The Universal Mobile Telecommunications System (UMTS) is one of the new ‘third generation’ (3G) mobile cellular communication systems. UMTS builds on the success of the ‘second generation’ GSM system. One of the factors in the success of GSM has been its security features. New services introduced in UMTS require new security features to protect them. In addition, certain real and perceived shortcomings of GSM security need to be addressed in UMTS.
UMTS provides mutual authentication between the UMTS subscriber, represented by a smart card application known as the USIM, and the network, in the following sense.
Subscriber authentication: the serving network corroborates the identity of the subscriber.
Network authentication: the subscriber corroborates that he is connected to a serving network that is authorised, by the subscriber's home network, to provide ??
Signalling data integrity and origin authentication
Integrity algorithm agreement: the mobile station and the serving network can securely negotiate the integrity algorithm that they use.
Integrity key agreement: the mobile and the network agree on an integrity key that they may use subsequently; this provides entity authentication.
User traffic confidentiality
Ciphering algorithm agreement: the mobile station and the network can securely negotiate the ciphering algorithm that they use.
Cipher key agreement: the mobile station and the network agree on a cipher key that they may use.
Confidentiality of user and signalling data: neither user data nor sensitive signalling data can be overheard on the radio access interface.
Network domain security
The term ‘network domain security’ in 3G covers the security of communication between network elements. In particular, the mobile station is not affected by network domain security. The two communicating network elements may both be in the same network, administered by one mobile operator, or they may belong to two different networks.
MAPSEC
The basic idea of MAPSEC can be described as follows. The plaintext MAP message is encrypted and the result is put into a ‘container’ in another MAP message. At the same time a cryptographic checksum, i.e. a message authentication code covering the original message, is included in the new MAP message. To be able to use encryption and message authentication codes, keys are needed. MAPSEC has borrowed the notion of a security association from IPsec.
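The container construction described above, as an added illustration that is not part of the original text or of any 3GPP specification: a security association (identified by an SPI, the notion borrowed from IPsec) supplies an encryption key and a MAC key; the plaintext MAP message is encrypted, a MAC over the original message is attached, and the receiver looks up the SA, decrypts, and discards the message unless the MAC verifies. The HMAC-based keystream, the `SecurityAssociation` class and the header layout are assumptions standing in for the real cipher and wire format.

```python
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example. The keystream below is an HMAC-SHA256 counter construction
# standing in for the real MAPSEC cipher; the layout is illustrative, not the wire format.

@dataclass(frozen=True)
class SecurityAssociation:
    """Keys for one protected MAP relationship, identified by an SPI (IPsec-style SA)."""
    spi: int
    enc_key: bytes
    mac_key: bytes

# Container header: SPI | IV | MAC, followed by the encrypted MAP message.
HEADER = struct.Struct(">I16s32s")

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, iv) with a block counter (assumed PRF)."""
    blocks = [hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def protect(sa: SecurityAssociation, map_message: bytes) -> bytes:
    """Encrypt the plaintext MAP message and attach a MAC covering the original message."""
    iv = os.urandom(16)
    ks = _keystream(sa.enc_key, iv, len(map_message))
    ciphertext = bytes(p ^ k for p, k in zip(map_message, ks))
    mac = hmac.new(sa.mac_key, map_message, hashlib.sha256).digest()
    return HEADER.pack(sa.spi, iv, mac) + ciphertext

def unprotect(sa_db: Dict[int, SecurityAssociation], container: bytes) -> Optional[bytes]:
    """Look up the SA by SPI, decrypt, and return the MAP message only if the MAC verifies."""
    if len(container) < HEADER.size:
        return None
    spi, iv, mac = HEADER.unpack_from(container)
    sa = sa_db.get(spi)
    if sa is None:
        return None  # unknown SA: no keys with which to check the message
    ciphertext = container[HEADER.size:]
    ks = _keystream(sa.enc_key, iv, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    expected = hmac.new(sa.mac_key, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # modified in transit or wrong keys: discard, never act on it
    return plaintext
```

Because the MAC covers the plaintext, the receiver has to decrypt before it can verify anything; a deployment would normally also bind the header and ciphertext into the MAC so that a forged SPI or IV is rejected before decryption.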
A 3G IMS (IP Multimedia Subsystem) subscriber has one IP multimedia private identity (IMPI) and at least one IP multimedia public identity (IMPU). To participate in multimedia sessions, an IMS subscriber must register at least one IMPU with the IMS. The private identity is used only for authentication purposes.