WO2009117949A1 - A method for enhancing network communication security and a wireless accessing apparatus - Google Patents

A method for enhancing network communication security and a wireless accessing apparatus Download PDF

Info

Publication number
WO2009117949A1
WO2009117949A1 PCT/CN2009/070986 CN2009070986W WO2009117949A1 WO 2009117949 A1 WO2009117949 A1 WO 2009117949A1 CN 2009070986 W CN2009070986 W CN 2009070986W WO 2009117949 A1 WO2009117949 A1 WO 2009117949A1
Authority
WO
WIPO (PCT)
Prior art keywords
channel
channel switching
switching information
mobile terminal
network
Prior art date
Application number
PCT/CN2009/070986
Other languages
French (fr)
Chinese (zh)
Inventor
刘绍峰
郭江
郇海滨
陈颖浩
翁武林
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2009117949A1 publication Critical patent/WO2009117949A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security

Definitions

  • the present invention relates to the field of wireless communications, and in particular, to a method for enhancing network communication security and a wireless access device. Background technique
  • ciphertext attack In this attack mode, even if the illegal network intruder does not guess the content of the message, the relationship between the redundancy check code and the message content when the air interface signaling message is encoded may be used to establish a system of equations, and Continuously collect signaling to eliminate the element. If an illegal network intruder collects sufficient signaling messages, it can initiate a ciphertext attack and also crack the session Kc with a high probability.
  • the GSM system In the process of call setup, the GSM system generally allocates a Stand-alone Dedicated Control Channel (SDCCH), and allocates a Traffic Channel (TCH) through a channel assignment command on the SDCCH channel. Therefore, if an illegal network intruder successfully tracks a call of a certain user, it will consider first completing the crack on the SDCCH, and acquiring the information of the TCH channel allocated for the user on the SDCCH, thereby tracking the specific TCH channel, and acquiring User's call information.
  • SDCCH Stand-alone Dedicated Control Channel
  • TCH Traffic Channel
  • the encryption command in the GSM system is sent in clear text, and the encryption command encrypts the wireless connection.
  • the air interface signaling sent after the encryption command is transmitted in cipher text, and the signaling sequence of the transmission usually has certain characteristics. For example, for the calling party, the first downlink signaling after the encryption is completed is likely to be Call Proceeding; for the called party, the first uplink message is likely to be Call Confirmed, and the content of the message is easy to guess. In this way, the attacker may use these messages to conduct plaintext attacks and obtain the cracked plaintext.
  • system message 5bis system message 5ter
  • system message 6 system message 6
  • system message 5bis because the message content is relatively fixed
  • illegal network intruders are more likely to guess.
  • the illegal network intruder can initiate a ciphertext attack, and even if the plaintext is not guessed, sufficient system message data can be collected on a fixed channel within a certain period of time.
  • Frame using the relationship between the redundancy check code and the message content when A5 encrypts the pre-encryption signaling, establishes a system of equations, and solves the key by solving the equation.
  • the technical problem to be solved by the present invention is to provide a method and wireless access device for enhancing network communication security. It can improve the communication security of the hollow port of the GSM network.
  • an embodiment of the present invention provides a method for enhancing network communication security
  • the network is a global mobile communication system GSM network
  • the method includes: communicating with a mobile terminal at a network side
  • the network side sends channel switching information to the mobile terminal according to a preset security policy, where the security policy includes: sending the channel to the terminal periodically or irregularly. Switching information; the mobile terminal performs channel switching according to the channel switching information, and continues the communication on the switched channel.
  • an embodiment of the present invention provides a wireless access device, including: an acquiring unit, configured to acquire channel switching information and a security policy, where the channel switching information is used to indicate that a corresponding mobile terminal performs channel switching, where The security policy includes: sending the channel switching information to the mobile terminal by sending the channel switch timing to the terminal periodically or irregularly.
  • the technical solution provided by the embodiment of the present invention can make the signaling information of the mobile terminal in the GSM network not be fixedly transmitted on a certain physical channel, so that the illegal network intruder cannot collect information for a specific channel, and the efficiency of launching the attack will be Greatly reduced, so the safety of the air interface can be enhanced.
  • FIG. 1 is a schematic flow chart of a specific embodiment of a method for enhancing network communication security in the present invention
  • FIG. 2 is a schematic diagram of a specific embodiment of channel occupancy of channel switching in a cell in the present invention
  • FIG. 3 is a schematic diagram showing the composition of a specific embodiment of a network access device in the present invention. detailed description
  • FIG. 1 it is a schematic flowchart of a specific embodiment of a method for enhancing network communication security according to the present invention.
  • the method includes:
  • the network side sends channel switching information to the mobile terminal according to a preset security policy, where the security policy includes: sending the channel switching information to the terminal periodically or irregularly.
  • the network is a GSM network.
  • the security policy may include: sending the channel switching information to the terminal according to the time parameter, where the time parameter is used to indicate that the network side sends the channel switching information to the mobile terminal periodically or irregularly.
  • the time parameter may include the number of times the channel switching information is sent in one session, the interval time or the specific time, and the like. In the embodiment of the present invention, the number of times is not limited, and may be only one time or multiple times. , As the case may be.
