IMS AKA Protected traffic and Authentication


AKA Services include:


AKA protected traffic with IPsec

AKA requires all traffic between a UE (3G/4G/LTE terminal) and a P-CSCF during a session to be sent on specific IPsec protected channels.

AKA uses the IMS Gm interface (SIP protocol) for communication between a UE and a P-CSCF. Both sides have a Client port and a Server port.

Session registrations are performed with the SIP REGISTER request message.

The UE starts the AKA session registration on an unprotected channel between the UE and the P-CSCF.

The AKA session registration establishes two IPsec protected channels between the UE and the P-CSCF.

Figure F-24: IPsec channels for IMS AKA protected traffic (UDP or TCP)

The Security-Client, Security-Server, and Security-Verify headers are used to establish protected port pairs between UE and P-CSCF.

The information about port numbers etc. on the UE side is passed to the P-CSCF side in the Security-Client header.

The information about port numbers etc. on the P-CSCF side is passed to the UE side in the Security-Server header.

The UE calculates the keys used by IPsec based on the challenge information in the WWW-Authenticate header from the S-CSCF and the long-term secret (K).

The security settings (keys etc.) are stored in Security Associations (SAs) and identified by Security Parameters Indexes (SPIs).

The IMS Gm interface supports two alternative transport protocols, TCP and UDP.

The IPsec protected channels are used differently depending on the transport protocol used.


AKA protected traffic using TCP protocol


Figure F-25: IMS AKA protected traffic using TCP

For the TCP protocol, IPsec channel 1 is used for request messages from UE to P-CSCF and response messages from P-CSCF to UE.

IPsec channel 2 is used for request messages from P-CSCF to UE and response messages from UE to P-CSCF.



AKA protected traffic using UDP protocol

Figure F-26: IMS AKA protected traffic using UDP

For the UDP protocol, IPsec channel 1 is used for all traffic from UE to P-CSCF. IPsec channel 2 is used for all traffic from P-CSCF to UE.
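
The following added example (not part of the original page) derives the two protected port pairs from Security-Client and Security-Server header values and checks whether an observed SIP message used the channel that the TCP and UDP rules above require. The function names are hypothetical and the header values are constructed; the port-c/port-s parameter names come from the ipsec-3gpp header syntax, and the mapping of channel 1 to UE client port/P-CSCF server port and channel 2 to P-CSCF client port/UE server port is an assumption, since the figures are not reproduced here.

```python
# Added example; header values are constructed samples, not captured traffic.

def parse_sec_header(value):
    """Parse one Security-Client/-Server value: mechanism name, then ;name=value."""
    mech, *params = [p.strip() for p in value.split(";")]
    out = {"mechanism": mech.lower()}
    for p in params:
        name, _, val = p.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out

def protected_channels(sec_client, sec_server):
    """Map channel number -> protected port on each side.
    Assumption: channel 1 is UE client port <-> P-CSCF server port,
    channel 2 is P-CSCF client port <-> UE server port."""
    c, s = parse_sec_header(sec_client), parse_sec_header(sec_server)
    if c["mechanism"] != "ipsec-3gpp" or s["mechanism"] != "ipsec-3gpp":
        raise ValueError("not an ipsec-3gpp security agreement")
    return {1: {"ue": int(c["port-c"]), "pcscf": int(s["port-s"])},
            2: {"ue": int(c["port-s"]), "pcscf": int(s["port-c"])}}

def expected_channel(transport, sender, kind):
    """sender is 'ue' or 'pcscf'; kind is 'request' or 'response'."""
    if transport == "udp":          # direction alone decides
        return 1 if sender == "ue" else 2
    if transport == "tcp":          # a response stays on the channel of its request
        ue_transaction = (sender == "ue") == (kind == "request")
        return 1 if ue_transaction else 2
    raise ValueError(f"unsupported transport: {transport}")

def on_expected_channel(channels, transport, sender, kind, src_port, dst_port):
    """True when the observed ports match the channel the message must use."""
    ch = channels[expected_channel(transport, sender, kind)]
    peer = "pcscf" if sender == "ue" else "ue"
    return (src_port, dst_port) == (ch[sender], ch[peer])

SEC_CLIENT = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=11111111; spi-s=22222222; port-c=5062; port-s=5063"
SEC_SERVER = "ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=33333333; spi-s=44444444; port-c=6062; port-s=6063"

if __name__ == "__main__":
    chans = protected_channels(SEC_CLIENT, SEC_SERVER)
    # A 200 OK from the P-CSCF sent from its server port to the UE client port:
    for transport in ("tcp", "udp"):
        ok = on_expected_channel(chans, transport, "pcscf", "response", 6063, 5062)
        print(transport, "P-CSCF response on channel 1:", "ok" if ok else "wrong channel")
```

The same P-CSCF response is valid on channel 1 for TCP but is flagged for UDP, where all P-CSCF-to-UE traffic belongs on channel 2.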



Authentication with AKA

AKA provides mutual authentication of UE and the servicing IMS system.

The UE authenticates the S-CSCF based on information in the 401 response message headers and locally stored information.

The UE acknowledges authentication of the S-CSCF with an authenticated Register message.

The UE gets authenticated by the S-CSCF based on information in the authenticated Register message and information stored in the HSS.

The S-CSCF acknowledges authentication of the UE with the 200 OK response message.

The IPsec protected channels replace the need for authentication of subsequent SIP request messages from the UE during a registration (except for Register), since they are transmitted on secured channels only open to the authenticated UE.
