped to RADIUS authentication:
take mobile country code, mobile network code
use them to create a realm
Example
IMSI = 232011234567890
means mcc=232 (Austria) mnc=01 (Mobilkom)
resulting realm
mnc01.mcc232.owlan.org
resulting RADIUS user
232011234567890@mnc01.mcc232.owlan.org
routing to Radius servers decided by subdomain
convention established by Nokia
Nokia owns owlan.org domain pro-bono
from thereon this is vanilla RADIUS roaming
but its just fine if we call it mnc01.mcc232.visionNG.org if that
sounds better, realms just gotta be unique

how does 2G/3G address
logistics work
if you are a service provider and have E.164
ranges, get a MNC from your MCC
administrator (FCC, regulator...)
the E.164 range might also be, for example,
from visionNG (+87810 ff) MCC = 901
this doesnt mean youre part of 2G/3G
roaming yet contracts & regulatory
prerequisites needed
but the addressing is all set to go!!

a bonus business model thrown in:
combine a SIP-based iTSP with a Mobile Virtual
Network Operator (MVNO)
an MVNO has authentication, billing, customers, numbers,
but the radio network is outsourced from somewhere else
issue (U)SIM cards which work both in a 2/3G
handset AND as WiFi/SIP auth tokens note the
same card authenticates both uses!
leave choice to user how to connect Internet or
cellular using the same E.164 number

Summary
2G/3G has a strong/very strong authentication architecture
it is almost copy & paste for iTSP use at WiFi access, WiFi
roaming acces, SIP and other levels (TBD!)
it can serve to solve the X.509 certificate distribution problem
operator model (2G/3G home network, ISP home network) has
no impact on Internet-side terminals
numbering & addressing resources are compatible and available
(maybe not obviously so)
the Internet could become the biggest (U)SIM authenticated
mobile network ever to roam with 2G/3G land