  • the above-mentioned sending time can be specified through the list - or it can be generated according to certain rules, such as random production according to a certain probability distribution. Health.
  • the channel switching information may include a channel assignment command, a channel switching command, or other commands, and the channel switching parameter is included in the foregoing command.
  • the mobile terminal can parse out these parameters in the command and perform channel switching based on these parameters.
  • the information of the current session is generally assigned by the channel assignment command during session initialization, and in the subsequent process, when channel switching is required, the channel switching command is used to specify which channel to switch to for the session.
  • the channel assignment command, channel switching command or other command may include specific channel switching parameters in each channel switching, or may include channel switching parameters corresponding to multiple channel switching.
  • the channel switching parameter may include one of a Mobile Allocation Index Offset (MAIO), a Hopping Sequence Number (HSN), and a Training Sequence Code (TSC) parameter.
  • MAIO Mobile Allocation Index Offset
  • HSN Hopping Sequence Number
  • TSC Training Sequence Code
  • channel switching information is transmitted to the mobile terminal, and one or more of the above parameters determined according to the security policy may be included in the channel switching information.
  • the communication signaling and voice of the wireless network and the mobile terminal will be transmitted on different channels or even different frequency points, as shown in FIG.
  • the same vertical square represents the occupancy of different channels in the same period of time
  • the same horizontal square represents the occupation of different time segments of the same channel
  • the thin slash square represents different occupations occupied by different time periods in the session A.
  • Channels, black squares represent different channels occupied by different time periods in Session B.
  • MAIO Mobile allocation index offset (0 to N 1, 6 bits).
  • HSN Hopping sequence (generator) number (0 to 63, 6 bits).
  • TSC Training Sequence Code ( 0 to 7, 3bits).
  • the signaling and voice of the mobile terminal are transmitted on different channels (such as a dedicated control channel and a traffic channel), even if the illegal network intruder cracks the key of the mobile terminal in this session by guessing the plaintext, The above parameters of the mobile terminal are still not known.
  • each The signaling or voice of each mobile terminal on the physical channel is not continuously transmitted, or it is not distinguishable which signaling belongs to the mobile terminal. Therefore, other signaling of the mobile terminal cannot be cracked, and effective monitoring cannot be initiated.
  • the mobile terminal performs channel switching according to channel switching information received by the mobile terminal, and continues the communication on the switched channel. That is, as shown in FIG. 2, the mobile terminal can perform channel switching multiple times during one session, and transmit signaling or data on the switched channel.
  • the network side can be transmitted multiple times (specific number and transmission time, on which channel, etc. can be determined by the security policy).
  • the channel switching information is sent periodically or irregularly, so as shown in FIG. 1
  • the process shown in the process is an iterative process.
  • an embodiment of the present invention further provides a network side device that can notify a mobile terminal to perform channel switching periodically or irregularly, and the device may be a wireless access device in a GSM network, such as a base station.
  • FIG. 3 it is a schematic diagram of a composition of a wireless access device in an embodiment of the present invention.
  • the device includes: an obtaining unit 12, configured to acquire channel switching information and a security policy, where the channel switching information is used to indicate that the corresponding mobile terminal performs channel switching, where the security policy includes: sending the channel to the terminal periodically or irregularly
  • the switching unit 14 is configured to be used according to the obtained terminal during a call of the mobile terminal.
  • the obtaining unit 12 includes a time parameter obtaining subunit, and a time parameter obtaining subunit, configured to obtain a policy for setting a time parameter in the security policy, where the time parameter is used to indicate that the acquiring unit 12 is sent.
  • the method may further include one or more of the following subunits: a first acquiring subunit, configured to acquire a mobile allocation pointer offset parameter in the channel switching information, and a second obtaining subunit, configured to acquire frequency hopping in the channel switching information a sequence number parameter; a third acquisition subunit, configured to acquire a training sequence number parameter in the channel switching information.
  • the channel for communication between the mobile terminal and the network side is not fixed, so that the illegal network intruder cannot collect information for a specific physical channel, and the efficiency of launching the attack is greatly reduced, so that the security of the air interface can be enhanced.
  • the embodiment provided in the present invention is effective for a GSM communication network employing an encryption algorithm in A5's encryption algorithm set (e.g., A51, A52, and A53, etc.).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for enhancing network communication security is provided, and the said network is a global system for mobile communication GSM network, the method includes the following steps: during the communication process between the network side and the mobile terminal, the network side transmits the channel switching information to the mobile terminal according to the pre-configured security tactics, the security tactics includes that the channel switching information is transmitted to the terminal at definite time or indefinite time; the mobile terminal performs the channel switching according to the channel switching information, and continues the communication in the switched channel. A wireless accessing apparatus is also provided in the present invention. When the present invention is used, the communication channel of the mobile terminal in the GSM network can not be fixed in a certain physical channel, thus the illegal network intruder can not aim at the certain channel to collect the information, the efficiency of the attacking is lowered distinctly, thus the security of the air interface is enhanced.

