The CALL-ID is the key that lets the S-CSCF know
that this is related to a previous challenge.
The SECURITY-SERVER header is also sent in the challenge. If this is missing, the
device abandons registration and starts all over again by sending a new REGISTER
with a new CALL-ID. The SECURITY-SERVER header identifies the security methods
supported. It also identifies the IPsec algorithm to be used, and security association
parameters.
A security association is established between the subscriber device and the P-CSCF,
as mentioned earlier. Recall the earlier discussion of the secure ports at
the P-CSCF: these ports are part of the security association. The P-CSCF uses the data
provided in the REGISTER message to establish the security association after registration
has been successfully completed. The security association helps protect against
message tampering and replay attacks.
The S-CSCF will be expecting a new REGISTER message containing the necessary
credentials. When the device receives the 401 Unauthorized message, it creates a
new REGISTER message containing the same CALL-ID as the previous REGISTER.
This is so the S-CSCF knows that this is in response to the S-CSCF challenge.
The S-CSCF will then query the HSS for authentication keys for the subscription. The
HSS will then send to the S-CSCF a random number (RAND), expected response (XRES),
cipher key (CK), integrity key (IK), and authentication token (AUTN).
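
The device-side decision described above (reuse the CALL-ID when answering the 401 challenge, or abandon and restart with a new CALL-ID when SECURITY-SERVER is missing) can be sketched as follows. This is an added example, not code from the book: the function names and the sample message are constructed, and the Security-Server parameter names follow RFC 3329 as used with the ipsec-3gpp mechanism.

```python
import uuid

# Constructed sample 401 challenge (all values are illustrative, not captured).
CHALLENGE = "\r\n".join([
    "SIP/2.0 401 Unauthorized",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 REGISTER",
    "Security-Server: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; "
    "spi-c=98765432; spi-s=87654321; port-c=8642; port-s=7531",
    "", ""])

def parse_sip(raw):
    """Split a SIP message into (start_line, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_security_server(value):
    """Return (mechanism, params) for the first Security-Server entry."""
    parts = [p.strip() for p in value.split(",")[0].split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], params

def next_register(challenge_raw, sent_call_id):
    """Pick the Call-ID for the REGISTER that follows a 401 challenge.

    Returns (call_id, sa_params). sa_params is None when the device must
    abandon this attempt and start registration over.
    """
    start, headers = parse_sip(challenge_raw)
    if not start.startswith("SIP/2.0 401"):
        raise ValueError("not a 401 challenge")
    if headers.get("call-id") != sent_call_id:
        raise ValueError("challenge does not match our REGISTER")
    sec = headers.get("security-server")
    if sec is None:
        # No Security-Server: restart with a brand-new Call-ID.
        return uuid.uuid4().hex, None
    mechanism, params = parse_security_server(sec)
    # Same Call-ID ties the credentialed REGISTER to the challenge.
    return sent_call_id, {"mechanism": mechanism, **params}
```
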