Chapter 12
Security in the IMS
IMS security is divided into access security (specified in 3GPP TS 33.203 [28]) and
network security (specified in 3GPP TS 33.210 [29]). Access security (which we describe
in Section 12.1) includes authentication of users and the network, and protection of the
traffic between the IMS terminal and the network. Network security (which we describe
in Section 12.2) deals with traffic protection between network nodes, which may belong to
the same or to different operators.
The IMS originally supported IPsec for both access and network security
(we described IPsec in Section 11.6). Later, support for TLS was added to both access
and network (we described TLS in Section 11.3). In addition, HTTP Digest Access
Authentication and the HTTP Digest Access Authentication using Authentication and Key
Agreement (AKA) are also supported (see Section 11.1). Early deployments of IMS used
a simplified customized security solution which leveraged authentication at the GPRS level
(specified in the Technical Report 3GPP TR 33.978 [20]). Finally, a variation of the early
IMS security solution has been customized for the fixed IMS access in the so-called NASS-IMS bundled authentication. We expect new security mechanisms to be added in later IMS
releases. The following sections address all of these security aspects.
12.1 Access Security
A user accessing the IMS first needs to be authenticated and then authorized to use IMS before
they can use any IMS services. The authentication and authorization may generally lead to
the establishment of IPsec security associations between the IMS terminal and the P-CSCF,
a TLS connection between them, or it may lead to a link between the specific IP-CAN and
the IMS. This process is piggybacked on the current IMS registration process. The S-CSCF,
armed with the authentication vectors downloaded from the HSS (Home Subscriber Server),
authenticates and authorizes the user. The S-CSCF delegates the role of establishing the
access security association to/from the IMS terminal to the P-CSCF. This security association
can either be an IPsec connection, a TLS connection, or leveraged from the IP-CAN. During
the authentication process the user also authenticates the network to make sure that they are
not speaking to a forged network.
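
The mutual authentication described above can be sketched as follows. This is an added example, not code from the book: it follows the 3GPP AKA vector layout (RAND, AUTN, XRES, CK, IK), which this section refers to but does not detail. Assumptions: HMAC-SHA256 stands in for the operator's f1 to f5 functions, the SQN freshness check is simplified, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

def f(k, tag, *parts):
    # Stand-in for AKA functions f1..f5 (assumption: real networks use e.g. MILENAGE).
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hss_make_vector(k, sqn, rand=None):
    """HSS side: build one authentication vector for the S-CSCF to download."""
    rand = rand or os.urandom(16)
    amf = b"\x80\x00"                         # constructed sample value
    mac = f(k, b"f1", sqn, rand, amf)[:8]     # lets the terminal authenticate the network
    ak = f(k, b"f5", rand)[:6]                # anonymity key that masks SQN
    return {"rand": rand, "autn": xor(sqn, ak) + amf + mac,
            "xres": f(k, b"f2", rand)[:8],    # kept by the S-CSCF
            "ck": f(k, b"f3", rand)[:16],     # handed to the P-CSCF for the
            "ik": f(k, b"f4", rand)[:16]}     # IPsec security associations

def terminal_respond(k, rand, autn, last_sqn):
    """Terminal side: verify the network first, then answer the challenge."""
    ak = f(k, b"f5", rand)[:6]
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f(k, b"f1", sqn, rand, amf)[:8]):
        raise ValueError("AUTN MAC mismatch: challenge not from the home network")
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        raise ValueError("stale SQN: replayed challenge")
    return {"res": f(k, b"f2", rand)[:8],
            "ck": f(k, b"f3", rand)[:16], "ik": f(k, b"f4", rand)[:16]}

def scscf_check(vector, res):
    """S-CSCF side: the user is authenticated when RES equals XRES."""
    return hmac.compare_digest(vector["xres"], res)

if __name__ == "__main__":
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key
    av = hss_make_vector(k, (8).to_bytes(6, "big"))
    reply = terminal_respond(k, av["rand"], av["autn"], (7).to_bytes(6, "big"))
    print("user authenticated:", scscf_check(av, reply["res"]))
    rogue = hss_make_vector(os.urandom(16), (9).to_bytes(6, "big"))
    try:
        terminal_respond(k, rogue["rand"], rogue["autn"], (8).to_bytes(6, "big"))
    except ValueError as err:
        print("network rejected:", err)
```

The terminal checks the MAC in AUTN before it computes RES, so a network that does not hold the subscriber's key never obtains a response and never shares CK/IK with the terminal.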
The 3G IP Multimedia Subsystem (IMS): Merging the Internet and the Cellular Worlds, Third Edition
Gonzalo Camarillo and Miguel A. García-Martín
© 2008 John Wiley & Sons, Ltd. ISBN: 978-0-470-51662-1