JunHyuk Song                                             INTERNET DRAFT
ChaeYong Chong                                             29 June 2001
Samsung Elec.
Dongkie Leigh
SK telecom
Raymond Hsu
Qualcomm Inc.

            Mobile IPv4 Authentication Shared key Generation
            draft-song-mobile-ipv4-auth-secgeneration-00.txt

Status of This Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at:
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at:
   http://www.ietf.org/shadow.html.

Abstract

   Mobile Node and Home Agent servers in use today provide
   authentication and authorization services mostly through the MN-HA
   and MN-AAA Authentication extensions. However, such a Security
   Association is only possible if the Mobile Node already shares the
   same secrets with the Home Agent and the AAA. Based on the assumption
   that the SA between the Mobile Node and the Home AAA is strong, it is
   possible to use that security association to dynamically update the
   MN-AAA Authentication shared secret and to create security
   associations between the Mobile Node and the foreign agent and its
   home agent. This document specifies a method to dynamically update
   the shared secret used for the MN-AAA extension and to create the
   shared secret used for the MN-HA extension among Mobile Node, Foreign
   Agent and Home Agent, based on the MN-AAA shared secret, NAI, Foreign
   Agent IP address and Foreign Agent Challenge.

Song et al.            Expires 29 December 2001                [Page 1]

Internet Draft        Mobile IP MN-HA Authentication       29 June 2000

Contents

   Status of This Memo
   Abstract
   1. Introduction
   2. The parameters used for Dynamic MN-HA shared secret generation
      2.1 Mobile IP Agent Advertisement Challenge Extension
      2.2 Network Access Identifier (NAI)
      2.3 MN-AAA shared secret
   3. MN-AAA shared secret update
      3.1 MN-AAA key update by Mobile Node
      3.2 MN-AAA key update by AAA
   4. MN-HA shared secret creation
      4.1 MN-HA key creation by Mobile Node
      4.2 MN-HA shared key creation by AAA
   5. Operation description
   6. Security Considerations
   Appendix A - 3G Wireless example
   Appendix B - MN-FA shared key consideration
   References
   Addresses

1. Introduction

   In Mobile IP, AAA servers are now used to identify and authenticate
   the mobile node by the Network Access Identifier (NAI) [1] and the
   MN-AAA authenticator [3]. In addition, the mobile node is required to
   have a security association with its home agent [2]. Mobile IP
   defines an MN-HA authentication extension by which a mobile node can
   authenticate itself to a home agent. However, it is not currently
   defined how the Mobile Node, Home Agent and AAA obtain and update the
   shared secrets used in computing the MN-AAA and MN-HA authenticators.
   Based on the assumption that the SA between the Mobile Node and the
   Home AAA is strong, it is possible to use that security association
   to create security associations between the Mobile Node and its Home
   Agent. This document specifies a method to dynamically update the
   shared secret used for the MN-AAA extension and to create the shared
   secret used for the MN-HA extension among Mobile Node, Foreign Agent
   and Home Agent, based on the MN-AAA shared secret, NAI, Foreign Agent
   IP address and Foreign Agent Challenge.

2. The parameters used for Dynamic MN-HA shared secret generation

   This section defines the parameters used for MN-HA shared secret
   generation and MN-AAA shared secret update.

2.1 Mobile IP Agent Advertisement Challenge Extension

   The Foreign Agent Challenge extension [3] is currently defined and in
   use in 3G wireless systems. The challenge extension is sent with the
   Agent Advertisement by the Foreign Agent, to be used by the Mobile
   Node to create the MN-AAA authentication extension for its Mobile IP
   Registration Request.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         Challenge ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 1: The Challenge Extension [3]

   Type       24

   Length     The length of the Challenge value in bytes; SHOULD be at
              least 4

   Challenge  A random value that SHOULD be at least 32 bits.

   The challenge extension is used to give randomness to the dynamic
   MN-HA shared secret in order to avoid a possible replay attack.

2.2 Network Access Identifier (NAI)

   The Network Access Identifier (NAI) is the user ID. The Mobile NAI
   extension in the Mobile IP registration request is used by the AAA to
   identify the clients.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |          MN-NAI ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 2: The Mobile Node NAI Extension [9]

   Type       131 (skippable)

   Length     The length in bytes of the MN-NAI field

   MN-NAI     A string in the NAI format defined in [1]

2.3 MN-AAA shared secret

   The MN-AAA shared secret is the key used to compute the MN-AAA
   authentication extension.

3. MN-AAA shared secret update

   This section describes how the current MN-AAA shared secret is
   updated by the Mobile Node and the AAA. How the initial MN-AAA shared
   secret is distributed to the Mobile Node and the AAA is out of the
   scope of this document.

3.1 MN-AAA key update by Mobile Node

   1. The Mobile Node identifies the Foreign Agent Challenge in the
      Mobile IP Agent Advertisement.

   2. The Mobile Node uses the FA Challenge, its own NAI, and the
      previously assigned MN-AAA shared secret to calculate:

      Current MN-AAA shared key = HMAC-MD5(Initial MN-AAA-key |
                                  FA Challenge | MN NAI |
                                  Initial MN-AAA-key)

3.2 MN-AAA key update by AAA

   1. The AAA identifies the Foreign Agent Challenge and the MN's NAI
      from the AAA message.

   2. The AAA uses the FA Challenge, the MN's NAI and the initially
      assigned MN-AAA shared secret to calculate:

      Current MN-AAA shared key = HMAC-MD5(Initial MN-AAA-key |
                                  FA Challenge | MN NAI |
                                  Initial MN-AAA-key)

4. MN-HA shared secret creation

   This section describes the MN-HA shared secret creation by the
   Mobile Node and the AAA.

4.1 MN-HA key creation by Mobile Node

   1. The Mobile Node identifies the Foreign Agent Challenge in the
      Mobile IP Agent Advertisement.

   2. The Mobile Node uses the FA Challenge, its own NAI, and the
      currently generated MN-AAA shared secret to calculate:

      MN-HA shared key = HMAC-MD5(Current MN-AAA-key | FA Challenge |
                                  MN NAI | Current MN-AAA-key)

4.2 MN-HA shared key creation by AAA

   1. The AAA identifies the Foreign Agent Challenge and the MN's NAI
      from the AAA message.

   2. The AAA uses the FA Challenge, the MN's NAI, and the currently
      generated MN-AAA shared secret to calculate:

      MN-HA shared key = HMAC-MD5(Current MN-AAA-key | FA Challenge |
                                  MN NAI | Current MN-AAA-key)

5. Operation description

   The Home Agent shall obtain the MN-HA shared secret from the AAA. The
   key fetching method varies between RADIUS [7] and DIAMETER [8] and is
   out of the scope of this document.

6. Security Considerations

   The key generation method described in this document provides a
   reasonable level of security by dynamically creating and updating the
   shared secrets. Since this key generation method depends on key
   material already available in Mobile IP, it does not require new key
   material. The Foreign Agent Challenge is used to avoid replay attacks
   and to enhance security. The weakest point of this scheme is
   therefore the security of the MN-AAA shared secret. Since the MN-AAA
   shared secret is dynamically updated for every MIP registration after
   it is first assigned, the risk of exposing the MN-AAA shared secret
   is minimal.

Appendix A - 3G Wireless Example

   In the 3GPP2 Wireless system, both RADIUS and DIAMETER are supported
   as AAA protocols. This document suggests a method of dynamically
   creating and maintaining the shared secrets for MN-AAA and MN-HA
   authentication. This is especially beneficial in the case of dynamic
   HA allocation. In 3G wireless systems, if each Mobile Node and Home
   Agent had the same static shared secret for MN-HA authentication,
   dynamic HA allocation would be problematic because each HA generally
   has no knowledge of all the MN-HA shared secrets. On the other hand,
   configuring all the HAs with all the MN-HA shared secrets in an
   administrative domain raises concerns in security and scalability.
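   The derivation that the MS and the AAAH each perform in this flow
   (sections 3.1 to 4.2) together with the MN-FA key of Appendix B, as
   an added worked example that is not part of the draft. It assumes
   HMAC-MD5 [4] keyed with the MN-AAA key over the concatenation of the
   remaining fields (the draft writes the key at both ends of the
   input), the FA IP address as its 4 network-order bytes, a UTF-8 NAI,
   and constructed sample values.

```python
import hashlib
import hmac
import ipaddress


def hmac_md5(key: bytes, *fields: bytes) -> bytes:
    """HMAC-MD5 [4] keyed with `key` over the joined `fields`. Assumption: the
    draft writes the key at both ends of its input; here it is the HMAC key."""
    return hmac.new(key, b"".join(fields), hashlib.md5).digest()


def update_mn_aaa_key(initial_key: bytes, fa_challenge: bytes, nai: str) -> bytes:
    """Sections 3.1 / 3.2: Current MN-AAA key from initial key, FA Challenge, NAI."""
    return hmac_md5(initial_key, fa_challenge, nai.encode("utf-8"))


def create_mn_ha_key(current_key: bytes, fa_challenge: bytes, nai: str) -> bytes:
    """Sections 4.1 / 4.2: MN-HA key from the *current* MN-AAA key, FA Challenge, NAI."""
    return hmac_md5(current_key, fa_challenge, nai.encode("utf-8"))


def create_mn_fa_key(current_key: bytes, fa_ip: str, nai: str) -> bytes:
    """Appendix B: MN-FA key from the MN-AAA key, the FA's IP address and the NAI.
    Assumption: the IP address enters as its 4 network-order bytes."""
    return hmac_md5(current_key, ipaddress.IPv4Address(fa_ip).packed, nai.encode("utf-8"))


def derive_keys(initial_key: bytes, fa_challenge: bytes, nai: str, fa_ip: str) -> dict:
    """One registration's derivations, run independently by the MN and the AAAH.
    Assumption: a challenge shorter than the 32 bits of section 2.1 is rejected."""
    if len(fa_challenge) < 4:
        raise ValueError("FA Challenge must be at least 32 bits")
    current = update_mn_aaa_key(initial_key, fa_challenge, nai)
    return {
        "mn_aaa": current,
        "mn_ha": create_mn_ha_key(current, fa_challenge, nai),
        "mn_fa": create_mn_fa_key(current, fa_ip, nai),
    }


# Constructed sample values, not taken from the draft.
INITIAL_MN_AAA_KEY = b"provisioned-mn-aaa-secret"
NAI = "user@example.com"
FA_IP = "192.0.2.1"
CHALLENGE_1 = bytes.fromhex("0a1b2c3d")
CHALLENGE_2 = bytes.fromhex("0a1b2c3e")  # differs from CHALLENGE_1 in one bit

if __name__ == "__main__":
    mn_side = derive_keys(INITIAL_MN_AAA_KEY, CHALLENGE_1, NAI, FA_IP)
    aaah_side = derive_keys(INITIAL_MN_AAA_KEY, CHALLENGE_1, NAI, FA_IP)
    assert mn_side == aaah_side  # both ends agree with no key sent on the wire
    # A fresh challenge gives unrelated keys; a replayed one reproduces them
    # exactly, so the FA Challenge must be fresh for every registration.
    assert derive_keys(INITIAL_MN_AAA_KEY, CHALLENGE_2, NAI, FA_IP) != mn_side
    print({name: key.hex() for name, key in mn_side.items()})
```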
      +--------------+                    +--------------+
      |              |------------------->|              |
      |     AAAF     |                    |     AAAH     |
      |              |<-------------------|              |
      +--------------+                    +--------------+
         ^   |                                ^   |
         |   |                                |   |
         |   v                                |   v
   +-----+      +--------------+                    +--------------+
   |     |      |              |                    |              |
   | MS  |----->|   PDSN/FA    |------------------->|  Home Agent  |
   |     |<-----|              |<-------------------|              |
   +-----+      +--------------+                    +--------------+

                      Figure 3 (3G Wireless Network)

   If this scheme is applied to the 3GPP2 Wireless Network in Figure 3,
   the Mobile Station (MS) shall update its pre-assigned MN-AAA shared
   secret by running HMAC-MD5 with its NAI, the Foreign Agent Challenge
   and the MN-AAA key as input. Then the MS shall create the MN-HA
   shared secret by running HMAC-MD5 with its NAI, the Foreign Agent
   Challenge and the newly generated MN-AAA key as input. When the AAAH
   receives the AAA message relayed from the AAAF, the AAAH shall update
   the MN-AAA shared secret for that MS using the same parameters from
   the AAA message. Upon completing the MN-AAA authentication, the AAAH
   shall generate the MN-HA shared secret using the same parameters that
   the MS used. How the Home Agent obtains the MN-HA shared secret is up
   to the AAA protocol. In the case of the RADIUS protocol, the Home
   Agent shall send an Access Request message to fetch the MN-HA shared
   secret. In the case of the DIAMETER protocol, the MN-HA shared secret
   will be sent to the HA in the HAR message [10].

Appendix B - MN-FA shared key consideration

   The Mobile Node and the AAA can now easily derive an MN-FA shared key
   by running HMAC-MD5 with the MN-AAA shared secret, the FA's IP
   address and the MN's NAI as input. This method has better scalability
   and requires less administrative effort than provisioning MN-FA
   shared secrets. In fact it is administratively prohibitive to
   provision all MNs and FAs with static shared secrets.

References

   [1]  B. Aboba and M. Beadles. The Network Access Identifier. Request
        for Comments (Proposed Standard) 2486, Internet Engineering Task
        Force, December 1999.

   [2]  C. Perkins. IP Mobility Support.
        Request for Comments (Proposed Standard) 2002, Internet
        Engineering Task Force, October 1996.

   [3]  P. Calhoun and C. E. Perkins. Mobile IP Foreign Agent
        Challenge/Response Extension. Request for Comments (Proposed
        Standard) 3012, Internet Engineering Task Force, December 2000.

   [4]  H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for
        Message Authentication. Request for Comments (Informational)
        2104, Internet Engineering Task Force, February 1997.

   [5]  P. Calhoun and C. E. Perkins. AAA Registration Keys for Mobile
        IP. Internet Draft, Internet Engineering Task Force,
        draft-ietf-mobileip-aaa-key-06.txt (work in progress), December
        2001.

   [6]  H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for
        Message Authentication. Request for Comments (Informational)
        2104, Internet Engineering Task Force, February 1997.

   [7]  C. Rigney, A. Rubens, W. Simpson, and S. Willens. Remote
        Authentication Dial In User Service (RADIUS). Request for
        Comments (Proposed Standard) 2865, Internet Engineering Task
        Force, June 2000.

   [8]  P. Calhoun, A. Rubens, H. Akhtar, and E. Guttman. DIAMETER Base
        Protocol (work in progress). Internet Draft, Internet
        Engineering Task Force, draft-ietf-aaa-diameter-03.txt, May
        2001.

   [9]  P. Calhoun and C. E. Perkins. Mobile IP Network Access
        Identifier Extension for IPv4. Request for Comments (Proposed
        Standard) 2794, Internet Engineering Task Force, March 2000.

   [10] P. Calhoun and C. E. Perkins. Diameter Mobile IP Extensions.
        Internet Draft, Internet Engineering Task Force,
        draft-ietf-aaa-diameter-mobileip-01.txt.

Addresses

   Questions about this memo can be directed to the authors:

   JUNHYUK SONG
   SAMSUNG ELECTRONICS.
   Mobile Development Team
   Network Systems Division
   Phone: +82-31-779-6822
   Email: santajun@lycos.co.kr
   FAX: +82-31-7798769

   DongKie Leigh
   SK TELECOM
   Core Network Development Team
   Network R&D Center
   Phone: +82-2-829-4640
   Email: galahad@netsgo.com
   FAX: +82-2-829-4612

   Raymond Hsu
   Qualcomm Inc.
   Corporate R&D
   Phone: 1-858-651-3623
   Email: rhsu@qualcomm.com
   FAX: 1-858-658-5006

   CHAE YONG CHONG
   SAMSUNG ELECTRONICS.
   Mobile Development Team
   Network Systems Division
   Phone: +82-31-779-6822
   Email: cychong@samsung.com