CN114189864B - Non-cellular access device and access method for mobile communication system - Google Patents


Info

Publication number: CN114189864B (granted patent); application publication CN114189864A
Authority: CN (China)
Application number: CN202210139868.4A
Language: Chinese (zh)
Prior art keywords: security, module, N3IWF, access, mobile terminal
Inventors: 王俊, 田永春, 曾浩洋, 金鸣
Original and current assignee: CETC 30 Research Institute
Legal status: Active (granted). The status, priority date and assignee shown on the source page are Google's assumptions, not legal conclusions.

Classifications

    • H04W 12/06 Security arrangements; authentication
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/72 Context-dependent, identity-dependent security: subscriber identity
    • H04L 63/0428 Confidential data exchange over packet networks where the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 63/0869 Authentication of entities for achieving mutual authentication
    • H04L 9/3273 Cryptographic mechanisms for verifying identity or authority using challenge-response for mutual authentication
    • H04L 2209/80 Additional information relating to cryptographic mechanisms (H04L 9/00): wireless

Abstract

The invention discloses a non-cellular access device and access method for a mobile communication system. The device comprises an N3IWF module, a security-enhanced USIM module, a control plane signaling processing security module and a user plane service processing security module. It achieves security enhancement without changing the protocols, flows or network element functions of the 3GPP standard.