Description

一种增强网络通讯安全性的方法和无线接入设备 本申请要求于 2008年 3月 24日提交中国专利局、申请号为 200810026974.1、 发明名称为 "一种增强网络通讯安全性的方法和无线接入设备" 的中国专利申 请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  Method for enhancing network communication security and wireless access device The application is submitted to the Chinese Patent Office on March 24, 2008, and the application number is 200810026974.1, and the invention name is "a method for enhancing network communication security and wireless connection." The priority of the Chinese patent application is incorporated herein by reference. Technical field
本发明涉及无线通讯领域, 尤其涉及一种增强网络通讯安全性的方法和无 线接入设备。 背景技术  The present invention relates to the field of wireless communications, and in particular, to a method for enhancing network communication security and a wireless access device. Background technique
目前, 在全球移动通讯系统 ( Global System for Mobile Communications , GSM ) 中空口的加密算法大部分为 A51算法。 该算法的破解算法现在主要有两 大类:  At present, most of the encryption algorithms in the Global System for Mobile Communications (GSM) air interface are A51 algorithms. The algorithm's cracking algorithm now has two main categories:
a、 明文攻击, 这种攻击模式需要攻击者截获需要的数据帧, 而且在解密之 前知道这些帧的内容, 然后利用加密前、 后的数据组成的明密文比对进行破解。 如果下行协议消息的规律比较固定, 则非法网络侵入者猜测成功的可能性就会 很大, 将会以较高的概率破解通信密钥 (Communication Key, Kc ), 从而对会 话安全造成严重的影响。  a. Plaintext attack. This attack mode requires the attacker to intercept the required data frames, and know the contents of these frames before decryption, and then use the ciphertext comparison composed of the data before and after encryption to crack. If the law of the downlink protocol message is relatively fixed, the possibility of the illegal network intruder guessing success will be great, and the communication key (Kc) will be cracked with a high probability, which will seriously affect the session security. .
b、 密文攻击, 这种攻击模式中, 非法网络侵入者即使不猜测消息的内容, 也可以利用空口信令消息编码时冗余校验码与消息内容之间的关系, 建立方程 组, 并不断收集信令来进行消元。 如果非法网络侵入者收集齐足够的信令消息, 就可以发起密文攻击, 也会以较高的概率破解会话 Kc。  b. ciphertext attack. In this attack mode, even if the illegal network intruder does not guess the content of the message, the relationship between the redundancy check code and the message content when the air interface signaling message is encoded may be used to establish a system of equations, and Continuously collect signaling to eliminate the element. If an illegal network intruder collects sufficient signaling messages, it can initiate a ciphertext attack and also crack the session Kc with a high probability.
GSM系统在呼叫建立过程中,一般首先分配独立专用控制信道(Stand-alone Dedicated Control Channel, SDCCH ), 在 SDCCH信道上通过信道指配命令完成 业务信道(Traffic Channel, TCH ) 的分配。 因此, 非法网络侵入者如果向成功 跟踪某个用户的呼叫, 会考虑首先在 SDCCH上完成破解, 并在 SDCCH上获取 到为该用户分配的 TCH信道的信息, 进而跟踪到特定的 TCH信道, 获取用户 的通话信息。  In the process of call setup, the GSM system generally allocates a Stand-alone Dedicated Control Channel (SDCCH), and allocates a Traffic Channel (TCH) through a channel assignment command on the SDCCH channel. Therefore, if an illegal network intruder successfully tracks a call of a certain user, it will consider first completing the crack on the SDCCH, and acquiring the information of the TCH channel allocated for the user on the SDCCH, thereby tracking the specific TCH channel, and acquiring User's call information.
在 GSM系统中的加密命令是以明文方式下发,该加密命令加密的是无线接 口上该加密命令后的信令, 在加密命令以后发送的空口信令都是以密文方式进 行传送的, 并且, 通常情况下传输的信令顺序具有一定特征。 例如, 对于主叫, 加密完成后的第一条下行信令很可能是 Call Proceeding; 对于被叫, 第一条上行 消息很可能是 Call Confirmed, 并且消息的内容易于猜测。 这样攻击者就有可能 利用这些消息进行明文攻击, 获得破解的明密文。 The encryption command in the GSM system is sent in clear text, and the encryption command encrypts the wireless connection. After the encryption command is sent, the air interface signaling sent after the encryption command is transmitted in cipher text, and the signaling sequence of the transmission usually has certain characteristics. For example, for the calling party, the first downlink signaling after the encryption is completed is likely to be Call Proceeding; for the called party, the first uplink message is likely to be Call Confirmed, and the content of the message is easy to guess. In this way, the attacker may use these messages to conduct plaintext attacks and obtain the cracked plaintext.
在 TCH信道上,根据协议, 网络侧会周期地在 TCH伴随的 SACCH信道上 向手机下发系统消息, 包括: 系统消息 5、 系统消息 5bis、 系统消息 5ter、 系统 消息 6。 这些消息可能被非法网络侵入者利用发起明文攻击。 例如系统消息 5、 系统消息 5bis、 系统消息 5ter, 由于消息内容相对固定, 非法网络侵入者比较容 易猜测。 另外由于这些消息都是在相对固定的信道上周期下发, 非法网络侵入 者可发起密文攻击, 即使不进行猜测明文, 也可以在一定的时间内在固定的信 道上收集齐足够的系统消息数据帧,利用 A5加密前信令编码时冗余校验码与消 息内容之间的关系, 建立方程组, 通过解方程破解密钥。  On the TCH channel, according to the protocol, the network side periodically sends system messages to the mobile phone on the SACCH channel accompanied by the TCH, including: system message 5, system message 5bis, system message 5ter, system message 6. These messages may be exploited by illegal network intruders to initiate plaintext attacks. For example, system message 5, system message 5bis, system message 5ter, because the message content is relatively fixed, illegal network intruders are more likely to guess. In addition, since these messages are sent periodically on a relatively fixed channel, the illegal network intruder can initiate a ciphertext attack, and even if the plaintext is not guessed, sufficient system message data can be collected on a fixed channel within a certain period of time. Frame, using the relationship between the redundancy check code and the message content when A5 encrypts the pre-encryption signaling, establishes a system of equations, and solves the key by solving the equation.
