Authentication Procedure in IMS - 3G - EPC - 5G


3G Authentication Procedure (SAI)

Participants: MS/UE, MSC/VLR, HLR, AuC

MS/UE -> MSC/VLR: Location Update Request
MSC/VLR -> HLR: Send Authentication Info (SAI)
HLR -> AuC: Authentication Info Required
AuC -> HLR: Authentication Info Response (IEs: RAND, SRES, Kc & IMSI)
HLR -> MSC/VLR: Authentication Info Response (IEs: RAND, SRES, Kc & IMSI)
MSC/VLR -> MS/UE: Authentication Request (IE: RAND)
MS/UE -> MSC/VLR: Authentication Response (IE: SRES)

1. UE sends a Location Update Request message to MSC/VLR including the IMSI as its permanent identity.

2. MSC/VLR sends SAI (Send Authentication Info) to HLR, including the IMSI as the UE identity. (This is the request for an Authentication Triplet.)

3. HLR first checks its database to validate the IMSI and then sends Authentication Info Required, including the IMSI, to AuC.

4. AuC looks up the Ki (integrity Key) for the IMSI and, using its Pseudo Random Number Generator algorithm, generates a 128-bit RAND value.

5. Using RAND and Ki with the A3 algorithm, AuC generates the 32-bit SRES (Signed Response).

6. Using RAND, Ki and the A8 algorithm, AuC generates the 64-bit Kc (Ciphering Key).

7. AuC prepares an Authentication Info Response and sends it to HLR including IMSI, RAND, SRES and Kc; HLR passes it on to MSC/VLR.

8. MSC/VLR extracts the parameters SRES and Kc, stores them and prepares an Authentication Request message for Mutual Authentication.

9. MSC/VLR sends Authentication Request, including the RAND value, to the MS/UE.

10. The MS already has Ki and the A3 and A8 algorithms stored in the SIM, so using RAND and Ki the MS/UE generates SRES and Kc respectively.

11. MS then sends an Authentication Response to MSC/VLR including the SRES value.

12. MSC/VLR compares the AuC (HLR) generated SRES with the MS/UE generated SRES. If both are the same, authentication is successful.
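Added example (not from the original page) modelling steps 4 to 12 above in Python: HMAC-SHA256 stands in for the SIM-specific A3/A8 algorithms, so only the triplet flow and the SRES comparison are faithful, not the real ciphers; the MscVlr class, the function names and the sample Ki are constructed for this illustration.

```python
import hmac, hashlib, secrets

# Assumption: HMAC-SHA256 stands in for the SIM-specific A3/A8 algorithms.
# Output sizes follow the page: RAND 128 bit, SRES 32 bit, Kc 64 bit.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # SRES

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # Kc

def auc_generate_triplet(ki: bytes, rand: bytes = None) -> tuple:
    """AuC side (steps 4-7): one triplet (RAND, SRES, Kc) for the subscriber's Ki."""
    rand = secrets.token_bytes(16) if rand is None else rand
    return rand, a3(ki, rand), a8(ki, rand)

class MscVlr:
    """MSC/VLR side (steps 8-9, 12): caches triplets received via HLR and
    challenges the MS with RAND only; SRES and Kc never go over the air."""
    def __init__(self, triplets):
        self.triplets = list(triplets)          # consumed first-in, first-out
    def challenge(self) -> bytes:
        self.rand, self.sres, self.kc = self.triplets.pop(0)
        return self.rand                         # Authentication Request IE
    def verify(self, sres_from_ms: bytes) -> bool:
        # Step 12: compare the AuC-generated SRES with the MS response in constant time.
        return hmac.compare_digest(self.sres, sres_from_ms)

def ms_respond(ki: bytes, rand: bytes) -> tuple:
    """MS/SIM side (step 10): SRES for the Authentication Response, Kc for ciphering."""
    return a3(ki, rand), a8(ki, rand)

def run_3g_auth(ki_sim: bytes, ki_auc: bytes, n_triplets: int = 2) -> tuple:
    """Whole flow; returns (ms_authenticated, kc_agreed). The MS never checks a
    network token here (no AUTN), so only the network authenticates the MS."""
    msc = MscVlr(auc_generate_triplet(ki_auc) for _ in range(n_triplets))
    rand = msc.challenge()
    sres, kc = ms_respond(ki_sim, rand)
    return msc.verify(sres), kc == msc.kc

if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test Ki
    print(run_3g_auth(ki, ki))
```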
IMS Registration & Authentication Procedure

Participants: UE, P-CSCF, I-CSCF, HSS/AuC, S-CSCF

1. UE -> P-CSCF -> I-CSCF: SM: REGISTER (IMPI)
2. I-CSCF -> HSS: Cx: UAR (User Authorisation Request)
3. HSS -> I-CSCF: Cx: UAA (User Authorisation Answer); I-CSCF runs the S-CSCF Selection Procedure
4. I-CSCF -> S-CSCF: SM: REGISTER (IMPI)
5. S-CSCF -> HSS: Cx: Multimedia Authentication Request (IMPI)
6. HSS -> S-CSCF: Cx: Multimedia Authentication Answer (AV 1..n)
7. S-CSCF -> I-CSCF -> P-CSCF -> UE: SM: 401 Unauthorised (RAND, AUTN); S-CSCF selects one AV
8. UE -> P-CSCF: REGISTER (IMPI, RES); P-CSCF: Store (IMPI, ...)
9. I-CSCF -> HSS: Cx: UAR
10. HSS -> I-CSCF: Cx: UAA (S-CSCF Address)
11. I-CSCF -> S-CSCF: REGISTER (IMPI, RES); S-CSCF checks RES = XRES
12. S-CSCF -> HSS: Cx: Server Assignment Request
13. HSS -> S-CSCF: Cx: Server Assignment Answer
14. S-CSCF -> UE: SM: 200 AUTH_OK

IMS Authentication Procedure


1. UE sends an initial SIP REGISTER message with its IMPI (IP Multimedia Private Identity) as permanent identity to I-CSCF via P-CSCF (using UDP or TCP).
   IEs in the SIP REGISTER message:
   - IMPI as UE ID
   - Port number (the default port for SIP is 5060)
   - Request URI
   - IP address of P-CSCF (P-CSCF adds its own IP address to the Via header field)

2. As I-CSCF has no knowledge of which S-CSCF a user profile is assigned to, it needs to find out to which S-CSCF it should forward the REGISTER request.
   - So I-CSCF performs the S-CSCF Selection Procedure with HSS.
   - I-CSCF sends Cx: User Authorisation Request (UAR) to HSS.
   - HSS checks whether the I-CSCF is allowed to query the authorisation status of the user.

3. HSS sends Cx: User Authorisation Answer (UAA) to I-CSCF.
   - In the positive case HSS provides either the required capabilities for S-CSCF selection or the stored address of the S-CSCF.
   - If capabilities for S-CSCF selection are received, I-CSCF selects a suitable S-CSCF.
   - After selecting the S-CSCF, I-CSCF adds the address of the S-CSCF and inserts its own IP address into the REGISTER message.

4. I-CSCF sends the REGISTER message to the selected S-CSCF.

5. As the user is not yet authenticated, S-CSCF does not have a valid Authentication Vector (AV) array for the UE.
   - Therefore S-CSCF retrieves authentication data from the HSS.
   - S-CSCF sends Cx: Multimedia Authentication Request (MAR) to HSS to obtain AVs for this UE.

6. HSS generates:
   - RAND: a random number for the random challenge
   - XRES: Expected Response (or Result)
   - AUTN_HSS: Network (HSS) Authentication Token
   - IK: Integrity Key
   - CK: Ciphering Key
   - Authentication Scheme [IMS Authentication and Key Agreement (AKA)]
   HSS creates the AVs and sends Cx: Multimedia Authentication Answer (MAA) to S-CSCF including multiple AVs. Each AV contains RAND, AUTN, XRES, IK and CK.

7. S-CSCF selects the next unused AV from the ordered AV array, since AVs in a particular S-CSCF are used on a first-in / first-out basis.
   - In order to authenticate the UE, S-CSCF rejects the initial REGISTER request from the user.
   - S-CSCF challenges the UE by sending a 401 Unauthorised response to P-CSCF via I-CSCF.
   - This message includes RAND, AUTN, IK and CK for the P-CSCF.
   - P-CSCF extracts IK and CK and stores these two security keys. Both IK and CK are used for the IP security (IPsec) Security Association between UE and P-CSCF.
   - P-CSCF forwards the 401 Unauthorised message to the UE containing RAND and the AUTN token, which includes the MAC and SQN generated by HSS.

8. After receiving the 401 Unauthorised response, the UE passes the received parameters to the ISIM (or USIM) application. To verify AUTN and thereby authenticate the network:
   - UE calculates XMAC and checks whether XMAC = MAC.
   - UE then checks whether the SQN is in the correct range.
   - If both checks succeed, the UE can be sure that the authentication data came from the Home Network (HSS) only.
   - UE calculates the RES value based on the received RAND.
   - UE calculates the IK, which is then shared with the P-CSCF.
   - UE calculates the CK if signalling ciphering is required.
   - UE uses RES to calculate an Authentication Response and generates a second REGISTER message.
   - UE sends the second REGISTER (IMPI & RES) message to P-CSCF via the IPsec Security Association.
   - Therefore P-CSCF adds the ‘integrity-protected’ field with value ‘yes’ to the Authorization header field and sends the REGISTER request towards I-CSCF.

9. I-CSCF queries the HSS to find the address of the S-CSCF by sending UAR.

10. HSS responds with a UAA message to I-CSCF containing the S-CSCF address.

11. I-CSCF forwards REGISTER (IMPI & RES) to the S-CSCF.
   - S-CSCF receives the request, extracts the RES value and checks whether RES = XRES.
   - If the result is positive, the authentication and key agreement exchange is successfully completed.

12. S-CSCF sends a Server Assignment Request (SAR) over the Cx interface to inform HSS which S-CSCF will serve the UE.

13. HSS stores the address of the S-CSCF and sends the user’s profile in a Server Assignment Answer (SAA) message over the Cx interface.

14. After retrieving the user profile from HSS, S-CSCF sends a SIP 200 AUTH_OK message to the UE.
EPS Authentication Procedure

When a UE requests access to an LTE network, mutual authentication between the UE and the network is conducted using the EPS AKA (Authentication and Key Agreement) procedure.

1. UE sends Attach Request to MME including the IMSI as UE identity.

2. After decoding the Attach Request message, MME performs the EPS AKA procedure, which consists of two steps:
   - acquisition of Authentication Vector(s) (AV) from HSS
   - mutual authentication between UE and MME

3. MME sends an Authentication Information Request message to HSS, requesting Authentication Vector(s) (AV) for the UE, including the IEs:
   - IMSI
   - SN ID (Serving Network ID)
   - n = number of AVs that MME requests from HSS
   - Network Type

4. After receiving the Authentication Info Request, HSS generates multiple AVs using the EPS AKA algorithm.

5. AV (Authentication Vector) generation:
   - First HSS generates SQN and RAND using a random number generation algorithm.
   - Using LTE K, SQN, RAND and AMF parameters, AuC generates the MAC (Message Authentication Code).
   - Using the LTE master key (LTE K) and RAND, by crypto functions, HSS generates:
     - XRES: Expected Response
     - AK: Anonymity Key
     - CK: Cipher Key
     - IK: Integrity Key

6. From the AK, SQN, MAC and AMF (Authentication Management Function) parameters, AuC generates AUTN_HSS, the Network Authentication Token.

7. Using SQN, SN ID, CK and IK, HSS derives KASME (Key Access Security Management Entity).

8. Finally HSS assembles AVs which contain the parameters:
   - RAND: Random Number
   - XRES: Expected Response
   - AUTN_HSS: Network Authentication Token
   - KASME: Key Access Security Management Entity

9. HSS sends an Authentication Info Response to MME including multiple AVs, each containing RAND, AUTN, XRES and KASME.

10. MME sends an Authentication Request to the UE, which contains the IEs:
   - RAND
   - AUTN_HSS
   - KSI_ASME = index for KASME

11. After receiving the Authentication Request from MME, UE first generates SQN.

12. The UE NAS layer delivers RAND and the AUTN token to the USIM. Using the EPS AKA algorithm with RAND and the stored LTE key (K), USIM derives:
   - RES: Response
   - AK: Anonymity Key
   - CK: Cipher Key
   - IK: Integrity Key

13. Using LTE K, SQN, RAND, AMF and AK parameters, USIM generates XMAC (Expected Message Authentication Code).

14. Using SQN, SN ID, CK and IK, the Key Derivation Function derives KASME.

15. UE then verifies that MAC == XMAC and also verifies whether SQN is in the correct range. If MAC == XMAC and SQN is in the correct range, HSS is authenticated successfully.

16. UE then stores KSI_ASME as the index of KASME.

17. After that, UE sends an Authentication Response including RES to MME, so that MME can authenticate the UE.

18. Upon reception of the Authentication Response, MME compares the RES value received from the UE with the XRES value received from HSS, to authenticate the UE.

19. If RES = XRES, authentication is successful.
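Added example (not from the original page) that models in Python the AKA challenge used both in IMS AKA (step 8 and step 11 of the IMS procedure) and in EPS AKA (steps 5 to 19 above): HSS builds AUTN from SQN, AK, AMF and MAC, the USIM checks MAC and the SQN range before answering, and the serving side compares RES with XRES. HMAC-SHA256 stands in for the operator-specific f1..f5 functions (MILENAGE in practice), the KASME derivation is simplified, and SQN_WINDOW, the AMF bytes and the sample SN ID are assumed values.

```python
import hmac, hashlib, secrets

# Assumption: HMAC-SHA256 stands in for the operator-specific f1..f5 functions
# (MILENAGE in practice); field sizes follow AKA: SQN 48 bit, AMF 16 bit,
# MAC 64 bit, AK 48 bit, RES/XRES 64 bit. SQN_WINDOW is an assumed value.
SQN_WINDOW = 32  # UE accepts SQN in (last_sqn, last_sqn + SQN_WINDOW]
def f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def kdf_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """Simplified KASME derivation: HMAC(CK||IK, FC=0x10 || SN ID || SQN xor AK)."""
    return hmac.new(ck + ik, b"\x10" + sn_id + sqn_xor_ak, hashlib.sha256).digest()

def hss_generate_av(k: bytes, sqn: int, amf: bytes, sn_id: bytes, rand: bytes = None) -> dict:
    """HSS/AuC side (EPS steps 5-8): one AV = RAND, AUTN, XRES, KASME."""
    rand = secrets.token_bytes(16) if rand is None else rand
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand, amf)[:8]      # network authentication MAC
    ak = f(k, b"f5", rand)[:6]
    sqn_xor_ak = xor(sqn_b, ak)                  # AK conceals SQN on the air
    autn = sqn_xor_ak + amf + mac
    kasme = kdf_kasme(f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16], sn_id, sqn_xor_ak)
    return {"RAND": rand, "AUTN": autn, "XRES": f(k, b"f2", rand)[:8], "KASME": kasme}

def usim_authenticate(k: bytes, rand: bytes, autn: bytes, sn_id: bytes, last_sqn: int):
    """UE/USIM side (IMS step 8, EPS steps 11-16): check MAC and SQN range first;
    returns (RES, KASME, SQN) or None when the network fails to authenticate."""
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(sqn_xor_ak, f(k, b"f5", rand)[:6])   # recover SQN with AK
    if not hmac.compare_digest(f(k, b"f1", sqn_b, rand, amf)[:8], mac):
        return None                              # XMAC != MAC: not from home network
    sqn = int.from_bytes(sqn_b, "big")
    if not last_sqn < sqn <= last_sqn + SQN_WINDOW:
        return None                              # stale or replayed challenge
    kasme = kdf_kasme(f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16], sn_id, sqn_xor_ak)
    return f(k, b"f2", rand)[:8], kasme, sqn

def mme_verify(res: bytes, xres: bytes) -> bool:
    """MME / S-CSCF side (EPS steps 18-19, IMS step 11): RES must equal XRES."""
    return hmac.compare_digest(res, xres)

def run_aka(k: bytes, sqn_hss: int, last_sqn_ue: int, sn_id: bytes = b"\x13\x00\x14") -> tuple:
    """Full exchange; returns (network_ok, ue_ok, kasme_match, sqn_accepted_by_ue)."""
    av = hss_generate_av(k, sqn_hss, b"\x80\x00", sn_id)   # constructed AMF value
    out = usim_authenticate(k, av["RAND"], av["AUTN"], sn_id, last_sqn_ue)
    if out is None:
        return False, False, False, last_sqn_ue
    res, kasme_ue, sqn = out
    return True, mme_verify(res, av["XRES"]), kasme_ue == av["KASME"], sqn
```

Both sides end with the same KASME only after the UE has accepted AUTN, which is why a replayed or tampered challenge yields no key material at all.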


SS7/Sigtran Check EIR Call Flow

Participants: MS/UE, MSC/VLR, EIR, HLR

MS/UE -> MSC/VLR: Registration Procedure
MSC/VLR -> EIR: MAP: Check IMEI (IMEI)
EIR -> MSC/VLR: MAP: Check IMEI ACK

1. Suppose the MS roams into a new serving MSC/VLR area and begins the registration procedure with the CS core network via the base station.

2. In a network with an EIR, before sending a Location Update Request to HLR, MSC/VLR sends a MAP_CHECK_IMEI message to the EIR requesting EIR processing, including the IMEI or IMSI (optional).

3. EIR retrieves the IMEI and/or IMSI from the message and searches the EIR information in its database for a match of the IMEI.

4. This search may result in the IMEI being on one or more of the White, Gray or Black lists, or it may result in an invalid or unknown IMEI.

5. Based on the search result, EIR returns a MAP_CHECK_IMEI_ACK containing either the Equipment Status (IMEI allowed or not allowed) or a User Error (invalid or unknown IMEI).

6. MSC either rejects or completes the registration attempt, depending on the information returned from the EIR.
5G Authentication Procedure

SEAF: Security Anchor Function
SUCI: Subscription Concealed Identifier
SUPI: Subscription Permanent Identifier
HE AV: Home Environment Authentication Vector
SHA-256: 256-bit Secure Hash Algorithm


Notification Manager

1. The ADM uses trigger definitions which are loaded into the ADM as “trigger definition templates”. These are used to configure the client to support NTF.

2. These templates contain basic trigger definitions and additional placeholders for the tenant, receiving client, application (or LDAP user) and DSA.

3. The standard notification information is defined via ADM.

4. ADM generates the final trigger definitions for the One-NDS Directory and Subscription Data for NTF by replacing the variables with the values required for the actual deployment.

5. The registration information for triggers is stored in the directory.

6. NTF essentially acts as a hub for SOAP messages.

7. It receives SOAP messages from NDS (triggers) or from applications (commands, e.g. from the PGW) and sends them to the intended recipients.

8. Distribution modes: messages can be distributed in two modes, multicast and round-robin.
   - Multicast: each message is sent to all servers that have subscribed to the notification.
   - Round-robin: each message is sent to only one of a group of subscribed servers; each subsequent message of the same type is sent to the next server in the group in turn.
