CN104038934B - Non-Access Stratum decryption method for real-time signaling monitoring of the LTE core network - Google Patents


Publication number
CN104038934B
Authority
CN
China
Legal status
Active
Application number
CN201410307424.2A
Other languages
Chinese (zh)
Other versions
CN104038934A (en)
Inventor
范慧娟
李磊
肖伟明
余道敏
胡西平
Current Assignee
Wuhan Hong Xin Technological Service Co Ltd
Original Assignee
Wuhan Hong Xin Technological Service Co Ltd
Application filed by Wuhan Hong Xin Technological Service Co Ltd
Priority to CN201410307424.2A
Publication of CN104038934A
Application granted
Publication of CN104038934B

Abstract

A Non-Access Stratum (NAS) decryption method for real-time signaling monitoring of the LTE core network, comprising: extracting the parameters related to NAS decryption from the S6a interface and saving them, including the authentication token AUTN, the random access parameter RAND, the expected result parameter XRES and the root key Kasme; managing user contexts through the S1AP layer messages of the S1-MME interface; extracting the parameters related to NAS decryption from the NAS layer messages of the S1-MME interface, and calculating the decryption key Knasenc from the root key Kasme obtained in step one; and extracting the ciphertext part of an encrypted message and decrypting it with the decryption-related parameters. By correlating the information of the same user on the S6a interface and the S1-MME interface, the invention obtains a complete set of decryption parameters for decryption, and is safe and efficient.

Description

Non-Access Stratum decryption method for real-time signaling monitoring of the LTE core network
Technical field
The invention belongs to the field of communication network protocol monitoring and analysis, and in particular relates to a method for decrypting LTE Non-Access Stratum ciphertext.
Background
3GPP Long Term Evolution (LTE) is currently the most popular mobile communication technology. Compared with third-generation mobile communication (3G) technology, LTE offers higher data rates and a more secure mode of communication, and the LTE network structure has also changed considerably.
The LTE radio access part consists only of evolved base stations, eNodeB (Enhanced Node B). The core network part mainly consists of the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (PDN Gateway, P-GW), the Home Subscriber Server (HSS) and the Policy and Charging Rules Function (PCRF). The signaling collection points of the real-time signaling monitoring and analysis system in the present invention are deployed at some of the nodes of the LTE core network architecture. Raw signaling data is collected mainly from interfaces such as S1-MME (between eNodeB and MME), S6a (between HSS and MME), S10 and S11; the signaling is then parsed and correlated across interfaces to generate Call Detail Records (CDR).
To improve security, the LTE system is designed with a two-layer security protection mechanism: one layer is radio access stratum security, the other is Non-Access Stratum (NAS) signaling security. NAS signaling protection comprises integrity protection and ciphering of the data. Integrity protection verifies whether the transmitted data is intact; ciphering converts the data into ciphertext with a given algorithm before it is transmitted. After receiving data, the integrity check must therefore be performed first and the data then decrypted before a correct decoding result can be obtained. The main object of the present invention is to extract the information needed for decryption from multiple monitored network interfaces and to decrypt the NAS messages of the S1-MME interface.
The difficulty in decrypting NAS messages lies in obtaining a complete set of decryption parameters. Specifically, the root key Kasme used for decryption must be obtained from the S6a interface, and the other parameters must be obtained from the S1-MME interface. The following problems must be solved: how to correlate the information of the same user on the S6a interface and the S1-MME interface, what a user's decryption parameters consist of, and how to calculate and dynamically maintain a user's decryption parameters, because the parameters in the structure are obtained from different messages and change over time.
Summary of the invention
To solve the above problems, the present invention proposes a Non-Access Stratum decryption method for a real-time signaling monitoring and analysis system of the LTE core network.
The technical solution of the present invention is a Non-Access Stratum decryption method for real-time signaling monitoring of the LTE core network, comprising the following steps:
Step one: extract the parameters related to NAS decryption from the S6a interface and save them, including the authentication token AUTN, the random access parameter RAND, the expected result parameter XRES and the root key Kasme;
Step two: manage user contexts through the S1AP layer messages of the S1-MME interface;
Step three: extract the parameters related to NAS decryption from the NAS layer messages of the S1-MME interface, and calculate the decryption key Knasenc from the root key Kasme obtained in step one;
Step four: extract the ciphertext part of the encrypted message and decrypt it with the decryption-related parameters.
Moreover, step one is implemented as follows:
The authentication information message pair Authentication Information Request/Answer is captured on the S6a interface, and multiple groups of authentication vectors are parsed out of it. Each authentication vector includes the authentication token AUTN, the random access parameter RAND, the expected result parameter XRES and the root key Kasme;
The in-memory database is updated with the authentication vectors obtained. The in-memory database stores the correspondence between AUTN, RAND, XRES and Kasme: the combination of AUTN, RAND and XRES of each authentication vector is used as the key, and the Kasme of that authentication vector is used as the value.
Moreover, in step two, managing user contexts through the S1AP layer signaling of the S1-MME interface is implemented as follows:
On the S1-MME interface, Hash table 1 is built with MME-UE-S1AP-ID and the IP address of the MME as the key, Hash table 2 is built with S-TMSI as the key, and Hash table 3 is built with IMSI as the key. All three Hash tables store pointers to user contexts. The keys of Hash table 1 and Hash table 2, which are keyed by MME-UE-S1AP-ID and S-TMSI respectively, are maintained dynamically, with old keys replaced by new keys. S-TMSI and IMSI are stored in the user context, and are filled with all 1s by default when absent, so that the three Hash tables can be associated;
Here, MME-UE-S1AP-ID is the MME-side identifier of the UE, MME is the Mobility Management Entity, S-TMSI is the temporary mobile subscriber identity, and IMSI is the international mobile subscriber identity.
Moreover, in step three the extracted parameters related to NAS decryption are stored in a decryption parameter data structure. The decryption parameter data structure includes the decryption parameters KSI, Kasme, context_sate, cipher_algorithm_type, Knasenc, uplink_nas_sqn, uplink_nas_over_flow, downlink_nas_sqn and downlink_nas_over_flow:
KSI is the key set identifier, used to identify the root key Kasme;
context_sate is the state of the UE security context; 0 represents NOT CURRENT and 1 represents CURRENT;
cipher_algorithm_type is the ID of the algorithm used for encryption and decryption;
uplink_nas_sqn, uplink_nas_over_flow, downlink_nas_sqn and downlink_nas_over_flow are the sequence numbers and overflow values of uplink and downlink messages respectively, and are used to calculate the uplink and downlink COUNT, where COUNT is the message sequence number.
Moreover, the process in step three of extracting the parameters related to NAS decryption from the NAS layer messages of the S1-MME interface includes the processing of the attach request message Attach Request or the tracking area update request TAU Request, the processing of the authentication message pair Authentication Request/Response, the processing of the security mode message pair Security Mode Command/Complete, and the processing of other messages on the S1-MME interface.
Moreover, the processing of the attach request message Attach Request or the tracking area update request TAU Request comprises the following steps:
Step A01: capture the attach request message Attach Request or the tracking area update request TAU Request on the S1-MME interface, extract the key field KSI and store it in the user context;
Step A02: check whether a decryption parameter data structure exists in the corresponding user context; if so, go to step A03; otherwise return directly and end the procedure;
Step A03: determine whether the KSI value extracted in step A01 is the invalid value; if so, clear the decryption parameter data structure of the corresponding user and end the procedure; otherwise go to step A04;
Step A04: compare the KSI value extracted in step A01 with the KSI in the decryption parameter data structure. If they are equal, the decryption parameters of the corresponding user can be used for decryption, and the procedure ends. If they are not equal, the decryption parameter data structure of the corresponding user is deleted, the procedure returns directly and ends.
Moreover, the processing of the authentication message pair Authentication Request/Response comprises the following steps:
Step B01: capture the authentication request message Authentication Request on the S1-MME interface, extract the fields AUTN, RAND and KSI, and store them in the user context;
Step B02: capture the authentication response message Authentication Response on the S1-MME interface, extract the field RES, and store it in the user context;
Step B03: using the AUTN, RAND and RES in the user context as the key, look up the corresponding root key Kasme in the in-memory database; if it is found, go to step B04; if it is not found, return and end the procedure;
Step B04: determine whether the decryption parameter data structure of the corresponding user exists; if it does not exist, create the decryption parameter data structure and initialize each member to 0; otherwise directly initialize the members of the decryption parameter data structure to 0;
Step B05: update the decryption parameter data structure of the corresponding user with the Kasme found in step B03, and at the same time update the decryption parameter data structure with the KSI stored in the user context in step B01;
Step B06: end the procedure.
Moreover, the processing of the security mode message pair Security Mode Command/Complete comprises the following steps:
Step C01: capture the security mode command message Security Mode Command on the S1-MME interface and extract the fields KSI, Type of ciphering algorithm and Sequence number to obtain the key fields, where Type of ciphering algorithm is the encryption algorithm type and Sequence number is the sequence number; capture the security mode complete message Security Mode Complete on the S1-MME interface and extract the key field Sequence number;
Step C02: confirm that the decryption parameter data structure of the corresponding user exists and that the KSI in the decryption parameters equals the KSI value extracted in step C01; if both conditions are met, go to step C03; otherwise return directly and end the procedure;
Step C03: update the decryption parameter data structure with the fields extracted in step C01, including assigning Sequence number to the corresponding uplink_nas_sqn or downlink_nas_sqn; then set context_sate in the decryption parameters to 1, and set uplink_nas_over_flow and downlink_nas_over_flow to 0;
Step C04: using the Kasme in the decryption parameters and Type of ciphering algorithm, derive the decryption key Knasenc with the standard algorithm HMAC-SHA-256, and store it in the decryption parameter data structure;
Step C05: end the procedure.
Moreover, the processing of other messages on the S1-MME interface comprises the following steps:
Step D01: capture other messages on the S1-MME interface and extract the fields Security header type and Sequence number, where Security header type is the security header type;
Step D02: check whether the decryption parameter data structure of the corresponding user exists; if it exists, go to step D03; otherwise return directly and end the procedure;
Step D03: when Security header type is 2, the message is an encrypted message; update the decryption parameter data structure with the field Sequence number extracted in step D01, and when Sequence number is 255, i.e. the maximum value, add 1 to the corresponding overflow counter uplink_nas_over_flow or downlink_nas_over_flow, then go to step D04. When Security header type has any other value, the message is not encrypted; return directly and end the procedure;
Step D04: end the procedure.
Moreover, step four is implemented as follows:
Confirm that the decryption parameter data structure in the corresponding user context exists and that context_sate in the decryption parameters is 1;
Calculate the COUNT value: extract downlink_nas_over_flow and downlink_nas_sqn from the decryption parameters to obtain the counter NAS_OVERFLOW for the message direction, and calculate COUNT with the following formula,
COUNT = 0x00 | (NAS_OVERFLOW << 8) | NAS_SQN
where NAS_SQN is an 8-bit sequence number with a maximum value of 255, and NAS_OVERFLOW is a 16-bit counter; whenever NAS_SQN reaches its maximum value, NAS_OVERFLOW is incremented by 1;
Extract the data and length of the ciphertext part of the encrypted message, obtain the type of the encryption algorithm and the decryption key Knasenc from the decryption parameters, and decrypt.
The present invention obtains the decryption-related parameters from different messages and ensures that the current user's decryption parameters correspond to the message to be decrypted. Plaintext messages can be parsed directly. Encrypted messages cannot be parsed directly: the ciphertext part is obtained first, the corresponding decryption parameters are then retrieved and used for decryption, and finally the parsing function is called to parse the message. User contexts are established separately from the captured signaling data of the S6a interface and the S1-MME interface, with particular attention to the signaling on these two interfaces related to the authentication and security protection procedures, from which the parameters related to Non-Access Stratum decryption are extracted. The S6a interface is responsible for extracting the root key among the decryption parameters and for establishing the in-memory database that stores the relationship between authentication vectors and root keys. The S1-MME interface is responsible for extracting and deriving the other decryption-related parameters. By correlating the information of the same user on the S6a interface and the S1-MME interface, a complete set of decryption parameters is obtained for decryption, which is safe and efficient.
Brief description of the drawings
Fig. 1 is a diagram of the LTE security procedure in the prior art.
Fig. 2 is a schematic diagram of NAS encryption/decryption in the embodiment of the present invention.
Fig. 3 is the overall flow chart of NAS message decryption processing in the embodiment of the present invention.
Fig. 4 is the flow chart for processing Attach Request and TAU Request messages in the embodiment of the present invention.
Fig. 5 is the flow chart for processing authentication procedure messages in the embodiment of the present invention.
Fig. 6 is the flow chart for processing security protection procedure messages in the embodiment of the present invention.
Embodiments
The present invention is applied in a software-based real-time signaling monitoring system for the LTE core network. The implementation of the present invention is explained below with reference to the drawings and the embodiment.
The basic principle of the embodiment of the present invention is as follows. The authentication procedure on the S6a interface is monitored to establish the relationship between the authentication vector (AV) and the root key Kasme. Signaling data is captured on the S1-MME interface and user contexts are managed through the S1AP layer signaling of that interface, with particular attention to the authentication and security protection procedures on the S1-MME interface; the relevant parameters in these procedures are extracted from the NAS layer signaling of the interface and stored in the decryption parameter data structure in the user context, i.e. one set of decryption parameters per user. The user information of the S6a interface and the S1-MME interface is correlated so that a user on the S1-MME interface can find the corresponding root key Kasme, which is filled into the decryption parameter data structure. The decryption key Knasenc is derived from the root key Kasme and the encryption algorithm EEA in the decryption parameter data structure with the standard algorithm HMAC-SHA-256, and this decryption key, together with the decryption parameters of the corresponding user, is used to decrypt the NAS ciphertext.
Because decryption first requires solving the problem of correlating user information between the S6a interface and the S1-MME interface, the invention addresses it as follows:
The security procedure of the prior-art LTE system involving the S6a interface and the S1-MME interface is shown in Fig. 1. The user equipment UE sends message 101 to the MME, i.e. an attach request (Attach request) or a tracking area update request (TAU request). After receiving the request, the MME sends message 102 to the HSS, i.e. an authentication information request (Authentication information request). Message 103 is the returned authentication information answer (Authentication information answer); in message 103 the HSS responds with one or more authentication vectors (AV), each consisting of the random access parameter (RAND), the authentication token (AUTN), the expected result parameter (XRES) and the root key (Kasme). The MME sends message 104 to the UE; message 104 is the authentication request (Authentication request) carrying the RAND and AUTN parameters. The UE verifies the received AUTN, generates the expected result parameter (RES) after verification passes, and delivers RES to the MME in message 105; message 105 is the authentication response (Authentication response). The MME compares the XRES generated by the HSS with the RES produced by the UE; if they are the same, authentication succeeds, and the MME sends message 106 to start the NAS integrity protection procedure; message 106 is the security mode command (Security mode command). The UE checks whether the message is valid and starts the confidentiality protection procedure by sending message 107; NAS messages are encrypted from then on, and this message itself may also be encrypted. Message 107 is security mode complete (Security mode complete).
The correlation method usually mentioned in the literature is to correlate by IMSI (international mobile subscriber identity). The S6a interface can obtain the IMSI by capturing the Authentication Information Request message, but the IMSI is hard to obtain on the S1-MME interface. The IMSI is carried only when the user equipment (UE) attaches for the first time, or when the LTE network cannot identify the user by the temporary identifier (GUTI) and initiates the identity verification procedure; in other cases generally only the GUTI is carried. Because these procedures occur with low probability, it is hard to establish the relationship between IMSI and user information on the S1-MME interface, and therefore hard to correlate the S6a interface with the S1-MME interface by IMSI. The correlation method of the present invention is described below:
An authentication vector consists of the random access parameter (RAND), the authentication token (AUTN), the expected result parameter (XRES) and the root key (Kasme). The Authentication Information Answer message on the S6a interface can carry multiple groups of authentication vectors, and the MME selects the AUTN and RAND of one of these original authentication vectors and sends them to the UE for network authentication. The UE calculates RES from the parameters it stores and the authentication vector parameters it receives. The network authenticates the UE by checking whether XRES and RES are equal. If they are equal, authentication succeeds, which shows that the root key Kasme of this authentication vector can be used for decryption; otherwise authentication fails and the UE exits the connection. After authentication succeeds, the present invention correlates the user information of the S6a interface and the S1-MME interface through the AUTN, RAND and XRES of this authentication vector.
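The correlation just described, together with steps A01-A04 and B01-B05 of the summary, can be sketched as follows. This is an added example, not code from the patent: a plain dictionary stands in for the in-memory database, the class and function names and the returned status strings are hypothetical, and only the member names of the decryption parameter structure come from the text.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

KSI_NO_KEY = 0b111  # KSI value "111": the identified Kasme is invalid


@dataclass
class NasDecipherParams:
    # Member names follow the parameter list in the text (spelling kept).
    KSI: int = 0
    Kasme: bytes = b""
    context_sate: int = 0            # 0 = NOT CURRENT, 1 = CURRENT
    cipher_algorithm_type: int = 0
    Knasenc: bytes = b""
    uplink_nas_sqn: int = 0
    uplink_nas_over_flow: int = 0
    downlink_nas_sqn: int = 0
    downlink_nas_over_flow: int = 0


@dataclass
class UserContext:
    # Hypothetical per-UE context on the S1-MME side.
    ksi: Optional[int] = None
    autn: bytes = b""
    rand: bytes = b""
    res: bytes = b""
    params: Optional[NasDecipherParams] = None


class AuthVectorStore:
    """Stand-in for the in-memory database: (AUTN, RAND, XRES) -> Kasme."""

    def __init__(self) -> None:
        self._db: Dict[Tuple[bytes, bytes, bytes], bytes] = {}

    def on_s6a_answer(self, vectors: Iterable[Tuple[bytes, bytes, bytes, bytes]]) -> None:
        # vectors: (RAND, AUTN, XRES, Kasme) tuples parsed from
        # Authentication Information Answer. As in the text, vectors kept
        # from the previous authentication procedure are dropped first.
        self._db.clear()
        for rand, autn, xres, kasme in vectors:
            self._db[(autn, rand, xres)] = kasme

    def lookup(self, autn: bytes, rand: bytes, res: bytes) -> Optional[bytes]:
        # A hit means the UE's RES equals the XRES of the vector the MME chose.
        return self._db.get((autn, rand, res))


def on_attach_or_tau_request(ctx: UserContext, ksi: int) -> str:
    ctx.ksi = ksi                                   # A01
    if ctx.params is None:                          # A02
        return "no-params"
    if ksi == KSI_NO_KEY:                           # A03: clear the structure
        ctx.params = NasDecipherParams()
        return "cleared"
    if ksi == ctx.params.KSI:                       # A04: existing keys still apply
        return "reusable"
    ctx.params = None                               # A04: KSI mismatch, delete
    return "deleted"


def on_authentication_request(ctx: UserContext, autn: bytes, rand: bytes, ksi: int) -> None:
    ctx.autn, ctx.rand, ctx.ksi = autn, rand, ksi   # B01


def on_authentication_response(ctx: UserContext, store: AuthVectorStore, res: bytes) -> bool:
    ctx.res = res                                   # B02
    kasme = store.lookup(ctx.autn, ctx.rand, ctx.res)  # B03
    if kasme is None:
        return False
    ctx.params = NasDecipherParams()                # B04: create or re-zero
    ctx.params.Kasme = kasme                        # B05
    ctx.params.KSI = ctx.ksi
    return True
```
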
In the embodiment, the parameters needed for NAS decryption are EEA, KEY, COUNT, BEARER, DIRECTION and LENGTH; see the NAS encryption/decryption process diagram in Fig. 2. In the figure, taking the encryption algorithm EEA as an example, NAS signaling messages are encrypted at the sending end and decrypted at the receiving end. The receiving end generates a keystream (KEYSTREAM BLOCK) from the set of decryption parameters it has obtained, such as the key (KEY) and the algorithm (EEA); XORing this keystream with the received ciphertext (CIPHERTEXT BLOCK) yields the plaintext message (PLAINTEXT BLOCK). Each parameter in Fig. 2 is explained below:
1. EEA is the type of the selected encryption algorithm;
2. KEY is the decryption key Knasenc derived from the root key Kasme by calculation. Its length is 128 bits; Kasme is 256 bits, and the result of the calculation is truncated to its low 128 bits;
3. COUNT is the message sequence number. It is itself a 24-bit string; when an EEA-series algorithm is used as the encryption algorithm, 8 zero bits are added in the high-order position to form a 32-bit message sequence number.
COUNT = 0x00 | (NAS_OVERFLOW << 8) | NAS_SQN (1)
where NAS_SQN is an 8-bit sequence number with a maximum value of 255, and NAS_OVERFLOW is a 16-bit counter; whenever NAS_SQN reaches its maximum value, NAS_OVERFLOW is incremented by 1.
COUNT is cleared to 0 only when a new EPS (Evolved Packet System) security context is established, and the COUNT value is calculated separately for the uplink and downlink message directions;
4. BEARER is the 5-bit bearer ID; for NAS messages it defaults to 0;
5. DIRECTION represents the transmission direction of the NAS message to be decrypted. It is 1 bit: 0 represents an uplink message and 1 a downlink message, where the UE-to-MME direction is defined as uplink. LENGTH is the length of the NAS message to be decrypted, in bits.
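How KEY and COUNT above are obtained, and how COUNT, BEARER and DIRECTION are packed for the cipher, as an added example that is not code from the patent. The patent names only HMAC-SHA-256 as the standard derivation; the KDF input string (FC 0x15, algorithm type distinguisher 0x01 for NAS encryption) and the 128-EEA2 counter block layout are taken from 3GPP TS 33.401 Annex A.7 and Annex B.1.3, and the function and class names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

FC_ALG_KEY_DERIVATION = 0x15  # TS 33.401 A.7: algorithm key derivation
NAS_ENC_ALG = 0x01            # algorithm type distinguisher for NAS encryption
UPLINK, DOWNLINK = 0, 1       # DIRECTION bit; UE -> MME is uplink


def derive_knasenc(kasme: bytes, cipher_algorithm_type: int) -> bytes:
    """Knasenc = low 128 bits of HMAC-SHA-256(Kasme, S)."""
    if len(kasme) != 32:
        raise ValueError("Kasme must be 256 bits")
    if not 0 <= cipher_algorithm_type <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    # S = FC || P0 || L0 || P1 || L1, with two-byte big-endian lengths.
    s = bytes([FC_ALG_KEY_DERIVATION,
               NAS_ENC_ALG, 0x00, 0x01,
               cipher_algorithm_type, 0x00, 0x01])
    return hmac.new(kasme, s, hashlib.sha256).digest()[-16:]


def nas_count(nas_overflow: int, nas_sqn: int) -> int:
    """COUNT = 0x00 | (NAS_OVERFLOW << 8) | NAS_SQN, as a 32-bit value."""
    if not (0 <= nas_overflow <= 0xFFFF and 0 <= nas_sqn <= 0xFF):
        raise ValueError("NAS_OVERFLOW is 16 bits, NAS_SQN is 8 bits")
    return (nas_overflow << 8) | nas_sqn


@dataclass
class NasCountState:
    # Counter members named as in the decryption parameter structure.
    uplink_nas_sqn: int = 0
    uplink_nas_over_flow: int = 0
    downlink_nas_sqn: int = 0
    downlink_nas_over_flow: int = 0

    def observe(self, direction: int, sqn: int) -> int:
        """Record the SQN of a ciphered message and return its COUNT.

        COUNT is computed with the overflow value in force for this
        message; the overflow counter is bumped after SQN 255 so that the
        following message (SQN 0) lands in the next window.
        """
        if not 0 <= sqn <= 0xFF:
            raise ValueError("NAS_SQN is 8 bits")
        side = "uplink" if direction == UPLINK else "downlink"
        overflow = getattr(self, f"{side}_nas_over_flow")
        setattr(self, f"{side}_nas_sqn", sqn)
        count = nas_count(overflow, sqn)
        if sqn == 0xFF:
            setattr(self, f"{side}_nas_over_flow", (overflow + 1) & 0xFFFF)
        return count


def eea2_counter_block(count: int, bearer: int, direction: int) -> bytes:
    """Initial 128-bit counter block for 128-EEA2 (AES in CTR mode):
    COUNT[32] || BEARER[5] || DIRECTION[1] || 26 zero bits || 64 zero bits."""
    if not (0 <= bearer < 32 and direction in (UPLINK, DOWNLINK)):
        raise ValueError("BEARER is 5 bits, DIRECTION is 1 bit")
    return count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2)]) + bytes(11)
```

The keystream itself comes from running the selected EEA algorithm with Knasenc over this counter block for LENGTH bits; that step needs a cipher implementation outside the Python standard library and is left out here.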
Fig. 3 shows the specific NAS message decryption flow provided by this embodiment. For ease of implementation, the NAS decryption method of the present invention is described in detail below interface by interface, following the steps of the flow chart.
Step one: extract the parameters related to NAS decryption from the S6a interface and save them, including AUTN, RAND, XRES and Kasme. To establish the relationship between the authentication vector (AV) and the root key Kasme, the parameters related to NAS decryption are extracted from the messages of the S6a interface.
The messages on this interface related to NAS decryption are Authentication Information Request and Authentication Information Answer. The specific operations are as follows:
First step: capture the authentication information message pair Authentication Information Request/Answer on the S6a interface and parse out the authentication vectors AUTN, RAND, XRES and Kasme.
Second step: save the parsing result of the first step, which can be done with a database. Those skilled in the art may choose an existing technology to build the in-memory database; Redis is recommended. Because the amount of authentication data is small, and to make reading and writing data faster, this embodiment sets up a Redis in-memory database in advance to store the correspondence between AUTN, RAND, XRES and Kasme. The Authentication Information Answer message contains multiple groups of authentication vectors; the combination of AUTN, RAND and XRES of each authentication vector is used as the key, and the Kasme of that authentication vector is used as the value. In this way, unlike the prior art, the embodiment of the present invention uses AUTN, RAND and XRES together as the correlation field to associate the S6a interface with the S1-MME interface.
Once the first step has parsed out the authentication vectors, the Redis in-memory database can be updated. The database is emptied, i.e. the authentication vectors saved by the previous authentication procedure are removed, and the authentication vectors extracted in this procedure are stored in the database.
Third step: end the procedure.
Step two: manage user contexts through the S1AP layer messages of the S1-MME interface.
The packets of the S1-MME interface are analysed. As discussed above, few messages on this interface carry the IMSI, so it is hard to establish the association between IMSI and user information. Most user-related messages (UE-associated signalling) carry MME-UE-S1AP-ID, the MME-side identifier of the UE; only the paging message (PAGING) and the initial UE message (INITIAL UE MESSAGE) do not carry MME-UE-S1AP-ID, but they can carry S-TMSI or IMSI. S-TMSI is the temporary mobile subscriber identity, a temporary "representative" of the IMSI. Therefore, on the S1-MME interface, Hash table 1 can be built with MME-UE-S1AP-ID and the MME IP address as the key, Hash table 2 with S-TMSI as the key, and Hash table 3 with IMSI as the key. All three Hash tables store pointers to user contexts.
S-TMSI is a temporary identifier whose value often changes in the network. MME-UE-S1AP-ID is constant within one S1 connection, but its value can change when the S1 connection is released and then re-established. This embodiment therefore dynamically maintains the keys of Hash table 1 and Hash table 2, which are keyed by MME-UE-S1AP-ID and S-TMSI respectively, replacing old keys with new keys.
S-TMSI and IMSI must be stored in the user context, and are filled with all 1s by default when absent, so that the three Hash tables can be associated. The update of Hash table 2, keyed by S-TMSI, is taken as an example below:
When a message carries both MME-UE-S1AP-ID and S-TMSI, Hash table 1 is first searched with MME-UE-S1AP-ID and the MME IP address as the key. If the key is not found, a new Hash node is created. If the key is found, the S-TMSI in the corresponding user context (referred to as the old S-TMSI) is extracted and compared with the S-TMSI carried by the current message (referred to as the new S-TMSI). If they are not equal, the user context information in the old S-TMSI Hash node is copied to the new S-TMSI Hash node, and the old S-TMSI node in Hash table 2 is then replaced with the new S-TMSI Hash node. If they are equal, the key of Hash table 2 does not need to be updated.
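A sketch of the three Hash tables sharing one user context and of the key replacement just described, as an added example that is not code from the patent. The class names, the widths of the all-ones placeholders and the fallback lookup through S-TMSI or IMSI when the Hash table 1 key is unknown are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

S_TMSI_UNSET = (1 << 40) - 1  # "all 1s" placeholder (assumed 40-bit S-TMSI)
IMSI_UNSET = (1 << 64) - 1    # "all 1s" placeholder (assumed 64-bit field)


@dataclass
class UeContext:
    s1ap_key: Optional[Tuple[str, int]] = None  # (MME IP, MME-UE-S1AP-ID)
    s_tmsi: int = S_TMSI_UNSET
    imsi: int = IMSI_UNSET
    decipher_params: Optional[dict] = None      # per-user decryption parameters


class ContextIndex:
    """Three indexes that all point at the same UeContext object."""

    def __init__(self) -> None:
        self.table1: Dict[Tuple[str, int], UeContext] = {}  # by (MME IP, MME-UE-S1AP-ID)
        self.table2: Dict[int, UeContext] = {}              # by S-TMSI
        self.table3: Dict[int, UeContext] = {}              # by IMSI

    def on_message(self, mme_ip: str, mme_ue_s1ap_id: Optional[int] = None,
                   s_tmsi: Optional[int] = None,
                   imsi: Optional[int] = None) -> UeContext:
        key = (mme_ip, mme_ue_s1ap_id) if mme_ue_s1ap_id is not None else None
        # Look up by the strongest identifier the message carries.
        ctx = self.table1.get(key) if key is not None else None
        if ctx is None and s_tmsi is not None:
            ctx = self.table2.get(s_tmsi)       # assumption: fall back to S-TMSI
        if ctx is None and imsi is not None:
            ctx = self.table3.get(imsi)         # assumption: fall back to IMSI
        if ctx is None:
            ctx = UeContext()                   # new Hash node
        # Replace old keys with new keys so stale identifiers stop resolving.
        if key is not None and ctx.s1ap_key != key:
            if ctx.s1ap_key is not None and self.table1.get(ctx.s1ap_key) is ctx:
                del self.table1[ctx.s1ap_key]
            ctx.s1ap_key = key
            self.table1[key] = ctx
        if s_tmsi is not None and ctx.s_tmsi != s_tmsi:
            if self.table2.get(ctx.s_tmsi) is ctx:
                del self.table2[ctx.s_tmsi]     # old S-TMSI node removed
            ctx.s_tmsi = s_tmsi
            self.table2[s_tmsi] = ctx           # same context under new S-TMSI
        if imsi is not None and ctx.imsi != imsi:
            if self.table3.get(ctx.imsi) is ctx:
                del self.table3[ctx.imsi]
            ctx.imsi = imsi
            self.table3[imsi] = ctx
        return ctx
```

Because every table holds a reference to the same context object, the decryption parameters stored for a user remain reachable after the S-TMSI changes or the S1 connection is re-established.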
Step three: extract the parameters related to NAS decryption from the NAS layer messages of the S1-MME interface, and calculate the decryption key Knasenc from the Kasme obtained in step one. In the embodiment, step one saves Kasme in the Redis in-memory database, and this step obtains Kasme from the Redis in-memory database.
The messages on this interface related to NAS decryption are mainly Authentication Request, Authentication Response, Security mode command and Security mode complete.
In a specific implementation, those skilled in the art may define their own data structure for saving the relevant parameters. In the embodiment, the decryption parameter data structure nas_uncipher_parameter is defined in C as follows:
Here, KSI is the 3-bit key set identifier, used to identify the root key Kasme. By comparing the KSI carried in an encrypted message with the KSI in the corresponding decryption parameter data structure, it can be determined whether the root key Kasme in the current decryption parameters can be used to decrypt this message. context_sate is the state of the UE security context; it has two states, with 0 representing NOT CURRENT and 1 representing CURRENT. cipher_algorithm_type is the encryption algorithm ID, and decryption uses the same algorithm. Knasenc is the decryption key finally obtained by calculation. uplink_nas_sqn, uplink_nas_over_flow, downlink_nas_sqn and downlink_nas_over_flow are the sequence numbers and overflow values of uplink and downlink messages respectively, used to calculate the uplink and downlink COUNT.
To establish and maintain the above decryption parameter data structure, step three pays particular attention on the S1-MME interface to the authentication and security protection procedures that occur during attach and tracking area update. The processing of the related messages is described in detail below:
1) Processing of the Attach Request or TAU Request message, see Fig. 4:
First step: capture the Attach Request message or TAU Request message on the S1-MME interface, extract the field KSI, and store the extracted key field KSI in the user context;
Second step: check whether the decryption parameter data structure of the user exists, i.e. whether a decryption parameter data structure exists in the user context; if so, go to the third step; otherwise return directly and end the procedure;
Third step: determine whether the KSI value extracted in the first step is "111". "111" indicates that the Kasme identified by the KSI is an invalid value and cannot be used for decryption. If the KSI is "111", clear the decryption parameter data structure of the user and end the procedure; otherwise go to the fourth step;
Fourth step: compare the KSI value extracted in the first step with the KSI in the decryption parameter data structure (the KSI value extracted previously). If they are equal, the decryption parameters of the user can be used for decryption, and the procedure ends. If they are not equal, the decryption parameter data structure of the user is deleted, the procedure returns directly and ends. During the first extraction of decryption parameters, the Attach Request or TAU Request message is the very first message. After the first extraction of decryption parameters has finished, however, the user has a complete decryption parameter data structure; if an Attach Request or TAU Request is then received again, the KSI of that message is extracted, and if the KSI is a valid value, the subsequent encrypted messages can be decrypted directly with the existing decryption parameters.
2) Processing of the Authentication Request/Response message pair (see Fig. 5):
Step 1: capture the Authentication Request message on the S1-MME interface, extract the fields AUTN, RAND and KSI, and store them in the user context;
Step 2: capture the Authentication Response message on the S1-MME interface, extract the field RES, and store it in the user context;
Step 3: using the AUTN, RAND and RES in the user context as the key, look up the corresponding root key Kasme in the Redis in-memory database; if it is found, go to step 4; if not, return and end the procedure;
Step 4: check whether the user's decryption parameter data structure exists; if not, create it and initialize every member to 0; otherwise simply reset its members to 0;
Step 5: write the Kasme found in step 3 into the user's decryption parameter data structure, and also write the KSI stored in the user context in step 1 into the decryption parameter data structure;
Step 6: end the procedure;
3) Processing of the Security mode Command/Complete message pair (see Fig. 6):
Step 1: capture the Security mode Command message on the S1-MME interface and extract the key fields KSI, Type of Ciphering algorithm (encryption algorithm type) and Sequence number; capture the Security mode Complete message on the S1-MME interface and extract the key field Sequence number;
Step 2: confirm that the user's decryption parameter data structure exists and that the KSI in the decryption parameters equals the KSI value extracted in step 1; if both conditions are met, go to step 3; otherwise return directly and end the procedure;
Step 3: write the fields extracted in step 1 into the decryption parameter data structure, taking care to assign Sequence number to the corresponding uplink_nas_seq or downlink_nas_seq; then set context_sate in the decryption parameters to 1, and set uplink_nas_over_flow and downlink_nas_over_flow (i.e. the NAS_OVERFLOW of the corresponding message direction) to 0;
Step 4: derive the decryption key Knasenc from the Kasme and the Type of ciphering algorithm in the decryption parameters using the standard algorithm HMAC-SHA-256, and store it in the decryption parameter data structure;
Step 5: end the procedure.
4) Processing of other messages on the S1-MME interface
These are messages unrelated to the subscriber authentication and security-protection procedures. For such messages, this embodiment extracts the Sequence number field from the message and uses it to update the corresponding field in the decryption parameter data structure, so that the COUNT value for decryption can be calculated. The specific steps are as follows:
Step 1: capture such a message on the S1-MME interface and extract the fields Security header type and Sequence number;
Step 2: confirm that the user's decryption parameter data structure exists; if it does, go to step 3; otherwise return directly and end the procedure;
Step 3: when Security header type is 2, the message is an encrypted message; write the Sequence number field extracted in step 1 into the decryption parameter data structure, and when Sequence number is 255, i.e. the maximum, add 1 to the corresponding overflow count uplink_nas_over_flow or downlink_nas_over_flow, then go to step 4. When Security header type is any other value, the message is not encrypted; return directly and end the procedure;
Step 4: end the procedure.
Step 4: extract the ciphertext part of the encrypted message and decrypt it using the decryption parameters.
With the steps above, this embodiment has completed the extraction and updating of all decryption parameters; the ciphertext is now decrypted according to those parameters. For convenience of description, assume that the current encrypted message is a downlink message. The specific steps in step 4 for decrypting the NAS ciphertext with the decryption key together with the corresponding user's decryption parameters are as follows:
1. Confirm that the decryption parameter data structure exists in the user context and that context_sate in the decryption parameters is 1, i.e. the CURRENT state, in which case decryption can continue; otherwise return and end the decryption process;
2. Calculate the COUNT value: extract downlink_nas_over_flow and downlink_nas_sqn from the decryption parameters and calculate COUNT according to formula (1);
3. Extract the data and the length (i.e. LENGTH) of the ciphertext part of the message. With reference to the inputs required by the NAS ciphering/deciphering process shown in Fig. 2 of the present invention, obtain the corresponding information from the decryption parameters and then decrypt. Here, EEA is the type of the selected encryption algorithm, obtained from cipher_algorithm_type in the decryption parameters; KEY is the decryption key Knasenc; BEARER = 0; and DIRECTION depends on the transmission direction of the NAS message to be decrypted.
The specific embodiments described herein merely illustrate the spirit of the present invention. Those skilled in the art to which the invention belongs may make various modifications or additions to the described embodiments, or substitute them in similar ways, without departing from the spirit of the invention or exceeding the scope defined by the appended claims.
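The counter tracking, key derivation and step-4 cipher inputs described above, as an added Python example that is not code from the patent. The KDF input string and the 128-EEA2 counter block layout are taken from 3GPP TS 33.401 (the page only names HMAC-SHA-256), the function names are hypothetical, and computing COUNT before incrementing the overflow counter is this example's ordering.

```python
import hashlib
import hmac
from dataclasses import dataclass

UPLINK, DOWNLINK = 0, 1   # DIRECTION input of the cipher

@dataclass
class DecipherParams:     # member names as spelled on the page
    KSI: int = 0
    Kasme: bytes = b""
    context_sate: int = 0             # 0 = NOT CURRENT, 1 = CURRENT
    cipher_algorithm_type: int = 0
    Knasenc: bytes = b""
    uplink_nas_sqn: int = 0
    uplink_nas_over_flow: int = 0
    downlink_nas_sqn: int = 0
    downlink_nas_over_flow: int = 0

def derive_knasenc(kasme: bytes, alg_id: int) -> bytes:
    """KDF per TS 33.401 Annex A.7 (assumed source; the page only names HMAC-SHA-256)."""
    # S = FC(0x15) || P0 (0x01 = NAS-enc-alg) || L0 || P1 (algorithm id) || L1
    s = bytes([0x15, 0x01, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(kasme, s, hashlib.sha256).digest()[-16:]  # 128 least significant bits

def on_security_mode(p, ksi, alg_id, dl_sqn, ul_sqn):
    """Security mode Command/Complete pair: activate the context and derive the key."""
    if p is None or p.KSI != ksi:
        return False                   # no structure, or KSI mismatch: leave state alone
    p.cipher_algorithm_type = alg_id
    p.downlink_nas_sqn, p.uplink_nas_sqn = dl_sqn, ul_sqn
    p.downlink_nas_over_flow = p.uplink_nas_over_flow = 0
    p.context_sate = 1
    p.Knasenc = derive_knasenc(p.Kasme, alg_id)
    return True

def nas_count(overflow: int, sqn: int) -> int:
    """COUNT = 0x00 | NAS_OVERFLOW << 8 | NAS_SQN (32 bits, top octet zero)."""
    return ((overflow & 0xFFFF) << 8) | (sqn & 0xFF)

def on_nas_message(p, direction, security_header_type, sqn):
    """Other S1-MME messages: update the counters, return the cipher inputs or None."""
    if p is None or p.context_sate != 1 or security_header_type != 2:
        return None                    # not an encrypted message, or no CURRENT context
    side = "downlink" if direction == DOWNLINK else "uplink"
    overflow = getattr(p, side + "_nas_over_flow")
    setattr(p, side + "_nas_sqn", sqn)
    count = nas_count(overflow, sqn)   # this message still uses the old overflow value
    if sqn == 255:                     # wrap: later messages use overflow + 1
        setattr(p, side + "_nas_over_flow", (overflow + 1) & 0xFFFF)
    return {"EEA": p.cipher_algorithm_type, "KEY": p.Knasenc, "COUNT": count,
            "BEARER": 0, "DIRECTION": direction}

def eea2_counter_block(count: int, bearer: int, direction: int) -> bytes:
    """Initial AES-CTR block for 128-EEA2: COUNT || BEARER(5) || DIRECTION(1) || zeros."""
    return count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2)]) + bytes(11)

if __name__ == "__main__":
    # Constructed sample: a made-up Kasme and KSI, as stored after the authentication step.
    p = DecipherParams(KSI=3, Kasme=bytes(range(32)))
    on_security_mode(p, ksi=3, alg_id=2, dl_sqn=0, ul_sqn=0)
    for sqn in (254, 255, 0):
        inputs = on_nas_message(p, DOWNLINK, 2, sqn)
        print(sqn, hex(inputs["COUNT"]), eea2_counter_block(inputs["COUNT"], 0, DOWNLINK).hex())
```

Because the overflow counter advances only when the message carrying sequence number 255 is seen, a capture gap around the wrap leaves COUNT one overflow behind, and decryption fails until the parameters are rebuilt by a new authentication and security mode exchange.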

Claims (1)

1. A non-access stratum (NAS) decryption method for real-time signaling monitoring of an LTE core network, characterized in that it comprises the following steps:
Step 1: extract and save the parameters related to NAS decryption from the S6a interface, including the authentication token AUTN, the random access parameter RAND, the expected result parameter XRES and the root key Kasme;
Step 1 is implemented as follows:
Capture the authentication information message pair Authentication Information Request/Answer on the S6a interface and parse out multiple groups of authentication vectors, each group comprising the authentication token AUTN, the random access parameter RAND, the expected result parameter XRES and the root key Kasme;
Update the in-memory database with the authentication vectors obtained; the in-memory database stores the correspondence between AUTN, RAND, XRES and Kasme, with the combination of AUTN, RAND and XRES of each authentication vector group as the key and the Kasme of that group as the value;
Step 2: manage the user context through S1AP-layer messages on the S1-MME interface;
In step 2, management of the user context through S1AP-layer signaling on the S1-MME interface is implemented as follows:
On the S1-MME interface, hash table 1 is built with the combination of MME-UE-S1AP-ID and the MME's IP address as the key, hash table 2 is built with S-TMSI as the key, and hash table 3 is built with IMSI as the key; all three hash tables store user context pointers;
The keys of hash table 1 and hash table 2, keyed by MME-UE-S1AP-ID and S-TMSI respectively, are maintained dynamically, with new key values replacing old ones; S-TMSI and IMSI are stored in the user context, filled with all 1s by default when absent, so that the three hash tables are associated with one another;
Here, MME-UE-S1AP-ID is the MME-side identifier of the UE, MME is the mobility management entity, S-TMSI is the temporary mobile subscriber identity, and IMSI is the international mobile subscriber identity;
Step 3: extract the parameters related to NAS decryption from NAS-layer messages on the S1-MME interface, and calculate the decryption key Knasenc from the root key Kasme obtained in step 1;
In step 3, the extracted parameters related to NAS decryption are stored in a decryption parameter data structure, which comprises the decryption parameters KSI, Kasme, context_sate, cipher_algorithm_type, Knasenc, uplink_nas_sqn, uplink_nas_over_flow, downlink_nas_sqn and downlink_nas_over_flow, where:
KSI is the key set identifier, used to identify the root key Kasme;
context_sate is the state of the UE security context, with 0 denoting NOT CURRENT and 1 denoting CURRENT;
cipher_algorithm_type is the ID of the encryption and decryption algorithm used;
uplink_nas_sqn, uplink_nas_over_flow, downlink_nas_sqn and downlink_nas_over_flow are the sequence numbers and overflow values of uplink and downlink messages respectively, used to calculate the uplink and downlink COUNT, where COUNT is the message sequence number;
In step 3, the process of extracting the parameters related to NAS decryption from NAS-layer messages on the S1-MME interface comprises: processing of the attach request message Attach Request or the tracking area update request Tau Request; processing of the authentication message pair Authentication Request/Response; processing of the security mode message pair Security mode Command/Complete; and processing of other messages on the S1-MME interface;
Processing of the attach request message Attach Request or the tracking area update request Tau Request comprises the following steps:
Step A01: capture the attach request message Attach Request or the tracking area update request Tau Request on the S1-MME interface, extract the key field KSI and store it in the user context;
Step A02: check whether a decryption parameter data structure exists in the corresponding user context; if so, go to step A03; otherwise return directly and end the procedure;
Step A03: check whether the KSI value extracted in step A01 is an invalid value; if so, clear the decryption parameter data structure of the corresponding user and end the procedure; otherwise go to step A04;
Step A04: compare the KSI value extracted in step A01 with the KSI in the decryption parameter data structure; if they are equal, the decryption parameters of the corresponding user can be used for decryption, and the procedure ends; if they are not equal, delete the decryption parameter data structure of the corresponding user and end the procedure;
Processing of the authentication message pair Authentication Request/Response comprises the following steps:
Step B01: capture the authentication request message Authentication Request on the S1-MME interface, extract the fields AUTN, RAND and KSI, and store them in the user context;
Step B02: capture the authentication response message Authentication Response on the S1-MME interface, extract the field RES, and store it in the user context;
Step B03: using the AUTN, RAND and RES in the user context as the key, look up the corresponding key Kasme in the in-memory database; if it is found, go to step B04; if not, return and end the procedure;
Step B04: check whether the decryption parameter data structure of the corresponding user exists; if not, create it and initialize every member to 0; otherwise simply reset its members to 0;
Step B05: write the Kasme found in step B03 into the decryption parameter data structure of the corresponding user, and also write the KSI stored in the user context in step B01 into the decryption parameter data structure;
Step B06: end the procedure;
Processing of the security mode message pair Security mode Command/Complete comprises the following steps:
Step C01: capture the security mode command message Security mode Command on the S1-MME interface and extract the key fields KSI, Type of ciphering algorithm and Sequence number, where Type of ciphering algorithm is the encryption algorithm type and Sequence number is the sequence number; capture the security mode complete message Security mode Complete on the S1-MME interface and extract the key field Sequence number;
Step C02: confirm that the decryption parameter data structure of the corresponding user exists and that the KSI in the decryption parameters equals the KSI value extracted in step C01; if both conditions are met, go to step C03; otherwise return directly and end the procedure;
Step C03: write the fields extracted in step C01 into the decryption parameter data structure, including assigning Sequence number to the corresponding uplink_nas_seq or downlink_nas_seq; then set context_sate in the decryption parameters to 1, and set uplink_nas_over_flow and downlink_nas_over_flow to 0;
Step C04: derive the decryption key Knasenc from the Kasme and the Type of ciphering algorithm in the decryption parameters using the standard algorithm HMAC-SHA-256, and store it in the decryption parameter data structure;
Step C05: end the procedure;
Processing of other messages on the S1-MME interface comprises the following steps:
Step D01: capture such other messages on the S1-MME interface and extract the fields Security header type and Sequence number, where Security header type is the security header type;
Step D02: confirm that the decryption parameter data structure of the corresponding user exists; if it does, go to step D03; otherwise return directly and end the procedure;
Step D03: when Security header type is 2, the corresponding message is an encrypted message; write the Sequence number field extracted in step D01 into the decryption parameter data structure, and when Sequence number is 255, i.e. the maximum, add 1 to the corresponding overflow count uplink_nas_over_flow or downlink_nas_over_flow, then go to step D04. When Security header type is any other value, the message is not encrypted; return directly and end the procedure;
Step D04: end the procedure;
Step 4: extract the ciphertext part of the encrypted message and decrypt it using the parameters related to decryption;
Step 4 is implemented as follows:
Confirm that the decryption parameter data structure exists in the corresponding user context and that context_sate in the decryption parameters is 1;
Calculate the COUNT value: extract downlink_nas_over_flow and downlink_nas_sqn from the decryption parameters to obtain the counter NAS_OVERFLOW for the corresponding message direction, and calculate COUNT according to the following formula:
COUNT = 0x00 | NAS_OVERFLOW << 8 | NAS_SQN
where NAS_SQN is an 8-bit sequence number with a maximum of 255, and NAS_OVERFLOW is a 16-bit counter that is incremented by 1 whenever NAS_SQN reaches its maximum;
Extract the data and length of the ciphertext part of the encrypted message, obtain the encryption algorithm type and the decryption key Knasenc from the decryption parameters, and then decrypt.
CN201410307424.2A 2014-06-30 2014-06-30 The Non-Access Stratum decryption method of the real-time monitoring signaling of LTE core network Active CN104038934B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410307424.2A CN104038934B (en) 2014-06-30 2014-06-30 The Non-Access Stratum decryption method of the real-time monitoring signaling of LTE core network


Publications (2)

Publication Number Publication Date
CN104038934A CN104038934A (en) 2014-09-10
CN104038934B true CN104038934B (en) 2017-08-08

Family

ID=51469492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410307424.2A Active CN104038934B (en) 2014-06-30 2014-06-30 The Non-Access Stratum decryption method of the real-time monitoring signaling of LTE core network

Country Status (1)

Country Link
CN (1) CN104038934B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant