2 The client shall include the Security-Client header in the first protected request. In other words, the first protected request shall include both Security-Verify and Security-Client header fields.

3 The server shall check that the content of Security-Client headers received in previous steps (1 and 2) are the same.

Mech-parameters: Of the mech-parameters, only preference is relevant when the mechanism-name has the value "tls".

3GPP TS 33.203 V12.67.0 (2014-0609), Release 12
Preference: As defined in RFC 3329 [21].

Algorithm: Defines the authentication algorithm. The algorithm parameter is mandatory.

Protocol: Defines the IPsec protocol. May have a value "ah" or "esp". If no Protocol parameter is present, the value will be "esp".

NOTE 1: According to clause 6 only "esp" (RFC 4303 [54]) is allowed for use in IMS.

Mode: Defines the mode in which the IPsec protocol is used. May have a value "trans" for transport mode, and value "tun" for tunneling mode. If no Mode parameter is present, the value will be "trans".

NOTE 2: According to clause 6.3 ESP integrity shall be applied in transport mode i.e. only "trans" is allowed for use in IMS.

Encrypt-algorithm: If present, defines the encryption algorithm. The value "aes-cbc" refers to the algorithm defined in IETF RFC 3602 [22]. If no Encrypt-algorithm parameter is present, the algorithm will be "null".

Spi-c: Defines the SPI number of the inbound SA at the protected client port.

Spi-s: Defines the SPI number of the inbound SA at the protected server port.

Port-c: Defines the protected client port.

Port-s: Defines the protected server port.

It is assumed that the underlying IPsec implementation supports selectors that allow all transport protocols supported by SIP to be protected with a single SA.
Annex I (normative): Key expansion functions for IPsec ESP

Integrity Keys:

If the selected authentication algorithm is HMAC-MD5-96 then $IK_{ESP} = IK_{IM}$.

If the selected authentication algorithm is HMAC-SHA-1-96 then $IK_{ESP}$ is obtained from $IK_{IM}$ by appending 32 zero bits to the end of $IK_{IM}$ to create a 160-bit string.

Encryption Keys:

Divide $CK_{IM}$ into two blocks of 64 bits each:

$CK_{IM} = CK_{IM1} \| CK_{IM2}$

where $CK_{IM1}$ are the 64 most significant bits and $CK_{IM2}$ are the 64 least significant bits.

The key for DES-EDE3-CBC is then defined to be:

$CK_{ESP} = CK_{IM1} \| CK_{IM2} \| CK_{IM1}$,

after adjusting parity bits to comply with RFC 2451 [20].

If selected encryption algorithm is AES-CBC as specified in RFC 3602 [22] with 128 bit key then $CK_{ESP} = CK_{IM}$.
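The Annex I rules above, written out as an added Python example (not part of TS 33.203 itself). The function names and the lowercase algorithm labels are assumptions of this example; IK_IM and CK_IM are taken to be 128-bit values, as the annex's bit counts imply.

```python
"""Added example: Annex I key expansion for IPsec ESP (names are hypothetical)."""

KEY_LEN = 16  # IK_IM and CK_IM are 128-bit values


def _check_len(key: bytes, name: str) -> None:
    if len(key) != KEY_LEN:
        raise ValueError(f"{name} must be {KEY_LEN} bytes, got {len(key)}")


def expand_integrity_key(ik_im: bytes, auth_alg: str) -> bytes:
    """Derive IK_ESP from IK_IM for the selected authentication algorithm."""
    _check_len(ik_im, "IK_IM")
    if auth_alg == "hmac-md5-96":
        return ik_im
    if auth_alg == "hmac-sha-1-96":
        # 32 appended zero bits give a 160-bit key; the entropy stays at 128 bits.
        return ik_im + b"\x00" * 4
    raise ValueError(f"unsupported authentication algorithm: {auth_alg!r}")


def _set_odd_parity(byte: int) -> int:
    """DES convention: the low bit of each key byte makes its bit count odd."""
    high7 = byte & 0xFE
    parity_bit = 0 if bin(high7).count("1") % 2 else 1
    return high7 | parity_bit


def expand_encryption_key(ck_im: bytes, enc_alg: str) -> bytes:
    """Derive CK_ESP from CK_IM for the selected encryption algorithm."""
    _check_len(ck_im, "CK_IM")
    if enc_alg == "aes-cbc":
        return ck_im
    if enc_alg == "des-ede3-cbc":
        ck_im1, ck_im2 = ck_im[:8], ck_im[8:]  # most / least significant 64 bits
        # CK_IM1 || CK_IM2 || CK_IM1: first and third DES keys are identical,
        # so this is two-key triple DES built from 128 bits of input.
        return bytes(_set_odd_parity(b) for b in ck_im1 + ck_im2 + ck_im1)
    raise ValueError(f"unsupported encryption algorithm: {enc_alg!r}")


if __name__ == "__main__":
    sample = bytes(range(16))  # constructed sample key, not a real IK_IM/CK_IM
    print("IK_ESP (SHA-1):", expand_integrity_key(sample, "hmac-sha-1-96").hex())
    print("CK_ESP (3DES): ", expand_encryption_key(sample, "des-ede3-cbc").hex())
```
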
Annex J (informative): Recommendations to protect the IMS from UEs bypassing the P-CSCF

After the UE does a successful SIP REGISTER with the P-CSCF, a malicious UE could try to send SIP messages directly to the S-CSCF. This could imply that the UE would be able to bypass the integrity protection provided by IPsec ESP between the UE and the P-CSCF.