行動通信全IP網路的安全機制

Abstract

在全球行動通信系統（UMTS）全IP（All-IP）架構中，IP多媒體子系統（IMS）提供IP多媒體服務供行動用戶使用。依照網路的功能，UMTS全IP架構可以分成三個部份：IP多媒體子系統（IMS）、應用與服務網路、以及無線存取網路。透過無線存取網路，行動用戶可以存取IMS提供的IP多媒體服務；而應用與服務網路則提供彈性且有效率的開發平台，供IP多媒體服務的發展與建置。本論文探討UMTS全IP架構裡的安全機制議題，包括：認證、授權、以及保密機制。在提供IP多媒體服務之前，應用與服務網路需要跟IMS完成雙向認證；而為了能安全的存取IP多媒體服務，行動用戶亦需要跟UMTS全IP網路執行認證與保密機制。 在這篇論文的第一部份，我們探討應用與服務網路跟IMS之間的認證授權機制。我們透過開放式服務存取（OSA）來描述應用與服務網路的設計概念；並介紹OSA應用伺服器提供IP多媒體服務之前，所執行的雙向認證流程。 在本論文的第二部份，我們著重在UMTS全IP網路的認證與保密機制。首先，我們探討在無線存取網路裡的認證機制：當透過無線存取網路來接取IP多媒體服務之前，行動用戶需與UMTS全IP網路達成雙向認證。然而，當行動用戶換手（Handoff）時，雙向認證的步驟會產生長時間的延遲，可能會中斷使用中的服務。為了解決這一問題，我們分別在無線區域網路（WLAN）與全球互通微波存取（WiMAX）系統中，研究如何省略不必要的認證步驟。執行完認證機制後，行動用戶還需執行保密機制來確保存取的資料不會被竊取。本論文以點對點加密簡訊服務（SMS）來介紹UMTS全IP網路的保密機制。SMS加密服務提供行動用戶跟應用與服務網路間保密的訊息交換機制。我們在標準的UMTS網路中，實作出二套SMS加密機制，並且評估加密的額外負擔。 以上的研究成果提供讀者在研究UMTS全IP網路裡認證與保密機制的議題上，可供參考之基礎。

The IP Multimedia Core Network Subsystem (IMS) provides the IP multimedia services on the Universal Mobile Telecommunications System (UMTS) all-IP network. According to the network functionalities, the UMTS-all-IP architecture can be partitioned into three categories: IMS network, application and service network, and wireless access networks. Through the wireless access networks, the Mobile Station (MS) can access the IMS network for IP multimedia services. The application and service network supports flexible and efficient approaches for services development and deployment. This dissertation focuses on the authentication and security mechanisms in this UMTS all-IP architecture. Before providing IMS services, the application and service network should perform the authentication mechanism with the IMS network. Moreover, for secure IMS service access, the MS should perform the authentication and security mechanisms with the UMTS-all-IP network. In the first part of this dissertation, we study on the authentication mechanism between the IMS network and the application and service network. We utilize the Open Service Access (OSA) to illustrate the concept of the application and service network, and study how the OSA Application Server (AS) mutually authenticates with OSA Framework before providing services. In the second part of this dissertation, we demonstrate on the authentication and security mechanisms performed in the UMTS all-IP network. First, we study the authentication mechanism in the wireless access network. Before accessing services through the wireless access networks, the MS should authenticate with the UMTS all-IP network. However, the execution of authentication on handoff may incur long delay and result in force-termination for real-time applications. To address this issue, we investigate how to eliminate the non-necessary authentication cost in Wireless Local Area Network (WLAN) and mobile Worldwide Interoperability for Microwave Access (WiMAX). After authentication, the MS should perform the security mechanism for secure service access. Thus we utilize the end-to-end secure Short Message Service (SMS) to illustrate the security mechanism between the MS and the application and service network. We implement two secure SMS mechanisms over the standard SMS network and estimate the encryption overhead. These research results presented in this dissertation can be viewed as a useful foundation for further UMTS all-IP network study in authentication and security mechanisms.