WO2018001278A1 - Base station redirection method and base station redirection device - Google Patents


Info

Publication number
WO2018001278A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
security level
message
redirection
module
Application number
PCT/CN2017/090598
Other languages
French (fr)
Chinese (zh)
Inventor
黄琳
张婉桥
杨卿
Original Assignee
北京奇虎科技有限公司
Priority claimed from CN201610509881.9A (CN106211157B)
Priority claimed from CN201610509773.1A (CN106060826A)
Application filed by 北京奇虎科技有限公司
Publication of WO2018001278A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/14 Reselecting a network or an air interface
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the present invention relates to the field of communication security technologies, and in particular, to a base station redirection method and a base station redirection device.
  • the redirection means that the network side informs the user equipment (UE) of a target base station by a redirection command, so that the UE searches for that base station according to the information and accesses it.
  • UE user equipment
  • when the UE is connected to a certain base station and the base station's load is too high, a redirection instruction is sent to the UE, so that the UE accesses a base station with a lower load. However, due to a defect of the communication protocol, the UE may also receive a redirection instruction from a pseudo base station. If the UE connects to the base station to which the pseudo base station's redirection command points, the UE may face a great security risk.
  • the technical problem to be solved by the present invention is how to timely and effectively control the program running by the script.
  • a base station redirection method comprising:
  • when receiving the packet, the base station redirection method further includes:
  • a base station redirection apparatus including:
  • a packet receiving module configured to receive a packet redirected by the first base station to the second base station
  • a search module configured to search for a third base station other than the first base station and the second base station when the message receiving module receives a message redirected to the second base station;
  • a connection establishing module is configured to establish a communication connection with the third base station.
  • a base station redirection method including:
  • when the first base station fails to pass the authentication and a packet redirecting from the first base station to the second base station is received, searching for a third base station other than the first base station and the second base station;
  • a base station redirection apparatus including:
  • An authentication module configured to authenticate the first base station
  • a search module configured to: when the first base station fails to pass the authentication, search for a third base station other than the first base station and the second base station upon receiving a message redirected from the first base station to the second base station;
  • connection module configured to establish a communication connection with the third base station.
  • a computer program comprising computer readable code which, when run on a computer, causes the computer to perform the base station redirection method according to any one of the claims.
  • a tracking area update request packet can be sent to the first base station, and whether the first base station is a pseudo base station is determined according to whether the first base station returns a request rejection message; when the first base station is not a pseudo base station, a communication connection is established with it, that is, with the base station having the highest signal strength in the area;
  • the base station being accessed may be authenticated first, and the redirect message sent by that base station received afterwards, so that whether the base station being accessed is a pseudo base station is first determined according to the authentication result; if it is a pseudo base station, access to the base station to which its redirect message points can be avoided, and base stations other than the pseudo base station and the one its redirect message points to can be searched for, ensuring secure access to a base station;
  • FIG. 1 is a schematic flow chart showing a method for redirecting a base station according to an embodiment of the present invention.
  • FIG. 2 is a schematic flow chart of a method for redirecting a base station according to another embodiment of the present invention.
  • FIG. 3 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 4 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 5 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 6 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 11 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 13 is a schematic flowchart of a method for redirecting a base station according to an embodiment of the present invention.
  • FIG. 14 is a schematic flowchart of a method for redirecting a base station according to another embodiment of the present invention.
  • FIG. 15 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 16 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 17 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention.
  • FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention.
  • FIG. 20 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 21 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 22 is a block diagram schematically showing the structure of a computer for performing a base station redirection method according to the present invention.
  • Figure 23 schematically illustrates a storage unit for holding or carrying program code that implements base station redirection in accordance with the present invention.
  • the terms “terminal” and “terminal device” used herein include a wireless signal receiver device, a device having only a wireless signal receiver without transmitting capability, and a device having both receiving and transmitting hardware.
  • Such devices may include cellular or other communication devices with a single-line display or a multi-line display, or without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax, and/or data communication capabilities; PDAs (Personal Digital Assistant), which can include radio frequency receivers, pagers, Internet/Intranet access, web browsers, notepads, calendars, and/or GPS (Global Positioning System) receivers; and conventional laptop and/or palmtop computers or other devices that include a radio frequency receiver.
  • PCS Personal Communications Service
  • PDA Personal Digital Assistant
  • the terminal may be portable, transportable, installed in a vehicle (aviation, sea and/or land), or adapted and/or configured to operate locally and/or to run in a distributed form at any other location on Earth and/or in space.
  • the “terminal” and “terminal device” used herein may also be a communication terminal, an internet terminal or a music/video playing terminal, for example a PDA, a MID (Mobile Internet Device), and/or a mobile phone with music/video playback functions, and may also be a smart TV, a set-top box or another device.
  • the concepts of server, cloud, remote network device and the like used herein have equivalent effects, including but not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers.
  • the cloud is based on cloud computing (Cloud Computing)
  • the communication between the remote network device, the terminal device and the WNS server can be implemented by any communication method, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on the Bluetooth and infrared transmission standards.
  • the operation of the user equipment to receive the redirect message of the base station is performed before the authentication operation.
  • the signal strength of the base station in the area is generally detected, and the base station with the highest signal strength is selected to try to access.
  • the user equipment initiates a Tracking Area Update Request message to the base station. If the base station needs to redirect the user equipment, it returns a reject message for the tracking area update request.
  • after receiving the reject message for the tracking area update request, the user equipment transmits a connection request (Attach Request) message to the base station, where the connection request message carries the IMSI (International Mobile Subscriber Identity) of the user equipment; after collecting the IMSI, the base station rejects the packet and sends a Radio Resource Control (RRC) redirection packet to the user equipment, instructing it to connect to another base station.
  • connection request carries the IMSI (International Mobile Subscriber Identity) of the user equipment
  • RRC Radio Resource Control
  • in the prior art the user equipment does not authenticate the base station when receiving the redirection packet, and therefore attempts to access the base station pointed to by a pseudo base station's redirection packet; that base station may itself be a pseudo base station, or a normal base station with a lower security level. Therefore, once the user equipment follows the redirection packet of a pseudo base station, its security faces great hidden dangers, such as theft of user information and call records, and receipt of harassing text messages and scam messages.
  • FIG. 1 is a schematic flow chart of a method for redirecting a base station according to an embodiment of the present invention, which may be applied to a user equipment such as a mobile terminal.
  • the base station redirection method includes:
  • the user equipment when receiving the redirect message, may search for a redirect report.
  • the base station redirection method also includes:
  • first prompt information is generated to present the redirected base station information, and the user selects either to reject or to accept the redirect instruction.
  • when the redirect message is received, the base station pointed to by the redirect message is not accessed, so access to the second base station pointed to by the redirect message can be avoided.
  • when the first base station is a normal base station, the second base station to which it redirects the user equipment is a secure base station, and accessing the second base station generally does not pose a security risk. In this case, if a third base station is still searched for, the power consumption of the user equipment is wasted.
  • the first prompt information is generated on the user equipment; for example, the first prompt information may be “a packet redirecting from the first base station to the second base station has been received; attempt to access the second base station?”, so that the user is informed that the user equipment has received the redirect message and may then choose, as required, to attempt to access the second base station or to refuse to access it.
  • a refuse-redirection instruction may be input for the first prompt information, so that the user equipment searches for a third base station other than the first base station and the second base station. If the user believes the redirect message is trustworthy, the user may accept the redirect instruction for the first prompt information, so that the user equipment attempts to access the second base station pointed to by the redirect instruction.
  • FIG. 3 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 3, on the basis of the embodiment shown in FIG. 2, after a communication connection is established with the second base station, the base station redirection method further includes:
  • the operation of the user equipment receiving the redirection packet occurs before authentication of the first base station is performed. Therefore, when the redirection packet of the first base station is received, the user cannot confirm whether the first base station and the second base station are pseudo base stations.
  • therefore, when the redirection packet of the first base station is received and the user equipment connects to the second base station pointed to by it, the security of the second base station needs to be further determined.
  • the user equipment can record the security level of the base station connected before receiving the redirect message and that of the currently connected second base station, so that the two security levels can be compared; the user can thus learn the security status of the network provided by the second base station and choose whether to continue to connect to the second base station.
  • if the security level of the second base station is lower than the security level of the base station connected before receiving the packet, this indicates that the security level of the network where the user equipment is located has been reduced (for example, dropped from 3G to 2G); a network with a lower security level is more likely to be intruded upon by criminals, who may then send fraudulent information to the user equipment or steal user information.
  • although the first base station and the second base station are not necessarily pseudo base stations, the security level of the network where the user equipment is located is reduced. Therefore, second prompt information may be generated for this situation; for example, the second prompt information may be “the current network security level has been lowered; continue to use the current network?”. If the user chooses to continue using the current network, the user equipment maintains the communication connection with the second base station; if the user chooses not to use the current network, the user equipment disconnects from the second base station and searches for the third base station.
  • FIG. 4 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention. As shown in FIG. 4, the base station redirection method further includes:
  • the two security levels can be compared, so that the user can learn the security status of the network provided by the third base station and choose whether to continue to connect to the third base station.
  • if the security level of the third base station is lower than the security level of the base station connected before receiving the packet, this indicates that the security level of the network where the user equipment is located has been reduced (for example, dropped from 3G to 2G); a network with a lower security level is more likely to be intruded upon by criminals, who may then send fraudulent information to the user equipment or steal user information.
  • although the second base station is a secure base station, the security level of the network where the user equipment is located is reduced. Therefore, third prompt information may be generated for this situation; for example, the third prompt information may begin “current …”.
  • if the user chooses to continue using the current network, the user equipment maintains the communication connection with the third base station. If the user chooses not to use the current network, the user equipment disconnects from the third base station and searches for a fourth base station other than the first base station, the second base station, and the third base station.
  • the security level of the 2G base station is lower than the security level of the 3G base station, and the security level of the 3G base station is lower than the security level of the 4G base station.
  • the authentication mode of the 2G base station is GSM (Global System for Mobile Communication) authentication
  • the authentication mode of the 3G base station is WCDMA (Wideband Code Division Multiple Access) authentication
  • the authentication mode of the 4G base station is LTE (Long Term Evolution) authentication.
  • the GSM authentication is unidirectional. Only the base station (network) authenticates the user, and the user equipment does not authenticate the base station (network). The illegal base station can pretend to be a legitimate base station to spoof the user equipment and steal user information. And in the GSM network, the problem of data integrity protection is not considered, and it is difficult to find out if the data is tampered with in the process of transmission.
  • the encryption of the GSM network is not end-to-end, it is only encrypted in the wireless channel part, and there is no encryption in the fixed network (using clear text transmission), which provides an opportunity for the attacker.
  • the GSM encryption algorithm and the key have security risks. For example, the key is too short, only 64 bits.
  • the encryption algorithm is not public and relatively fixed, and the encryption algorithm cannot be negotiated.
  • since the WCDMA network can achieve two-way authentication, its security level is higher than that of the GSM network.
  • the authentication process only implements authentication of the HLR (Home Location Register) by the user equipment, but does not implement authentication of the VLR (Visitor Location Register) by the user equipment, so an attacker can intercept a legitimate IMSI for an attack.
  • the attacker can obtain the CK and IK by intercepting the information between the VLR and the HLR to obtain an AV (Authentication Vector).
  • when the user equipment roams between different PLMNs (Public Land Mobile Networks), which may be different networks in different countries, the AV sent by the home HLR to the VLR of the roaming network passes through different networks and is easily intercepted by an attacker.
  • PLMNs Public Land Mobile Network
  • the authentication process of the UE is:
  • the information between the UE and the CN is carried by the NAS (Non-Access Stratum) protocol; the transmitted content may be user information or control information, such as service establishment, release, or mobility management information.
  • MME: Mobility Management Entity, the key control node of the 3GPP LTE access network, responsible for locating idle-mode UEs and for the paging process, including relaying; put simply, the MME is responsible for the signaling processing part.
  • the MME requests an authentication vector from the HSS (Home Subscriber Server).
  • HSS Home Subscriber Server
  • HSS returns one or more EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME;
  • EPS Evolved Packet System
  • the UE authenticates the first base station through the AUTN, calculates RES and CK/IK from AUTN and RAND, and further calculates Kasme (the second-layer key required for LTE authentication, derived from the first-layer keys CK and IK);
  • the UE and the MME derive the encryption key and integrity protection key required by the NAS layer and the AS layer according to Kasme. These keys are deleted when the UE changes from active to idle.
  • therefore, the security level of LTE authentication is higher.
  • FIG. 5 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 5, on the basis of the embodiment shown in FIG. 1, before searching for the third base station, the base station redirection method also includes:
  • S10: determine whether a connection reject message was received before the message redirecting to the second base station was received; if the connection reject message was received, perform step S2 to search for the third base station; otherwise, execute S11 and establish a communication connection with the second base station.
  • the signal strength of the base stations in the area is detected, the first base station with the highest signal strength is selected for an access attempt, and a tracking area update request message is sent to the first base station; if the first base station needs to redirect the user equipment, it feeds back a rejection message for the tracking area update request.
  • after receiving the rejection message for the tracking area update request, the user equipment transmits a connection request message to the first base station, and the first base station sends a redirection message to the user equipment, instructing it to connect to the second base station.
  • the above situation is one in which, after the user enters an area and the user equipment attempts to access the first base station, the first base station rejects its access request and redirects it; in this case there is a risk that a pseudo base station, acting as the first base station, transmits the redirect message to the user equipment.
  • the source of the redirected packet is generally secure, and there is no risk in attempting to connect according to the redirected packet.
  • the redirect message can be transmitted directly to the user equipment; in this case the user equipment receives the redirect message directly, without having received a connection rejection message for the tracking area update request or a rejection message fed back for the transmitted connection request.
  • by determining whether a connection reject message was received before the message redirecting to the second base station, it can be decided whether to attempt the connection according to the redirect message, thereby avoiding risk and avoiding wasted power consumption of the user equipment.
  • FIG. 6 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 6, on the basis of the embodiment shown in FIG. 1, before searching for the third base station, the base station redirection method also includes:
  • step S13: it is determined whether a request rejection message from the first base station is received after the tracking area update request message is sent; if yes, step S2 is performed to search for the third base station; otherwise, step S14 is performed and a communication connection is established with the first base station.
  • the signal strength of the base station in the area is detected, and the first base station with the highest signal strength is selected to try to access.
  • the packet received from the first base station redirects to the second base station. If the first base station is not a pseudo base station, it sends the redirect message because its current load is high and it temporarily cannot serve user equipment access.
  • the first base station is a normal base station
  • if the first base station sends a redirection packet, this only indicates that the first base station is temporarily unavailable for user equipment access; but the load of a normal base station generally does not remain at a high level, that is, it does not keep rejecting the access requests of the user equipment.
  • a pseudo base station feeds back a request rejection for every access request sent by the user equipment, and then sends a redirect message.
  • a preset number of tracking area update request messages may be transmitted to the first base station.
  • the time interval between transmissions of the tracking area update request message may be set to 1 minute. If the first base station returns a request rejection message for all of the tracking area update request messages, the first base station has a higher probability of being a pseudo base station. If, after receiving a tracking area update request message, the first base station does not return a request rejection message (or returns a request permission message), the first base station has reduced its load by this time and can serve user equipment access, so it is a normal base station; therefore, the user equipment can access the first base station, thereby establishing a communication connection with the base station with the highest signal strength in the area.
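The following Python models the UE-side checks of the FIG. 5 and FIG. 6 embodiments (connection reject seen before the redirect, repeated tracking area update probes of the first base station, and the 2G/3G/4G security-level comparison) against a constructed set of base stations; it is an added example, not the patent's own code, and the `BaseStation` model, message names and cell names are assumptions made for illustration.

```python
"""UE-side screening of an RRC redirection, modelling the checks in the FIG. 5
and FIG. 6 embodiments. Added example, not the patent's own code; the base
station model and message names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Security ranking stated on the page: 2G < 3G < 4G.
SECURITY_LEVEL: Dict[str, int] = {"2G": 1, "3G": 2, "4G": 3}


@dataclass
class BaseStation:
    """Constructed (hypothetical) model of one base station's behaviour."""
    name: str
    rat: str                       # radio access technology: "2G", "3G" or "4G"
    signal_dbm: int                # stronger (less negative) is preferred
    redirect_to: Optional[str] = None   # name of the cell its RRC redirect points to
    tau_rejects: int = 0           # TAU requests it rejects before accepting one
    _tau_seen: int = field(default=0, repr=False)

    def tracking_area_update(self) -> str:
        """Answer one Tracking Area Update request with 'reject' or 'accept'.
        A normal station under high load rejects a few times and then recovers;
        a pseudo base station (tau_rejects very large) rejects every request."""
        self._tau_seen += 1
        return "reject" if self._tau_seen <= self.tau_rejects else "accept"


def reject_seen_before_redirect(history: List[str]) -> bool:
    """FIG. 5, step S10: was a connection reject (TAU reject or attach reject)
    received before the RRC redirection message? If so the redirect arrived by
    the reject-then-redirect sequence, and the UE should search for a third
    base station instead of following it."""
    if "RRC_REDIRECT" not in history:
        return False
    before = history[: history.index("RRC_REDIRECT")]
    return any(msg in ("TAU_REJECT", "ATTACH_REJECT") for msg in before)


def probe_first_base_station(first: BaseStation, attempts: int = 3) -> str:
    """FIG. 6, step S13: send a preset number of TAU requests to the first base
    station (the page spaces them 1 minute apart; the wait is omitted here).
    A station that rejects all of them is probably a pseudo base station; one
    that accepts has shed its load and may be connected to."""
    for _ in range(attempts):
        if first.tracking_area_update() == "accept":
            return "connect_first"
    return "search_third"


def security_level_dropped(before_rat: str, after_rat: str) -> bool:
    """FIG. 3/4: compare the security level of the station connected before the
    redirect with the newly connected one; a drop (e.g. 3G -> 2G) should raise
    a prompt asking whether to keep using the current network."""
    return SECURITY_LEVEL[after_rat] < SECURITY_LEVEL[before_rat]


def search_third_base_station(candidates: List[BaseStation],
                              exclude: List[str]) -> Optional[BaseStation]:
    """Pick the strongest station that is neither the first nor the second."""
    others = [bs for bs in candidates if bs.name not in exclude]
    return max(others, key=lambda bs: bs.signal_dbm, default=None)


def decide(history: List[str], first: BaseStation, second_name: str,
           candidates: List[BaseStation], before_rat: str) -> Dict[str, object]:
    """Combine the checks into the UE's decision for one redirect event."""
    if not reject_seen_before_redirect(history):
        # Redirect from an already-connected, load-shedding station: follow it.
        target = next(bs for bs in candidates if bs.name == second_name)
        return {"action": "connect_second", "target": target.name,
                "prompt": security_level_dropped(before_rat, target.rat)}
    if probe_first_base_station(first) == "connect_first":
        return {"action": "connect_first", "target": first.name,
                "prompt": security_level_dropped(before_rat, first.rat)}
    third = search_third_base_station(candidates, [first.name, second_name])
    if third is None:
        return {"action": "no_station", "target": None, "prompt": False}
    return {"action": "connect_third", "target": third.name,
            "prompt": security_level_dropped(before_rat, third.rat)}


def demo() -> Dict[str, object]:
    """Constructed scenario: the strongest cell rejects every TAU request and
    then redirects the UE to a 2G cell; a weaker normal 4G cell is in range."""
    strongest = BaseStation("cell-A", "4G", -60, redirect_to="cell-B",
                            tau_rejects=10**6)
    cells = [strongest,
             BaseStation("cell-B", "2G", -75),
             BaseStation("cell-C", "4G", -80)]
    history = ["TAU_REQUEST", "TAU_REJECT", "ATTACH_REQUEST",
               "ATTACH_REJECT", "RRC_REDIRECT"]
    return decide(history, strongest, "cell-B", cells, before_rat="4G")


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the UE ends up on cell-C, the strongest cell that is neither the rejecting first base station nor the 2G cell its redirect points to.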
  • FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 7, the base station redirection apparatus 70 includes:
  • the message receiving module 71 is configured to receive a message that is redirected by the first base station to the second base station;
  • the searching module 72 searches for a third base station other than the first base station and the second base station when the message receiving module receives the message redirected to the second base station;
  • the connection establishing module 73 is configured to establish a communication connection with the third base station.
  • FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 8, the base station redirection apparatus further includes:
  • the prompting module 74, when the packet receiving module receives the packet redirected to the second base station, generates the first prompt information, which is configured to present the redirected base station information and lets the user choose to reject or accept the redirect instruction;
  • the search module 72 is further configured to search the third base station based on a refusal redirection instruction selected by the user.
  • The connection establishing module 73 is further configured to establish a communication connection with the second base station when the user chooses to accept the redirect command.
  • FIG. 9 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 9, on the basis of the embodiment shown in FIG. 8, the base station redirection apparatus 70 further includes:
  • a security determination module 75, configured to determine whether the security level of the second base station is lower than the security level of the base station that was connected before the redirect message was received;
  • the prompting module 74 generates second prompt information when the security level of the second base station is lower than the security level of the base station connected before the redirect message was received.
  • FIG. 10 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 10, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • a security determination module 75, configured to determine whether the security level of the third base station is lower than the security level of the base station connected before the redirect message was received;
  • the prompting module 74 generates third prompt information when the security level of the third base station is lower than the security level of the base station connected before the redirect message was received.
  • The security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  • FIG. 11 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 11, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • a message judging module 76, configured to determine, before the third base station is searched for, whether a connection reject message was received before the message receiving module 71 received the message redirecting to the second base station;
  • the search module 72 searches for the third base station when the message receiving module 71 received a connection reject message before the redirect message (a reject followed by a redirect is the risky case), and the connection establishing module 73 establishes a communication connection with the second base station when no connection reject message was received before the redirect message, so that the user equipment does not spend power on a search when there is no indication of risk.
  • FIG. 12 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 12, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • a message transmission module 77, configured to send a preset number of tracking area update (TAU) request messages to the first base station before the third base station is searched for;
  • after the message transmission module 77 has sent the TAU request messages, the search module 72 searches for the third base station when the message receiving module 71 receives a request reject message from the first base station, and the connection establishing module 73 establishes a communication connection with the first base station when the message receiving module 71 receives a request accept message from the first base station.
  • The present invention also proposes the following base station redirection method and base station redirection apparatus.
  • FIG. 13 is a schematic flowchart of a base station redirection method according to an embodiment of the present invention; the method may be applied to a mobile terminal.
  • The base station redirection method includes:
  • Step 1: authenticate the first base station;
  • Step 2: if the first base station fails authentication, then when a message redirecting from the first base station to a second base station is received, search for a third base station other than the first base station and the second base station;
  • Step 3: establish a communication connection with the third base station.
  • The base station may be authenticated before the redirect message is received. For example, after the user equipment enters an area it detects that the first base station has the strongest signal, attempts to access it, and directly sends an authentication request to the first base station asking it to return authentication information. Alternatively, the authentication request is sent to the first base station after the first base station has returned a reject message for a tracking area update (TAU) request, or after a reject message for a connection request has been received.
  • A first base station that fails authentication is, for example, one that returns authentication information that does not match the authentication information held by the terminal, or one that returns no authentication information at all.
  • The base station the user equipment attempts to access can thus be authenticated before the redirect message it sends is acted on, so that the authentication result is used first to determine whether that base station is a pseudo base station. If it is, the user equipment avoids accessing the base station its redirect message points to and instead searches for a base station other than the pseudo base station and its redirect target, which ensures that a secure base station is accessed.
  • If the first base station fails authentication, the identifiers of the first base station and the second base station are recorded, so that when the user equipment later re-enters the area it does not attempt to access either of them again and the base station it attempts to access is a secure one.
  • Authenticating the first base station includes:
  • sending an authentication request to the first base station when the user equipment attempts to access it, or when the user equipment receives the first base station's reject message for the TAU request, and asking the first base station to return authentication information.
  • When the user equipment attempts to access the first base station, or when it receives the reject message for the TAU request, it has not yet transmitted its IMSI to the base station it is trying to access; authenticating the base station at these two points therefore reduces the probability that a pseudo base station obtains the user's IMSI. Note that this reduces rather than removes the exposure: on a fresh attach the user equipment identifies itself with an IMSI or a GUTI, and a base station can send an identity request before any authentication takes place.
  • The user equipment's authentication of the first base station may proceed as follows (EPS AKA; strictly, the user equipment verifies the core network reached through the base station, which is what this description calls authenticating the base station):
  • The user equipment exchanges information with the core network (CN) at the NAS layer (Non-Access Stratum). The content carried by the NAS protocol may be user information or control information, such as service establishment, release, or mobility management information.
  • The MME (Mobility Management Entity) is the key control node of the LTE access network in the 3GPP architecture. It is responsible for tracking and paging idle-mode user equipment, including retransmissions; in short, the MME handles the signalling.
  • The MME requests an authentication vector from the HSS (Home Subscriber Server).
  • The HSS returns one or more EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME, and the MME forwards RAND and AUTN to the user equipment in an authentication request.
  • The user equipment authenticates the network by verifying AUTN: it checks the MAC, which can only be computed with the permanent key K shared by the USIM and the HSS, and checks that the sequence number is fresh. If the check fails, the first base station fails authentication and the user equipment ends the procedure. A pseudo base station that does not hold K and has no path to the home HSS cannot produce an AUTN that passes this check. If the check passes, the user equipment computes RES and CK/IK from RAND and AUTN, derives KASME (the intermediate key required for LTE, computed from the first-layer keys CK and IK), and returns RES to the MME, which compares it with XRES.
  • The user equipment and the MME then derive the encryption and integrity-protection keys needed by the NAS layer and the AS layer from KASME.
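  • The exchange above, as an added runnable example that is not code from the patent: a simplified EPS AKA run between a user equipment holding the permanent key K and a home network (HSS) holding the same K, followed by the same run against a pseudo base station that does not hold K and against a replayed vector. The 3GPP MILENAGE functions f1 to f5 (3GPP TS 35.206) and the KASME key derivation of TS 33.401 are replaced by HMAC-SHA256 stand-ins that keep the same input and output structure (AUTN = SQN xor AK || AMF || MAC, RES compared with XRES, KASME derived from CK||IK and the serving network identity, length fields omitted); the value of K, the serving network identity SN_ID, the AMF and the sequence numbers are constructed. What it shows is the check the method relies on: without K, the MAC in AUTN does not verify, so authentication fails before any key is derived and before the user equipment would act on a redirect.

```python
"""
Simplified EPS AKA exchange illustrating the authentication step described above.
Added example, not the patent's code. HMAC-SHA256 stands in for the MILENAGE
functions f1..f5 and for the KASME KDF; K, SN_ID, AMF and SQN are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed permanent key, shared by USIM and HSS
AMF = bytes.fromhex("8000")                               # authentication management field (constructed)
SN_ID = b"SN-PLMN-460-00"                                 # constructed serving network identity


def _f(tag: int, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for one MILENAGE function: keyed hash over a tag byte and the inputs."""
    return hmac.new(key, bytes([tag]) + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf): return _f(1, k, rand, sqn, amf)[:8]   # MAC-A (64 bit)
def f2(k, rand): return _f(2, k, rand)[:8]                       # RES / XRES
def f3(k, rand): return _f(3, k, rand)[:16]                      # CK
def f4(k, rand): return _f(4, k, rand)[:16]                      # IK
def f5(k, rand): return _f(5, k, rand)[:6]                       # AK (48 bit, hides SQN on the air)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdf_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME from CK||IK; mixing in the serving network id binds the vector to one network."""
    return hmac.new(ck + ik, b"\x10" + sn_id + sqn_xor_ak, hashlib.sha256).digest()


class HSS:
    """Home network side: generates EPS authentication vectors on request from the MME."""
    def __init__(self, k: bytes) -> None:
        self.k, self.sqn = k, 0

    def generate_av(self, sn_id: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        ak = f5(self.k, rand)
        autn = xor(sqn, ak) + AMF + f1(self.k, rand, sqn, AMF)   # SQN^AK || AMF || MAC
        kasme = kdf_kasme(f3(self.k, rand), f4(self.k, rand), sn_id, xor(sqn, ak))
        return rand, autn, f2(self.k, rand), kasme               # (RAND, AUTN, XRES, KASME)


class UE:
    """USIM side: verifies AUTN before computing RES or any key."""
    def __init__(self, k: bytes) -> None:
        self.k, self.sqn_seen = k, 0

    def authenticate(self, rand: bytes, autn: bytes, sn_id: bytes) -> Tuple[Optional[Tuple[bytes, bytes]], str]:
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return None, "MAC failure"            # sender could not prove knowledge of K
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_seen:
            return None, "synch failure"          # stale or replayed vector
        self.sqn_seen = n
        kasme = kdf_kasme(f3(self.k, rand), f4(self.k, rand), sn_id, sqn_xor_ak)
        return (f2(self.k, rand), kasme), "ok"


def run_aka(ue: UE, sn_id: bytes, rand: bytes, autn: bytes, xres: bytes, kasme_net: bytes) -> Tuple[bool, str]:
    """MME -> UE: (RAND, AUTN); UE -> MME: RES; MME compares RES with XRES."""
    result, status = ue.authenticate(rand, autn, sn_id)
    if result is None:
        return False, status
    res, kasme_ue = result
    if not hmac.compare_digest(res, xres) or kasme_ue != kasme_net:
        return False, "RES mismatch"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Genuine network, pseudo base station without K, then a replayed genuine vector."""
    ue = UE(K)
    genuine = HSS(K).generate_av(SN_ID)
    rogue = HSS(os.urandom(16)).generate_av(SN_ID)   # pseudo base station: some key, but not K
    return (run_aka(ue, SN_ID, *genuine),
            run_aka(ue, SN_ID, *rogue),
            run_aka(ue, SN_ID, *genuine))


if __name__ == "__main__":
    print(demo())
```

  • Running `demo()` gives one success and two failures with different reasons: the pseudo base station fails on the MAC check (it never learns K), and the replayed vector fails on the sequence number check, which is why the real MILENAGE design masks SQN with AK and why the USIM must keep its own SQN state.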
  • FIG. 14 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention. As shown in FIG. 14, the base station redirection method of the embodiment shown in FIG. 13 further includes:
  • Step 4: if the first base station passes authentication, then when a message redirecting from the first base station to the second base station is received, establish a communication connection with the second base station.
  • If the first base station passes authentication it is not a pseudo base station, so a communication connection can be established with the second base station according to the redirect message.
  • FIG. 15 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 15, after the communication connection with the second base station is established, on the basis of the embodiment shown in FIG. the base station redirection method further includes:
  • Step 5: determine whether the security level of the second base station is lower than the security level of the base station connected before the redirect message was received;
  • Step 6: if it is lower, display first prompt information.
  • Even when the first base station is not a pseudo base station, it may redirect the user equipment to a base station with a lower security level.
  • For example, the base station with the strongest signal in the area is detected as the first base station.
  • The first base station passes authentication but is heavily loaded at the time, and therefore returns a redirect command to the user equipment. If all 4G base stations in the area are heavily loaded and only the second base station has a lower load, but the second base station is a 2G base station while the base station the user equipment was connected to before the redirect message was a 4G base station, then after the user equipment accesses the second base station the security level of the mobile network it is on is lowered.
  • The first prompt information may be displayed in this case, so that the user learns in time that the security level of the connected base station has dropped and can then decide whether to keep the connection with the second base station.
  • FIG. 16 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 16, when the first base station fails authentication, on the basis of the embodiment shown in FIG. 13 the base station redirection method further includes:
  • Step 7: display second prompt information, which prompts the user that the first base station failed authentication and lets the user choose to reject or accept the redirect command;
  • Step 8: search for the third base station when the user chooses to reject the redirect command; or
  • Step 9: establish a communication connection with the second base station when the user chooses to accept the redirect command.
  • In some cases the user equipment still needs to connect to the second base station according to the first base station's redirect message.
  • For example, the communication connection with the second base station is still established according to the redirect message, so that during the connection to the second base station it can be detected whether the pseudo base station sends fraudulent messages to the user terminal or intercepts its messages, thereby securing evidence of the offence.
  • FIG. 17 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 17, after the communication connection with the second base station is established, on the basis of the embodiment shown in FIG. the base station redirection method further includes:
  • Step 10: determine whether the security level of the second base station is lower than the security level of the base station connected before the redirect message was received;
  • Step 11: if it is lower, display third prompt information.
  • When the first base station fails authentication and the user equipment nevertheless connects to the second base station that the first base station's redirect message points to, the first base station can be tested by whether the security level of the second base station is lower.
  • Some base stations may have authentication parameter values that are missing or were never stored, so that they fail authentication although they are legitimate.
  • This provides a basis for operator testing: if the first base station fails authentication, the communication connection with the second base station is still established according to the redirect message, and it is then determined whether the security level of the second base station is lower.
  • If the security level of the second base station is lower, the first base station may be judged a pseudo base station, because a redirect message sent by a pseudo base station is generally used to move the user equipment to a base station with a lower security level in order to send fraudulent messages or intercept messages. If the security level of the second base station is not lower, the first base station is a normal base station whose authentication parameters or parameter values are missing, and the base station can be repaired accordingly.
  • the security level of the 2G base station is lower than the security level of the 3G base station, and the security level of the 3G base station is lower than the security level of the 4G base station.
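  • The redirection handling of Steps 1 to 11 above, together with the 2G < 3G < 4G ordering and the recording of identifiers for a first and second base station that failed the check, written as one decision function. This is an added example, not the patent's code: the `BaseStation` record, the numeric security levels, the cell identifiers and the signal values are constructed for the demonstration, and `blocklist` stands in for the recorded identifiers that are skipped on a later search in the same area.

```python
"""
Decision logic for a received redirect message, following Steps 1 to 11 above.
Added example; the data types, cell identifiers and signal values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# 2G < 3G < 4G, the ordering stated in the text
SECURITY_LEVEL = {"2G": 1, "3G": 2, "4G": 3}


@dataclass(frozen=True)
class BaseStation:
    cell_id: str   # constructed identifier
    rat: str       # "2G", "3G" or "4G"
    signal: int    # constructed signal strength, higher is stronger


@dataclass
class Decision:
    action: str                    # "connect" or "search"
    target: Optional[BaseStation]  # base station to connect to (None if the search found nothing)
    prompts: List[str]             # prompt information shown to the user, in order


def level_lowered(candidate: BaseStation, previous: BaseStation) -> bool:
    """Step 5 / Step 10: is the candidate's security level lower than the previously connected one?"""
    return SECURITY_LEVEL[candidate.rat] < SECURITY_LEVEL[previous.rat]


def search_third(candidates: List[BaseStation], excluded: Set[str]) -> Optional[BaseStation]:
    """Search for a third base station whose identifier is not excluded; strongest signal wins."""
    remaining = [bs for bs in candidates if bs.cell_id not in excluded]
    return max(remaining, key=lambda bs: bs.signal, default=None)


def handle_redirect(first: BaseStation, second: BaseStation, previous: BaseStation,
                    candidates: List[BaseStation], auth_passed: bool,
                    blocklist: Set[str], user_accepts: bool = False) -> Decision:
    """
    first: base station that sent the redirect message (authenticated in Step 1)
    second: base station the message points to
    previous: base station connected before the message was received
    candidates: cells visible in a search
    blocklist: recorded identifiers of base stations that must not be accessed again
    user_accepts: the user's answer to the second prompt (Steps 7 to 9)
    """
    prompts: List[str] = []

    if auth_passed:
        # Steps 4 to 6: follow the redirect, warn if the security level drops
        if level_lowered(second, previous):
            prompts.append(f"first prompt: security level drops from {previous.rat} to {second.rat}")
        return Decision("connect", second, prompts)

    # Step 2 / Step 7: the first base station failed authentication; record both identifiers
    blocklist.update({first.cell_id, second.cell_id})
    prompts.append("second prompt: the first base station failed authentication")

    if user_accepts:
        # Steps 9 to 11: connect anyway (e.g. to collect evidence), then test the first base station
        if level_lowered(second, previous):
            prompts.append("third prompt: security level lowered; first base station judged a pseudo base station")
        else:
            prompts.append("security level not lowered; first base station may be a normal base station "
                           "with missing authentication parameters")
        return Decision("connect", second, prompts)

    # Step 8 / Step 3: search for a third base station other than the first and second
    third = search_third(candidates, blocklist)
    return Decision("search", third, prompts)
```

  • The function never returns the first or second base station as the target of a search once authentication has failed, and because `blocklist` is updated in place, a later call in the same area with the same set excludes them again, which is the effect the recorded identifiers are meant to achieve.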
  • The authentication mode of a 2G base station is GSM (Global System for Mobile Communications) authentication.
  • The authentication mode of a 3G base station is WCDMA (Wideband Code Division Multiple Access) authentication.
  • The authentication mode of a 4G base station is LTE (Long Term Evolution) authentication.
  • GSM authentication is one-way: only the network authenticates the user, and the user equipment does not authenticate the base station (network). An illegitimate base station can therefore pose as a legitimate one to deceive the user equipment and steal user information. GSM also provides no data integrity protection, so tampering with data in transit is hard to detect.
  • GSM encryption is not end-to-end: only the radio link is encrypted, and the fixed network carries the traffic in clear text, which gives an attacker an opportunity.
  • The GSM encryption algorithms and keys carry security risks; for example, the session key Kc is only 64 bits long.
  • The encryption algorithm was kept secret and is relatively fixed, and the encryption algorithm cannot be negotiated.
  • The WCDMA network achieves two-way authentication, so its security level is higher than that of the GSM network.
  • However, the authentication procedure only lets the user equipment authenticate the HLR (Home Location Register), not the VLR (Visitor Location Register), so an attacker can intercept a legitimate IMSI and use it for an attack. Authentication and confidentiality on the network side are also not considered, so an attacker who intercepts the signalling between the VLR and the HLR can obtain the AV (authentication vector) and with it CK and IK.
  • A PLMN (Public Land Mobile Network) is one operator's network; different PLMNs may be different networks in different countries, and the VLR serving a roaming user equipment belongs to the visited PLMN rather than the home PLMN.
  • The LTE network does not have these problems of the GSM and WCDMA networks, so its security level is the highest: EPS AKA is mutual, the derived key KASME is bound to the identity of the serving network, and NAS signalling is integrity protected.
  • FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 18, the base station redirection apparatus 60 according to the second aspect of the present invention includes:
  • an authentication module 61, configured to authenticate the first base station;
  • a searching module 62, configured to search, if the first base station fails authentication, for a third base station other than the first base station and the second base station when a message redirecting from the first base station to the second base station is received;
  • a connection module 63, configured to establish a communication connection with the third base station.
  • The connection module 63 establishes a communication connection with the second base station when the message redirecting from the first base station to the second base station is received and the first base station has passed authentication.
  • FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 19, on the basis of the embodiment shown in FIG.
  • a determining module 64, configured to determine whether the security level of the second base station is lower than the security level of the base station connected before the redirect message was received;
  • the display module 65 displays the first prompt information when the security level of the second base station is lower than the security level of the base station connected before the redirect message was received.
  • FIG. 20 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 20, on the basis of the embodiment shown in FIG.
  • the display module 65 is configured to display second prompt information when the first base station fails authentication; the second prompt information prompts the user that the first base station failed authentication and lets the user choose to reject or accept the redirect command;
  • the searching module 62 is configured to search for the third base station when the user, in response to the second prompt information, chooses to reject the redirect command;
  • the connection module 63 is configured to establish a communication connection with the second base station when the user chooses to accept the redirect command.
  • The base station redirection apparatus 60 further includes:
  • a determining module 66, configured to determine, after the connection module 63 has established a communication connection with the second base station, whether the security level of the second base station is lower than the security level of the base station connected before the redirect message was received;
  • the display module 65 displays the third prompt information when the security level of the second base station is lower than the security level of the base station connected before the redirect message was received.
  • the security level of the 2G base station is lower than the security level of the 3G base station, and the security level of the 3G base station is lower than the security level of the 4G base station.
  • When a redirect message is received, a third base station other than the first base station that sent it and the second base station it points to is searched for. Therefore, when the first base station is a pseudo base station, the second base station pointed to by the redirect message is not accessed, which ensures that a secure base station is accessed and prevents the user equipment from receiving fraudulent or harassing messages or leaking personal information.
  • The modules in the apparatus of the embodiments can be adaptively changed and placed in one or more apparatuses different from the embodiment.
  • The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components.
  • All features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination. Each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
  • The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two.
  • In practice a microprocessor or digital signal processor (DSP) may be used to implement some or all of the functions of some or all of the components of the base station redirection apparatus according to embodiments of the present invention.
  • The present invention may also be implemented as a device or apparatus program (for example a computer program and a computer program product) for performing some or all of the methods described herein.
  • A program implementing the present invention may be stored on a computer readable medium, or may take the form of one or more signals.
  • Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 22 illustrates a computer in which the base station redirection method according to the present invention can be implemented.
  • The computer conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • The memory 520 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read-Only Memory), EPROM, a hard disk, or ROM.
  • The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above.
  • The storage space 530 for program code may include individual pieces of program code 531 for implementing the respective steps of the above methods.
  • The program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG.
  • The storage unit may have storage segments, storage space and the like arranged similarly to the memory 520 in the mobile terminal of FIG.
  • The program code may, for example, be compressed in a suitable form.
  • The storage unit includes computer readable code 531', that is, code readable by a processor such as 510, which when executed by a computer causes the computer to perform the steps of the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present invention relate to a base station redirection method and a base station redirection device. The base station redirection method comprises: searching a third base station excluding a second base station when a message redirected to the second base station is received; and establishing a communication connection with the third base station. According to the technical solution of the present invention, when the redirected message is received, the third base station excluding a first base station sending the redirected message and the second base station, to which the redirected message is directed, is searched. Therefore, under the condition that the first base station is a pseudo base station, the second base station, to which the redirected message is directed, is not connected, thereby guaranteeing access to a secure base station, preventing user equipment from receiving fraud or harassment information or avoiding leaking personal information.

Description

Base station redirection method and base station redirection device
Technical field
The present invention relates to the field of communication security, and in particular to a base station redirection method and a base station redirection apparatus.
Background
Redirection means that the network side informs the user equipment (UE) of base station information through a redirection command, so that the UE searches for that base station according to the information and accesses it.
Generally, when a UE is connected to a base station whose load is too high, a redirection command is sent to the UE so that it accesses a base station with a lower load. Because of defects in the communication protocol, however, the UE may also receive a redirection command from a pseudo base station, and if it connects to the base station that this command points to, the UE is exposed to a serious security risk.
Summary of the invention
The technical problem to be solved by the present invention is how to prevent a UE from being redirected by a pseudo base station to an insecure base station.
To this end, according to a first aspect of the present invention, a base station redirection method is proposed, including:
when a message redirecting from a first base station to a second base station is received, searching for a third base station other than the first base station and the second base station;
establishing a communication connection with the third base station.
Optionally, when the message is received, the base station redirection method further includes:
generating first prompt information, which presents the redirected base station information and lets the user choose to reject or accept the redirect command;
searching for the third base station when the user chooses to reject the redirect command, or
establishing a communication connection with the second base station when the user chooses to accept the redirect command.
According to a second aspect of the present invention, a base station redirection apparatus is also proposed, including:
a message receiving module, configured to receive a message redirecting from a first base station to a second base station;
a search module, configured to search for a third base station other than the first base station and the second base station when the message receiving module receives the message redirecting to the second base station;
a connection establishing module, configured to establish a communication connection with the third base station.
According to a third aspect of the present invention, a base station redirection method is proposed, including:
authenticating a first base station;
if the first base station fails authentication, when a message redirecting from the first base station to a second base station is received, searching for a third base station other than the first base station and the second base station;
establishing a communication connection with the third base station.
According to a fourth aspect of the present invention, a base station redirection apparatus is also proposed, including:
an authentication module, configured to authenticate a first base station;
a search module, configured to search, if the first base station fails authentication, for a third base station other than the first base station and the second base station when a message redirecting from the first base station to a second base station is received;
a connection module, configured to establish a communication connection with the third base station.
According to a fifth aspect of the present invention, a computer program is provided, including computer readable code which, when run on a computer, causes the computer to perform the base station redirection method of any one of the claims.
According to a further aspect of the present invention, a computer readable medium is provided, storing the computer program claimed in the claims.
According to the above technical solutions, at least the following technical effects can be achieved:
1. When a redirect message is received, a third base station other than the first base station that sent the redirect message and the second base station it points to is searched for. Thus, when the first base station is a pseudo base station, the second base station pointed to by its redirect message is not accessed, which ensures that a secure base station is accessed and prevents the user equipment from receiving fraudulent or harassing messages or leaking personal information.
2. Before the message redirecting to the second base station is received, whether a connection reject message has been received can be used to judge whether attempting to connect according to the redirect message carries a risk, so that the third base station is not searched for when there is no risk, which avoids wasting the user equipment's power.
3. A tracking area update request message can be sent to the base station, and whether the first base station is a pseudo base station is judged by whether it returns a request reject message; if the first base station is not a pseudo base station it is accessed, so that a communication connection is established with the base station having the strongest signal in the area.
4. The base station the UE attempts to access can be authenticated first, before its redirect message is received, so that the authentication result is used to determine whether that base station is a pseudo base station. If it is, accessing the base station its redirect message points to is avoided, and a base station other than the pseudo base station and its redirect target can be searched for, ensuring that a secure base station is accessed.
5. When the area is entered again, attempting to access the first base station or the second base station again can be avoided, ensuring that the base station the UE attempts to access is a secure one.
附图说明DRAWINGS
通过参考附图会更加清楚的理解本发明的特征和优点,附图是示意性的而不应理解为对本发明进行任何限制,在附图中:The features and advantages of the present invention are more clearly understood from the following description of the drawings.
FIG. 1 is a schematic flowchart of a base station redirection method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention;
FIG. 3 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 4 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 5 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 6 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention;
FIG. 9 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 10 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 11 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 12 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 13 is a schematic flowchart of a base station redirection method according to an embodiment of the present invention;
FIG. 14 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention;
FIG. 15 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 16 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 17 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention;
FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention;
FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention;
FIG. 20 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 21 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention;
FIG. 22 schematically shows a block diagram of a computer for performing the base station redirection method according to the present invention; and
FIG. 23 schematically shows a storage unit for holding or carrying program code that implements base station redirection according to the present invention.
DETAILED DESCRIPTION
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote, throughout, the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" as used herein may also include the plural. It should be further understood that the word "comprising" as used in the description of the present invention means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to that other element, or intervening elements may be present. Furthermore, "connected" or "coupled" as used herein may include a wireless connection or wireless coupling. The expression "and/or" as used herein includes all or any unit, and all combinations, of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the present invention belongs. It should further be understood that terms such as those defined in general dictionaries are to be understood as having a meaning consistent with their meaning in the context of the prior art, and are not to be interpreted in an idealized or overly formal sense unless specifically so defined herein.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, that is, devices having only a wireless signal receiver and no transmitting capability, and devices with receiving and transmitting hardware, that is, devices having receiving and transmitting hardware capable of two-way communication over a two-way communication link. Such devices may include: cellular or other communication devices with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. "Terminal" and "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to operate locally and/or, in distributed form, at any other location on the earth and/or in space. "Terminal" and "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that the concepts of server, cloud, remote network device and the like as used herein are equivalent in effect and include, without limitation, a computer, a network host, a single network server, a set of multiple network servers or a cloud made up of multiple servers. Here the cloud is made up of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a single super virtual computer composed of a group of loosely coupled computers. In the embodiments of the present invention, communication between the remote network device, the terminal device and the WNS server may be achieved by any means of communication, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on the Bluetooth or infrared transmission standards.
Those skilled in the art should understand that the concepts "application", "application program", "application software" and similar expressions referred to in the present invention are the same concept, well known to those skilled in the art, namely computer software suitable for electronic execution and organically constructed from a series of computer instructions and related data resources. Unless otherwise specified, the name itself is not limited by the type or level of programming language, nor by the operating system or platform on which the software runs. Naturally, such concepts are likewise not limited by any form of terminal.
In the prior art, the user equipment receives the base station redirection message before the authentication procedure takes place.
For example, after the user equipment enters an area it generally measures the signal strength of the base stations in that area and chooses the one with the strongest signal to attempt access. When attempting access, the user equipment sends a Tracking Area Update Request to that base station; if the base station needs to redirect the user equipment, it replies to the Tracking Area Update Request with a reject message. After receiving the reject, the user equipment sends an Attach Request to the base station, and the Attach Request carries the IMSI (International Mobile Subscriber Identity) of the user equipment. Having collected the IMSI, the base station replies to the Attach Request with a reject message and sends the user equipment a Radio Resource Control (RRC) redirection message telling it to connect to another base station.
If the base station that sent the redirection message is a pseudo base station then, because in the prior art the user equipment does not authenticate that base station before acting on the redirection message, it will attempt to access the base station the pseudo base station's redirection message points to. That base station is generally still a pseudo base station, or a genuine base station with a lower security level, so accessing a base station on the strength of a pseudo base station's redirection message exposes the user equipment to serious risks: theft of user information and call records, and receipt of harassing or fraudulent SMS messages.
FIG. 1 is a schematic flowchart of a base station redirection method according to an embodiment of the present invention; the method may be applied to user equipment such as a mobile terminal. As shown in FIG. 1, the base station redirection method includes:
S1: on receiving a message from a first base station redirecting to a second base station, search for a third base station other than the first base station and the second base station;
S2: establish a communication connection with the third base station.
According to this embodiment, on receiving the redirection message the user equipment can search for a third base station other than the first base station, which sent the redirection message, and the second base station, which the redirection message points to. Thus, where the first base station is a pseudo base station, the user equipment does not access the second base station named in its redirection message; a secure base station is accessed, and the user equipment is prevented from receiving fraudulent or harassing messages or leaking personal information.
FIG. 2 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention. As shown in FIG. 2, on the basis of the embodiment shown in FIG. 1, on receiving the message the base station redirection method further includes:
S3: generate first prompt information, which indicates the base station information of the redirection and lets the user choose a reject-redirection instruction or an accept-redirection instruction;
S4: search for the third base station on the basis of a reject-redirection instruction chosen by the user, or
S5: establish a communication connection with the second base station on the basis of an accept-redirection instruction chosen by the user.
According to the embodiment shown in FIG. 1, the base station named in a redirection message is never accessed. This avoids accessing the second base station when the first base station is a pseudo base station, but when the first base station is a genuine base station, the second base station its redirection message points to is a secure base station and accessing it generally poses no security risk; still searching for a third base station in that case wastes the user equipment's power.
According to this embodiment, when the message redirecting to the second base station is received, first prompt information can be generated on the user equipment, for example "A message redirecting from the first base station to the second base station has been received. Attempt to access the second base station?", so that the user learns promptly that the user equipment has received a redirection message and can then choose, as needed, to attempt access to the second base station or to refuse it.
For example, if the user considers the redirection message untrustworthy, the user can enter a reject-redirection instruction in response to the first prompt information, so that the user equipment searches for a third base station other than the first and second base stations. If the user considers the redirection message trustworthy, the user can enter an accept-redirection instruction in response to the first prompt information, and the user equipment then attempts to access the second base station named by the redirection.
FIG. 3 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 3, on the basis of the embodiment shown in FIG. 2, after the communication connection with the second base station is established the base station redirection method further includes:
S6: determine whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
S7: if it is lower, generate second prompt information.
Because the user equipment receives the redirection message before it authenticates the first base station, the user cannot confirm, on receiving the first base station's redirection message, whether the first base station and the second base station are pseudo base stations. Therefore, when the redirection message of the first base station has been received and a connection made to the second base station it points to, the security of the second base station needs to be assessed further.
According to this embodiment, after a communication connection with the second base station is established on the basis of the accept-redirection instruction entered by the user in response to the first prompt information, the user equipment, which can record the security level of the base station connected before the redirection message was received as well as that of the currently connected second base station, can compare the two security levels, so that the user learns the security status of the network provided by the second base station and can choose whether to stay connected to it.
If the security level of the second base station is lower than that of the base station connected before the message was received, the security level of the network the user equipment is on has dropped (for example from 3G down to 2G), and a network with a lower security level is easier for criminals to break into in order to send fraudulent messages to, or steal information from, the user equipment. In this case the first and second base stations are not necessarily pseudo base stations, but it is a fact that the security level of the user equipment's network has dropped, so second prompt information can be generated on that basis, for example "The security level of the current network has dropped. Continue using the current network?". If the user chooses to continue, the user equipment maintains the communication connection with the second base station; if the user chooses not to, the user equipment disconnects from the second base station and searches for a third base station.
FIG. 4 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 4, on the basis of the embodiment shown in FIG. 1, the base station redirection method further includes:
S8: determine whether the security level of the third base station is lower than the security level of the base station connected before the message was received;
S9: if it is lower, generate third prompt information.
According to this embodiment, after the third base station has been searched for and a communication connection with it established, the user equipment, which can record the security level of the base station connected before the redirection message was received as well as that of the currently connected third base station, can compare the two security levels, so that the user learns the security status of the network provided by the third base station and can choose whether to stay connected to it.
If the security level of the third base station is lower than that of the base station connected before the message was received, the security level of the network the user equipment is on has dropped (for example from 3G down to 2G), and a network with a lower security level is easier for criminals to break into in order to send fraudulent messages to, or steal information from, the user equipment. In this case the third base station may well be a secure base station, but it is a fact that the security level of the user equipment's network has dropped, so third prompt information can be generated on that basis, for example "The security level of the current network has dropped. Continue using the current network?". If the user chooses to continue, the user equipment maintains the communication connection with the third base station; if the user chooses not to, the user equipment disconnects from the third base station and searches for a fourth base station other than the first, second and third base stations.
Optionally, the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
For example, a 2G base station uses GSM (Global System for Mobile Communication) authentication, a 3G base station uses WCDMA (Wideband Code Division Multiple Access) authentication, and a 4G base station uses LTE (Long Term Evolution) authentication.
GSM authentication is one-way: only the base station (network) authenticates the user, and the user equipment does not authenticate the base station (network), so an illegitimate base station can pose as a legitimate one to deceive the user equipment and steal user information. Moreover, the GSM network makes no provision for data integrity protection, so tampering with data in transit is hard to detect. GSM encryption is not end-to-end: only the radio link is encrypted, and there is no encryption in the fixed network (plaintext transmission), which gives attackers an opening. The GSM encryption algorithm and keys also have weaknesses: the key is too short, only 64 bits, and the encryption algorithm is not public and essentially fixed, with no way to negotiate an algorithm.
The WCDMA network does achieve two-way authentication, and its security level is higher than that of GSM. However, the authentication in its procedure only lets the user equipment authenticate the HLR (Home Location Register); it does not let the user equipment authenticate the VLR (Visitor Location Register), so an attacker can intercept a legitimate IMSI and mount an attack. Authentication and confidentiality on the network side are likewise not addressed: an attacker who intercepts the traffic between the VLR and the HLR can obtain the AV (Authentication Vector) and hence CK and IK. User equipment roams between different PLMNs (Public Land Mobile Networks), which may be different networks in different countries; when the home HLR sends the AV to the VLR of the roaming network it crosses several networks and is easily intercepted by an attacker.
In an LTE network, by contrast, the UE is authenticated as follows:
C1: the UE initiates an authentication request towards the MME (Mobility Management Entity, the key control node of the 3GPP LTE access network, responsible for locating UEs in idle mode and for paging, including relaying; in short, the MME handles the signalling) at the NAS layer (Non-Access Stratum; the NAS protocol carries information between the UE and the CN, which may be user information or control information such as bearer establishment, release or mobility management information);
C2: the MME requests an authentication vector from the HSS (Home Subscriber Server);
C3: the HSS returns one or more EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME;
C4: the MME stores XRES and KASME and sends the random number RAND and the authentication token AUTN to the UE;
C5: the UE authenticates the network behind the first base station by verifying AUTN, computes RES and CK/IK from AUTN and RAND, and from those derives KASME (the second-level key required for LTE authentication, computed from the first-level keys CK and IK);
C6: the UE and the MME derive from KASME the ciphering and integrity protection keys needed by the NAS and AS layers. When the UE changes from active to idle, these keys are deleted.
Because, on the one hand, LTE authentication is performed with the four-element authentication vector and, on the other, the keys are deleted when the UE goes from active to idle, the problems present in GSM and WCDMA networks do not arise, and the security level is correspondingly higher.
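As an added illustration of the C1 to C6 exchange (example code written for this page, not part of the patent), the following Python models the HSS, MME and USIM roles of EPS AKA. The f1 to f5 functions, the subscriber key K, the IMSI, the SQN values and the serving-network identity are constructed stand-ins: HMAC-SHA256 replaces MILENAGE so that the example runs without a USIM, and the KASME derivation omits the length fields of TS 33.401. It shows the property the comparison above relies on: a network that does not hold K cannot produce a valid AUTN, so the UE rejects it before any redirection is acted on, and a replayed vector is refused by the sequence-number check.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"                    # authentication management field, EPS separation bit set
SN_ID = bytes.fromhex("64f000")      # constructed serving-network identity (assumption)


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


# Stand-ins for the 3GPP f1..f5 functions (MILENAGE in a real USIM); output sizes match the standard.
def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A, carried in AUTN
def f2(k, rand): return _prf(k, b"f2", rand)[:8]                       # RES on the UE, XRES at the HSS
def f3(k, rand): return _prf(k, b"f3", rand)[:16]                      # CK
def f4(k, rand): return _prf(k, b"f4", rand)[:16]                      # IK
def f5(k, rand): return _prf(k, b"f5", rand)[:6]                       # AK, masks SQN inside AUTN


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdf_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    # Simplified TS 33.401 A.2: KASME = HMAC-SHA256(CK || IK, 0x10 || SN id || SQN xor AK).
    return _prf(ck + ik, b"\x10", sn_id, sqn_xor_ak)


class HSS:
    """Home Subscriber Server: holds K and the SQN counter per IMSI and builds the AV (C2, C3)."""
    def __init__(self, subscribers):
        self.subscribers = subscribers        # imsi -> {"k": bytes, "sqn": int}

    def authentication_vector(self, imsi: str, sn_id: bytes):
        sub = self.subscribers[imsi]
        sub["sqn"] += 1                       # fresh sequence number for every vector
        sqn = sub["sqn"].to_bytes(6, "big")
        rand, k = os.urandom(16), sub["k"]
        sqn_xor_ak = _xor(sqn, f5(k, rand))
        autn = sqn_xor_ak + AMF + f1(k, rand, sqn, AMF)
        kasme = kdf_kasme(f3(k, rand), f4(k, rand), sn_id, sqn_xor_ak)
        return rand, autn, f2(k, rand), kasme  # (RAND, AUTN, XRES, KASME)


class USIM:
    """UE side (C5): verify AUTN, i.e. authenticate the network, before deriving RES, CK/IK and KASME."""
    def __init__(self, k: bytes, sqn: int):
        self.k, self.sqn = k, sqn

    def respond(self, rand: bytes, autn: bytes, sn_id: bytes):
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(sqn_xor_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return None                        # MAC failure: the challenger does not know K
        if int.from_bytes(sqn, "big") <= self.sqn:
            return None                        # replayed vector: synchronisation failure
        self.sqn = int.from_bytes(sqn, "big")
        kasme = kdf_kasme(f3(self.k, rand), f4(self.k, rand), sn_id, sqn_xor_ak)
        return f2(self.k, rand), kasme         # (RES, KASME)


def run_attach(hss: HSS, usim: USIM, imsi: str, sn_id: bytes = SN_ID) -> bool:
    """MME role (C1..C6): fetch an AV, challenge the UE, accept only if RES matches XRES."""
    rand, autn, xres, kasme_mme = hss.authentication_vector(imsi, sn_id)
    reply = usim.respond(rand, autn, sn_id)
    if reply is None:
        return False
    res, kasme_ue = reply
    return hmac.compare_digest(res, xres) and kasme_ue == kasme_mme


IMSI = "460001234567890"                                   # constructed
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")      # constructed long-term key
def genuine_network(): return HSS({IMSI: {"k": K, "sqn": 0x20}})
def pseudo_base_station(): return HSS({IMSI: {"k": os.urandom(16), "sqn": 0x20}})  # does not hold K
def fresh_usim(): return USIM(K, 0x20)


if __name__ == "__main__":
    print("genuine network:", run_attach(genuine_network(), fresh_usim(), IMSI))
    print("pseudo base station:", run_attach(pseudo_base_station(), fresh_usim(), IMSI))
```

The pseudo base station fails at the AUTN check inside the USIM, not at the RES comparison, which is the difference from the one-way GSM procedure: in GSM the terminal has nothing equivalent to AUTN to verify, so the same impostor would be accepted.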
FIG. 5 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 5, on the basis of the embodiment shown in FIG. 1, before the third base station is searched for the base station redirection method further includes:
S10: determine whether a connection reject message was received before the message redirecting to the second base station; if a connection reject message was received, proceed to search for the third base station and connect to it (steps S1 and S2); otherwise execute S11: establish a communication connection with the second base station.
After the user equipment enters an area it measures the signal strength of the base stations in that area, chooses the first base station with the strongest signal to attempt access, and sends it a tracking area update request. If the first base station needs to redirect the user equipment, it replies to the tracking area update request with a reject message. On receiving that reject, the user equipment sends the first base station an attach request; the base station replies to the attach request with a reject message and sends the user equipment a redirection message telling it to connect to the second base station.
The above is the case where, after the user enters an area and attempts to access the first base station, the first base station refuses the access request and redirects the user equipment; in this case there is a risk that a pseudo base station is acting as the first base station and sending the redirection message.
In other cases, however, the base station that sends a redirection message is generally safe, and there is no risk in attempting to connect as the redirection message directs. For example, while the user equipment is connected to a base station that needs temporary maintenance or suffers a sudden fault, that base station may send the redirection message directly; the user equipment then receives the redirection message directly, without first receiving any connection reject message such as a reject in response to a tracking area update request or an attach request.
Therefore, according to this embodiment, whether a connection reject message was received before the message redirecting to the second base station can be used to judge whether attempting to connect as the redirection message directs carries any risk, avoiding a search for a third base station, and the power it costs the user equipment, where there is no risk.
FIG. 6 is a schematic flowchart of a base station redirection method according to still another embodiment of the present invention. As shown in FIG. 6, on the basis of the embodiment shown in FIG. 1, before the third base station is searched for the base station redirection method further includes:
S12: send the first base station a preset number of tracking area update request messages;
S13: determine whether a request reject message from the first base station was received after each tracking area update request was sent; if so, proceed to search for the third base station and connect to it (steps S1 and S2); otherwise execute step S14: establish a communication connection with the first base station.
After the user equipment enters an area it measures the signal strength of the base stations there and chooses the first base station with the strongest signal to attempt access. If in this situation it receives a message from the first base station redirecting it to the second base station and the first base station is not a pseudo base station, the first base station sent the redirection because its current load is high and it temporarily cannot admit the user equipment.
It can be seen that, where the first base station is a genuine base station, its sending a redirection message only means that it temporarily cannot admit the user equipment; the load of a genuine base station does not generally stay high, so it will not keep replying to the user equipment's access requests with request reject messages. A pseudo base station, on the other hand, in order to redirect the user equipment to a base station with a lower security level, replies to every access request from the user equipment with a request reject message and then sends a redirection message.
根据本实施例,可以向第一基站传输预设次数(大于一次,例如可以是10次)的追踪区域升级请求报文,优选地,每次传输追踪区域升级请求报文的时间间隔可以设置为1分钟。若对于所有的追踪区域升级请求报文,第一基站都返回了请求拒绝报文,那么说明书第一基站较大概率为伪基站。而在任一次传输追踪区域升级请求报文后,没有收到第一基站的请求拒绝报文(或者收到该基站的请求允许报文),那么说明第一基站此时负载已经降低,可以供用户设备接入了,还说明该第一基站为正常基站,因此,用户设备可以接入第一基站,从而实现与该区域内信号强度最高的基站建立通信连接。According to this embodiment, the tracking area upgrade request message of the preset number of times (more than one time, for example, may be 10 times) may be transmitted to the first base station. Preferably, the time interval of each time the tracking area upgrade request message is transmitted may be set to 1 minute. If the first base station returns a request rejection message for all the tracking area upgrade request messages, then the first base station has a larger probability of being a pseudo base station. After receiving the tracking area upgrade request message, the first base station does not receive the request rejection message (or receives the request permission message of the base station), so that the first base station has reduced the load at this time, and the user can be used for the user. The device is accessed, and the first base station is a normal base station. Therefore, the user equipment can access the first base station, thereby establishing a communication connection with the base station with the highest signal strength in the area.
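The two checks described above, the pre-redirect reject test (FIG. 11, module 76) and the repeated tracking area update probe (FIG. 6, steps S12 to S13), written out as UE-side decision logic. This is an added example, not code from the patent: the base station answers, cell identifiers, signal strengths and the names `BaseStation`, `RedirectEvent`, `Decision`, `handle_redirect` and `choose_third` are constructed stand-ins, and the one-minute wait between probes is injected so the example runs instantly.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class BaseStation:
    cell_id: str
    # Simulated answer to the n-th tracking area update request: "ACCEPT" or "REJECT".
    tau_responder: Callable[[int], str]


@dataclass
class RedirectEvent:
    source: BaseStation          # the first base station, which sent the redirect
    target_id: str               # the second base station the redirect points to
    preceded_by_reject: bool     # was a TAU/connection reject received before the redirect?


@dataclass
class Decision:
    action: str                  # "FOLLOW_REDIRECT", "CONNECT_FIRST" or "SEARCH_THIRD"
    tau_attempts: int = 0        # number of TAU probes sent before deciding


def handle_redirect(ev: RedirectEvent, probe_count: int = 10,
                    wait: Callable[[int], None] = lambda seconds: None) -> Decision:
    """Decide what to do with a redirection message.

    A redirect that arrived without any preceding reject (for example a cell
    going into maintenance) is followed as-is. Otherwise the first base
    station is probed probe_count times; a real UE waits about 60 s between
    probes, here `wait` is a no-op by default so the example runs instantly.
    """
    if not ev.preceded_by_reject:
        return Decision("FOLLOW_REDIRECT")
    for attempt in range(1, probe_count + 1):
        if attempt > 1:
            wait(60)
        if ev.source.tau_responder(attempt) == "ACCEPT":
            # A single accept means the cell was merely overloaded: connect to it.
            return Decision("CONNECT_FIRST", attempt)
    # Rejected every time: behaves like a pseudo base station, look for a third cell.
    return Decision("SEARCH_THIRD", probe_count)


def choose_third(visible: List[Tuple[str, int]], first_id: str, second_id: str) -> Optional[str]:
    """Pick the strongest visible cell (cell_id, RSSI in dBm) that is neither
    the redirect source nor its target; None if no such cell is visible."""
    candidates = [c for c in visible if c[0] not in (first_id, second_id)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[1])[0]


# Constructed scenarios (not captured from a real network).
MAINTENANCE = RedirectEvent(BaseStation("cell-A", lambda n: "ACCEPT"), "cell-B", False)
OVERLOADED = RedirectEvent(BaseStation("cell-A", lambda n: "REJECT" if n < 4 else "ACCEPT"), "cell-B", True)
PERSISTENT = RedirectEvent(BaseStation("cell-A", lambda n: "REJECT"), "cell-B", True)
VISIBLE = [("cell-A", -55), ("cell-B", -60), ("cell-C", -70), ("cell-D", -65)]

if __name__ == "__main__":
    for name, ev in [("maintenance", MAINTENANCE), ("overloaded", OVERLOADED),
                     ("persistent reject", PERSISTENT)]:
        print(name, handle_redirect(ev))
    print("third base station:", choose_third(VISIBLE, "cell-A", "cell-B"))
```

The probe loop stops at the first accept, so a normal cell whose load drops after a few minutes costs at most a few TAU requests, while a cell that rejects all ten probes is treated the same way as one that sent a reject followed by a redirect on the first attempt.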
FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 7, the base station redirection apparatus 70 includes:
a message receiving module 71, configured to receive a message from a first base station redirecting to a second base station;
a search module 72, which, when the message receiving module receives the message redirecting to the second base station, searches for a third base station other than the first base station and the second base station;
a connection establishing module 73, configured to establish a communication connection with the third base station.
FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 8, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus further includes:
a prompting module 74, which, when the message receiving module receives the message redirecting to the second base station, generates first prompt information configured to indicate the base station being redirected to and to let the user select a reject-redirection instruction or an accept-redirection instruction;
where the search module 72 is further configured to search for the third base station on the basis of a reject-redirection instruction selected by the user,
or the connection establishing module 73 is further configured to establish a communication connection with the second base station on the basis of an accept-redirection instruction selected by the user.
FIG. 9 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 9, on the basis of the embodiment shown in FIG. 8, the base station redirection apparatus 70 further includes:
a security judging module 75, which, after the connection establishing module 73 has established a communication connection with the second base station, judges whether the security level of the second base station is lower than the security level of the base station to which the user equipment was connected before the message was received,
where the prompting module 74 generates second prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
FIG. 10 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 10, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
a security judging module 75, configured to judge whether the security level of the third base station is lower than the security level of the base station connected before the message was received;
a prompting module 74, which generates third prompt information when the security level of the third base station is lower than the security level of the base station connected before the message was received.
Optionally, the security level of a 2G base station is lower than the security level of a 3G base station, and the security level of a 3G base station is lower than the security level of a 4G base station.
FIG. 11 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 11, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
a message judging module 76, which, before the third base station is searched for, judges whether a connection reject message was received before the message receiving module received the message redirecting to the second base station,
where the search module 72 searches for the third base station when a connection reject message was received before the message receiving module 71 received the message redirecting to the second base station, and the connection establishing module 73 establishes a communication connection with the second base station when no connection reject message was received before the message receiving module 71 received the message redirecting to the second base station.
FIG. 12 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 12, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
a message transmitting module 77, configured to transmit a preset number of tracking area update request messages to the first base station before the third base station is searched for;
where the search module 72 searches for the third base station when the message receiving module 71 receives a request reject message from the first base station after every transmission of the tracking area update request message, and the connection establishing module 73 establishes a communication connection with the first base station when the message receiving module 71 receives a request accept message from the first base station after any one transmission of the tracking area update request message.
In view of the above problems, the present invention further proposes the base station redirection method and base station redirection apparatus described below.
FIG. 13 is a schematic flowchart of a base station redirection method according to an embodiment of the present invention; the method may be applied to a mobile terminal. As shown in FIG. 13, the base station redirection method includes:
step 1: authenticating a first base station;
step 2: if the first base station fails authentication, upon receiving a message from the first base station redirecting to a second base station, searching for a third base station other than the first base station and the second base station;
step 3: establishing a communication connection with the third base station.
According to this embodiment, the base station may be authenticated before the redirection message is received. For example, after the user equipment enters an area and detects that the first base station has the highest signal strength, it attempts to access the first base station and at the same time directly initiates an authentication request to the first base station, requesting it to return authentication information. Alternatively, the authentication request asking the first base station to return authentication information may be initiated after a reject message from the first base station in response to a tracking area update request has been received, or after a reject message in response to a connection request has been received.
A first base station that fails authentication (for example, the first base station returned authentication information that does not match the authentication information stored on the terminal, or it returned no authentication information at all) can generally be judged to be a pseudo base station. If a redirection message from it can still be received (for example, the first base station transmits the redirection message to the user equipment at the non-access stratum), the second base station that the redirection message points to is also a pseudo base station, or a base station with a lower security level. The user equipment may then write the identifiers of the first base station and the second base station (for example identity identifiers, address identifiers and the like) to a blacklist, search the area for a third base station other than the first base station and the second base station, and attempt to access it. Of course, the third base station may be authenticated in the same way as the first base station, and a communication connection is established with the third base station if it passes authentication.
It can be seen that, according to this embodiment, the base station that the user equipment attempts to access is authenticated first and its redirection message is received afterwards, so that the authentication result shows whether that base station is a pseudo base station before the redirection is acted on. Where it is a pseudo base station, access to the base station that its redirection message points to can be avoided, and a base station other than the pseudo base station and the one its redirection message points to can be searched for, which ensures that a secure base station is accessed.
Optionally, when the first base station fails authentication, the identifiers of the first base station and the second base station are recorded.
According to this embodiment, when the user equipment enters the above area again (in the present invention, "again" means any time after the first time), a repeated attempt to access the first base station or the second base station can be avoided, ensuring that the base station it attempts to access is a secure one.
Optionally, authenticating the first base station includes:
when attempting to access the first base station, initiating an authentication request to the first base station, or, upon receiving a reject message from the first base station in response to a tracking area update request, initiating an authentication request to the first base station, requesting the first base station to return authentication information.
According to this embodiment, when the user equipment attempts to access the first base station, or when it receives a reject message from the first base station in response to a tracking area update request, the user equipment has not yet transmitted its IMSI to the base station it is attempting to access. Authenticating the base station in these two situations therefore reduces the probability that a pseudo base station obtains the user's IMSI.
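Steps 1 to 4 of the authentication-gated method, together with the optional recording of identifiers, as an added example rather than code from the patent. The UE authenticates the first base station before acting on any redirection message, follows the redirect when authentication passes, blacklists an unauthenticated first base station together with the redirect target, searches for and authenticates a third base station in the same way, and on a later visit to the area skips the recorded cells before attempting access. The `authenticate` callback, the `Cell` and `RedirectGuard` names, and the cell identifiers and signal strengths are constructed stand-ins; a real implementation would plug the AKA procedure in behind `authenticate`.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Cell:
    cell_id: str
    rssi_dbm: int


@dataclass
class RedirectGuard:
    authenticate: Callable[[str], bool]          # True when the cell passes authentication
    blacklist: Set[str] = field(default_factory=set)   # recorded identifiers (step "optionally")
    log: List[str] = field(default_factory=list)

    def choose_access_cell(self, visible: List[Cell]) -> Optional[Cell]:
        """Strongest visible cell that was not blacklisted on an earlier visit."""
        usable = [c for c in visible if c.cell_id not in self.blacklist]
        return max(usable, key=lambda c: c.rssi_dbm) if usable else None

    def on_redirect(self, first: Cell, second_id: str, visible: List[Cell]) -> Optional[str]:
        """Handle a redirect from `first` to `second_id`; return the cell to connect to."""
        if self.authenticate(first.cell_id):
            # Step 4: the source is a normal base station, so its redirect is trusted.
            self.log.append(f"{first.cell_id} authenticated; following redirect to {second_id}")
            return second_id
        # Steps 2 and 3: unauthenticated source, record both identifiers and look elsewhere.
        self.blacklist.update({first.cell_id, second_id})
        self.log.append(f"{first.cell_id} failed authentication; recorded {first.cell_id}, {second_id}")
        return self._search_third(first.cell_id, second_id, visible)

    def _search_third(self, first_id: str, second_id: str, visible: List[Cell]) -> Optional[str]:
        excluded = self.blacklist | {first_id, second_id}
        for cell in sorted(visible, key=lambda c: c.rssi_dbm, reverse=True):
            if cell.cell_id in excluded:
                continue
            if self.authenticate(cell.cell_id):    # third base station checked the same way
                return cell.cell_id
            self.blacklist.add(cell.cell_id)
            self.log.append(f"{cell.cell_id} failed authentication; recorded")
        return None                                 # nothing trustworthy left in the area


# Constructed area: cell-A is the strongest but cannot authenticate; cell-X is its target.
TRUSTED = {"cell-B", "cell-D"}
AREA = [Cell("cell-A", -58), Cell("cell-X", -62), Cell("cell-B", -70), Cell("cell-D", -81)]


def simulate_two_visits() -> Dict[str, Optional[str]]:
    guard = RedirectGuard(authenticate=lambda cid: cid in TRUSTED)
    first_try = guard.choose_access_cell(AREA)                  # cell-A on the first visit
    connected = guard.on_redirect(first_try, "cell-X", AREA)    # A fails, X recorded, B chosen
    revisit = guard.choose_access_cell(AREA)                    # A and X are skipped now
    return {"first_visit": connected,
            "revisit_access": revisit.cell_id if revisit else None,
            "blacklist": ",".join(sorted(guard.blacklist))}


if __name__ == "__main__":
    print(simulate_two_visits())
```

Because the blacklist is consulted both when choosing which cell to attempt and when searching for a third cell, a recorded pseudo base station is never contacted again even if it is still the strongest signal in the area.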
For example, if the user equipment UE operates in a 4G (fourth-generation mobile communication technology) network, the user equipment may authenticate the first base station as follows:
First, the UE initiates an authentication request via the NAS layer (Non-Access Stratum; the NAS protocol handles the transfer of information between the UE and the CN, which may be user information or control information such as service establishment, release, or mobility management information) to the MME (Mobility Management Entity, the key control node of the LTE access network in the 3GPP protocols, responsible for locating UEs in idle mode and for the paging process, including relaying; put simply, the MME handles the signalling part);
S2: the MME requests an authentication vector from the HSS (Home Subscriber Server);
S3: the HSS returns one or more EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME;
S4: upon receipt, the MME stores XRES and Kasme and sends the random number RAND and the authentication token AUTN to the UE;
S5: the UE authenticates the first base station by means of AUTN; if the first base station fails authentication, the procedure ends; if it passes, the UE computes RES and CK/IK from AUTN and RAND, and further derives Kasme (the second-level key needed for LTE authentication, which is computed from the first-level keys CK and IK);
S6: the UE and the MME derive from Kasme the encryption keys and integrity protection keys needed by the NAS layer and the AS layer.
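The exchange in steps S2 to S6 written out with both sides' messages, so that the UE-side check which makes a pseudo base station fail authentication can be seen end to end. This is an added example, not code from the patent: HMAC-SHA256 stands in for the MILENAGE functions f1 to f5 and for the 3GPP key derivation function (the real algorithms are AES-based), the field widths follow the EPS AUTN layout (SQN xor AK, AMF, MAC) but the subscriber key K and the serving network identifier are constructed, and the names `hss_generate_av`, `UE`, `mme_check_res` and `run_exchange` are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SN_ID = b"\x00\x01\x10"   # constructed serving network identifier (an assumption)


def _f(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for MILENAGE f1..f5: a keyed PRF truncated to n bytes."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def _kasme(ck: bytes, ik: bytes, sqn_xor_ak: bytes) -> bytes:
    # Stand-in for the 3GPP KDF: binds CK||IK to the serving network identifier.
    return hmac.new(ck + ik, SN_ID + sqn_xor_ak, hashlib.sha256).digest()


def hss_generate_av(k: bytes, sqn: int, rand: bytes, amf: bytes = b"\x80\x00") -> Dict[str, bytes]:
    """S3: the HSS builds one EPS authentication vector (RAND, AUTN, XRES, KASME)."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"f1", sqn_b + rand + amf, 8)      # MAC-A over SQN, RAND and AMF
    xres = _f(k, b"f2", rand, 8)
    ck, ik = _f(k, b"f3", rand, 16), _f(k, b"f4", rand, 16)
    ak = _f(k, b"f5", rand, 6)                     # anonymity key hides SQN on the air
    sqn_xor_ak = bytes(a ^ b for a, b in zip(sqn_b, ak))
    return {"rand": rand, "autn": sqn_xor_ak + amf + mac,
            "xres": xres, "kasme": _kasme(ck, ik, sqn_xor_ak)}


class UE:
    """Holds the subscriber key K and the highest SQN accepted so far."""

    def __init__(self, k: bytes, last_sqn: int = 0):
        self.k = k
        self.last_sqn = last_sqn

    def authenticate_network(self, rand: bytes, autn: bytes) -> Optional[Tuple[bytes, bytes]]:
        """S5: verify AUTN. Returns (RES, KASME), or None when whoever sent
        RAND/AUTN does not hold K (wrong MAC) or replays an old vector (stale SQN)."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = _f(self.k, b"f5", rand, 6)
        sqn_b = bytes(a ^ b for a, b in zip(sqn_xor_ak, ak))
        expected_mac = _f(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, expected_mac):
            return None                            # sender does not know K: reject it
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.last_sqn:
            return None                            # replayed vector: reject it
        self.last_sqn = sqn
        res = _f(self.k, b"f2", rand, 8)
        ck, ik = _f(self.k, b"f3", rand, 16), _f(self.k, b"f4", rand, 16)
        return res, _kasme(ck, ik, sqn_xor_ak)     # S6 keys are derived from KASME


def mme_check_res(av: Dict[str, bytes], res: bytes) -> bool:
    """The MME compares the RES returned by the UE with the stored XRES."""
    return hmac.compare_digest(av["xres"], res)


def run_exchange(k_network: bytes, sqn: int, ue: UE) -> str:
    """Drive one authentication run and classify the outcome."""
    av = hss_generate_av(k_network, sqn, os.urandom(16))     # S2/S3
    result = ue.authenticate_network(av["rand"], av["autn"])  # S4/S5
    if result is None:
        return "NETWORK_REJECTED_BY_UE"
    res, kasme_ue = result
    if not mme_check_res(av, res):
        return "UE_REJECTED_BY_NETWORK"
    return "MUTUAL_AUTH_OK" if kasme_ue == av["kasme"] else "KEY_MISMATCH"


if __name__ == "__main__":
    K = bytes(range(16))                           # constructed subscriber key
    ue = UE(K)
    print("genuine network:", run_exchange(K, 1, ue))
    print("station without K:", run_exchange(bytes(16), 2, ue))
    print("replayed vector:", run_exchange(K, 1, ue))
```

The two failure branches in `authenticate_network` are the whole point of step S5: a base station that does not hold the subscriber key cannot produce a valid MAC, and one that retransmits a captured vector is caught by the sequence number, so in both cases the UE ends the procedure before RES or any session key leaves the device.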
FIG. 14 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention. As shown in FIG. 14, on the basis of the embodiment shown in FIG. 13, the base station redirection method further includes:
step 4: if the first base station passes authentication, upon receiving a message from the first base station redirecting to the second base station, establishing a communication connection with the second base station.
According to this embodiment, when the first base station passes authentication, it is not a pseudo base station, so a communication connection can be established with the second base station according to its redirection message.
FIG. 15 is a schematic flowchart of a base station redirection method according to yet another embodiment of the present invention. As shown in FIG. 15, on the basis of the embodiment shown in FIG. 14, after the communication connection with the second base station has been established, the base station redirection method further includes:
step 5: judging whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
step 6: if it is lower, displaying first prompt information.
According to this embodiment, even when the first base station is not a pseudo base station, it may still redirect the user equipment to a base station with a lower security level.
For example, after the user equipment enters an area, it detects that the base station with the highest power in the area is the first base station. While it attempts to connect to the first base station, the first base station passes authentication but is heavily loaded at that moment and therefore returns a redirection instruction to the user equipment. If all the 4G base stations in the area are heavily loaded at that time and only the second base station is lightly loaded, but the second base station is a 2G base station while the base station the user equipment was connected to before receiving the redirection message was a 4G base station, then after the user equipment accesses the second base station the security level of the mobile network it is on is reduced.
According to this embodiment, the first prompt information can be displayed in the above situation so that the user learns promptly that the security level of the base station connected after the redirection has been reduced, and can then decide whether to maintain the connection with the second base station.
FIG. 16 is a schematic flowchart of a base station redirection method according to yet another embodiment of the present invention. As shown in FIG. 16, when the first base station fails authentication, on the basis of the embodiment shown in FIG. 13, the base station redirection method further includes:
step 7: displaying second prompt information, which indicates to the user that the first base station has failed authentication and lets the user select a reject-redirection instruction or an accept-redirection instruction;
step 8: searching for the third base station on the basis of a selected reject-redirection instruction, or
step 9: establishing a communication connection with the second base station on the basis of a selected accept-redirection instruction.
This is because in some situations, even though the first base station has failed authentication, the user equipment still needs to connect to the second base station according to the redirection message of the first base station.
For example, when a public security organ investigates a case, it needs to obtain evidence that criminals used a pseudo base station to send redirection messages to users. According to this embodiment, a communication connection with the second base station can still be established according to the redirection message of the first base station even though the first base station failed authentication, so that while the user equipment is connected to the second base station, the behaviour of the pseudo base station in sending fraudulent messages to the user terminal or stealing its messages can be detected and the evidence of the crime confirmed.
FIG. 17 is a schematic flowchart of a base station redirection method according to yet another embodiment of the present invention. As shown in FIG. 17, after the communication connection with the second base station has been established, on the basis of the embodiment shown in FIG. 16, the base station redirection method further includes:
step 10: judging whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
step 11: if it is lower, displaying third prompt information.
According to this embodiment, when the first base station has failed authentication and the user equipment is connected to the second base station that the redirection message of the first base station points to, the first base station can be tested according to whether the security level of the second base station has been reduced.
For example, when an operator deploys base stations, the parameter values used by some base stations for authentication may not have been stored or may have been omitted, so that those base stations cannot pass authentication. This embodiment provides the conditions for operator testing: when the first base station fails authentication, a communication connection with the second base station is still established according to the redirection message of the first base station, and it is further judged whether the security level of the second base station has been reduced.
If the security level of the second base station has been reduced, the first base station can be judged to be a pseudo base station. If the security level of the second base station has not been reduced, the first base station is a normal base station (because a pseudo base station generally sends redirection messages to redirect the user equipment to a base station with a lower security level so as to send fraudulent messages or steal messages) that merely lacks the parameters required for authentication or has incorrect parameter values, and the base station can be repaired accordingly.
Optionally, the security level of a 2G base station is lower than the security level of a 3G base station, and the security level of a 3G base station is lower than the security level of a 4G base station.
For example, the authentication mode of a 2G base station is GSM (Global System for Mobile Communications) authentication, the authentication mode of a 3G base station is WCDMA (Wideband Code Division Multiple Access) authentication, and the authentication mode of a 4G base station is LTE (Long Term Evolution) authentication.
GSM authentication is one-way: only the base station (network) authenticates the user, and the user equipment does not authenticate the base station (network), so an illegal base station can masquerade as a legitimate base station to deceive the user equipment and steal user information. Moreover, the GSM network makes no provision for data integrity protection, so tampering with data in transit is hard to detect. GSM encryption is not end-to-end: only the radio channel is encrypted, and there is no encryption in the fixed network (transmission is in clear text), which gives an attacker an opportunity. The GSM encryption algorithms and keys also carry security risks: the key is too short, at only 64 bits; the encryption algorithms are not public and are essentially fixed, and no encryption algorithm can be negotiated.
Although the WCDMA network achieves two-way authentication and has a higher security level than the GSM network, the authentication in its authentication procedure only lets the user equipment authenticate the HLR (Home Location Register), not the VLR (Visitor Location Register), so an attacker can intercept a legitimate IMSI and use it for an attack. Authentication and confidential communication on the network side are also not considered: an attacker can obtain the AV (Authentication Vector), and hence CK and IK, by intercepting the messages between the VLR and the HLR. The user equipment roams between different PLMNs (Public Land Mobile Networks), which may be different networks in different countries; when the home HLR sends the AV to the VLR of the roaming network, the AV passes through different networks and is easily intercepted by an attacker.
The LTE network does not have the problems of the GSM network and the WCDMA network, and its security level is therefore higher.
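The security-level comparison used in steps 5 to 6 and 10 to 11, together with the operator-test rule of the preceding paragraphs, as an added example that is not code from the patent. Rather than hard-coding 2G < 3G < 4G, it derives that order from the authentication properties the description lists for GSM, WCDMA and LTE (one-way versus mutual authentication, whether the visited network is authenticated, integrity protection, algorithm negotiation, key length), so a further technology could be ranked by the same rule. The `RatProfile` name, the property fields and the classification labels are assumptions; the WCDMA integrity-protection and key-length values are standard UMTS properties not stated on this page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RatProfile:
    """Authentication properties of one radio access technology."""
    name: str
    mutual_auth: bool                    # does the UE authenticate the network at all?
    visited_network_authenticated: bool  # is the serving node (VLR/MME) covered by that auth?
    integrity_protection: bool
    algorithm_negotiation: bool
    key_bits: int

    def rank(self) -> Tuple[bool, bool, bool, bool, int]:
        # Lexicographic: mutual authentication weighs most, key length least.
        return (self.mutual_auth, self.visited_network_authenticated,
                self.integrity_protection, self.algorithm_negotiation, self.key_bits)


PROFILES: Dict[str, RatProfile] = {
    "2G": RatProfile("GSM", False, False, False, False, 64),     # as described above
    "3G": RatProfile("WCDMA", True, False, True, True, 128),     # VLR not authenticated
    "4G": RatProfile("LTE", True, True, True, True, 128),
}


def security_level(rat: str) -> int:
    """Position of the technology in the order derived from the profiles (0 is weakest)."""
    if rat not in PROFILES:
        raise ValueError(f"unknown radio access technology: {rat}")
    ordered = sorted(PROFILES, key=lambda r: PROFILES[r].rank())
    return ordered.index(rat)


def level_dropped(previous_rat: str, new_rat: str) -> bool:
    return security_level(new_rat) < security_level(previous_rat)


def prompt_after_redirect(previous_rat: str, new_rat: str, first_authenticated: bool) -> Optional[str]:
    """Steps 5/6 give the first prompt (source authenticated); steps 10/11 give the
    third prompt (source failed authentication). None when the level did not drop."""
    if not level_dropped(previous_rat, new_rat):
        return None
    label = "first prompt" if first_authenticated else "third prompt"
    return (f"{label}: security level dropped from {previous_rat} "
            f"({PROFILES[previous_rat].name}) to {new_rat} ({PROFILES[new_rat].name})")


def classify_unauthenticated_first_bs(previous_rat: str, second_rat: str) -> str:
    """Operator-test rule: a pseudo base station redirects to a weaker cell, while a
    normal base station that merely lacks its authentication parameters does not."""
    if level_dropped(previous_rat, second_rat):
        return "PSEUDO_BASE_STATION"
    return "NORMAL_BASE_STATION_MISSING_AUTH_PARAMETERS"


if __name__ == "__main__":
    # Constructed scenario from the description: previously on 4G, redirected to a 2G cell.
    print(prompt_after_redirect("4G", "2G", first_authenticated=True))
    print(classify_unauthenticated_first_bs("4G", "2G"))
    print(classify_unauthenticated_first_bs("4G", "4G"))
```

Deriving the order from properties rather than from the generation label keeps the comparison honest when a cell's generation and its actual authentication behaviour differ, which is exactly the case the operator-test paragraph is about.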
图18是根据本发明一个实施例的基站重定向装置的示意框图,如图18所示,根据本发明的第二方面的基站重定向装置60,其特征在于,包括:FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 18, the base station redirection apparatus 60 according to the second aspect of the present invention includes:
鉴权模块61,配置为对第一基站进行鉴权;The authentication module 61 is configured to perform authentication on the first base station;
搜索模块62,在所述第一基站未通过鉴权的情况下,在接收到来自所述第一基站的重定向至第二基站的报文时,搜索所述第一基站和所述第二基站以外的第三基站;The searching module 62 searches for the first base station and the second when receiving the message redirected from the first base station to the second base station if the first base station fails to pass the authentication. a third base station other than the base station;
连接模块63,与所述第三基站建立通信连接。The connection module 63 establishes a communication connection with the third base station.
Optionally, when the first base station passes authentication, the connection module 63 establishes a communication connection with the second base station upon receiving a message from the first base station that redirects to the second base station.
FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 19, on the basis of the embodiment shown in FIG. 18, the base station redirection apparatus 60 optionally further includes:
a determining module 64, configured to determine whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
a display module 65, which displays first prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
FIG. 20 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 20, on the basis of the embodiment shown in FIG. 18, the base station redirection apparatus 60 optionally further includes:
a display module 65, configured to display second prompt information when the first base station fails authentication, the second prompt information notifying the user that the first base station failed authentication and letting the user choose between a reject-redirection instruction and an accept-redirection instruction;
wherein the search module 62 is configured to search for the third base station when the reject-redirection instruction is selected in response to the second prompt information,
or the connection module 63 is configured to establish a communication connection with the second base station when the accept-redirection instruction is selected.
FIG. 21 is a schematic block diagram of a base station redirection apparatus according to yet another embodiment of the present invention. As shown in FIG. 21, on the basis of the embodiment shown in FIG. 20, the base station redirection apparatus 60 further includes:
a determining module 66, configured to determine, after the connection module 63 has established a communication connection with the second base station, whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
wherein the display module 65 displays third prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
Optionally, the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
In summary, with the technical solution of the present invention, when a redirection message is received, a third base station is searched for, other than the first base station that sent the redirection message and the second base station to which the redirection message points. Thus, when the first base station is a pseudo base station, the user equipment does not access the second base station to which that pseudo base station's redirection message points; access to a secure base station is ensured, and the user equipment is kept from receiving fraud or harassment messages or leaking personal information.
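The redirection handling described above, and restated in claims 1 to 7 and 15 to 20 below, as an added worked example that is not the patent's or the applicant's code (the patent describes modules, not code). The `Cell` and `RedirectEvent` records, the prompt names, the choice of the highest-security candidate as third base station, and the order in which the separate checks of the claims are combined into one decision flow are all assumptions made for this illustration.

```python
"""UE-side redirection policy modelled on this patent's description and claims.

Added illustration, not code from the patent or its applicant. The records,
prompt names, third-cell preference and the combined check order are assumed.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class RAT(IntEnum):
    """Security ordering stated in the description: 2G < 3G < 4G."""
    G2 = 2
    G3 = 3
    G4 = 4


@dataclass(frozen=True)
class Cell:
    cell_id: str
    rat: RAT


@dataclass
class RedirectEvent:
    first: Cell      # base station that sent the redirection message
    second: Cell     # base station the message points to
    previous: Cell   # base station connected before the message arrived
    # Claims 15-20: result of authenticating the first base station.
    # None means no authentication result is available (claims 1-7 path).
    first_authenticated: Optional[bool] = None
    # Claim 6: a connection reject message preceded the redirection message.
    reject_before_redirect: bool = False
    # Claim 7: outcome of each Tracking Area Update request sent to the first
    # base station (True = accepted, False = rejected).
    tau_outcomes: List[bool] = field(default_factory=list)
    # Claims 2 and 18: the user's answer to the prompt (None = not answered).
    user_accepts_redirect: Optional[bool] = None


@dataclass
class Decision:
    action: str      # "connect_second" | "connect_first" | "search_third"
    prompts: List[str] = field(default_factory=list)


def is_downgrade(target: Cell, previous: Cell) -> bool:
    """True when the target has a lower security level than the previous cell."""
    return target.rat < previous.rat


def choose_third_base_station(candidates: List[Cell], first: Cell,
                              second: Cell) -> Optional[Cell]:
    """Claim 1: pick a cell other than the first and second base stations.
    Preferring the highest security level among what remains is an assumption."""
    excluded = {first.cell_id, second.cell_id}
    remaining = [c for c in candidates if c.cell_id not in excluded]
    return max(remaining, key=lambda c: c.rat) if remaining else None


def decide_redirect(ev: RedirectEvent, tau_attempts: int = 3) -> Decision:
    """Return the action the UE takes on a redirection message and the prompts shown."""
    prompts: List[str] = []

    # Claims 16-17: an authenticated first base station is trusted. Follow the
    # redirect, but warn when it lowers the security level (e.g. 4G -> 2G).
    if ev.first_authenticated is True:
        if is_downgrade(ev.second, ev.previous):
            prompts.append("downgrade_warning")
        return Decision("connect_second", prompts)

    # Claims 18-19: authentication failed. Tell the user and let them decide;
    # a user who accepts still gets the downgrade warning after connecting.
    if ev.first_authenticated is False:
        prompts.append("auth_failed_choose")
        if ev.user_accepts_redirect:
            if is_downgrade(ev.second, ev.previous):
                prompts.append("downgrade_warning")
            return Decision("connect_second", prompts)
        return Decision("search_third", prompts)

    # Claim 6: a reject followed by a redirect is treated as a pseudo base
    # station pattern; the redirect is not followed.
    if ev.reject_before_redirect:
        return Decision("search_third", prompts)

    # Claim 7: probe the first base station with a preset number of TAU
    # requests. A cell that rejects every one is not connected to; a cell
    # that accepts at least one is.
    outcomes = ev.tau_outcomes[:tau_attempts]
    if len(outcomes) == tau_attempts and not any(outcomes):
        return Decision("search_third", prompts)
    if any(outcomes):
        return Decision("connect_first", prompts)

    # Claim 2: show the redirect target and let the user choose; with no
    # answer the default of claim 1 applies and a third base station is sought.
    prompts.append("redirect_choose")
    if ev.user_accepts_redirect:
        if is_downgrade(ev.second, ev.previous):
            prompts.append("downgrade_warning")  # claim 3
        return Decision("connect_second", prompts)
    return Decision("search_third", prompts)


if __name__ == "__main__":
    # Constructed scenario: a 4G UE is told by an unauthenticated cell to move
    # to a 2G cell right after a connection reject.
    lte, gsm = Cell("eNB-A", RAT.G4), Cell("BTS-B", RAT.G2)
    event = RedirectEvent(first=Cell("eNB-X", RAT.G4), second=gsm,
                          previous=lte, reject_before_redirect=True)
    print(decide_redirect(event))
    print(choose_third_base_station([gsm, Cell("eNB-C", RAT.G4)], event.first, gsm))
```

The point a practitioner should take from the flow is that the redirect target is never trusted on the strength of the redirection message alone: either the sending cell has already been authenticated, or an independent signal (a preceding reject, a run of rejected TAU requests, or an explicit user choice) decides whether the UE follows it, and any move to a lower-security RAT is surfaced to the user even when it is followed.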
It should be noted that the algorithms and formulas provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the examples given herein. The structure required to construct such a system is apparent from the above description. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein may be implemented in a variety of programming languages, and that the above description of a specific language is given in order to disclose the best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of its various aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method and apparatus are not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the website security detection device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 22 shows a computer on which the base station redirection method according to the present invention may be implemented. The computer conventionally includes a processor 510 and a computer program product or computer-readable medium in the form of a memory 520. The memory 520 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above. For example, the storage space 530 for program code may include individual program codes 531 each implementing a different step of the above methods. These program codes may be read from or written into one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 23. The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 520 in the mobile terminal of FIG. 22. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes computer-readable code 531', i.e. code that can be read by a processor such as 510, which, when run by a computer, causes the computer to perform the steps of the methods described above.
Reference herein to "one embodiment", "an embodiment" or "one or more embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Furthermore, note that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and such improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (28)

  1. A base station redirection method, comprising:
    upon receiving a message from a first base station redirecting to a second base station, searching for a third base station other than the first base station and the second base station;
    establishing a communication connection with the third base station.
  2. The base station redirection method according to claim 1, further comprising, upon receiving the message:
    generating first prompt information that indicates the base station being redirected to and lets the user choose between a reject-redirection instruction and an accept-redirection instruction;
    searching for the third base station when the user selects the reject-redirection instruction,
    or establishing a communication connection with the second base station when the user selects the accept-redirection instruction.
  3. The base station redirection method according to claim 2, further comprising, after establishing the communication connection with the second base station:
    determining whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
    if so, generating second prompt information.
  4. The base station redirection method according to claim 1, further comprising:
    determining whether the security level of the third base station is lower than the security level of the base station connected before the message was received,
    and if so, generating third prompt information.
  5. The base station redirection method according to claim 3 or 4, wherein the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  6. The base station redirection method according to any one of claims 1 to 5, further comprising, before searching for the third base station:
    determining whether a connection reject message was received before the message redirecting to the second base station; if a connection reject message was received, searching for the third base station; otherwise, establishing a communication connection with the second base station.
  7. The base station redirection method according to any one of claims 1 to 6, further comprising, before searching for the third base station:
    transmitting a preset number of Tracking Area Update request messages to the first base station;
    determining whether a request reject message from the first base station was received after every transmission of a Tracking Area Update request message;
    if so, searching for the third base station;
    otherwise, establishing a communication connection with the first base station.
  8. A base station redirection apparatus, comprising:
    a message receiving module, configured to receive a message from a first base station redirecting to a second base station;
    a search module, configured to search for a third base station other than the first base station and the second base station when the message receiving module receives the message redirecting to the second base station;
    a connection establishing module, configured to establish a communication connection with the third base station.
  9. The base station redirection apparatus according to claim 8, further comprising:
    a prompt module, which, when the message receiving module receives the message redirecting to the second base station, generates first prompt information configured to indicate the base station being redirected to and to let the user choose between a reject-redirection instruction and an accept-redirection instruction;
    wherein the search module is further configured to search for the third base station when the user selects the reject-redirection instruction,
    or the connection establishing module is further configured to establish a communication connection with the second base station when the user selects the accept-redirection instruction.
  10. The base station redirection apparatus according to claim 9, further comprising:
    a security determining module, configured to determine, after the connection establishing module has established a communication connection with the second base station, whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
    wherein the prompt module generates second prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
  11. The base station redirection apparatus according to claim 8, further comprising:
    a security determining module, configured to determine whether the security level of the third base station is lower than the security level of the base station connected before the message was received;
    a prompt module, which generates third prompt information when the security level of the third base station is lower than the security level of the base station connected before the message was received.
  12. The base station redirection apparatus according to claim 10 or 11, characterized in that the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  13. The base station redirection apparatus according to any one of claims 8 to 12, further comprising:
    a message determining module, which, before the third base station is searched for, determines whether a connection reject message was received before the message receiving module received the message redirecting to the second base station,
    wherein the search module searches for the third base station when a connection reject message was received before the message receiving module received the message redirecting to the second base station, and the connection establishing module establishes a communication connection with the second base station when no connection reject message was received before the message receiving module received the message redirecting to the second base station.
  14. The base station redirection apparatus according to any one of claims 8 to 13, further comprising:
    a message transmitting module, configured to transmit a preset number of Tracking Area Update request messages to the first base station before the third base station is searched for;
    wherein the search module searches for the third base station when the message receiving module receives a request reject message from the first base station after every transmission of a Tracking Area Update request message, and the connection establishing module establishes a communication connection with the first base station when the message receiving module receives a request accept message from the first base station after any transmission of a Tracking Area Update request message.
  15. A base station redirection method, comprising:
    authenticating a first base station;
    if the first base station fails authentication, upon receiving a message from the first base station redirecting to a second base station, searching for a third base station other than the first base station and the second base station;
    establishing a communication connection with the third base station.
  16. The base station redirection method according to claim 15, further comprising:
    if the first base station passes authentication, upon receiving the message from the first base station redirecting to the second base station, establishing a communication connection with the second base station.
  17. The base station redirection method according to claim 16, further comprising, after establishing the communication connection with the second base station:
    determining whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
    and if so, displaying first prompt information.
  18. The base station redirection method according to claim 15, further comprising, when the first base station fails authentication:
    displaying second prompt information, the second prompt information notifying the user that the first base station failed authentication and letting the user choose between a reject-redirection instruction and an accept-redirection instruction;
    searching for the third base station when the reject-redirection instruction is selected, or
    establishing a communication connection with the second base station when the accept-redirection instruction is selected.
  19. The base station redirection method according to claim 18, further comprising, after establishing the communication connection with the second base station:
    determining whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
    and if so, displaying third prompt information.
  20. The base station redirection method according to claim 17 or 19, wherein the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  21. A base station redirection apparatus, comprising:
    an authentication module, configured to authenticate a first base station;
    a search module, which, when the first base station fails authentication, searches for a third base station other than the first base station and a second base station upon receiving a message from the first base station redirecting to the second base station;
    a connection module, which establishes a communication connection with the third base station.
  22. The base station redirection apparatus according to claim 21, wherein, when the first base station passes authentication, the connection module establishes a communication connection with the second base station upon receiving the message from the first base station redirecting to the second base station.
  23. The base station redirection apparatus according to claim 22, further comprising:
    a determining module, configured to determine whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
    a display module, which displays first prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
  24. The base station redirection apparatus according to claim 21, further comprising:
    a display module, configured to display second prompt information when the first base station fails authentication, the second prompt information notifying the user that the first base station failed authentication and letting the user choose between a reject-redirection instruction and an accept-redirection instruction;
    wherein the search module is configured to search for the third base station when the reject-redirection instruction is selected,
    or the connection module is configured to establish a communication connection with the second base station when the accept-redirection instruction is selected.
  25. The base station redirection apparatus according to claim 24, further comprising:
    a determining module, configured to determine, after the connection module has established a communication connection with the second base station, whether the security level of the second base station is lower than the security level of the base station connected before the message was received,
    wherein the display module displays third prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
  26. The base station redirection apparatus according to claim 22 or 24, wherein the security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  27. A computer program comprising computer-readable code which, when run on a computer, causes the computer to perform the base station redirection method according to any one of claims 1-7 and 15-20.
  28. A computer-readable medium storing the computer program according to claim 27.
PCT/CN2017/090598 2016-06-30 2017-06-28 Base station redirection method and base station redirection device WO2018001278A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610509881.9A CN106211157B (en) 2016-06-30 2016-06-30 Base station reorientation method and base station redirection device
CN201610509881.9 2016-06-30
CN201610509773.1A CN106060826A (en) 2016-06-30 2016-06-30 Base station redirection method and base station redirection device
CN201610509773.1 2016-06-30

Publications (1)

Publication Number Publication Date
WO2018001278A1 true WO2018001278A1 (en) 2018-01-04

Family

ID=60785946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/090598 WO2018001278A1 (en) 2016-06-30 2017-06-28 Base station redirection method and base station redirection device

Country Status (1)

Country Link
WO (1) WO2018001278A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090029677A1 (en) * 2007-07-26 2009-01-29 Sungkyunkwan University Foundation For Corporate Collaboration Mobile authentication through strengthened mutual authentication and handover security
CN103906158A (en) * 2012-12-28 2014-07-02 展讯通信(上海)有限公司 Method for returning to LTE network from 2G/3G network
CN104429151A (en) * 2012-06-11 2015-03-18 三星电子株式会社 Method and apparatus for controlling re-direction between heterogeneous mobile communication systems
CN105357672A (en) * 2015-11-20 2016-02-24 华为技术有限公司 Pseudo base station identification method and user equipment
CN105722085A (en) * 2016-03-28 2016-06-29 宇龙计算机通信科技(深圳)有限公司 Pseudo base station identification method, pseudo base station identification apparatus, and terminal
CN106060826A (en) * 2016-06-30 2016-10-26 北京奇虎科技有限公司 Base station redirection method and base station redirection device
CN106211157A (en) * 2016-06-30 2016-12-07 北京奇虎科技有限公司 Base station reorientation method and base station redirection device
CN106358199A (en) * 2016-09-30 2017-01-25 维沃移动通信有限公司 Method for recognizing pseudo base station by mobile terminal and mobile terminal

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055934A (en) * 2021-03-26 2021-06-29 RealMe重庆移动通信有限公司 Redirection information processing method and device, terminal equipment and storage medium
CN113055934B (en) * 2021-03-26 2022-06-10 RealMe重庆移动通信有限公司 Method and device for processing redirection information, terminal equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17819275

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17819275

Country of ref document: EP

Kind code of ref document: A1