在本发明创造过程中, 发明人发现上述背景技术中, 由于加密完成以后的 用户信令交互仍然在原信道上进行, 同时加密完成以后部分消息的内容易于猜 测, 并且中央处理器( Central Processing Unit, CPU ) /现场可编程门阵列 ( Field Programmable Gate Array, FPGA )的运算处理能力越来越强, 价格也不断降低, 使得非法网络侵入者发起明密文攻击的成本越来越低,破解 GSM A51算法变得 曰益可能, 这严重的影响到了 GSM的空口的安全性。 虽然采用 GSM中更新的 A53加密算法能够提升 GSM的安全性,但是现网上大量的手机及设备由于硬件、 软件的限制都还不支持 A53算法,因此 ^艮多大的 GSM的运营商都要求采用不改 变 A51算法和现网移动终端的前提下, 提升 GSM的安全性。 发明内容  In the creation process of the present invention, the inventors have found that in the above background art, since the user signaling interaction after the encryption is completed is still performed on the original channel, and the content of the partial message is easy to guess after the encryption is completed, and the central processing unit (Central Processing Unit, CPU) / Field Programmable Gate Array (FPGA) has more and more powerful processing power and lower price, which makes the cost of illegal network hackers launching ciphertext attacks lower and lower. Crack GSM A51 The algorithm has become more beneficial, which seriously affects the security of the GSM air interface. Although the A53 encryption algorithm updated in GSM can improve the security of GSM, a large number of mobile phones and devices on the Internet do not support the A53 algorithm due to hardware and software limitations. Therefore, the operators of GSM are required to adopt no change. Under the premise of the A51 algorithm and the existing mobile terminal, the security of GSM is improved. Summary of the invention
本发明所要解决的技术问题在于, 提供一种用于增强网络通讯安全性的方 法和无线接入设备。 可以达到提高 GSM网络中空口的通讯安全性。  The technical problem to be solved by the present invention is to provide a method and wireless access device for enhancing network communication security. It can improve the communication security of the hollow port of the GSM network.
为了解决上述技术问题, 一方面, 本发明的实施例提供了一种增强网络通 讯安全性的方法, 所述网络为全球移动通讯系统 GSM网络, 所述方法包括: 在 网络侧与移动终端通信过程中, 所述网络侧根据预设的安全策略发送信道切换 信息至所述移动终端, 所述安全策略包括: 向终端定时或不定时发送所述信道 切换信息; 所述移动终端根据所述信道切换信息进行信道切换, 并在切换后的 信道上继续进行所述通信。。 In order to solve the above technical problem, in one aspect, an embodiment of the present invention provides a method for enhancing network communication security, the network is a global mobile communication system GSM network, and the method includes: communicating with a mobile terminal at a network side The network side sends channel switching information to the mobile terminal according to a preset security policy, where the security policy includes: sending the channel to the terminal periodically or irregularly. Switching information; the mobile terminal performs channel switching according to the channel switching information, and continues the communication on the switched channel. .
另一方面, 本发明的实施例提供了一种无线接入设备, 包括: 获取单元, 用于获取信道切换信息和安全策略, 所述信道切换信息用于指示相应的移动终 端进行信道切换, 所述安全策略包括: 向终端定时或不定时发送所述信道切换 不定时的发送所述信道切换信息至所述移动终端。  In another aspect, an embodiment of the present invention provides a wireless access device, including: an acquiring unit, configured to acquire channel switching information and a security policy, where the channel switching information is used to indicate that a corresponding mobile terminal performs channel switching, where The security policy includes: sending the channel switching information to the mobile terminal by sending the channel switch timing to the terminal periodically or irregularly.
采用本发明实施例提供的技术方案,可以使 GSM网络中的移动终端的信令 信息不固定在某一物理信道上传送, 这样非法网络侵入者就无法针对特定信道 收集信息, 发起攻击的效率将大大降低, 因此可以增强空口的安全性。 附图说明  The technical solution provided by the embodiment of the present invention can make the signaling information of the mobile terminal in the GSM network not be fixedly transmitted on a certain physical channel, so that the illegal network intruder cannot collect information for a specific channel, and the efficiency of launching the attack will be Greatly reduced, so the safety of the air interface can be enhanced. DRAWINGS
图 1 是本发明中一种增强网络通讯安全性的方法的一个具体实施例的流程 示意图;  1 is a schematic flow chart of a specific embodiment of a method for enhancing network communication security in the present invention;
图 2是本发明中在一个小区内进行信道切换的信道占用情况的一个具体实 施例的示意图;  2 is a schematic diagram of a specific embodiment of channel occupancy of channel switching in a cell in the present invention;
图 3是本发明中一种网络接入设备的一个具体实施例的组成示意图。 具体实施方式  3 is a schematic diagram showing the composition of a specific embodiment of a network access device in the present invention. detailed description
下面参考附图对本发明的实施例进行描述。 参见图 1 , 为本发明中一种增强 网络通讯安全性的方法的一个具体实施例的流程示意图。 该方法包括:  Embodiments of the present invention are described below with reference to the accompanying drawings. Referring to FIG. 1 , it is a schematic flowchart of a specific embodiment of a method for enhancing network communication security according to the present invention. The method includes:
