Authentication Success

When using IMS-AKA, successful registration of a UA consists of registering at least one IMPU and authenticating the IMPI within IMS. The UA begins this process by sending a REGISTER request to the P-CSCF that properly specifies IMS-AKA authentication. IMS then performs standard procedures to identify the appropriate S-CSCF. Upon receipt of the REGISTER, the S-CSCF checks for the presence of an authentication vector. If one is present, the S-CSCF issues the authentication challenge; if not, it requests authentication vector(s) from the HSS. Note that the Oracle Communications Unified Session Manager allows you to request multiple authentication vectors via configuration. The HSS provides the following components within an authentication vector:

  • RAND—random number
  • XRES—expected response
  • CK—cipher key
  • IK—integrity key
  • AUTN—authentication token

The MAR provided to the S-CSCF differs from that of SIP digest authentication requests as follows:

  • The SIP-Number-Auth-Items AVP specifies the number of authentication vectors, which is equal to the home-subscriber-server's num-auth-vectors setting.
  • The SIP-Authentication-Scheme AVP specifies the authentication scheme, Digest-AKAv1-MD5.

At this point, the Oracle Communications Unified Session Manager can send the authentication challenge to the UA. If multiple authentication vectors were provided by the HSS, the Oracle Communications Unified Session Manager can independently authenticate the UA until the pool is exhausted. The S-CSCF stores the RAND it sends to the UA to resolve future synchronization errors, if any. No authentication vector can be used more than once. This is validated by the ISIM, using a sequence number (SQN).

When a P-CSCF receives an authentication challenge, it removes and stores the CK and the IK. The P-CSCF forwards the rest of the information to the UA.

The UA is responsible for verifying the home network. Having received the AUTN from the P-CSCF, the UA derives MAC and SQN values. Verifying both of these, the UA next generates a response including a shared secret and the RAND received in the challenge. The UA also computes the CK and IK.

Upon receipt of this response, IMS provides the message to the S-CSCF, which determines whether the XRES is correct. If so, it registers the IMPU and, via IMS, sends the 200 OK back to the UA.
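The sketch below is an added example, not Oracle's code or configuration. It follows the Digest-AKAv1-MD5 conventions of RFC 3310 (nonce = base64 of RAND || AUTN, binary RES used as the digest password) to show the UA splitting the challenge and the S-CSCF checking the response against XRES while consuming each vector once. The RAND, AUTN and XRES values, the IMPI and realm, and all function and class names are constructed for illustration; no Milenage computation is performed.

```python
import base64, hashlib, hmac

# Constructed sample vector (not real Milenage output).
RAND, AUTN = bytes(range(16)), bytes(range(16, 32))
VECTOR = {"rand": RAND, "autn": AUTN, "xres": bytes.fromhex("a1b2c3d4e5f60718")}
IMPI, REALM, URI = "user1@example.test", "example.test", "sip:example.test"

def build_nonce(rand: bytes, autn: bytes) -> str:
    """S-CSCF side: RFC 3310 nonce is base64(RAND || AUTN), 16 bytes each."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN must be 16 bytes each")
    return base64.b64encode(rand + autn).decode()

def parse_nonce(nonce: str):
    """UA side: recover RAND and the AUTN fields used to check MAC and SQN."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < 32:
        raise ValueError("AKA nonce shorter than RAND || AUTN")
    autn = raw[16:32]
    return raw[:16], {"sqn_xor_ak": autn[:6], "amf": autn[6:8], "mac": autn[8:]}

def digest_response(impi, realm, res: bytes, method, uri, nonce) -> str:
    """RFC 2617 digest without qop, with the binary RES as the password."""
    md5 = lambda b: hashlib.md5(b).hexdigest()
    ha1 = md5(f"{impi}:{realm}:".encode() + res)
    ha2 = md5(f"{method}:{uri}".encode())
    return md5(f"{ha1}:{nonce}:{ha2}".encode())

class VectorPool:
    """S-CSCF side: outstanding challenges, keyed by the nonce sent to the UA."""
    def __init__(self, vectors):
        self.pending = {build_nonce(v["rand"], v["autn"]): v for v in vectors}

    def verify(self, impi, realm, method, uri, nonce, response) -> bool:
        vec = self.pending.pop(nonce, None)  # a vector is never used twice
        if vec is None:
            return False                     # unknown or already-used challenge
        expected = digest_response(impi, realm, vec["xres"], method, uri, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare
```
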