Similar literature
16 similar documents found; search took 156 ms
1.
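The IP Multimedia Subsystem (IMS), as the core control platform of 3G networks, faces severe security challenges. Implementing the IMS access authentication mechanism is the first step in deploying the overall IMS security scheme and is key to ensuring the security of the IMS system. The IMS access authentication mechanism based on Authentication and Key Agreement (AKA) was defined by the Internet Engineering Task Force (IETF) and adopted by 3GPP, and is widely used as the authentication mechanism in 3G wireless networks. The mechanism uses a challenge/response model to authenticate the user and distribute session keys: SIP messages carrying AKA parameters are exchanged between the user equipment (UE) and the authentication entities of the IMS network, transported and negotiated according to the AKA mechanism, thereby achieving mutual authentication between the user and the network and negotiating the security key pair needed for subsequent communication.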

2.
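When a user terminal accesses the IP Multimedia Subsystem (IMS) through the Universal Mobile Telecommunications System (UMTS) packet domain, the UMTS packet domain and the IMS each independently perform authentication and key distribution for the terminal. The two procedures are largely similar, which causes duplicated communication overhead and is inefficient. Analysis of the IMS authentication and key agreement protocol (IMS AKA) procedure reveals a security vulnerability in the protocol that leaves it open to impersonation attacks. The article proposes an optimized and improved method, ESAKA (Efficient and Security AKA), which improves the efficiency of IMS AKA while also addressing authentication of the S-CSCF by the user terminal and the security of information transmission on the network side.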

3.
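Given the wide use of IMS systems in the development of 3G and 4G networks and the insufficient security strength of their AKA authentication protocol, an IMS authentication and key agreement protocol based on the CPK mechanism is designed, building on an analysis of the CPK and IMS AKA authentication mechanisms. Analysis shows that the protocol strengthens authentication for IMS smart terminals without introducing additional communication, and extends the authentication mechanisms supported by the IMS system.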

4.
刘璋詟  舒华英 《通信学报》2012,33(Z1):233-238
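With the trend toward network convergence, providing terminal authentication for WLAN networks through the telecom network will be the main approach to WLAN service authentication in the future. To achieve efficient and secure WLAN authentication under inter-network roaming, this study analyzes the WLAN authentication requirements in the inter-network roaming state, discusses authentication modes, procedures and existing problems, proposes a non-relay WLAN roaming authentication scheme based on the EAP SIM/AKA protocols, and validates it. Experimental results show that the non-relay authentication scheme meets the need for terminals to perform EAP SIM/AKA authentication while roaming, and at the same time strengthens system security, reduces investment cost, and enables real-time charging.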

5.
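IMS clients are built on the IMS network, which is currently a frontier and hot topic of network technology research. The IMS client is the most direct way in which end users enjoy the results that IMS technology brings. An IMS client differs from a traditional SIP client; one of the main differences is its more secure authentication mechanism, which implements dual authentication of the network and the client, making use more secure and reliable. This paper analyzes the existing terminal registration process; field testing ensures the authenticity of the data and the validity and feasibility of the related theoretical methods, so that readers can better understand the authentication process. It provides a reference for future developers.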

6.
黄韬 《移动通信》2008,32(5):51-55
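Research on unified IMS has become an important trend in the evolution of IMS, and a major issue that full-service operators urgently need to consider when actually deploying IMS networks. Based on an analysis of the feasibility of CDMA access to a unified IMS system, the article presents the functional architecture of the unified IMS system, discusses key technical issues for CDMA access to the unified IMS system, including media codec conversion, multi-access authentication methods and voice call continuity, and finally points out directions for further research on unified IMS systems.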

7.
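The GSM AKA mechanism has security weaknesses; in particular, the COMP128 algorithm is widely recognized as insecure. TD-SCDMA AKA therefore adopts an entirely new mechanism that offers better security assurance than GSM AKA, but its algorithms are complex. The article analyzes the TD-SCDMA network security mechanism and, given that TD-SCDMA and GSM systems will coexist for a long time, also analyzes the compatibility of TD-SCDMA and GSM AKA, providing a reference for further strengthening network operation security in the current period of rapid TD-SCDMA development and in the future.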

8.
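The IP Multimedia Subsystem (IMS) uses the Diameter protocol to implement network authentication, authorization and accounting. The Diameter protocol consists of two parts: the base protocol and extension application protocols. The article mainly analyzes two extension application protocols in IMS, the Diameter SIP application and the Diameter Credit-Control application, and focuses on how to apply Diameter extension protocols for IMS authentication, authorization and online charging.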

9.
黄钰  张胜杰  张琳  刘雨 《现代电信科技》2007,37(9):55-59,66
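IMS is the subsystem supporting IP multimedia services that 3GPP introduced in its Release 5 (R5), a network architecture based on all-IP packet transport and independent of the access network. The paper analyzes the evolution strategy of IMS for fixed-network access and describes how TISPAN introduces subsystems such as NASS and RACS to perform user authentication, ensure network security, and control bearer resources in the fixed-network access environment. Finally, taking VoIP as an example, it describes the specific message flow of the admission control mechanism applied to the VoIP service when IMS is accessed via the fixed network.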

10.
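The existing AKA-based authentication architecture in the mobile Internet is prone to single points of failure and to malicious registration attacks on servers, and the 3GPP-AKA protocol itself has security flaws. The article improves the original authentication model, proposes a deployment scheme for authentication servers based on a P2P architecture, improves the AKA authentication procedure, and finally analyzes the security of the scheme.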

11.
In the IP multimedia subsystem (IMS) of UMTS, two authentication procedures are necessary for IMS subscribers before accessing IMS services: (i) packet-switch domain authentication using the authentication and key agreement of the 3rd Generation Partnership Projects (3GPP AKA), and (ii) IMS authentication using IMS AKA. However, since IMS AKA is based on 3GPP AKA, almost all of the operations are the same. Besides, IMS AKA needs two round-trips to carry out. Therefore, it is inefficient that almost all involved steps in IMS AKA are duplicated. Therefore, we propose a one-pass IMS AKA instead of IMS AKA. The one-pass IMS AKA can keep the security properties of IMS AKA, such as mutual authentication and key agreement. Furthermore, the one-pass IMS AKA not only has at least 45% improvement over IMS AKA in terms of authentication signaling, but also has 76.5% improvement over IMS AKA in terms of storage space.

12.
The IP Multimedia Subsystem (IMS) is an access-independent, IP based, service control architecture. Users’ authentication to the IMS takes place through the AKA (Authentication and Key Agreement) protocol, while Generic Bootstrapping Architecture (GBA) is used to authenticate users before accessing the multimedia services over HTTP. In this paper, we focus on the performance analysis of an IMS Service Authentication solution that we proposed and that employs the Identity Based Cryptography (IBC) to personalize each user access. We carry out the implementation of this solution on top of an emulated IMS architecture and evaluate its performance through different clients’ access scenarios. Performance results indicate that increase in the number of clients does not influence the average processing time and the average consumed resources of the GBA entities during the authentication. We also notice that the Bootstrapping Server Function (BSF) presents a bottleneck during the service authentication which helps in giving some guidelines for the GBA entities deployment.

13.
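To address the security flaws in the 3G authentication and key agreement protocol (3GPP AKA), and considering the attacks an adversary might launch, this paper proposes an improved protocol (ER AKA, Efficient and Robust Authentication and Key Agreement) that prevents redirection attacks, active attacks launched through networks with security vulnerabilities, the SQN synchronization flaw, and disclosure of user identity information. Its security and efficiency are analyzed; the analysis shows that the protocol effectively solves these security problems at the cost of modest storage and computing resources and reduces the number of signaling exchanges for security processing in 3G systems.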

14.
One-pass GPRS and IMS authentication procedure for UMTS   Total citations: 6, self-citations: 0, citations by others: 6
Universal Mobile Telecommunications System (UMTS) supports Internet protocol (IP) multimedia services through IP multimedia core network subsystem (IMS). Since the IMS information is delivered through the general packet radio service (GPRS) transport network, a UMTS mobile station (MS) must activate GPRS packet data protocol (PDP) context before it can register to the IMS network. In the Third-Generation Partnership Project (3GPP) specifications, authentication is performed at both the GPRS and the IMS networks before an MS can access the IMS services. We observe that many steps in this 3GPP "two-pass" authentication procedure are identical. Based on our observation, this paper proposes a one-pass authentication procedure that only needs to perform GPRS authentication. At the IMS level, authentication is implicitly performed in IMS registration. Our approach may save up to 50% of the IMS registration/authentication traffic, as compared with the 3GPP two-pass procedure. We formally prove that the one-pass procedure correctly authenticates the IMS users.

15.
The IP Multimedia Subsystem (IMS) has been selected as a telecommunication industrial standard for the signal processing in the heterogeneous access networks. It is also brought up to handle the mobility management. However, the mobility of the user equipment (UE) may disrupt or even intermittently disconnect an ongoing real-time session, which heavily affects the satisfaction of the users. Therefore, how to reduce the service disruption time gets more and more important. This paper first proposes a centralized service continuity scheme, abbreviated as CSC, in IMS-based networks. The CSC treats handover as a service in the IMS network. Its architecture and operation are based on service invocation. The service continuity procedure is performed by an application server called CSC AS. The CSC AS can carry out the third-party call control for fast session re-establishment by initiating two INVITE requests concurrently. In addition, a variant of the CSC, denoted by CSC*, is derived by adopting the E-IMS AKA with one-pass authentication for achieving the acceleration of IMS registration during the handover. Analytical results show that both schemes could shorten the handover latency significantly, as compared with the standard IMS-based service continuity.

16.
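Formal analysis and improvement of the 3G authentication and key distribution protocol   Total citations: 4, self-citations: 0, citations by others: 4
This paper introduces the authentication and key distribution (AKA) protocol used in third-generation mobile communication systems. Authentication of the user's UE (user equipment) by the network home location register/visitor location register (HLR/VLR) and authentication of the network HLR/VLR by the UE use two different methods: the former uses a challenge-response authentication process, and the latter uses a proof-of-knowledge authentication process. Both authentication processes are analyzed with the BAN formal logic method, showing that, even assuming the system between the HLR and VLR is secure, the proof-of-knowledge authentication process still has a security flaw. 3GPP adopts a supplementary measure based on sequence numbers; the paper also presents another improvement.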