101、 网络侧根据预设的安全策略发送信道切换信息至所述移动终端, 所述 安全策略包括: 向终端定时或不定时发送所述信道切换信息。 其中, 所述网络 为 GSM网络。  The network side sends channel switching information to the mobile terminal according to a preset security policy, where the security policy includes: sending the channel switching information to the terminal periodically or irregularly. The network is a GSM network.
在本发明的实施例中, 该安全策略中具体可包括根据时间参数向终端发送 所述信道切换信息, 该时间参数用于指明网络侧定时或不定时向所述移动终端 发送所述信道切换信息的时刻。 如, 在该时间参数中可包括在一次会话中发送 信道切换信息的次数, 间隔时间或具体时刻等, 在本发明实施例中对该次数没 有限制, 可以仅有 1 次, 也可以有多次, 视具体情况而定。 上述的发送时刻可 以通过列表——指定, 也可以根据一定规则产生, 如按一定的概率分布随机产 生。 In an embodiment of the present invention, the security policy may include: sending the channel switching information to the terminal according to the time parameter, where the time parameter is used to indicate that the network side sends the channel switching information to the mobile terminal periodically or irregularly. Moment. For example, the time parameter may include the number of times the channel switching information is sent in one session, the interval time or the specific time, and the like. In the embodiment of the present invention, the number of times is not limited, and may be only one time or multiple times. , As the case may be. The above-mentioned sending time can be specified through the list - or it can be generated according to certain rules, such as random production according to a certain probability distribution. Health.
其中, 信道切换信息可以包括信道指配命令、 信道切换命令或其他命令, 在上述的命令中包括信道切换参数。 移动终端可以解析出命令中的这些参数并 根据这些参数进行信道切换。 在会话初始化时一般通过信道指配命令指配当前 会话的信息, 而在其后的过程中, 当需要进行信道切换时, 则是通过信道切换 命令指定将要切换到哪个信道进行会话。  The channel switching information may include a channel assignment command, a channel switching command, or other commands, and the channel switching parameter is included in the foregoing command. The mobile terminal can parse out these parameters in the command and perform channel switching based on these parameters. The information of the current session is generally assigned by the channel assignment command during session initialization, and in the subsequent process, when channel switching is required, the channel switching command is used to specify which channel to switch to for the session.
上述信道指配命令、 信道切换命令或其他命令中可包括每次信道切换中的 具体的信道切换参数, 或可以包括多次信道切换对应的信道切换参数。 该信道 切换参数可包括移动分配指针偏移(Mobile Allocation Index Offset, MAIO )、 跳 频序歹 ij号 ( Hopping Sequence Number, HSN )以及训练序列号 ( Training Sequence Code, TSC )参数中的一种或多种。  The channel assignment command, channel switching command or other command may include specific channel switching parameters in each channel switching, or may include channel switching parameters corresponding to multiple channel switching. The channel switching parameter may include one of a Mobile Allocation Index Offset (MAIO), a Hopping Sequence Number (HSN), and a Training Sequence Code (TSC) parameter. A variety.
在本发明的实施例中, 向移动终端发送信道切换信息, 在该信道切换信息 中可包括根据安全策略确定的上述这些参数中的一个或多个。 这样, 在同一会 话中的不同的时刻, 无线网络与移动终端的通讯信令和语音将会在不同的信道 上, 甚至不同的频点上发送, 如图 2所示。 图 2中, 同一纵向的方块代表同一 段时间不同的信道的占用情况, 同一横向的方块代表同一信道不同时间段的占 用情况, 细斜杠方块则代表为会话 A中不同时间段占用的不同的信道, 黑方块 则代表会话 B中不同时间段占用的不同的信道。  In an embodiment of the invention, channel switching information is transmitted to the mobile terminal, and one or more of the above parameters determined according to the security policy may be included in the channel switching information. Thus, at different times in the same session, the communication signaling and voice of the wireless network and the mobile terminal will be transmitted on different channels or even different frequency points, as shown in FIG. In FIG. 2, the same vertical square represents the occupancy of different channels in the same period of time, the same horizontal square represents the occupation of different time segments of the same channel, and the thin slash square represents different occupations occupied by different time periods in the session A. Channels, black squares represent different channels occupied by different time periods in Session B.
上述三种参数的取值范围可参考如下:  The range of values of the above three parameters can be referred to as follows:
MAIO: Mobile allocation index offset (0 to N 1, 6 bits)。  MAIO: Mobile allocation index offset (0 to N 1, 6 bits).
HSN: Hopping sequence (generator) number (0 to 63, 6 bits)。  HSN: Hopping sequence (generator) number (0 to 63, 6 bits).
TSC: Training Sequence Code ( 0 to 7, 3bits)。  TSC: Training Sequence Code ( 0 to 7, 3bits).
由于这些参数的下发都是通过加密后的信令发送的, 非法网络侵入者如果 不知道这些参数, 就无法获知下一个时刻下一个加密信令将在哪个信道上发送, 也就无法发起攻击。在一个小区中,这些参数的可能的组合共有 8(TSC) *64(HSN) *3(MAI0) *8(channel) =12288种之多, 所以非法网络侵入者也不可能通过猜测 参数获知下一时刻信令会在哪个信道上发送。  Since the sending of these parameters is sent through the encrypted signaling, if the illegal network intruder does not know these parameters, it cannot know which channel the next encrypted signaling will be sent at the next moment, and the attack cannot be launched. . In a cell, the possible combinations of these parameters are 8 (TSC) * 64 (HSN) * 3 (MAI0) * 8 (channel) = 12288, so illegal network intruders are not likely to know by guessing parameters. On which channel the signaling will be sent at a time.
