9 Authentication
34.229-13GPPInternet Protocol (IP) multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP)Part 1: Protocol conformance specificationRelease 16TSUser Equipment (UE) conformance specification
9.1 Invalid Behaviour – MAC Parameter Invalid
9.1.1 Definition
To test that the UE when receiving a 401 (Unauthorized) response with an invalid MAC value to its initial REGISTER request behaves correctly. This procedure is described in 3GPP TS 24.229 [10] clause 5.1.1.5.
9.1.2 Conformance requirement
[TS 24.229, clause 5.1.1.5.1]
Authentication is performed during initial registration. A UE can be re-authenticated during subsequent reregistrations, deregistrations or registrations of additional public user identities. When the network requires authentication or re-authentication of the UE, the UE will receive a 401 (Unauthorized) response to the REGISTER request.
On receiving a 401 (Unauthorized) response to the REGISTER request, the UE shall:
1) extract the RAND and AUTN parameters;
2) check the validity of a received authentication challenge, as described in 3GPP TS 33.203 [19] i.e. the locally calculated XMAC must match the MAC parameter derived from the AUTN part of the challenge; and the SQN parameter derived from the AUTN part of the challenge must be within the correct range; and
…
[TS 24.229 Rel-12, clause 5.1.1.5.3]
If, in a 401 (Unauthorized) response, either the MAC or SQN is incorrect the UE shall respond with a further REGISTER indicating to the S-CSCF that the challenge has been deemed invalid as follows:
– in the case where the UE deems the MAC parameter to be invalid the subsequent REGISTER request shall contain no "auts" Authorization header field parameter and an empty "response" Authorization header field parameter, i.e. no authentication challenge response;
– in the case where the UE deems the SQN to be out of range, the subsequent REGISTER request shall contain the "auts" Authorization header field parameter (see 3GPP TS 33.102 [18]).
NOTE: In the case of the SQN being out of range, a "response" Authorization header field parameter can be included by the UE, based on the procedures described in RFC 3310 [49].
Whenever the UE detects any of the above cases, the UE shall:
– send the REGISTER request using an existing set of security associations, if available (see 3GPP TS 33.203 [19]);
– populate a new Security-Client header field within the REGISTER request and associated contact address, set to specify the security mechanisms it supports, the IPsec layer algorithms for integrity and confidentiality protection it supports and the parameters needed for the new security association setup. These parameters shall contain new values for spi_uc, spi_us and port_uc; and
– not create a temporary set of security associations.
9.1.3 Test purpose
1) To verify that after receiving a 401 (Unauthorized) response for the initial REGISTER sent, the UE checks that the locally calculated XMAC matches the MAC parameter derived from the AUTN part of the challenge.
2) If the value of MAC derived from the AUTN part of the 401 (Unauthorized) response received by the UE does not match the value of locally calculated XMAC:
– the UE responds with a further REGISTER indicating that the challenge has been deemed invalid; and
– this subsequent REGISTER request contains no "auts” Authorization header field parameter and an empty "response" Authorization header field parameter, i.e. no authentication challenge response; and
– the UE populates a new Security-Client header field within the REGISTER request and associated contact address, set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup. These parameters contain new values for spi_uc, spi_us and port_uc; and
– the UE does not create a temporary set of security associations.
9.1.4 Method of test
Initial conditions
UE contains either ISIM and USIM applications or only USIM application on UICC. UE is not registered to IMS services, but executed the generic test procedure in Annex C.2 up to step 3.
SS is configured with the shared secret key of IMS AKA algorithm, related to the IMS private user identity (IMPI) configured on the UICC card equipped into the UE. SS is able to perform AKAv1-MD5 authentication algorithm for that IMPI, according to 3GPP TS 33.203 [14] clause 6.1 and RFC 3310 [17]. SS is listening to SIP default port 5060 for both UDP and TCP protocols.
Test procedure
1) IMS registration is initiated on the UE. SS waits for the UE to send an initial REGISTER request, in accordance to 3GPP TS 24.229 [10], clause 5.1.1.2
2) SS responds to the initial REGISTER request with an invalid 401 Unauthorized response, headers populated as follows:
a) To, From, Via, CSeq, Call-ID and Content-Length headers according to RFC 3261 [15] clauses 8.2.6.2 and 20.14; and
b) WWW-Authentication header with AKAv1-MD5 authentication challenge according to 3GPP TS 24.229 [10], clause 5.4.1.2.1 and RFC 3310 [17] clause 3; except that the MAC value in AUTN should be incorrect
c) Security-Server header according to 3GPP TS 24.229 [10], clause 5.2.2 and RFC 3329 [21] clause 2.
