Content for TR 33.926 Word version: 19.1.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… N… O… P… Q… R… S… T… U… V… W… X… Y…

O Aspects specific to the IMS network product classes |R17| p. 74

O.1 Network product class description for the IMS p. 74

O.1.1 Introduction p. 74

This Annex covers the aspects specific to the IMS network products with specific threats.

O.1.2 Minimum set of functions defining the IMS network product classes p. 74

As part of the IMS network products, it is expected that the IMS network product classes (e.g. P-CSCF) contains IMS network product classes application, a set of running processes (typically more than one) executing the software package for the IMS network product functions and OAM functions that are specific to the IMS network product model. Functionalities specific to the IMS network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.226.

O.2 Assets and threats specific to the P-CSCF p. 74

O.2.1 Critical assets p. 74

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the P-CSCF to be protected are:

P-CSCF Application;
IMS signalling;
Security data, i.e. cryptographic materials for Gm, Mw, Mx, and Iq interfaces
The interfaces of the P-CSCF to be protected and which are within SECAM scope:
- Gm interface between the P-CSCF and UE
- Mw interface between the P-CSCF and the C-CSCF/I-CSCF
- Mx interface between the P-CSCF and IBCF
- Iq interface between the P-CSCF and IMS AGW
- Console interface, for local access: local interface on the P-CSCF
- OAM interface, for remote access: interface between the P-CSCF and the OAM system
NOTE 1:
The detailed interfaces of the P-CSCF class are described in clause 4 of the present document.
P-CSCF Software: binary code or executable code

NOTE 2:
P-CSCF files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, P-CSCF application, user plane security mechanism, or cryptographic materials.

O.2.2 Threats related to set-up of security associations p. 75

O.2.2.1 High-priority algorithm selection p. 75

Threat name: High-priority algorithm selection
Threat Category: Tampering of data, Information Disclosure, Denial of Service
Threat Description: If the P-CSCF does not select the highest priority algorithm combination on its own list which is also supported by the UE to protect the messages between the P-CSCF and the UE, the P-CSCF could end up using a weaker algorithm forcing the system into a lowered security level making the system easily attacked and/or compromised.
Threatened Asset: IMS signalling

O.2.2.2 Bidding down on security association set-up p. 75

Threat name: Bidding down on security association set-up
Threat Category: Tampering of data, Information Disclosure, Denial of Service
Threat Description: If the P-CSCF does not check whether the integrity and encryption algorithms list, SPI_P and Port_P received in SM7 is identical with the corresponding parameters sent in SM6, and check whether SPI_U and Port_U received in SM7 are identical with those received in SM1, the attacker can force the system to reduce the security level by tampering the integrity and encryption algorithms list. Then, weaker security algorithms may be selected, which will make the system easily attacked. Tampering the SPI will cause the negotiated SA cannot be indexed. As a result, the following security association fails to be established, leading to Denial of Service attack. The port number is generally used to identify different applications. Tampering the Port_P number by the attacker will cause messages to be sent to the UE or P-CSCF through the tampered port. These messages including some sensitive parameters may be leaked to another application, which is not intended to receive this message.
Threatened Asset: IMS signalling, security data

O.2.3 Threats related to IMS signalling transport p. 75

Threat name: No protection or weak protection for IMS signalling data.
Threat Category: Tampering, Information Disclosure.
Threat Description: The following behaviours may lead to bidding down attacks
- If the protection implemented for the IMS signalling over Gm interface uses the wrong security profile, which may contain weak security algorithms or protocol versions known to be vulnerable, the level of the security of the IMS signalling data may be degraded and fail to fulfil the required security.
- If the P-CSCF policy requires confidentiality, then all UEs with no encryption support would be denied access to the IMS network. For example, if the UE sends the NULL encryption algorithm to the P-CSCF in SM1, and the SM1 message is not denied by the P-CSCF, the following negotiated SA between UE and P-CSCF may be established without confidentiality protection, which disobeys the P-CSCF policy requiring confidentiality. Hence, the following IMS signalling data will be leaked.
Threatened Asset: IMS signalling data.

O.2.4 Threats related to SPI allocation p. 75

Threat name: Same SPIs between UE and P-CSCF.
Threat Category: Information disclosure, Denial of service.
Threat Description: If the P-CSCF selects the same SPIs as received in the Security-setup-line from the UE, the attacker could reflect the old messages back to P-CSCF. Since the UE and the P-CSCF use the same key for inbound and outbound traffic, the P-CSCF will decrypt the reflected messages correctly with the same key, and perform the following operation accordingly. Hence, the P-CSCF will suffer reflection attacks. The information may leak within the response message as required by the reflected message, or the ongoing services may be interrupted. The attack is also applicable on the UE side.
Threatened Asset: IMS signalling, P-CSCF application.