另外一方面, 由于移动终端的信令和语音分散在不同的信道(如专用控制 信道和业务信道)上发送, 即使非法网络侵入者通过猜测明文方式破解了移动 终端本次会话的密钥, 但是还是无法获知移动终端的上述这些参数。 由于每个 物理信道上每个移动终端的信令或语音都不是连续发送的, 还是区分不了哪些 信令是属于该移动终端的, 因此无法破解该移动终端的其他信令, 也无法发起 有效的监听。 On the other hand, since the signaling and voice of the mobile terminal are transmitted on different channels (such as a dedicated control channel and a traffic channel), even if the illegal network intruder cracks the key of the mobile terminal in this session by guessing the plaintext, The above parameters of the mobile terminal are still not known. As each The signaling or voice of each mobile terminal on the physical channel is not continuously transmitted, or it is not distinguishable which signaling belongs to the mobile terminal. Therefore, other signaling of the mobile terminal cannot be cracked, and effective monitoring cannot be initiated.
102、 所述移动终端根据其接收的信道切换信息进行信道切换, 并在切换后 的信道上继续进行所述通信。 即, 如图 2所示, 在一次会话过程中移动终端可 以多次进行信道切换, 在切换后的信道上传输信令或数据。  102. The mobile terminal performs channel switching according to channel switching information received by the mobile terminal, and continues the communication on the switched channel. That is, as shown in FIG. 2, the mobile terminal can perform channel switching multiple times during one session, and transmit signaling or data on the switched channel.
同时, 需要说明的是在一次会话中, 网络侧可以多次(具体次数和发送时 刻, 在哪个信道上发送等都可由安全策略进行确定) 定时或不定时的发送信道 切换信息, 所以如图 1中所示的流程是个可反复进行的过程。  At the same time, it should be noted that in one session, the network side can be transmitted multiple times (specific number and transmission time, on which channel, etc. can be determined by the security policy). The channel switching information is sent periodically or irregularly, so as shown in FIG. 1 The process shown in the process is an iterative process.
相应的, 本发明的实施例还提供了一种可定时或不定时通知移动终端进行 信道切换的网络侧设备, 该设备可以是 GSM网络中的无线接入设备, 如基站。 如图 3 所示, 为本发明实施例中的无线接入设备的一种组成示意图。 该设备包 括: 获取单元 12, 用于获取信道切换信息和安全策略, 所述信道切换信息用于 指示相应的移动终端进行信道切换, 所述安全策略包括: 向终端定时或不定时 发送所述信道切换信息; 发送单元 14, 用于在移动终端通话过程中根据所述获 端。  Correspondingly, an embodiment of the present invention further provides a network side device that can notify a mobile terminal to perform channel switching periodically or irregularly, and the device may be a wireless access device in a GSM network, such as a base station. As shown in FIG. 3, it is a schematic diagram of a composition of a wireless access device in an embodiment of the present invention. The device includes: an obtaining unit 12, configured to acquire channel switching information and a security policy, where the channel switching information is used to indicate that the corresponding mobile terminal performs channel switching, where the security policy includes: sending the channel to the terminal periodically or irregularly The switching unit 14 is configured to be used according to the obtained terminal during a call of the mobile terminal.
其中, 所述获取单元 12包括时间参数获取子单元, 时间参数获取子单元, 用于获取所述安全策略中设定时间参数的策略, 所述时间参数用于指明所述发 所述获取单元 12还可包括下述子单元中一个或多个: 第一获取子单元, 用 于获取信道切换信息中的移动分配指针偏移参数; 第二获取子单元, 用于获取 信道切换信息中的跳频序列号参数; 第三获取子单元, 用于获取信道切换信息 中的训练序列号参数。  The obtaining unit 12 includes a time parameter obtaining subunit, and a time parameter obtaining subunit, configured to obtain a policy for setting a time parameter in the security policy, where the time parameter is used to indicate that the acquiring unit 12 is sent. The method may further include one or more of the following subunits: a first acquiring subunit, configured to acquire a mobile allocation pointer offset parameter in the channel switching information, and a second obtaining subunit, configured to acquire frequency hopping in the channel switching information a sequence number parameter; a third acquisition subunit, configured to acquire a training sequence number parameter in the channel switching information.
在本实施例中对上述信息、 策略和参数的定义和解释与前述方法中的一致。 在本发明的实施例中, 移动终端与网络侧通讯的信道不固定, 这样非法网 络侵入者就无法针对特定的物理信道收集信息, 发起攻击的效率将大大降低, 因此可以增强空口的安全性。本发明中提供的实施例对于采用 A5的加密算法集 (如 A51、 A52以及 A53等) 中的加密算法的 GSM通讯网络都是有效的。  The definition and interpretation of the above information, policies, and parameters in this embodiment are consistent with those in the foregoing methods. In the embodiment of the present invention, the channel for communication between the mobile terminal and the network side is not fixed, so that the illegal network intruder cannot collect information for a specific physical channel, and the efficiency of launching the attack is greatly reduced, so that the security of the air interface can be enhanced. The embodiment provided in the present invention is effective for a GSM communication network employing an encryption algorithm in A5's encryption algorithm set (e.g., A51, A52, and A53, etc.).
以上所揭露的仅为本发明的实施例而已, 当然不能以此来限定本发明之权 利范围, 因此依本发明权利要求所作的等同变化, 仍属本发明所涵盖的范围 The above is only the embodiment of the present invention, and of course, the right to the present invention cannot be limited thereby. The scope of the invention is therefore within the scope of the invention.