3) SS waits for the UE to send a second Registration message indicating that the received 401 Unauthorized message was invalid
4) SS sends an invalid 401 Unauthorized message, same as in step 2)
5) SS waits for the UE to send a third Registration message indicating that the received 401 Unauthorized message was invalid
6) – 12) SS completes the registration procedure (to get the UE in a stable state at the end of the test case).
Expected sequence
|
Step |
Direction |
Message |
Comment |
|
|
UE |
SS |
|||
|
1 |
🡪 |
REGISTER |
UE sends initial registration for IMS services. |
|
|
2 |
🡨 |
401 Unauthorized |
The SS responds with an invalid AKAv1-MD5 authentication challenge with an invalid MAC value. |
|
|
3 |
🡪 |
REGISTER |
REGISTER request: – contains no AUTS directive and an empty response directive, i.e. no authentication challenge response – UE populates a new Security-Client header set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup |
|
|
4 |
🡨 |
401 Unauthorized |
The SS responds with an invalid AKAv1-MD5 authentication challenge with an invalid MAC value. |
|
|
5 |
🡪 |
REGISTER |
REGISTER request: – contains no AUTS directive and an empty response directive, i.e. no authentication challenge response – UE populates a new Security-Client header set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup |
|
|
6 |
🡨 |
401 Unauthorized |
The SS responds with a valid AKAv1-MD5 authentication challenge and security mechanisms supported by the network. |
|
|
7 |
🡪 |
REGISTER |
UE completes the security negotiation procedures, sets up a temporary set of SAs and uses those for sending another REGISTER with AKAv1-MD5 credentials. |
|
|
8 |
🡨 |
200 OK |
The SS responds with 200 OK. |
|
|
9 |
🡪 |
SUBSCRIBE |
UE subscribes to its registration event package. |
|
|
10 |
🡨 |
200 OK |
The SS responds SUBSCRIBE with 200 OK |
|
|
11 |
🡨 |
NOTIFY |
The SS sends initial NOTIFY for registration event package, containing full registration state information for the registered public user identity in the XML body |
|
|
12 |
🡪 |
200 OK |
The UE responds the NOTIFY with 200 OK |
|
Specific message contents
REGISTER (Step 1)
Use the default message “REGISTER” in annex A.1.1 with condition A1.
401 UNAUTHORIZED (Steps 2 and 4)
Use the default message “401 Unauthorized for REGISTER” in annex A.1.2 with the following exceptions:
|
Header/param |
Value/remark |
|---|---|
|
WWW-Authenticate |
|
|
nonce |
Base 64 encoding of RAND and AUTN, incorrect MAC value is used to generate |
REGISTER (Steps 3 and 5)
Use the default message “REGISTER” in annex A.1.1 with condition A1 with the following exceptions:
|
Header/param |
Value/remark |
|---|---|
|
CSeq |
|
|
value |
The value sent in the previous REGISTER message + 1 (incremented) |
|
Call-ID |
|
|
callid |
The same value as in REGISTER in Step 1 |
|
Authorization |
|
|
response |
It shall be present but empty |
|
auth-param |
If present it shall not contain the auts directive |
|
nonce-count |
value or presence of the parameter not to be checked |
|
Security-Client |
|
|
spi-c |
new SPI number of the inbound SA at the protected client port, must be different from the value used in step 1 (and step 3 when in step 5) |
|
spi-s |
new SPI number of the inbound SA at the protected server port, must be different from the value used in step 1 (and step 3 when in step 5) |
|
port-c |
new protected client port needed for the setup of new pairs of security associations, must be different from the value used in step 1 (and step 3 when in step 5) |
9.1.5 Test requirements
SS shall check in step 3 and 5 that in accordance to the 3GPP TS 24.229 [10] clause 5.1.1.5
– the UE responds with a further REGISTER indicating to the S-CSCF that the challenge has been deemed invalid; and
– sends the REGISTER request using no security associations; and
– the REGISTER request contains no AUTS directive and an empty response directive, i.e. no authentication challenge; and
– populates a new Security-Client header within the REGISTER request, set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup; and
– does not create a temporary set of security associations.
