CN101552982A - Method and user equipment for detecting degradation attack - Google Patents


Info

Publication number: CN101552982A
Application number: CNA2008100271440A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 何承东
Original and current assignee: Huawei Technologies Co Ltd
Prior art keywords: cryptographic algorithm, list, integrity protection, RRC, RRC integrity

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the invention provides a method for detecting a degradation attack, comprising the following steps: after a target mobility management entity (MME) receives a handover preparation request message, it sends to the user equipment (UE) the list of radio resource control (RRC) integrity protection and encryption algorithms and the list of user plane (UP) encryption algorithms permitted by the system of the target MME; the UE then detects, according to these system-permitted RRC integrity protection and encryption algorithm lists and the UP encryption algorithm list, whether a degradation attack exists. An embodiment of the invention also provides a user equipment (UE). The embodiments allow the UE to find out whether a degradation attack exists during a mobile network handover, so that the network does not keep operating while a degradation attack is under way, which effectively prevents further harm to the handover procedure and the network entities.

Description

Method and user equipment for detecting a degradation attack
Technical field
The present invention relates to the field of communications, and in particular to a method and a user equipment for detecting a degradation attack.
Background art
Referring to Fig. 1, an existing 3GPP (3rd Generation Partnership Project) wireless network is divided into two parts: the 3GPP radio access network and the core network.
EUTRAN (Evolved Universal Terrestrial Radio Access Network) is the access network of the future evolved LTE (Long Term Evolution) radio access network and comprises eNodeBs (evolved Node B, hereinafter eNB).
The core network corresponding to the future evolved LTE access network is called SAE (System Architecture Evolution) and comprises entities such as the MME (mobility management entity), the SAE GW (SAE gateway), the PDN GW (packet data network gateway) and the HSS (home subscriber server).
To guarantee communication security in the future evolved network, the user equipment (UE) and the eNB must negotiate identical RRC (Radio Resource Control) security algorithms (an encryption algorithm and an integrity protection algorithm) and an identical UP (user plane) security algorithm (an encryption algorithm); the UE and the MME must likewise negotiate identical NAS (non-access stratum) security algorithms (an encryption algorithm and an integrity protection algorithm). This secures the NAS signalling between the UE and the MME and the RRC/UP signalling between the UE and the eNB.
The basic procedure by which an existing UE and MME negotiate the NAS security algorithm is as follows:
1. The MME obtains the list of security algorithms supported by the UE from the initial layer 3 request message sent by the UE (for example an Attach Request, a Service Request or a Tracking Area Update Request, TAU Request); or, during a handover, the MME obtains the list of security algorithms supported by the UE from the source MME (or the source Serving GPRS Support Node, SGSN).
2. The list of security algorithms permitted by the system and the list of NAS security algorithms supported by the MME are configured on the MME. The MME selects a suitable NAS security algorithm according to the list of NAS security algorithms supported by the UE, the list of NAS security algorithms permitted by the system and the list of NAS security algorithms supported by the MME.
3. The MME sends the selected NAS security algorithm (together with the list of security algorithms supported by the UE and the list of security algorithms permitted by the system) to the UE in an integrity-protected NAS message (for example the NAS Security Mode Command, SMC).
The basic procedure by which an existing UE and eNB negotiate the RRC security algorithm and the UP security algorithm is as follows:
1. The eNB obtains the list of security algorithms supported by the UE (comprising the RRC/UP security algorithms) and the lists of RRC and UP security algorithms permitted by the system from the source eNB over the X2 interface (or from the MME over the S1 interface).
2. The list of RRC/UP security algorithms supported by the eNB is configured on the eNB. The eNB selects a suitable RRC/UP security algorithm according to the list of RRC/UP security algorithms supported by the UE, the list of RRC/UP security algorithms permitted by the system and the list of RRC/UP security algorithms supported by the eNB.
3. The eNB sends the selected RRC/UP security algorithm to the UE in an integrity-protected access stratum (AS) message (for example the AS SMC).
In the above procedure by which an existing UE and eNB negotiate the RRC and UP security algorithms, if in step 1 the eNB obtains the system-permitted RRC/UP security algorithm list from the source eNB over the X2 interface, and the source eNB has been compromised by an attacker, the system-permitted RRC/UP security algorithm list obtained by the eNB may have been modified. The eNB then selects a low-strength algorithm, which makes further compromise easier for the attacker. This is a degradation attack.
However, the UE does not know whether the eNB obtained the system-permitted RRC/UP security algorithm list over the X2 interface or over the S1 interface. The UE therefore cannot judge whether the system-permitted RRC/UP security algorithm list obtained by the eNB was modified, and so cannot know whether a degradation attack exists.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a method and a user equipment for detecting a degradation attack, so that during a mobile network handover it can be detected whether a degradation attack has taken place.
An embodiment of the invention provides a method for detecting a degradation attack, comprising the following steps:
after the target mobility management entity (MME) receives a handover preparation request message, sending to the user equipment (UE) the list of radio resource control (RRC) integrity protection and encryption algorithms and the list of user plane (UP) encryption algorithms permitted by the system on the target MME;
the UE detecting, according to the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, whether a degradation attack exists.
An embodiment of the invention also provides a user equipment (UE), comprising:
a first acquisition module, used to obtain the list of radio resource control (RRC) integrity protection and encryption algorithms and the list of user plane (UP) encryption algorithms permitted by the system;
a second acquisition module, used to obtain the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB;
a detection module, used to compare the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB with the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, and to detect from the comparison result whether a degradation attack exists.
In the embodiments of the invention, during a mobile network handover the target MME sends the system-permitted RRC/UP security algorithm list to the UE, so that the UE can detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
Description of drawings
Fig. 1 is an architecture diagram of an existing 3GPP wireless network.
Fig. 2 is a schematic flow chart of the method for detecting a degradation attack according to an embodiment of the invention.
Fig. 3 is a detailed flow chart of embodiment one of the invention.
Fig. 4 is a detailed flow chart of embodiment two of the invention.
Fig. 5 is a detailed flow chart of embodiment three of the invention.
Fig. 6 is a schematic structural diagram of the user equipment (UE) according to an embodiment of the invention.
Embodiments
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 2, an embodiment of the invention provides a method for detecting a degradation attack, comprising:
Step S1: after the target mobility management entity (MME) receives a handover preparation request message, it sends to the user equipment (UE) the list of radio resource control (RRC) integrity protection and encryption algorithms and the list of user plane (UP) encryption algorithms permitted by the system on the target MME;
Step S2: the UE detects, according to the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, whether a degradation attack exists.
In the embodiments of the invention the following terms are used: the NAS security algorithm list comprises the NAS encryption algorithms and the NAS integrity protection algorithms; the RRC security algorithm list comprises the RRC encryption algorithms and the RRC integrity protection algorithms; the UP security algorithm list comprises the UP encryption algorithms; the list of security algorithms supported by the UE comprises NAS/RRC/UP security algorithms; the list of security algorithms supported by the eNB comprises RRC/UP security algorithms; the list of security algorithms supported by the MME comprises NAS security algorithms; and the list of security algorithms permitted by the system comprises NAS/RRC/UP security algorithms.
Four embodiments are used below to describe the detailed procedure of the above method.
Embodiment one:
In this embodiment, the handover takes place between eNBs within the same access network (EUTRAN), and the MME also changes.
Referring to Fig. 3, the detailed procedure of this embodiment is:
Step 301: the source eNB decides to initiate a handover.
Step 302: the source eNB sends a Handover Required message to the source MME.
Step 303: the source MME sends a handover preparation request (Forward Relocation Request) message to the target MME. The handover preparation request message carries the list of security algorithms supported by the UE (comprising the NAS/RRC/UP algorithm lists), the list of security algorithms permitted by the system (comprising the NAS/RRC/UP algorithm lists) and the list of currently selected security algorithms (comprising the NAS/RRC/UP algorithm lists).
Step 304: the target MME sends a handover preparation request (Handover Request) message to the target eNB. The message carries the list of security algorithms supported by the UE (comprising the RRC/UP algorithm lists) and the list of security algorithms permitted by the system on the target MME (comprising the RRC/UP algorithm lists).
Step 305: the target eNB selects a suitable RRC/UP algorithm according to the list of security algorithms supported by the UE (comprising the RRC/UP algorithm lists), the list of security algorithms permitted by the system on the target MME (comprising the RRC/UP algorithm lists) and the RRC/UP algorithm list supported by the target eNB itself.
It should be understood that, because the system-permitted RRC/UP security algorithms, the RRC/UP security algorithms supported by the UE and the RRC/UP security algorithms supported by the target eNB itself each comprise several algorithms, selection here specifically means selecting, from these three RRC/UP security algorithm lists, an RRC/UP security algorithm that all three support.
Step 306: the target eNB sends a handover preparation response (Handover Request Acknowledge) message to the target MME, carrying the selected RRC/UP algorithm.
Step 307: the target MME selects a suitable NAS security algorithm according to the list of NAS security algorithms supported by the UE, the list of NAS security algorithms permitted by the system on the target MME and the list of NAS security algorithms supported by the target MME.
It should be understood that, because the NAS security algorithms supported by the UE, the NAS security algorithms permitted by the system on the target MME and the NAS security algorithms supported by the target MME itself each comprise several algorithms, selection here specifically means selecting, from these three NAS security algorithm lists, a NAS security algorithm that all three support.
The target MME also checks whether the system-permitted RRC/UP security algorithm list on the target MME is identical to the system-permitted RRC/UP security algorithm list received from the source MME. If they differ, the system-permitted RRC/UP security algorithm list on the target MME is carried in step 308.
Step 308: the target MME sends a handover preparation response (Forward Relocation Response) message to the source MME. The message carries the RRC/UP algorithm selected by the target eNB, the NAS algorithm selected by the target MME and the system-permitted RRC/UP security algorithm list on the target MME, and is NAS integrity protected (that is, the NAS message authentication code NAS-MAC is calculated and carried).
Step 309: the source MME sends a handover response (Handover Command) message to the source eNB. The message carries the RRC/UP algorithm selected by the target eNB, the NAS algorithm selected by the target MME and the system-permitted RRC/UP security algorithm list on the target MME, and is NAS integrity protected.
Step 310: the source eNB sends a Handover Command to the UE, instructing the UE to hand over to the target eNB. The Handover Command carries the RRC/UP algorithm selected by the target eNB and is RRC integrity protected (that is, the RRC message authentication code RRC-MAC is calculated and carried); it also carries the NAS algorithm selected by the target MME and the system-permitted RRC/UP security algorithm list on the target MME, which are NAS integrity protected.
Step 311: the UE compares the RRC/UP algorithm selected by the target eNB with the system-permitted RRC/UP security algorithm list on the target MME returned by the target MME. If the RRC/UP security algorithm selected by the target eNB is not within the system-permitted RRC/UP security algorithm list returned by the target MME, a degradation attack exists and the security capability negotiation fails.
If the RRC/UP security algorithm selected by the target eNB is within the system-permitted RRC/UP security algorithm list and has the highest priority, no degradation attack exists.
Step 312: the UE sends a Handover Completed message to the target eNB. The message carries the system-permitted RRC/UP security algorithm list and is RRC integrity protected.
Step 313: the target eNB compares the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list received from the UE with the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list it obtained from the source access network entity or from the target MME, and checks whether they are identical. If they differ, a degradation attack exists.
In this embodiment, during a handover in the evolved network the target MME sends the system-permitted RRC/UP security algorithm list to the UE, so that the UE can detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
At the same time, in this embodiment the UE also sends the system-permitted RRC/UP security algorithm list to the target eNB, so that the target eNB can likewise detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
Embodiment two:
In this embodiment, the handover takes place between eNBs within the same access network (EUTRAN), and the MME also changes.
Referring to Fig. 4, this embodiment is similar to embodiment one. In the detailed procedure, steps 401~407 are identical to steps 301~307 of embodiment one; the difference begins at step 408.
Step 408: the target MME sends (via the source MME and the source eNB) a separately integrity-protected NAS SMC (NAS Security Mode Command) message to the UE. The integrity-protected NAS SMC message carries the system-permitted RRC/UP security algorithm list configured on the target MME.
Step 409: the UE returns a NAS SMC (NAS Security Mode Complete) message to the target MME.
Step 410: the target MME sends a handover preparation response (Forward Relocation Response) message to the source MME. The message carries the RRC/UP algorithm selected by the target eNB and the NAS algorithm selected by the target MME, and is NAS integrity protected (that is, the NAS message authentication code NAS-MAC is calculated and carried).
Step 411: the source MME sends a handover response (Handover Command) message to the source eNB. The message carries the RRC/UP algorithm selected by the target eNB and the NAS algorithm selected by the target MME, and is NAS integrity protected.
Step 412: the source eNB sends a Handover Command to the UE, instructing the UE to hand over to the target eNB. The Handover Command carries the RRC/UP algorithm selected by the target eNB and is RRC integrity protected (that is, the RRC message authentication code RRC-MAC is calculated and carried); it also carries the NAS algorithm selected by the target MME, which is NAS integrity protected.
Step 413: similarly to step 311 of embodiment one, the UE compares the RRC/UP algorithm selected by the target eNB with the system-permitted RRC/UP security algorithm list on the target MME returned by the target MME. If the RRC/UP security algorithm selected by the target eNB is not within the system-permitted RRC/UP security algorithm list returned by the target MME, a degradation attack exists and the security capability negotiation fails.
If the RRC/UP security algorithm selected by the target eNB is within the system-permitted RRC/UP security algorithm list and has the highest priority, no degradation attack exists.
Step 414: the UE sends a Handover Completed message to the target eNB. The message carries the system-permitted RRC/UP security algorithm list and is RRC integrity protected.
Step 415: the target eNB compares the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list received from the UE with the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list it obtained from the source access network entity or from the target MME, and checks whether they are identical. If they differ, a degradation attack exists.
In this embodiment, during a handover in the evolved network the target MME sends the system-permitted RRC/UP security algorithm list to the UE, so that the UE can detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
At the same time, in this embodiment the UE also sends the system-permitted RRC/UP security algorithm list to the target eNB, so that the target eNB can likewise detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
Embodiment three:
In this embodiment, the handover is from 2G/3G to EUTRAN, that is, between access network entities of different access networks, and the core network entity also changes.
Referring to Fig. 5, compared with embodiment one the main differences of this embodiment are:
1. In step 503, the source SGSN (the core network entity in the 2G/3G network) sends a handover preparation request (Forward Relocation Request) message to the target MME; the handover preparation request message carries only the list of security algorithms supported by the UE (comprising the NAS/RRC/UP algorithm lists).
2. In step 507, the target MME selects a suitable NAS security algorithm according to the list of NAS security algorithms supported by the UE, the list of NAS security algorithms permitted by the system on the target MME and the list of supported NAS security algorithms configured on the target MME. Because in step 503 the source SGSN sends only the list of security algorithms supported by the UE to the target MME, step 507 of this embodiment does not check whether the system-permitted RRC/UP security algorithm list on the target MME is identical to the system-permitted RRC/UP security algorithm list received from the source SGSN.
The remaining procedure is similar to embodiment one and is not repeated here.
In this embodiment, during a handover from 2G/3G to EUTRAN the target MME sends the system-permitted RRC/UP security algorithm list to the UE, so that the UE can detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
At the same time, in this embodiment the UE also sends the system-permitted RRC/UP security algorithm list to the target eNB, so that the target eNB can likewise detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
Embodiment four:
In this embodiment, the handover is from 2G/3G to EUTRAN, that is, between access network entities of different access networks, and the core network entity also changes.
Compared with embodiment three, the only difference of this embodiment is that the system-permitted RRC/UP security algorithm list configured on the target MME may be carried in a separately integrity-protected NAS SMC (Security Mode Command) message sent by the target MME to the UE (via the source SGSN and the source 2G/3G access network entity), rather than being passed to the UE step by step through steps 508~510 as in embodiment three.
In this embodiment, during a handover from 2G/3G to EUTRAN the target MME sends the system-permitted RRC/UP security algorithm list to the UE, so that the UE can detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
At the same time, in this embodiment the UE also sends the system-permitted RRC/UP security algorithm list to the target eNB, so that the target eNB can likewise detect from this list whether a degradation attack exists. If a degradation attack exists, the security capability negotiation fails and must be repeated before subsequent processing continues. This overcomes the defect of the prior art, in which it could not be known whether a degradation attack existed, avoids continued network operation while a degradation attack exists, and thereby effectively prevents further harm to the handover procedure and the network entities.
In embodiments one to four above, if during the handover procedure the Handover Command does not include the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, the UE obtains and stores the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list from the integrity-protected NAS message sent by the MME before the handover.
Referring to Fig. 6, an embodiment of the invention also provides a user equipment (UE), comprising:
a first acquisition module 601, used to obtain the list of radio resource control (RRC) integrity protection and encryption algorithms and the list of user plane (UP) encryption algorithms permitted by the system;
a second acquisition module 602, used to obtain the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB;
a detection module 603, used to compare the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB with the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, and to detect from the comparison result whether a degradation attack exists.
Further, the first acquisition module 601 is used to obtain the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list from the Handover Command message.
Further, the first acquisition module 601 is used to obtain the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list from the non-access stratum (NAS) Security Mode Command message sent by the target MME to the UE.
Further, the first acquisition module 601 is also used, during the handover procedure, if the Handover Command does not include the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, to obtain and store the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list from the integrity-protected NAS message sent by the MME before the handover.
Further, the detection module 603 comprises a first comparison module 604, used to compare whether the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB are within the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, and to judge that a degradation attack exists if they are not.
Further, the detection module 603 comprises a second comparison module 605, used to compare whether the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB have the highest priority within the system-permitted RRC integrity protection and encryption algorithm list and UP encryption algorithm list, and to judge that no degradation attack exists if they do.
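As an added worked example (not code from the patent), the following Python models the target eNB selection of step 305, the UE checks of steps 311 and 313 as performed by comparison modules 604 and 605, and the target eNB list cross-check of step 313. Algorithm names and lists are constructed sample data, and the assumptions that lists are ordered by descending priority and that the "in list but not highest priority" case is merely flagged are mine.

```python
# Added example (not code from the patent): the eNB-side algorithm selection of
# step 305, the UE-side checks of steps 311/313 (comparison modules 604 and 605)
# and the target eNB list cross-check of step 313, on constructed sample data.
# Assumptions: lists are ordered from highest to lowest priority, and algorithm
# names are plain strings (the real messages carry them in NAS/RRC encodings).
from dataclasses import dataclass
from typing import Tuple

Algs = Tuple[str, ...]


@dataclass(frozen=True)
class AlgLists:
    """One list each for RRC integrity, RRC encryption and UP encryption."""
    rrc_integrity: Algs
    rrc_encryption: Algs
    up_encryption: Algs


@dataclass(frozen=True)
class Selected:
    """The single algorithm per category chosen by the target eNB."""
    rrc_integrity: str
    rrc_encryption: str
    up_encryption: str


def pick_common(ue: Algs, permitted: Algs, enb: Algs) -> str:
    """Step 305: the highest-priority permitted algorithm supported by both UE and eNB."""
    for alg in permitted:
        if alg in ue and alg in enb:
            return alg
    raise ValueError("no algorithm common to UE, system and eNB lists")


def enb_select(ue: AlgLists, permitted: AlgLists, enb: AlgLists) -> Selected:
    """Target eNB selection over the three categories (step 305)."""
    return Selected(
        pick_common(ue.rrc_integrity, permitted.rrc_integrity, enb.rrc_integrity),
        pick_common(ue.rrc_encryption, permitted.rrc_encryption, enb.rrc_encryption),
        pick_common(ue.up_encryption, permitted.up_encryption, enb.up_encryption),
    )


def classify(selected: str, permitted: Algs) -> str:
    """UE check of one category.
    'attack'  - not in the permitted list (first comparison module 604)
    'ok'      - in the list and highest priority (second comparison module 605)
    'suspect' - in the list but not highest priority; the patent text does not
                decide this case, so the example only flags it (assumption)."""
    if selected not in permitted:
        return "attack"
    return "ok" if permitted[0] == selected else "suspect"


def ue_detect(selected: Selected, permitted: AlgLists) -> dict:
    """Detection module 603 (steps 311/313): one verdict per category plus an
    overall flag; negotiation fails when any category is outside the list."""
    verdicts = {
        "rrc_integrity": classify(selected.rrc_integrity, permitted.rrc_integrity),
        "rrc_encryption": classify(selected.rrc_encryption, permitted.rrc_encryption),
        "up_encryption": classify(selected.up_encryption, permitted.up_encryption),
    }
    return {**verdicts, "degradation": "attack" in verdicts.values()}


def enb_lists_match(echoed_by_ue: AlgLists, obtained_by_enb: AlgLists) -> bool:
    """Step 313: the list the UE echoes in Handover Completed must equal the one
    the target eNB obtained; any difference (order included) means an attack."""
    return echoed_by_ue == obtained_by_enb


# Constructed sample data (not from the patent). Names follow the LTE
# EEA/EIA convention; EEA0 is the null (no encryption) algorithm.
UE_SUPPORTED = AlgLists(("128-EIA2", "128-EIA1"), ("128-EEA2", "128-EEA1", "EEA0"),
                        ("128-EEA2", "128-EEA1", "EEA0"))
ENB_SUPPORTED = UE_SUPPORTED
# What the target MME's system actually permits (sent to the UE in step 310).
MME_PERMITTED = AlgLists(("128-EIA2", "128-EIA1"), ("128-EEA2", "128-EEA1"),
                         ("128-EEA2", "128-EEA1"))
# The list a compromised source eNB could hand the target eNB over X2 (background
# section): UP encryption reordered so that the null algorithm comes first.
TAMPERED_PERMITTED = AlgLists(MME_PERMITTED.rrc_integrity, MME_PERMITTED.rrc_encryption,
                              ("EEA0", "128-EEA2", "128-EEA1"))


def run_scenarios() -> dict:
    """Honest versus tampered X2 list, each checked by the UE against the
    authentic MME list, plus the eNB-side list comparison."""
    honest = enb_select(UE_SUPPORTED, MME_PERMITTED, ENB_SUPPORTED)
    degraded = enb_select(UE_SUPPORTED, TAMPERED_PERMITTED, ENB_SUPPORTED)
    return {
        "honest": ue_detect(honest, MME_PERMITTED),
        "degraded": ue_detect(degraded, MME_PERMITTED),
        "degraded_up": degraded.up_encryption,
        "enb_match_honest": enb_lists_match(MME_PERMITTED, MME_PERMITTED),
        "enb_match_tampered": enb_lists_match(MME_PERMITTED, TAMPERED_PERMITTED),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```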
The RRC/UP security algorithm that the embodiment of the invention allows by the RRC/UP security algorithm eNB selected by UE and system when the mobile network is switched is tabulated and is compared, make UE to detect and whether have degradation attack, if there is degradation attack, then negotiating safety capability failure, can only hold consultation again, carry out subsequent treatment again, overcome and to have known the defective that whether has degradation attack in the prior art, avoid when having degradation attack, still carrying out network operation, thereby effectively prevent from handoff procedure and network entity are caused further harm.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware alone, the former being the better mode of implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention.
The foregoing describes only preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (17)

1. A method for detecting a degradation attack, comprising the following steps:
after a target mobility management entity (MME) receives a handover preparation request message, sending to a user equipment (UE) the radio resource control (RRC) integrity protection and encryption algorithm list and the user plane (UP) encryption algorithm list allowed by the system on the target MME; and
the UE detecting, according to the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, whether a degradation attack exists.
2. The method according to claim 1, characterized in that the target MME sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system to the UE comprises:
in a handover within the evolved network, the target MME, after receiving the handover preparation request message sent by a source core network entity, checking whether the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system on the target MME differ from the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system that were received from the source core network entity, and if they differ, the target MME sending the lists allowed by the system on the target MME to the UE.
3. The method according to claim 1, characterized in that the target MME sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system to the UE comprises:
in a handover from a 2G/3G network to the evolved network, the target MME, after receiving the handover preparation request message sent by the source core network entity, sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system on the target MME to the UE.
4. The method according to claim 2 or 3, characterized in that the target MME sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system to the UE comprises:
the target MME sending a handover preparation response message to the source core network entity, the handover preparation response message carrying the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system;
the source core network entity sending a handover response message to a source access network entity, the handover response message carrying the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system; and
the source access network entity sending a handover command message to the UE, the handover command message carrying the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system.
5. The method according to claim 2 or 3, characterized in that the target MME sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system to the UE comprises:
the target MME sending a non-access stratum (NAS) Security Mode Command message to the UE, the NAS Security Mode Command message carrying the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system.
6. The method according to claim 4, characterized in that it further comprises:
during the handover procedure, if the handover command does not include the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, the UE obtaining and saving the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system from the integrity-protected NAS message sent by the MME before the handover.
7. The method according to claim 1, characterized in that the UE detecting, according to the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, whether a degradation attack exists comprises:
the UE obtaining the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by a target eNB; and
the UE comparing the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB with the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, and detecting according to the comparison result whether a degradation attack exists.
8. The method according to claim 7, characterized in that obtaining the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB comprises:
the target eNB selecting suitable RRC integrity protection and encryption algorithms and a suitable UP encryption algorithm according to the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system received from the target MME, the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list supported by the UE, and the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list supported by the target eNB itself; and
the target eNB sending the selected RRC integrity protection and encryption algorithms and UP encryption algorithm to the UE.
9. The method according to claim 7, characterized in that detecting according to the comparison result whether a degradation attack exists comprises:
if the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB fall within the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, determining that no degradation attack exists.
10. The method according to claim 7, characterized in that detecting according to the comparison result whether a degradation attack exists comprises:
if the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB have the highest priority within the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, determining that no degradation attack exists.
11. The method according to claim 1, characterized in that it further comprises:
the UE sending the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system to the target eNB; and
the target eNB comparing whether the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system received from the UE are identical to the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system that the target eNB obtained from the source access network entity or the target MME, and if they differ, determining that a degradation attack exists.
12. A user equipment (UE), characterized in that it comprises:
a first acquisition module, configured to obtain the radio resource control (RRC) integrity protection and encryption algorithm list and the user plane (UP) encryption algorithm list allowed by the system;
a second acquisition module, configured to obtain the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by a target eNB; and
a detection module, configured to compare the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB with the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, and to detect according to the comparison result whether a degradation attack exists.
13. The user equipment (UE) according to claim 12, characterized in that the first acquisition module is configured to obtain the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system from a handover command message.
14. The user equipment (UE) according to claim 12, characterized in that the first acquisition module is configured to obtain the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system from the non-access stratum (NAS) Security Mode Command message sent by the target MME to the UE.
15. The user equipment (UE) according to claim 12, characterized in that the first acquisition module is further configured, during the handover procedure, to obtain and save the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system from the integrity-protected NAS message sent by the MME before the handover, if the handover command does not include those lists.
16. The user equipment (UE) according to claim 12, characterized in that the detection module comprises a first comparison module, configured to compare whether the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB fall within the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, and if they do not, to determine that a degradation attack exists.
17. The user equipment (UE) according to claim 12, characterized in that the detection module comprises a second comparison module, configured to compare whether the RRC integrity protection and encryption algorithms and the UP encryption algorithm selected by the target eNB have the highest priority within the RRC integrity protection and encryption algorithm list and the UP encryption algorithm list allowed by the system, and if they do, to determine that no degradation attack exists.
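How the allowed lists reach the UE and the two checks that depend on that delivery (claims 4, 5, 6, 11, 13 and 15), as an added Python example that is not part of the patent or of Huawei's implementation. The message field names, the use of HMAC-SHA-256 as a stand-in for NAS integrity protection, the shared NAS key, the list contents and the function names (`nas_protect`, `nas_verify`, `forward_handover`, `ue_obtain_allowed`, `enb_verify_echo`, `run_scenarios`) are all assumptions:

```python
"""Added example: delivery of the system-allowed algorithm lists to the UE
during handover, the UE's fallback to the integrity-protected NAS message
when the handover command carries no lists (claims 6 and 15), and the
target eNB's comparison of the lists echoed by the UE with its own copy
(claim 11).  Not code from the patent or from Huawei.  The NAS key, the
HMAC-SHA-256 stand-in for NAS integrity protection, the message field names
and the list contents are constructed assumptions."""
import copy
import hashlib
import hmac
import json

K_NAS_INT = b"constructed-nas-integrity-key"  # assumption: key shared by UE and MME

# System-allowed lists, highest priority first (constructed sample data).
ALLOWED = {"rrc_int": ["EIA2", "EIA1"],
           "rrc_enc": ["EEA2", "EEA1", "EEA0"],
           "up_enc": ["EEA2", "EEA1", "EEA0"]}


def nas_protect(payload):
    """MME side: integrity-protect a NAS message (e.g. the NAS Security Mode
    Command of claim 5) that carries the allowed lists."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(K_NAS_INT, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def nas_verify(msg):
    """UE side: return the payload only if the MAC verifies, else None."""
    expected = hmac.new(K_NAS_INT, msg["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    return json.loads(msg["body"])


def forward_handover(target_mme_lists):
    """Claim 4: the lists travel target MME -> source core network entity ->
    source access network entity -> UE, copied into each hop's message."""
    prep_response = {"allowed": target_mme_lists}        # handover preparation response
    ho_response = {"allowed": prep_response["allowed"]}  # handover response
    ho_command = {"allowed": ho_response["allowed"]}     # handover command
    return ho_command


def ue_obtain_allowed(ho_command, saved_nas):
    """First acquisition module: take the lists from the handover command when
    present (claim 13); otherwise fall back to the lists saved from the
    integrity-protected NAS message received before the handover (claims 6
    and 15).  Returns (lists, source) or (None, reason)."""
    if "allowed" in ho_command:
        return ho_command["allowed"], "handover_command"
    if saved_nas is None:
        return None, "no allowed lists available"
    payload = nas_verify(saved_nas)
    if payload is None:
        return None, "saved NAS message failed integrity check"
    return payload["allowed"], "nas_message"


def enb_verify_echo(lists_from_ue, lists_from_mme):
    """Claim 11: the UE echoes its copy of the allowed lists to the target
    eNB, which compares it with the copy obtained from the source access
    network entity or the target MME; any difference means a degradation
    attack.  Returns True when the copies agree."""
    return lists_from_ue == lists_from_mme


def run_scenarios():
    """Constructed scenarios; returns a dict of outcomes."""
    out = {}
    # 1. Lists carried end to end inside the handover command.
    lists, src = ue_obtain_allowed(forward_handover(ALLOWED), saved_nas=None)
    out["in_command"] = (lists == ALLOWED, src)
    # 2. Handover command without lists: UE falls back to the saved NAS message.
    saved = nas_protect({"allowed": ALLOWED})
    lists, src = ue_obtain_allowed({}, saved_nas=saved)
    out["nas_fallback"] = (lists == ALLOWED, src)
    # 3. Attacker rewrites the saved NAS body to weaker lists; the MAC fails.
    weak = {k: ["EIA1"] if k == "rrc_int" else ["EEA0"] for k in ALLOWED}
    tampered = dict(saved, body=json.dumps({"allowed": weak}, sort_keys=True).encode())
    lists, src = ue_obtain_allowed({}, saved_nas=tampered)
    out["nas_tampered"] = (lists is None, src)
    # 4. Strongest UP cipher stripped from the UE's copy in transit; the eNB's
    #    copy from the MME still has it, so the echo comparison fails.
    stripped = copy.deepcopy(ALLOWED)
    stripped["up_enc"].remove("EEA2")
    out["enb_echo_check"] = enb_verify_echo(stripped, ALLOWED)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 1 shows the handover-command path of claim 4, which on its own gives the UE no assurance about the lists it receives; scenarios 2 and 3 show why the fallback of claim 6 is to a NAS message that is integrity-protected, since a rewritten copy fails verification and the UE then has no lists to compare against rather than weakened ones. Scenario 4 is the eNB-side check of claim 11, which catches a list modified between the MME and the UE even when every algorithm the UE ends up with is still one the system allows.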
CNA2008100271440A 2008-04-01 2008-04-01 Method and user equipment for detecting degradation attack Pending CN101552982A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100271440A CN101552982A (en) 2008-04-01 2008-04-01 Method and user equipment for detecting degradation attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100271440A CN101552982A (en) 2008-04-01 2008-04-01 Method and user equipment for detecting degradation attack

Publications (1)

Publication Number Publication Date
CN101552982A true CN101552982A (en) 2009-10-07

Family

ID=41156901

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100271440A Pending CN101552982A (en) 2008-04-01 2008-04-01 Method and user equipment for detecting degradation attack

Country Status (1)

Country Link
CN (1) CN101552982A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281534A (en) * 2010-06-09 2011-12-14 中兴通讯股份有限公司 Method and base station for updating PKM configuration in re-accessing in Wimax system
WO2013056681A1 (en) * 2011-10-21 2013-04-25 华为技术有限公司 Method, system, and related device for gsm security
CN104683981A (en) * 2013-12-02 2015-06-03 华为技术有限公司 Safety capability verification method, safety capability verification equipment and safety capability verification system
CN111641947A (en) * 2019-03-01 2020-09-08 华为技术有限公司 Key configuration method, device and terminal
CN113382404A (en) * 2017-10-30 2021-09-10 华为技术有限公司 Method and equipment for acquiring UE security capability
US11297502B2 (en) 2017-09-08 2022-04-05 Futurewei Technologies, Inc. Method and device for negotiating security and integrity algorithms

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281534A (en) * 2010-06-09 2011-12-14 中兴通讯股份有限公司 Method and base station for updating PKM configuration in re-accessing in Wimax system
CN102281534B (en) * 2010-06-09 2015-08-26 中兴通讯股份有限公司 The method of PKM config update when re-accessing in Wimax system and base station
WO2013056681A1 (en) * 2011-10-21 2013-04-25 华为技术有限公司 Method, system, and related device for gsm security
CN104683981A (en) * 2013-12-02 2015-06-03 华为技术有限公司 Safety capability verification method, safety capability verification equipment and safety capability verification system
US11297502B2 (en) 2017-09-08 2022-04-05 Futurewei Technologies, Inc. Method and device for negotiating security and integrity algorithms
US11895498B2 (en) 2017-09-08 2024-02-06 Futurewei Technologies, Inc. Method and device for negotiating security and integrity algorithms
CN113382404A (en) * 2017-10-30 2021-09-10 华为技术有限公司 Method and equipment for acquiring UE security capability
CN113382404B (en) * 2017-10-30 2022-03-08 华为技术有限公司 Method and equipment for acquiring UE security capability
US11418962B2 (en) 2017-10-30 2022-08-16 Huawei Technologies Co., Ltd. Method and Device for Obtaining UE Security Capabilities
CN111641947A (en) * 2019-03-01 2020-09-08 华为技术有限公司 Key configuration method, device and terminal
CN111641947B (en) * 2019-03-01 2021-12-03 华为技术有限公司 Key configuration method, device and terminal

Similar Documents

Publication Publication Date Title
US9497625B2 (en) Method for negotiating security capability when terminal moves
US9769867B2 (en) Optimization of power consumption in dual SIM mobiles in connected mode in a wireless network
US10039036B2 (en) Operation of a serving node in a network
EP2192804B1 (en) Method of handling handover security configuration and related communication device
EP2106190B1 (en) A method, system and device for preventing the degradation attack while terminal is moving
EP2187561B1 (en) Method, system and devices for negotiating security capabilities while a terminal is moving
US20100172500A1 (en) Method of handling inter-system handover security in wireless communications system and related communication device
KR102264618B1 (en) Communication method, access network device, and terminal
US9197645B2 (en) Distribution of access control information in a network
US20110269426A1 (en) Methods and Arrangements for Communication Channel Re-Establishment
CN108293259B (en) NAS message processing and cell list updating method and equipment
CN113596990A (en) Method and equipment for supporting paging optimization
EP3709601A1 (en) Network node for use in a communication network, a communication device and methods of operating the same
CN111356163B (en) System information notification method, base station equipment and computer storage equipment
CN101552982A (en) Method and user equipment for detecting degradation attack
EP2871874B1 (en) Location update method, device and system
EP2437543B1 (en) Local circuit switched fallback cancellation mechanism
CN112956226B (en) Isolation of false base stations in a communication system
EP3174331B1 (en) Method and device for initiating mobility management process
KR20150006274A (en) Method and apparatus for transmitting and receiving control message
US20150305072A1 (en) Entity of a mobile cellular network
CN101534506A (en) Method for indicating base station security information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091007