Claims

权 利 要 求 Rights request
1、 一种增强网络通讯安全性的方法, 所述网络为全球移动通讯系统 GSM 网络, 其特征在于, 所述方法包括:  A method for enhancing network communication security, the network being a global mobile communication system GSM network, wherein the method comprises:
在网络侧与移动终端通信过程中, 所述网络侧根据预设的安全策略发送信 道切换信息至所述移动终端, 所述安全策略包括: 向终端定时或不定时发送所 述信道切换信息;  In the process of the network side communicating with the mobile terminal, the network side sends the channel switching information to the mobile terminal according to the preset security policy, where the security policy includes: sending the channel switching information to the terminal periodically or irregularly;
所述移动终端根据所述信道切换信息进行信道切换, 并在切换后的信道上 继续进行所述通信。  The mobile terminal performs channel switching according to the channel switching information, and continues the communication on the switched channel.
2、 如权利要求 1所述的方法, 其特征在于, 所述向终端定时或不定时发送 所述信道切换信息包括: 2. The method according to claim 1, wherein the transmitting the channel switching information to the terminal periodically or irregularly comprises:
根据时间参数向终端发送所述信道切换信息, 其中, 所述时间参数用于指  Transmitting, by the time parameter, the channel switching information to the terminal, where the time parameter is used to refer to
3、 如权利要求 2所述的方法, 其特征在于, 所述信道切换信息包括信道指 配命令或信道切换命令。 3. The method of claim 2, wherein the channel switching information comprises a channel assignment command or a channel switch command.
4、 如权利要求 3所述的方法, 其特征在于, 所述信道指配命令或信道切换 命令中包括信道切换参数, 所述信道切换参数包括移动分配指针偏移、 跳频序 列号以及训练序列号参数中的一种或多种。 The method according to claim 3, wherein the channel assignment command or the channel handover command includes a channel handover parameter, and the channel handover parameter includes a mobile allocation pointer offset, a frequency hopping sequence number, and a training sequence. One or more of the number parameters.
5、 如权利要求 1至 4中任一项所述的方法, 其特征在于, 所述信道包括专 用控制信道或 /和业务信道。 The method of any of claims 1 to 4, wherein the channel comprises a dedicated control channel or/and a traffic channel.
6、 一种无线接入设备, 其特征在于, 所述设备包括: A wireless access device, the device comprising:
获取单元, 用于获取信道切换信息和安全策略, 所述信道切换信息用于指 示相应的移动终端进行信道切换, 所述安全策略包括: 向终端定时或不定时发 送所述信道切换信息;  An acquiring unit, configured to acquire channel switching information and a security policy, where the channel switching information is used to indicate that the corresponding mobile terminal performs channel switching, where the security policy includes: sending the channel switching information to the terminal periodically or irregularly;
发送单元, 用于在移动终端通话过程中根据所述获取单元获取的安全策略 定时或不定时的发送所述信道切换信息至所述移动终端。 a sending unit, configured to acquire a security policy according to the acquiring unit during a call of the mobile terminal The channel switching information is sent to the mobile terminal periodically or irregularly.
7、 如权利要求 6所述的设备, 其特征在于, 所述获取单元包括: 时间参数获取子单元, 用于获取所述安全策略中设定时间参数的策略, 所 切换信息的时刻。 The device according to claim 6, wherein the acquiring unit comprises: a time parameter obtaining subunit, configured to acquire a policy for setting a time parameter in the security policy, and a time at which the information is switched.
8、 如权利要求 6或 7所述的设备, 其特征在于, 所述获取单元还包括下述 子单元中一个或多个: The device according to claim 6 or 7, wherein the obtaining unit further comprises one or more of the following subunits:
第一获取子单元, 用于获取信道切换信息中的移动分配指针偏移参数; 第二获取子单元, 用于获取信道切换信息中的跳频序列号参数;  a first acquiring subunit, configured to acquire a mobile allocation pointer offset parameter in the channel switching information, and a second acquiring subunit, configured to acquire a frequency hopping sequence number parameter in the channel switching information;
第三获取子单元, 用于获取信道切换信息中的训练序列号参数。  And a third acquiring subunit, configured to acquire a training sequence number parameter in the channel switching information.
PCT/CN2009/070986 2008-03-24 2009-03-24 A method for enhancing network communication security and a wireless accessing apparatus WO2009117949A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008100269741A CN101277528B (en) 2008-03-24 2008-03-24 Method for reinforcing network communication security and wireless access equipment
CN200810026974.1 2008-03-24