9.2 Invalid Behaviour – SQN out of range
9.2.1 Definition
To test that the UE when receiving a 401 (Unauthorized) response with SQN out of range to its initial REGISTER request behaves correctly. This procedure is described in 3GPP TS 24.229 [10] clause 5.1.1.5.
To test after a failed authentication attempt that the UE when receiving a valid 401 (Unauthorized) response to its initial REGISTER request behaves correctly. This procedure is described in 24.229 [10] clause 5.1.1.5.
9.2.2 Conformance requirement
[TS 24.229, clause 5.1.1.5.1]
Authentication is performed during initial registration. A UE can be re-authenticated during subsequent reregistrations, deregistrations or registrations of additional public user identities. When the network requires authentication or re-authentication of the UE, the UE will receive a 401 (Unauthorized) response to the REGISTER request.
On receiving a 401 (Unauthorized) response to the REGISTER request, the UE shall:
1) extract the RAND and AUTN parameters;
2) check the validity of a received authentication challenge, as described in 3GPP TS 33.203 [19] i.e. the locally calculated XMAC must match the MAC parameter derived from the AUTN part of the challenge; and the SQN parameter derived from the AUTN part of the challenge must be within the correct range; and
…
[TS 24.229 Rel-12, clause 5.1.1.5.3]
If, in a 401 (Unauthorized) response, either the MAC or SQN is incorrect the UE shall respond with a further REGISTER indicating to the S-CSCF that the challenge has been deemed invalid as follows:
– in the case where the UE deems the MAC parameter to be invalid the subsequent REGISTER request shall contain no "auts" Authorization header field parameter and an empty "response" Authorization header field parameter, i.e. no authentication challenge response;
– in the case where the UE deems the SQN to be out of range, the subsequent REGISTER request shall contain the "auts" Authorization header field parameter (see 3GPP TS 33.102 [18]).
NOTE: In the case of the SQN being out of range, a "response" Authorization header field parameter can be included by the UE, based on the procedures described in RFC 3310 [49].
Whenever the UE detects any of the above cases, the UE shall:
– send the REGISTER request using an existing set of security associations, if available (see 3GPP TS 33.203 [19]);
– populate a new Security-Client header field within the REGISTER request and associated contact address, set to specify the security mechanisms it supports, the IPsec layer algorithms for integrity and confidentiality protection it supports and the parameters needed for the new security association setup. These parameters shall contain new values for spi_uc, spi_us and port_uc; and
– not create a temporary set of security associations.
9.2.3 Test purpose
1) To verify that after receiving a 401 (Unauthorized) response for the initial REGISTER sent, the UE checks that the SQN parameter derived from the AUTN part of the authentication challenge is within the correct range.
2) If the value of SQN derived from the AUTN part of the 401 (Unauthorized) received by the UE is out of range:
– the UE responds with a further REGISTER indicating that the challenge has been deemed invalid; and
– this subsequent REGISTER request contains no "auts” Authorization header field parameter and an empty "response" Authorization header field parameter, i.e. no authentication challenge response; and
– the UE populates a new Security-Client header field within the REGISTER request and associated contact address, set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup. These parameters contain new values for spi_uc, spi_us and port_uc; and
– the UE does not create a temporary set of security associations.
3) To verify after a failed authentication attempt if the UE receives a valid 401 (Unauthorized) message from the network in response to the Register request sent, the UE is able to perform the authentication and registration successfully.
9.2.4 Method of test
Initial conditions
UE contains either ISIM and USIM applications or only USIM application on UICC. UE is not registered to IMS services, but has discovered the SS as P-CSCF by executing the generic test procedure in Annex C.2 up to step 3.
SS is configured with the shared secret key of IMS AKA algorithm, related to the IMS private user identity (IMPI) configured on the UICC card equipped into the UE. SS is able to perform AKAv1-MD5 authentication algorithm for that IMPI, according to 3GPP TS 33.203 [14] clause 6.1 and RFC 3310 [17]. SS is listening to SIP default port 5060 for both UDP and TCP protocols.
Test procedure
1) IMS registration is initiated on the UE. SS waits for the UE to send an initial REGISTER request, in accordance to 3GPP TS 24.229 [10], clause 5.1.1.2
2) SS responds to the initial REGISTER request with an invalid 401 Unauthorized response, headers populated as follows:
a) To, From, Via, CSeq, Call-ID and Content-Length headers according to RFC 3261 [15] clauses 8.2.6.2 and 20.14; and
b) WWW-Authentication header with AKAv1-MD5 authentication challenge according to 3GPP TS `24.229 [10], clause 5.4.1.2.1 and RFC 3310 [17] clause 3; except that the SQN value in AUTN should be out of range
c) Security-Server header according to 3GPP TS 24.229 [10], clause 5.2.2 and RFC 3329 [21] clause 2.