O.3 Assets and threats specific to the S-CSCF p. 76

O.3.1 Critical assets p. 76

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the S-CSCF to be protected are:

S-CSCF Application;
IMS signalling;
Security data, i.e. cryptographic materials for Mw, Mx, Mm, Mg, ISC, Cx, Dx, Mr, and Mi interfaces
The interfaces of the S-CSCF to be protected and which are within SECAM scope:
- Mw interface between the S-CSCF and I-CSCF/P-CSCF
- Mx interface between the S-CSCF and IBCF
- Mm interface between the S-CSCF and IP multimedia network
- Mg interface between the S-CSCF and MGCF
- ISC interface between the S-CSCF and AS
- Cx interface between the S-CSCF and HSS
- Dx interface between the S-CSCF and SLF
- Mr interface between the S-CSCF and MRFC
- Mi interface between the S-CSCF and BGCF
- Console interface, for local access: local interface on the P-CSCF
- OAM interface, for remote access: interface between the P-CSCF and the OAM system
NOTE 1:
The detailed interfaces of the S-CSCF class are described in clause 4 of the present document.
S-CSCF Software: binary code or executable code

NOTE 2:
S-CSCF files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, S-CSCF application, user plane security mechanism, or cryptographic materials.

O.3.2 Threats related to de-registration during the authentication p. 76

Threat name: No de-registration during the authentication.
Threat Category: Denial-of-service attack.
Threat Description: Assume that a legal UE has already been registered into the IMS network with the IMPU. An attacker could try to register an already registered IMPU and respond with an incorrect authentication response in order to make the HN de-register the IMPU of the legal UE. In this case, the legal UE will be de-registered in the HSS. Therefore, the attacker could open up a potential denial-of-service attack deny a legitimate user access to the system.
Threatened Asset: Sufficient Processing Capacity.

O.3.3 Threats related to authenticated re-registration p. 77

O.3.3.1 Unprotected register message p. 77

Threat name: Unprotected REGISTER messages
Threat Category: Tampering of data, Information Disclosure, Denial of Service
Threat Description: If the S-CSCF does not authenticate the user by means of the AKA protocol in case of the UE sends unprotected REGISTER messages, the attacker without a legal certificates, or pre-shared key could be able to access the network. The data and resources stored in the network may be exposed to an attacker, making the system easily attacked and/or compromised.
Threatened Asset: S-CSCF Application, Security data

O.3.3.2 No resynchronization p. 77

Threat name: No resynchronization
Threat Reference: Denial of Service
Threat Description: In the synchronization failure scenario, after receiving the CM4 message from HSS, the UE may not be able to access to the network if no new authentication procedure is triggered by the S-CSCF, i.e. the UE is given no opportunity to resynchronize with the network. This can result in waste of system resources and deny a legitimate user access to the system.
Threatened Asset: Sufficient Processing Capacity

O.4 Assets and threats specific to the I-CSCF p. 77

O.4.1 Critical assets p. 77

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the I-CSCF to be protected are:

I-CSCF Application
IMS signalling, the Address of the S-CSCF, Charging data records
Security data, i.e. cryptographic materials for Mw, Cx, Mx, Ma, and Mm interfaces
The interfaces of the I-CSCF to be protected and which are within SECAM scope:
- Mw interface between the I-CSCF and S-CSCF/P-CSCF
- Cx interface between the I-CSCF and the HSS and SLF
- Mx interface between the I-CSCF and the IBCF
- Ma interface between the I-CSCF and AS
- Mm interface between the I-CSCF and IP Multimedia Networks
- Console interface, for local access: local interface on the I-CSCF
- OAM interface, for remote access: interface between the I-CSCF and the OAM system
NOTE 1:
The detailed interfaces of the I-CSCF class are described in clause 4 of the present document.
I-CSCF Software: binary code or executable code

NOTE 2:
I-CSCF files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, I-CSCF application, user plane security mechanism, or cryptographic materials.

