LTE Security Architecture Overview (SN: Serving Network, HE: Home Environment, AN: Access Network)
- Slides: 58
Overview of the LTE security architecture
Abbreviations: SN: Serving Network; HE: Home Environment; AN: Access Network; ME: Mobile Equipment; USIM: Universal Subscriber Identity Module
The LTE security architecture explained
• The security architecture figure on the previous slide defines the security features of five sets of connections between the elements:
  – Network access security (I)
  – Network domain security (II)
  – User domain security (III)
  – Application domain security (IV)
  – Visibility and configurability of security (V)
EPS ciphering algorithms
• 128-bit keys are used (except for the null ciphering algorithm)
• A 4-bit identifier selects the EPS Encryption Algorithm (EEA):
  Identifier  EPS ciphering algorithm  Note
  0000        EEA0                     Null ciphering algorithm
  0001        128-EEA1                 SNOW 3G based algorithm
  0010        128-EEA2                 AES based algorithm
  0011        128-EEA3                 ZUC based algorithm
EPS integrity algorithms
• 128-bit keys are used (except for the null integrity protection algorithm)
• A 4-bit identifier selects the EPS Integrity Algorithm (EIA):
  Identifier  EPS integrity algorithm  Note
  0000        EIA0                     Null integrity protection algorithm
  0001        128-EIA1                 SNOW 3G based algorithm
  0010        128-EIA2                 AES based algorithm
  0011        128-EIA3                 ZUC based algorithm
Security procedures between the UE and EPC elements
• Authentication and key agreement
• EPS key hierarchy
• LTE confidentiality mechanism
• LTE integrity mechanism
Overview of the AKA procedure (1/2)
Parties: ME/USIM, eNB, MME, HSS/AuC
  ME/USIM -> MME (via eNB): NAS attach request
  MME -> HSS/AuC: Authentication data request
  HSS/AuC -> MME: Authentication data response
  MME -> ME/USIM: NAS authentication request (AUTN, RAND, KSI_ASME)
  ME/USIM -> MME: NAS authentication response (RES)
Overview of the AKA procedure (2/2)
Parties: ME/USIM, eNB, MME, HSS/AuC
  MME -> ME/USIM: NAS Security Mode Command (confidentiality and integrity algorithms)
  ME/USIM -> MME: NAS Security Mode Complete
  MME -> eNB: S1AP Initial Context Setup
  eNB -> ME/USIM: RRC Security Mode Command (confidentiality and integrity algorithms)
  ME/USIM -> eNB: RRC Security Mode Complete
Successful EPS AKA authentication
Parties: ME/USIM, MME
  MME -> ME/USIM: User authentication request (RAND, AUTN, KSI_ASME)
  ME/USIM -> MME: User authentication response (RES)
Distribution of authentication data from HE to MME
Parties: MME, HE
  MME -> HE: Authentication data request (IMSI, SN identity, Network Type)
  HE -> MME: Authentication data response (EPS-Authentication Vector(s))
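The three message flows above (authentication data request/response between MME and HE, then the user authentication request/response between MME and ME/USIM) can be run end to end in code. The following is an added example written for this page, not code from the slides or from 3GPP: the HE builds an authentication vector, the MME role challenges the USIM, the USIM verifies AUTN (MAC, AMF separation bit, SQN freshness) and returns RES, and the MME compares RES with XRES. It assumes truncated HMAC-SHA-256 tags in place of the MILENAGE f1..f5 functions; the AUTN layout (SQN xor AK || AMF || MAC) and the K_ASME derivation with FC=0x10 follow TS 33.401, and the subscriber key and SN identity are constructed values.

```python
"""EPS AKA walk-through: HE/AuC builds an authentication vector, the MME
challenges the USIM with (RAND, AUTN), the USIM checks AUTN and answers RES,
and the MME compares RES with XRES.  Added example, not from the slides.
ASSUMPTIONS: MILENAGE f1..f5 are replaced by truncated HMAC-SHA-256 tags;
AUTN layout (SQN xor AK || AMF || MAC) and the K_ASME KDF follow TS 33.401."""
import hashlib
import hmac
import os


def _f(k, label, data, n):
    """Stand-in for MILENAGE f1..f5 (ASSUMPTION: HMAC-SHA-256 truncated to n bytes)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(key, fc, *params):
    """TS 33.401 Annex A KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


class HomeEnvironment:
    """HSS/AuC: holds the permanent key K and the next sequence number SQN."""

    def __init__(self, k):
        self.k = k
        self.sqn = 1

    def authentication_data_response(self, sn_id, rand=None):
        """Build one EPS authentication vector (RAND, AUTN, XRES, K_ASME) for SN id."""
        rand = rand if rand is not None else os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        amf = b"\x80\x00"  # AMF separation bit set: this vector is for EPS only
        mac = _f(self.k, b"f1", rand + sqn + amf, 8)
        xres = _f(self.k, b"f2", rand, 8)
        ck = _f(self.k, b"f3", rand, 16)
        ik = _f(self.k, b"f4", rand, 16)
        ak = _f(self.k, b"f5", rand, 6)
        sqn_ak = _xor(sqn, ak)
        # CK/IK never leave the HE: the MME only receives K_ASME, bound to the SN id
        k_asme = kdf(ck + ik, 0x10, sn_id, sqn_ak)
        return {"RAND": rand, "AUTN": sqn_ak + amf + mac, "XRES": xres, "K_ASME": k_asme}


class USIM:
    """ME/USIM: shares K with the HE and remembers the highest SQN accepted."""

    def __init__(self, k):
        self.k = k
        self.last_sqn = 0

    def authentication_response(self, rand, autn, sn_id):
        """Verify AUTN; on success return (RES, K_ASME), otherwise raise ValueError."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        ak = _f(self.k, b"f5", rand, 6)
        sqn = _xor(sqn_ak, ak)
        if not hmac.compare_digest(mac, _f(self.k, b"f1", rand + sqn + amf, 8)):
            raise ValueError("MAC failure: AUTN was not produced with our K")
        if not amf[0] & 0x80:
            raise ValueError("AMF separation bit clear: not an EPS vector")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("synchronisation failure: SQN not fresh (replay)")
        self.last_sqn = int.from_bytes(sqn, "big")
        ck = _f(self.k, b"f3", rand, 16)
        ik = _f(self.k, b"f4", rand, 16)
        return _f(self.k, b"f2", rand, 8), kdf(ck + ik, 0x10, sn_id, sqn_ak)


def run_eps_aka(he, usim, sn_id):
    """MME role: fetch a vector, challenge the USIM, compare RES with XRES.
    Returns the agreed K_ASME, or None if authentication failed."""
    av = he.authentication_data_response(sn_id)  # HE -> MME
    try:
        res, k_asme_ue = usim.authentication_response(av["RAND"], av["AUTN"], sn_id)
    except ValueError:
        return None  # the USIM rejected AUTN
    if not hmac.compare_digest(res, av["XRES"]):
        return None  # RES != XRES
    assert k_asme_ue == av["K_ASME"]  # both ends now hold the same K_ASME
    return av["K_ASME"]


if __name__ == "__main__":
    K = bytes(range(16))                 # constructed subscriber key
    SN_ID = bytes.fromhex("13f001")      # constructed serving network id
    print(run_eps_aka(HomeEnvironment(K), USIM(K), SN_ID).hex())
```

The USIM's three checks are ordered the way the spec orders them: a MAC failure means the challenge did not come through the home network, and only a vector that passes the MAC check is then tested for SQN freshness, so a replayed (RAND, AUTN) pair is rejected even though its MAC is valid.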
User identity query
Parties: MME, HE
  Identity Request
  Identity Response (IMSI)
Distribution of IMSI and authentication data within one serving network domain
Parties: MMEn, MMEo
  MMEn -> MMEo: GUTIo || Complete TAU message
  MMEo -> MMEn: IMSI || authentication data
Abbreviations: GUTI: Globally Unique Temporary Identity; IMSI: International Mobile Subscriber Identity; TAU: Tracking Area Update
Distribution of IMSI and authentication data within one serving network domain (cont.)
• The purpose of this procedure is to let the previously visited MME (MMEo) provide authentication data to the newly visited MME (MMEn) within the same serving network domain
• MMEn first sends the ME/USIM's GUTIo together with the TAU message it received
• MMEo looks up the user's information in its database and returns the corresponding IMSI and authentication data to MMEn
• MMEn can then use the authentication data for subsequent authentication and key agreement with the ME/USIM
EPS key derivation (for network nodes)
[Figure: EPS key derivation for network nodes]
Abbreviations: KDF: Key Derivation Function; NH: Next Hop
EPS key derivation (for ME)
[Figure: EPS key derivation for the ME]
Abbreviations: KDF: Key Derivation Function; NH: Next Hop
NAS security mode command procedure
Parties: MME, ME
  MME: Start integrity protection
  MME -> ME: NAS Security Mode Command (eKSI, UE security capabilities, Ciphering algorithm, Integrity algorithm, [IMEISV request,] [NONCE_UE, NONCE_MME,] NAS-MAC)
  MME: Start uplink ciphering
  ME: Verify NAS SMC integrity. If successful, start ciphering/deciphering and integrity protection and send NAS Security Mode Complete
  ME -> MME: NAS Security Mode Complete ([IMEISV,] NAS-MAC)
  MME: Start downlink ciphering
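The NAS SMC exchange above, together with the EEA/EIA identifier tables from the earlier slides, as an added example written for this page (not code from the slides or from any 3GPP implementation). The MME selects a ciphering and an integrity algorithm from the capabilities the UE advertised, derives K_NASenc and K_NASint from K_ASME with the 4-bit algorithm identifiers (KDF with FC=0x15 as in TS 33.401), and integrity-protects the SMC; the ME verifies the NAS-MAC first, then checks that the echoed UE security capabilities are exactly what it sent (the bidding-down protection the echo exists for) and that the selected algorithms are among them. Assumptions: a truncated HMAC-SHA-256 stands in for the 128-EIAx NAS-MAC, messages are JSON-serialised dictionaries, the MME policy refuses EIA0, and K_ASME and the capability sets are constructed values.

```python
"""NAS Security Mode Command with algorithm selection and key derivation.
Added example, not from the slides.
ASSUMPTIONS: truncated HMAC-SHA-256 in place of the 128-EIAx NAS-MAC,
JSON-serialised messages, and an MME policy that never selects EIA0."""
import hashlib
import hmac
import json

# 4-bit identifiers from the EEA/EIA tables (only 0..3 are assigned)
EEA = {0: "EEA0 (null ciphering)", 1: "128-EEA1 (SNOW 3G)",
       2: "128-EEA2 (AES)", 3: "128-EEA3 (ZUC)"}
EIA = {0: "EIA0 (null integrity)", 1: "128-EIA1 (SNOW 3G)",
       2: "128-EIA2 (AES)", 3: "128-EIA3 (ZUC)"}
NAS_ENC_ALG, NAS_INT_ALG = b"\x01", b"\x02"  # algorithm type distinguishers


def kdf(key, fc, *params):
    """TS 33.401 Annex A KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def nas_alg_key(k_asme, alg_type, alg_id):
    """K_NASenc / K_NASint: FC=0x15, P0=algorithm type, P1=4-bit id; 128 LSBs kept."""
    return kdf(k_asme, 0x15, alg_type, bytes([alg_id]))[16:]


def nas_mac(k_nasint, msg):
    """ASSUMPTION: 32-bit HMAC-SHA-256 tag in place of the 128-EIAx MAC."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(k_nasint, body, hashlib.sha256).hexdigest()[:8]


def _without_mac(msg):
    return {k: v for k, v in msg.items() if k != "NAS-MAC"}


class MME:
    def __init__(self, k_asme, eea_priority, eia_priority):
        self.k_asme = k_asme
        self.eea_priority, self.eia_priority = eea_priority, eia_priority

    def security_mode_command(self, ue_caps, eksi):
        """Pick the highest-priority algorithms the UE supports; build a protected SMC."""
        eea = next(a for a in self.eea_priority if a in ue_caps["EEA"])
        eia = next(a for a in self.eia_priority if a in ue_caps["EIA"])
        if eia == 0:
            raise ValueError("policy: EIA0 is only for unauthenticated emergency calls")
        self.k_nasint = nas_alg_key(self.k_asme, NAS_INT_ALG, eia)
        self.k_nasenc = nas_alg_key(self.k_asme, NAS_ENC_ALG, eea)
        smc = {"eKSI": eksi,
               # echo the UE's capabilities so the UE can detect tampering in transit
               "UE security capabilities": {"EEA": sorted(ue_caps["EEA"]),
                                            "EIA": sorted(ue_caps["EIA"])},
               "Ciphering algorithm": eea, "Integrity algorithm": eia}
        smc["NAS-MAC"] = nas_mac(self.k_nasint, smc)
        return smc

    def security_mode_complete(self, msg):
        return hmac.compare_digest(msg["NAS-MAC"], nas_mac(self.k_nasint, _without_mac(msg)))


class ME:
    def __init__(self, k_asme, caps):
        self.k_asme, self.caps = k_asme, caps

    def handle_security_mode_command(self, smc):
        eea, eia = smc["Ciphering algorithm"], smc["Integrity algorithm"]
        # 1. integrity first, with the K_NASint the selected EIA implies
        k_nasint = nas_alg_key(self.k_asme, NAS_INT_ALG, eia)
        if not hmac.compare_digest(smc["NAS-MAC"], nas_mac(k_nasint, _without_mac(smc))):
            raise ValueError("NAS SMC integrity check failed")
        # 2. bidding-down check: the echoed capabilities must equal what we sent
        mine = {"EEA": sorted(self.caps["EEA"]), "EIA": sorted(self.caps["EIA"])}
        if smc["UE security capabilities"] != mine:
            raise ValueError("UE security capabilities were modified in transit")
        # 3. the selected algorithms must be ones we advertised
        if eea not in self.caps["EEA"] or eia not in self.caps["EIA"]:
            raise ValueError("selected algorithm not in our capabilities")
        self.k_nasint = k_nasint
        self.k_nasenc = nas_alg_key(self.k_asme, NAS_ENC_ALG, eea)
        complete = {"msg": "NAS Security Mode Complete"}
        complete["NAS-MAC"] = nas_mac(self.k_nasint, complete)
        return complete


def run_nas_smc(k_asme, ue_caps, eea_priority, eia_priority):
    """Full exchange; returns the selected (EEA, EIA) names once both sides share keys."""
    mme, me = MME(k_asme, eea_priority, eia_priority), ME(k_asme, ue_caps)
    smc = mme.security_mode_command(ue_caps, eksi=0)   # MME -> ME
    complete = me.handle_security_mode_command(smc)     # ME -> MME
    if not mme.security_mode_complete(complete):
        raise ValueError("NAS Security Mode Complete failed integrity check")
    assert (me.k_nasenc, me.k_nasint) == (mme.k_nasenc, mme.k_nasint)
    return EEA[smc["Ciphering algorithm"]], EIA[smc["Integrity algorithm"]]
```

The order of the checks in the ME matters: the integrity check comes first because the capability comparison is only meaningful on a message that is known to come from the MME, and the capability echo is what turns a stripped capability list into a detectable failure rather than a silent downgrade to a weaker (or null) algorithm.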
AS security mode command procedure
Parties: eNB, ME
  eNB: Start RRC integrity protection
  eNB -> ME: AS Security Mode Command (Integrity algorithm, Ciphering algorithm, MAC-I)
  eNB: Start RRC/UP downlink ciphering
  ME: Verify AS SMC integrity. If successful, start RRC integrity protection and RRC/UP downlink deciphering, and send AS Security Mode Complete
  ME -> eNB: AS Security Mode Complete (MAC-I)
  ME: Start RRC/UP uplink ciphering
  eNB: Start RRC/UP uplink deciphering
Key handling in handover
[Figure: key handling at handover]
Abbreviations: NH: Next Hop parameter; NCC: NH Chaining Counter; PCI: Physical Cell Identity
Signalling procedure for periodic local authentication
Parties: ME, eNB
  eNB -> ME: Counter Check (request)
  ME -> eNB: Counter Check Response
  eNB: Optionally release connection or report to MME or O&M server
Signalling procedure for periodic local authentication (cont.)
• The eNB first sends a Counter check request message, which carries PDCP COUNT values
• When the UE receives the Counter check request, it compares the PDCP COUNT values sent by the eNB with the PDCP COUNT values of its own radio bearers, then returns a Counter Check Response message
• If the counter check response received by the eNB contains no PDCP COUNT values, the procedure ends
• If the counter check response received by the eNB contains one or more PDCP COUNT values, the eNB either releases the connection or reports the differing PDCP COUNT values to the serving MME or the O&M server. The report can be used for traffic analysis to detect whether an attack has taken place
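The counter check procedure above, as an added example written for this page (not code from the slides): the eNB sends the PDCP COUNT values it holds for each radio bearer, the UE replies only for bearers whose COUNTs disagree, and the eNB either continues or produces the report it would hand to the MME or O&M server. The slides do not give the message encoding, so the example assumes the layout of TS 36.331: the request carries the 25 most significant bits of each 32-bit COUNT, the response carries the full COUNTs of mismatching bearers, and a bearer the UE does not know is reported with COUNT 0. The PDCP COUNT values are constructed.

```python
"""Periodic local authentication (counter check) between eNB and UE.
Added example, not from the slides.
ASSUMPTIONS (TS 36.331 layout, not cited by the slides): request carries the
25 MSBs of each COUNT, response carries full COUNTs of mismatching bearers,
unknown bearers are reported with COUNT 0."""

COUNT_BITS = 32
MSB_BITS = 25
LSB_BITS = COUNT_BITS - MSB_BITS  # the low 7 bits are not compared


def count_msb(count):
    """The part of a 32-bit PDCP COUNT that the request carries."""
    return count >> LSB_BITS


class ENB:
    def __init__(self, pdcp_counts):
        # {drb_id: (uplink COUNT, downlink COUNT)} as maintained by the eNB
        self.pdcp_counts = pdcp_counts

    def counter_check_request(self):
        return {drb: (count_msb(ul), count_msb(dl))
                for drb, (ul, dl) in self.pdcp_counts.items()}

    def handle_counter_check_response(self, response):
        """("continue", {}) when nothing mismatched; otherwise the report for MME/O&M."""
        if not response:
            return "continue", {}
        report = {}
        for drb, (ue_ul, ue_dl) in response.items():
            enb_ul, enb_dl = self.pdcp_counts[drb]
            # delta > 0 on a direction means the UE counted more PDUs there than
            # the eNB did; the sign and size of the delta feed the traffic analysis
            report[drb] = {"eNB": (enb_ul, enb_dl), "UE": (ue_ul, ue_dl),
                           "delta": (ue_ul - enb_ul, ue_dl - enb_dl)}
        return "release or report", report


class UE:
    def __init__(self, pdcp_counts):
        self.pdcp_counts = pdcp_counts

    def counter_check_response(self, request):
        """Return only the bearers whose COUNT MSBs differ from the eNB's view."""
        response = {}
        for drb, (ul_msb, dl_msb) in request.items():
            if drb not in self.pdcp_counts:
                response[drb] = (0, 0)  # ASSUMPTION: unknown bearer reported as 0
                continue
            ul, dl = self.pdcp_counts[drb]
            if (count_msb(ul), count_msb(dl)) != (ul_msb, dl_msb):
                response[drb] = (ul, dl)
        return response


def run_counter_check(enb_counts, ue_counts):
    """One round of the procedure; returns the eNB's (action, report)."""
    enb, ue = ENB(enb_counts), UE(ue_counts)
    request = enb.counter_check_request()            # eNB -> UE
    response = ue.counter_check_response(request)    # UE -> eNB
    return enb.handle_counter_check_response(response)


if __name__ == "__main__":
    # constructed COUNT values: DRB 2 downlink differs by far more than 2^7
    print(run_counter_check({1: (1000, 2000), 2: (50, 60)},
                            {1: (1000, 2000), 2: (50, 360)}))
```

Because only the 25 most significant bits travel in the request, a discrepancy confined to the 7 low bits is invisible to a single check; the procedure is meant to catch a sustained mismatch in the number of PDCP PDUs each side has seen, not a difference of a few packets.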
References
• ETSI TS 133 102 V12.2.0 (2015-01). Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture (3GPP TS 33.102 version 12.2.0 Release 12)
• ETSI TS 133 401 V13.1.0 (2016-01). Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE); Security architecture (3GPP TS 33.401 version 13.1.0 Release 13)
Appendix: 3GPP security specification references
  LTE Security:             3GPP TS 33.401, 3GPP TS 33.402
  Lawful Interception:      3GPP TS 33.106, 3GPP TS 33.107, 3GPP TS 33.108
  Key Derivation Function:  3GPP TS 33.220
  Backhaul Security:        3GPP TS 33.310
  Relay Node Security:      3GPP TS 33.816
  Home eNodeB Security:     3GPP TS 33.320