3) SS waits for the UE to send a second Registration message indicating that the received 401 Unauthorized message was invalid
4) SS sends a valid 401 Unauthorized message to the UE
5) SS waits for the UE to send a Registration request using the temporary set of security associations to protect the message. The Registration request shall contain the valid answer to the authentication challenge in 401 Unauthorized sent in the previous step
6) Continue test execution with the Generic test procedure in Annex C.2, step 7, sent over the same temporary set of security associations that the UE used for sending the REGISTER request
Expected sequence
|
Step |
Direction |
Message |
Comment |
|
|
UE |
SS |
|||
|
1 |
🡪 |
REGISTER |
UE sends initial registration for IMS services. |
|
|
2 |
🡨 |
401 Unauthorized |
The SS responds with an invalid AKAv1-MD5 authentication challenge with SQN out of range. |
|
|
3 |
🡪 |
REGISTER |
REGISTER request: – contains AUTS directive – UE populates a new Security-Client header set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup. |
|
|
4 |
🡨 |
401 Unauthorized |
This is a valid 401 (Unauthorized) message. |
|
|
5 |
🡪 |
REGISTER |
Message is sent using the temporary set of security associations to protect the message. Contains the valid answer to the authentication challenge sent in the 401 (Unauthorized) message. |
|
|
6 |
🡨🡪 |
Continue with Annex C.2 step 7 |
Execute the Generic test procedure Annex C.2 steps 7-11 in order to get the UE in a stable registered state. |
|
Specific message contents
REGISTER (Step 1)
Use the default message “REGISTER” in annex A.1.1 with condition A1.
401 UNAUTHORIZED (Step 2)
Use the default message “401 Unauthorized for REGISTER” in annex A.1.2 with the following exceptions:
|
Header/param |
Value/remark |
|---|---|
|
WWW-Authenticate |
|
|
nonce |
Base 64 encoding of RAND and AUTN, generated with SQN out of range with the AMF information field set to AMFRESYNCH value to trigger SQN re-synchronisation procedure in test ISIM/USIM, see TS 34.108 clause 8.1.2.2. |
REGISTER (Step 3)
Use the default message “REGISTER” in annex A.1.1 with condition A1 with the following exceptions:
|
Header/param |
Value/remark |
|---|---|
|
CSeq |
|
|
value |
The value sent in the previous REGISTER message + 1 (incremented) |
|
Call-ID |
|
|
callid |
The same value as in REGISTER in Step 1 |
|
Authorization |
|
|
nonce |
Same value as the opaque value in the previous 401 UNAUTHORIZED message |
|
opaque |
Same value as the opaque value in the previous 401 UNAUTHORIZED message |
|
response |
parameter may exist, but value not to be checked |
|
auth-param |
auts= “auts-value”, auts-value not to be checked |
|
nonce-count |
value or presence of the parameter not to be checked |
|
Security-Client |
|
|
spi-c |
new SPI number of the inbound SA at the protected client port, must be different from the value used in step 1 |
|
spi-s |
new SPI number of the inbound SA at the protected server port, must be different from the value used in step 1 |
|
port-c |
new protected client port needed for the setup of new pairs of security associations, must be different from the value used in step 1 |
REGISTER (Step 5)
Use the default message “REGISTER” in annex A.1.1 with condition A2.
9.2.5 Test requirements
SS shall check in step 3 that in accordance to the 3GPP TS 24.229 [10] clause 5.1.1.5
– the UE responds with a further REGISTER indicating to the S-CSCF that the challenge has been deemed invalid; and
– sends the REGISTER request using no security associations; and
– the REGISTER request contains "auts” Authorization header field parameter; and
– populates a new Security-Client header within the REGISTER request, set to specify the security mechanism it supports, the IPsec layer algorithms it supports and the parameters needed for the new security association setup; and
– does not create a temporary set of security associations.
SS shall check in step 5 that in accordance to the 3GPP TS 24.229 [10] clause 5.1.1.5
– the UE sets up the temporary set of security associations between the ports announced in Security-Client header (UE) in the REGISTER request and Security-Server header (SS) in the 401 Unauthorized response; and
– sends the Registration request using the temporary set of security associations to protect the message.