O.4.2 Threats related to network hiding p. 78

O.4.2.1 encryption in network hiding p. 78

Threat name: Encryption in network hiding
Threat Category: Spoofing identity, Tampering of data, Information Disclosure
Threat Description: In casse of the network hiding mechanism is used and the operator policy states that the topology shall be hidden, if the encryption of the hiding information elements is not performed when the I-CSCF forwards SIP Request or Response messages outside the hiding network's domain, and the decryption of the hiding information elements is not performed when the I-CSCF receives a SIP Request or Response message from the outside of the hiding network's domain, the identities of the SIP proxies and the topology of the hiding network will not be protected, and an attacker can read or modify these information elements.
Threatened Asset: IMS signalling

O.5 Assets and threats specific to the IBCF p. 78

O.5.1 Critical assets p. 78

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the IBCF to be protected are:

IBCF Application
IMS signalling, Network configuration hiding, Charging data records
Security data, i.e. cryptographic materials for Mx, Cs, Ix, and Ici interfaces
The interfaces of the IBCF to be protected and which are within SECAM scope:
- Mx interface between the IBCF and S-CSCF/P-CSCF/I-CSCF/BGCF
- Ms interface between the IBCF and the AS
- Ix interface between the IBCF and the TrGW
- Ici interface between the IBCF and IP Multimedia Networks
- Console interface, for local access: local interface on the IBCF
- OAM interface, for remote access: interface between the IBCF and the OAM system
NOTE 1:
The detailed interfaces of the IBCF class are described in clause 4 of the present document.
IBCF Software: binary code or executable code

NOTE 2:
IBCF files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, IBCF application, user plane security mechanism, or cryptographic materials.

O.5.2 Threats related to network hiding p. 79

O.5.2.1 encryption in network hiding p. 79

Threat name: Encryption in network hiding
Threat Category: Spoofing identity, Tampering of data, Information Disclosure
Threat Description: In cases of the encryption of the hiding information as network hiding mechanism is used and the operator policy states that the topology shall be hidden, and the encryption of the hiding information elements is not performed when the IBCF forwards SIP Request or Response messages outside the hiding network's domain, and the decryption of the hiding information elements is not performed when the IBCF receives a SIP Request or Response message from the outside of the hiding network's domain, the identities of the SIP proxies and the topology of the hiding network will not be protected, and an attacker can read or modify these information elements.
Threatened Asset: IMS signalling

O.5.2.2 replacement in network hiding p. 79

Threat name: Replacement in network hiding
Threat Category: Spoofing identity, Tampering of data, Information Disclosure
Threat Description: In cases of the replacement of the hiding information as network hiding mechanism is used and the operator policy states that the topology shall be hidden, and the hiding information elements are not replaced to constant values when the IBCF forwards SIP Request or Response messages outside the hiding network's domain, and the constant values are not replaced to the hiding information elements when the IBCF receives a SIP Request or Response message from the outside of the hiding network's domain, the identities of the SIP proxies and the topology of the hiding network will not be protected, and an attacker can read or modify these information elements.
Threatened Asset: IMS signalling

O.6 Assets and threats specific to the AS p. 79

O.6.1 Critical assets p. 79

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the AS deployed in the user's home network to be protected are:

AS Application
IM service data
Security data, i.e. cryptographic materials for Ma, Ms, ISC, Rc, Cr, Sh, and Dh interfaces
The interfaces of the IBCF to be protected and which are within SECAM scope:
- Ma interface between the AS and I-CSCF
- Ms interface between the AS and the IBCF
- ISC interface between the AS and S-CSCF
- Rc interface between the AS and MRB
- Cr interface between the AS and MRFC
- Sh interface between the AS and HSS
- Dh interface between the AS and SLF
- Console interface, for local access: local interface on the AS
- OAM interface, for remote access: interface between the AS and the OAM system
NOTE 1:
The detailed interfaces of the AS class are described in clause 4 of the present document.
AS Software: binary code or executable code

NOTE 2:
AS files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, AS application, user plane security mechanism, or cryptographic materials.

O.6.2 Threats related to authorization p. 80

O.6.2.1 No user authorization p. 80

Threat name: No user identity authorization
Threat Category: Elevation of privilege
Threat Description: It was described that once the AS have tried to verify the identity of the user, the AS either has a verified identity of the user or it considers the user as anonymous. If the AS configured that anonymous user is not allowed, does not reject the anonymous service request, the attacker could request functioanlity using the anonymous idenity without any authorization.
Threatened Asset: IMS signalling, security data

O.6.2.2 No ID privacy p. 80

Threat name: No ID privacy
Threat Category: Information Disclosure
Threat Description: It was described where privacy is required, in any initial request for a dialog or request for a standalone transaction, the AS shall set a display-name of the From header field to "Anonymous"and set an addr-spec of the From header field to Anonymous User Identity. If the AS does not set the ID to anonymous, the content of the From header field will be leaked.
Threatened Asset: IMS signalling, security data

O.7 Assets and threats specific to the MRFC p. 80

O.7.1 Critical assets p. 80

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the MRFC to be protected are:

MRFC Application
Media stream resource, Charging data records
Security data, i.e. cryptographic materials for Mp, Mr, and Cr/Mr' interfaces
The interfaces of the MRFC to be protected and which are within SECAM scope:
- Mp interface between the MRFC and MRFP
- Mr interface between the MRFC and the S-CSCF
- Cr/Mr' interface between the MRFC and AS
- Console interface, for local access: local interface on the MRFC
- OAM interface, for remote access: interface between the MRFC and the OAM system
NOTE 1:
The detailed interfaces of the MRFC class are described in clause 4 of the present document.
MRFC Software: binary code or executable code

NOTE 2:
MRFC files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, MRFC application, user plane security mechanism, or cryptographic materials.

