O.3 Error cases in the set-up of TLS sessions
3GPP TS 33.203: 3G security; Access security for IP-based services
O.3.1 Error cases related to TLS
O.3.1.0 General
Errors related to SIP Digest failures are specified in Annex N. However, this clause additionally describes how these shall be treated in relation to security set-up.
O.3.1.1 User authentication failure
If the UE response does not match with the response calculated by the S-CSCF, the authentication of the user fails at the S-CSCF. The S-CSCF shall send a 4xx Auth_Failure message to the UE, via the P-CSCF. Afterwards, both the UE and the P-CSCF shall close the TLS connection and delete the associated TLS session if one was established.
O.3.1.2 Network authentication failure
If the UE is not able to successfully authenticate the network due to failed validation of the P-CSCF certificate, the UE shall send an alert message to the P-CSCF, which includes the failure information as specified in TLS.
O.3.1.3 Synchronisation failure
When the UE receives the challenge with the stale parameter in the WWW-Authenticate header set to TRUE, the UE shall retry the REGISTER request with a new encrypted response. The existing TLS session shall be used for the retry.
O.3.1.4 Incomplete authentication
If the UE responds to an authentication challenge from an S-CSCF, but does not receive a reply before the request times out, the UE shall start a new registration procedure if it still requires any IM services.
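The UE-side handling in O.3.1.1 to O.3.1.4, as an added illustrative sketch that is not part of the specification. The `UE` class, the action names and the string used as a TLS session handle are hypothetical; the digest uses the RFC 2617 form without qop, and any 4xx other than a stale challenge is assumed to be the Auth_Failure message.

```python
import hashlib
import re

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_challenge(header):
    """Parse a WWW-Authenticate Digest header value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or token for k, quoted, token in pairs}

def digest_response(user, realm, password, nonce, method, uri):
    # Assumption: RFC 2617 response without qop, MD5(HA1:nonce:HA2).
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class UE:
    def __init__(self, user, password, uri):
        self.user, self.password, self.uri = user, password, uri
        self.tls_session = None      # hypothetical handle for the TLS session
        self.actions = []

    def connect(self, cert_valid):
        if not cert_valid:           # O.3.1.2: P-CSCF certificate rejected
            self.actions.append("send_tls_alert")
            return False
        self.tls_session = "tls-session-1"   # constructed placeholder
        return True

    def on_response(self, status, www_authenticate=None):
        """Handle a reply to a REGISTER that already carried credentials."""
        if status == 401 and www_authenticate:
            ch = parse_challenge(www_authenticate)
            if ch.get("stale", "").lower() == "true":   # O.3.1.3
                resp = digest_response(self.user, ch["realm"], self.password,
                                       ch["nonce"], "REGISTER", self.uri)
                return ("REGISTER", self.tls_session, resp)  # same session
        if 400 <= status < 500:      # O.3.1.1 (assumed: any other 4xx)
            self.tls_session = None  # close connection, delete session
            return ("close_tls", None, None)
        return ("ok", self.tls_session, None)

    def on_timeout(self, needs_im_services):   # O.3.1.4
        return "new_registration" if needs_im_services else "idle"
```
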
O.3.2 Error cases related to the Security-Set-Up
The requirements in clauses 7.3.2.1 and 7.3.2.2 apply.