The S-CSCF will check the AUTHORIZATION header to see if this subscriber has
been through the registration process already. If the header contains the
INTEGRITY parameter with a value of NO, then the S-CSCF will challenge the
subscriber.
This is not a fail-safe method, so it is usually advisable for the network to proceed
with challenging the subscriber device even if the INTEGRITY parameter does indicate
a previous registration. Any REGISTER coming from the device should be treated
as suspect, to prevent unauthorized access to the network.
The S-CSCF responds to the first REGISTER message with the response 401
Unauthorized. Before sending the response, the S-CSCF queries the HSS for
security credentials. The HSS then sends via DIAMETER the random number (RAND)
and authentication token (AUTN), as well as the expected response (XRES). The RAND
parameter contains the cipher key (CK) and the integrity key (IK). The S-CSCF then
sends this information in the 401 Unauthorized challenge to the device. The device
then compares the MAC in the AUTN header with a value stored within the device
(in the ISIM).
When the device receives the 401 Unauthorized response, it uses the MAC parameter
in the AUTN header, calculates XMAC, and verifies that the two match. The value is
then sent along with other credentials in a new REGISTER message carrying the same
CALL-ID as the first REGISTER.
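
The challenge-response exchange described above, as an added example that is not from the original text. It assumes the standard 3GPP AKA layout of AUTN (concealed SQN, AMF, MAC), uses truncated HMAC-SHA256 as a stand-in for the operator's f1/f2/f5 functions, and adds the sequence-number freshness check that AKA performs alongside the MAC comparison. The key, sequence numbers and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(key, label, data, n):
    # Stand-in for the AKA f1/f2/f5 functions (assumption: HMAC-SHA256,
    # truncated; real ISIMs use an operator algorithm such as Milenage).
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hss_vector(k, sqn, amf=b"\x80\x00"):
    """HSS side: produce RAND, AUTN and XRES for one challenge."""
    rand = os.urandom(16)
    mac = prf(k, b"f1", sqn + rand + amf, 8)
    ak = prf(k, b"f5", rand, 6)              # anonymity key hides SQN
    autn = xor(sqn, ak) + amf + mac          # 6 + 2 + 8 = 16 bytes
    return rand, autn, prf(k, b"f2", rand, 8)

def isim_respond(k, rand, autn, last_sqn):
    """Device side: authenticate the network, then return RES."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("malformed challenge")
    sqn = xor(autn[:6], prf(k, b"f5", rand, 6))
    amf, mac = autn[6:8], autn[8:]
    xmac = prf(k, b"f1", sqn + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):   # constant-time compare
        raise PermissionError("MAC mismatch: challenge not from home network")
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        raise PermissionError("SQN not fresh: replayed challenge")
    return prf(k, b"f2", rand, 8)

def scscf_accepts(res, xres):
    """S-CSCF side: second REGISTER succeeds only if RES equals XRES."""
    return hmac.compare_digest(res, xres)

if __name__ == "__main__":
    k = bytes(range(16))                     # constructed shared key
    rand, autn, xres = hss_vector(k, (42).to_bytes(6, "big"))
    res = isim_respond(k, rand, autn, (41).to_bytes(6, "big"))
    print("registration accepted:", scscf_accepts(res, xres))
    forged = autn[:8] + bytes([autn[8] ^ 1]) + autn[9:]
    try:
        isim_respond(k, rand, forged, (41).to_bytes(6, "big"))
    except PermissionError as err:
        print("forged challenge rejected:", err)
```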