O.8 Assets and threats specific to the IMS AGW p. 81

O.8.1 Critical assets p. 81

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the IMS AGW to be protected are:

IMS AGW Application;
Media stream resource;
Security data, i.e. cryptographic materials for Iq and Mp interfaces
The interfaces of the IMS AGW to be protected and which are within SECAM scope:
- Iq interface between the IMS AGW and P-CSCF
- Mb interface between the IMS AGW and IMS MGW
- Console interface, for local access: local interface on the IMS AGW
- OAM interface, for remote access: interface between the IMS AGW and the OAM system
NOTE 1:
The detailed interfaces of the IMS AGW class are described in clause 4 of the present document.
IMS AGW Software: binary code or executable code

NOTE 2:
IMS AGW files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, IMS AGW application, user plane security mechanism, or cryptographic materials.

O.9 Assets and threats specific to the MRFP p. 81

O.9.1 Critical assets p. 81

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the MRFP to be protected are:

MRFP Application
Media stream resource
Security data, i.e. cryptographic materials for Mp interface
The interfaces of the MRFP to be protected and which are within SECAM scope:
- Mp interface between the MRFC and MRFP
- Console interface, for local access: local interface on the MRFP
- OAM interface, for remote access: interface between the MRFP and the OAM system
NOTE 1:
The detailed interfaces of the MRFP class are described in clause 4 of the present document.
MRFP Software: binary code or executable code

NOTE 2:
MRFP files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, MRFP application, user plane security mechanism, or cryptographic materials.

O.10 Assets and threats specific to the IMS MGW p. 82

O.10.1 Critical assets p. 82

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the IMS MGW to be protected are:

IMS MGW Application;
Media stream resource;
Security data, i.e. cryptographic materials for Mn, Mb, and CS interfaces
The interfaces of the IMS MGW to be protected and which are within SECAM scope:
- Mn interface between the IMS MGW and MGCF
- Mb interface between the IMS MGW and MRFP/IMS AGW
- CS interface between the IMS MGW and CS Network
- Console interface, for local access: local interface on the IMS AGW
- OAM interface, for remote access: interface between the IMS MGW and the OAM system
NOTE 1:
The detailed interfaces of the IMS MGW class are described in clause 4 of the present document.
IMS MGW Software: binary code or executable code

NOTE 2:
IMS MGW files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, IMS MGW application, user plane security mechanism, or cryptographic materials.

O.11 Assets and threats specific to the TrGW p. 82

O.11.1 Critical assets p. 82

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the TrGW to be protected are:

TrGW Application;
Media stream resource;
Security data, i.e. cryptographic materials for Ix and Izi interfaces
The interfaces of the TrGW to be protected and which are within SECAM scope:
- Ix interface between the TrGW and IBCF
- Izi interface between the TrGW and IP Multimedia Network
- Console interface, for local access: local interface on the TrGW
- OAM interface, for remote access: interface between the TrGW and the OAM system
NOTE 1:
The detailed interfaces of the TrGW class are described in clause 4 of the present document.
TrGW Software: binary code or executable code

NOTE 2:
TrGW files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, TrGW application, user plane security mechanism, or cryptographic materials.

O.12 Assets and threats specific to the MGCF p. 83

O.12.1 Critical assets p. 83

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the IMS AGW to be protected are:

MGCF Application;
Media stream resource;
Security data, i.e. cryptographic materials for Mg, Mj, CS, and Mn interfaces
The interfaces of the MGCF to be protected and which are within SECAM scope:
- Mg interface between the MGCF and I-CSCF
- Mj interface between the MGCF and BGCF
- CS interface between the MGCF and CS Network
- Mn interface between the MGCF and IM MGW
- Console interface, for local access: local interface on the IMS AGW
- OAM interface, for remote access: interface between the IMS AGW and the OAM system
NOTE 1:
The detailed interfaces of the IMS AGW class are described in clause 4 of the present document.
IMS AGW Software: binary code or executable code

NOTE 2:
IMS AGW files may be any file owned by a user (root user as well as non-root users), including user account data and credentials, log data, configuration data, OS files, IMS AGW application, user plane security mechanism, or cryptographic materials.