O.2.3 TLS session set-up prior to Initial registration

The set-up of the TLS session between the UE and the P-CSCF is based on the TLS profile specified in clause O.2.1. Annex H of this specification describes the parameters of RFC 3329 [21] for the set-up of TLS sessions during Initial registration.

NOTE 1: The sip-sec-agree negotiation according to RFC 3329 [21] is not used for this TLS variant.

The following describes how TLS session set-up is performed prior to the initial registration procedure described in Annex N.2.1.1 (Figure N.1):

- Prior to SM1 the UE performs a TLS handshake with the P-CSCF; the UE shall not re-use an existing TLS connection for initial registrations.
- After successful establishment of a TLS connection, the UE sends SM1 over this TLS connection. All subsequent messages will be sent over this TLS connection.
  NOTE 2: Sec-agree is not used as TLS is selected from start.
- When the P-CSCF receives SM7, the P-CSCF then sends SM8, together with a TLS integrity protection indicator indicating the logical value "authentication pending".
- The S-CSCF receives this message as SM9 and treats it according to Annex N. If the authentication of the UE is successful the S-CSCF shall associate the registration with the local state "tls-protected".
- When the P-CSCF receives message SM11 (200 OK) it shall associate the UE's IP address and port of the TLS connection with the TLS Session ID, the IMPI and all the successfully registered IMPUs related to that IMPI. From this point on, the P-CSCF shall not accept any SIP signalling messages outside the TLS connection other than messages relating to emergency services in accordance with TS 24.229 [8] and TS 23.167 [31].
- After the UE has received SM12 it shall not accept any SIP signalling messages outside the TLS connection other than messages relating to emergency services in accordance with TS 24.229 [8] and TS 23.167 [31].

An S-CSCF shall accept a REGISTER message with a TLS integrity protection indicator indicating "authentication pending" only if it contains a verifiable Digest value computed over a valid challenge according to Annex N.

NOTE 3: The S-CSCF may have a local security policy to treat messages other than initial REGISTER messages, messages relating to emergency services, and error messages, differently depending on whether the registration is associated with the state "tls-protected".

3GPP TS 33.203 V12.67.0 (2014-0609), Release 12
O.3 Error cases in the set-up of TLS sessions

O.3.1 Error cases related to TLS

O.3.1.0 General

Errors related to SIP Digest failures are specified in Annex N. However, this clause additionally describes how these shall be treated, related to security setup.

O.3.1.1 User authentication failure

If the UE response does not match with the response calculated by the S-CSCF, the authentication of the user fails at the S-CSCF. The S-CSCF shall send a 4xx Auth_Failure message to the UE, via the P-CSCF. Afterwards, both the UE and the P-CSCF shall close the TLS connection and delete the associated TLS session if one was established.
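
The state handling in O.2.3 and the failure case in O.3.1.1 can be modelled as follows. This is an added example, not code from the specification or from any 3GPP implementation; the class, method and field names are hypothetical, and the Digest check of Annex N is represented only by a boolean input.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Conn:
    """Transport a SIP message arrived on (hypothetical model)."""
    ip: str
    port: int
    tls_session_id: Optional[str]  # None means the message did not arrive over TLS

@dataclass
class PCscf:
    pending: dict = field(default_factory=dict)   # IMPI -> Conn, between SM1 and SM11
    bindings: dict = field(default_factory=dict)  # IMPU -> (Conn, IMPI), set at SM11

    def on_sm1(self, conn, impi):
        # SM1 is only valid on a TLS connection established before it.
        if conn.tls_session_id is None:
            return False
        self.pending[impi] = conn
        return True

    def on_sm7(self, impi):
        # SM8 is forwarded with the indicator set to "authentication pending".
        return {"impi": impi, "tls_indicator": "authentication pending"}

    def on_sm11_200_ok(self, impi, impus):
        # Bind IP, port and TLS Session ID to the IMPI and its registered IMPUs.
        conn = self.pending.pop(impi)
        for impu in impus:
            self.bindings[impu] = (conn, impi)

    def on_auth_failure(self, impi):
        # O.3.1.1: drop state; the caller closes the connection and deletes the session.
        return self.pending.pop(impi, None)

    def accepts(self, conn, impu, emergency=False):
        # After SM11: only the bound TLS connection, or emergency signalling
        # (its handling per TS 24.229 / TS 23.167 is not modelled here).
        # Assumption: an IMPU with no binding is rejected by this sketch.
        if emergency:
            return True
        bound = self.bindings.get(impu)
        return bound is not None and bound[0] == conn

def scscf_register_state(sm9, digest_verified):
    # "authentication pending" is honoured only with a verifiable Digest value.
    if sm9["tls_indicator"] == "authentication pending" and digest_verified:
        return "tls-protected"
    return None  # reject; a 4xx Auth_Failure goes back via the P-CSCF
```

Because the binding compares the whole connection tuple, a message from the same IP address and port that arrives without TLS, or under a different TLS Session ID, does not match it.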