Publications (1)

Publication Number Publication Date
WO2009117949A1 true WO2009117949A1 (en) 2009-10-01

Family

ID=39996457

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070986 WO2009117949A1 (en) 2008-03-24 2009-03-24 A method for enhancing network communication security and a wireless accessing apparatus

Country Status (2)

Country Link
CN (1) CN101277528B (en)
WO (1) WO2009117949A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101277528B (en) * 2008-03-24 2012-02-22 华为技术有限公司 Method for reinforcing network communication security and wireless access equipment
WO2013060227A1 (en) * 2011-10-27 2013-05-02 华为技术有限公司 Channel associated system message transmission method and base transceiver station

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5535425A (en) * 1994-03-01 1996-07-09 Fujitsu Limited Channel switching control in mobile telecommunication system
CN1269953A (en) * 1997-07-04 2000-10-11 艾利森电话股份有限公司 Method and arrangement relating to radio communication systems
JP2001346243A (en) * 2000-06-05 2001-12-14 Denso Corp Wireless communication terminal and wireless communication system
CN1482832A (en) * 2002-09-10 2004-03-17 ��Ϊ�������޹�˾ Method for safety switching of mobile terminal between wireless local net access nodes
CN1725663A (en) * 2004-07-22 2006-01-25 艾勒博科技股份有限公司 Wireless communication system and channel changing method thereof
JP2007288739A (en) * 2006-04-20 2007-11-01 Ntt Docomo Inc Mobile communication terminal and channel switching control method
CN101277528A (en) * 2008-03-24 2008-10-01 华为技术有限公司 Method for reinforcing network communication security and wireless access equipment

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5535425A (en) * 1994-03-01 1996-07-09 Fujitsu Limited Channel switching control in mobile telecommunication system
CN1269953A (en) * 1997-07-04 2000-10-11 艾利森电话股份有限公司 Method and arrangement relating to radio communication systems
JP2001346243A (en) * 2000-06-05 2001-12-14 Denso Corp Wireless communication terminal and wireless communication system
CN1482832A (en) * 2002-09-10 2004-03-17 ��Ϊ�������޹�˾ Method for safety switching of mobile terminal between wireless local net access nodes
CN1725663A (en) * 2004-07-22 2006-01-25 艾勒博科技股份有限公司 Wireless communication system and channel changing method thereof
JP2007288739A (en) * 2006-04-20 2007-11-01 Ntt Docomo Inc Mobile communication terminal and channel switching control method
CN101277528A (en) * 2008-03-24 2008-10-01 华为技术有限公司 Method for reinforcing network communication security and wireless access equipment

Also Published As

Publication number Publication date
CN101277528A (en) 2008-10-01
CN101277528B (en) 2012-02-22

Similar Documents

Publication Publication Date Title
Thantharate et al. Secure5G: A deep learning framework towards a secure network slicing in 5G and beyond
AU2010201991B2 (en) Method and apparatus for security protection of an original user identity in an initial signaling message
Zou et al. A survey on wireless security: Technical challenges, recent advances, and future trends
JP4475377B2 (en) Wireless communication system, common key management server, and wireless terminal device
Rupprecht et al. Call me maybe: Eavesdropping encrypted {LTE} calls with {ReVoLTE}
CN101631309B (en) Method, device and system for authenticating terminal based on home base station network
WO2010127539A1 (en) Method and system for authenticating accessing to stream media service
CN105577365A (en) Key consultation method and device for user' access to WLAN
CN108235300B (en) Method and system for protecting user data security of mobile communication network
EP2263395B1 (en) Improving security in telecommunications systems
CN101166177B (en) A method and system for initialization signaling transmission at non access layer
CN104010310A (en) Heterogeneous network unified authentication method based on physical layer safety
Sharma et al. Detection and prevention of de-authentication attack in real-time scenario
CN102833739A (en) Method, device and system for transmitting initial non access stratum messages
WO2009117949A1 (en) A method for enhancing network communication security and a wireless accessing apparatus
Saedy et al. Ad Hoc M2M Communications and security based on 4G cellular system
US20040032858A1 (en) Method for handling ciphering status in a wireless network
CN102497634B (en) Method for strengthening network communication security and wireless access device
CN101252785B (en) Wireless communication method, system and base station
CN102612027B (en) Safety transmission method of data in wireless communication system
Peter et al. A secure dynamic cryptographic and encryption protocol for wireless networks
Rajavelsamy et al. Novel Differentiated Integrity Protection for Enhancing Performance of Beyond 5G Systems
EP2381613B1 (en) Enhancing security of communication systems
Sudhakar et al. Group Anonymous D2D Authenticated Key Exchange Protocol for Mobile Networks
CN105101184A (en) Mobile terminal communication method and system based on bluetooth encryption

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09724555

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09724555

Country of ref document: EP

Kind code of ref document: A1