Description

Non-cellular access device and access method for mobile communication system
Technical Field
The invention belongs to the technical field of mobile communication and specifically relates to a non-cellular access device and access method for a mobile communication system.
Background
The non-cellular access network and the core network both depend on the civil mobile communication industry chain and admit only light customization and enhancement. The security equipment domain and the security application domain, which carry the core sensitive information of vertical-industry applications, are more heavily customized and have stricter protection requirements. The non-cellular access network may be satellite, WLAN, radio, cable or any other heterogeneous access means.
From the viewpoint of security risk analysis:
(1) The UE (user equipment) to non-cellular access point segment is an air interface. It depends entirely on WLAN, satellite and similar technologies, whose security is comparatively weak, and the openness of the air interface adds further risk; 3GPP therefore treats non-cellular access of this kind as an untrusted access environment.
(2) The non-cellular access point to N3IWF, N3IWF to core network, and core network to security application segments are wired interfaces. Their risk is lower than that of the air interface, but because they run over the operator's public infrastructure, the management authority and protection level are lower, so they still carry security risk.
(3) The interior of the security application is the industry user's own private network; its protection level is higher and its risk is comparatively low.
When conventional protection measures are applied to vertical industries with higher security requirements, the following deficiencies remain:
(1) A USIM card has to be provisioned for the mobile terminal, which is not workable for UEs without a USIM card under WLAN, satellite, radio, cable or similar access;
(2) The IKE SA (Internet Key Exchange security association) and IPsec SA established between the UE and the N3IWF are, in the patent's assessment, encrypted with foreign algorithms such as DES and 3DES and integrity-protected with foreign algorithms such as MD5 and SHA-1, which it regards as a backdoor risk, and key exchange protocols such as DH are regarded as having insufficient security strength and no resistance to quantum attack; none of this meets the security requirements of vertical or key industries. (Note that the current 3GPP IPsec profile in TS 33.210 mandates AES and SHA-256-based integrity and no longer relies on DES, 3DES, MD5 or SHA-1; the patent's concern is with the provenance of the algorithms rather than with a 3GPP-mandated weak suite.)
(3) The EAP-AKA mutual authentication between the UE and the core network uses AES as the sole authentication algorithm (the standard MILENAGE algorithm set is built on AES), which the patent likewise regards as a backdoor risk; vertical or key industries usually replace AES with a domestic or proprietary authentication algorithm to meet their requirements.
The mobile communication system is highly standardized and highly dependent on the industry chain, so the 3GPP protocols and flows cannot be modified and the core network elements cannot be customized very far. The problem to be solved is therefore how, without changing the 3GPP protocols and flows and without significantly changing the core network elements, to support mobile terminals both with and without a USIM card and to add security enhancement to the mobile communication system under non-cellular access, so as to meet the flexibility and high-strength security requirements of vertical or key industries.
Disclosure of Invention
The invention aims to overcome the deficiencies of the prior art by providing a non-cellular access device and access method for a mobile communication system. Through multi-level access authentication and service encryption at the system level, it achieves security enhancement without changing the 3GPP protocols, flows or network element functions, so as to meet the flexibility and high-strength security requirements of vertical or key industries.
The object of the invention is achieved by the following technical scheme:
A non-cellular access device for a mobile communication system comprises an N3IWF module, a security-enhanced USIM module, a control plane signaling processing security module and a user plane service processing security module;
the N3IWF module provides the functions and functional interfaces of a standard N3IWF, the functional interfaces comprising an interface to the security-enhanced USIM module, an interface to the control plane signaling processing security module and an interface to the user plane service processing security module;
the security-enhanced USIM module provides mutual authentication for communication access; its function is active when the control plane signaling processing security module serves the access in conversion mode, and its security enhancement is active when the core network UDM supports security enhancement;
the control plane signaling processing security module determines the type of the accessing terminal, serving a mobile terminal with a SIM card in relay mode and an ordinary terminal without a SIM card in conversion mode. In relay mode, mutual access authentication between the mobile terminal's USIM card and the core network's security-enhanced UDM completes access authentication enhanced with a domestic/proprietary authentication algorithm; in conversion mode, mutual access authentication between the N3IWF's security-enhanced USIM module and the core network's security-enhanced UDM completes it;
the user plane service processing security module negotiates and establishes the user plane IPsec tunnels between the accessing terminal and the N3IWF (UE-N3IWF) and between the N3IWF and the security gateway.
In another aspect, the invention provides a non-cellular access method for a mobile communication system that uses the above access device and applies to a mobile terminal with a SIM card, comprising the following steps:
the mobile terminal accesses a non-cellular access point and establishes an IP channel to it; by default the mobile terminal is assumed not to be trusted;
the mobile terminal and the N3IWF module establish an IKE SA;
IPsec SA establishment between the mobile terminal and the N3IWF module is started;
the mobile terminal completes mutual access authentication with the core network UDM through its own security-enhanced USIM module, which in this case is its SIM card;
on the basis of that mutual authentication, the mobile terminal completes the security negotiation with the core network, relayed by the N3IWF module, to produce the NAS layer protection algorithms and keys; NAS confidentiality and integrity protection follow 3GPP and use the commercial (standard) scheme;
the mobile terminal and the N3IWF module each derive the key K_N3IWF, and a control plane IPsec SA is established between them with it, protecting the subsequent control plane registration (network attach) procedure;
the mobile terminal and the core network complete the remaining registration procedure over the control plane IPsec tunnel, relayed by the N3IWF;
the N3IWF module, by calling the user plane service processing security module, establishes user plane IPsec SAs between the mobile terminal and the security gateway, providing an IPsec tunnel based on a domestic/proprietary algorithm and protocol that carries the upper-layer services and protects the subsequent user plane transmission at the bearer layer;
on top of the user plane IPsec tunnels UE-N3IWF and N3IWF-security gateway, an end-to-end service encryption tunnel is established between the mobile terminal and the security gateway, giving end-to-end service encryption based on a domestic/proprietary algorithm.
Further, establishing the IKE SA between the mobile terminal and the N3IWF module specifically includes:
the N3IWF module, by calling the control plane signaling processing security module, offers the mobile terminal a domestic/proprietary algorithm and protocol.
Further, starting the IPsec SA between the mobile terminal and the N3IWF module specifically includes:
the N3IWF module determines from the IKE_AUTH exchange whether the mobile terminal omits the AUTH payload and supports EAP; if it does, the N3IWF module serves the mobile terminal in relay mode from then on.
Further, the mobile terminal completing mutual access authentication with the core network UDM through its own security-enhanced USIM module includes:
whether or not the core network UDM supports security enhancement, the N3IWF module acts as a transparent relay so that the mobile terminal and the core network UDM can complete the mutual authentication for communication access.
In another aspect, the invention provides a non-cellular access method for a mobile communication system that uses the above access device and applies to an ordinary terminal without a SIM card, comprising the following steps:
the ordinary terminal accesses a non-cellular access point and establishes an IP channel to it; by default the ordinary terminal is assumed not to be trusted;
the ordinary terminal and the N3IWF module establish an IKE SA;
control plane IPsec SA establishment between the ordinary terminal and the N3IWF module is started;
the N3IWF module obtains identity information from the ordinary terminal and records an identity mapping for it locally, and then completes mutual access authentication with the core network UDM through its own security-enhanced USIM module;
the N3IWF module and the core network complete the security negotiation to produce the NAS protection algorithms and keys; confidentiality and integrity protection here follow 3GPP and use the commercial (standard) scheme;
the N3IWF module and the core network complete the remaining registration procedure;
the N3IWF module, by calling the user plane service processing security module, establishes user plane IPsec SAs between the ordinary terminal and the security gateway, providing an IPsec tunnel based on a domestic/proprietary algorithm and protocol that carries the upper-layer services and protects the subsequent user plane transmission at the bearer layer;
an end-to-end service encryption tunnel is established between the ordinary terminal and the security gateway, giving end-to-end service encryption based on a domestic/proprietary algorithm.
Further, establishing the IKE SA between the ordinary terminal and the N3IWF module specifically includes:
the N3IWF module, by calling the control plane signaling processing security module, offers the ordinary terminal a domestic/proprietary algorithm and protocol.
Further, starting the IPsec SA between the ordinary terminal and the N3IWF module specifically includes:
the N3IWF module determines from the IKE_AUTH exchange whether the terminal omits the AUTH payload and supports EAP; if the ordinary terminal carries an AUTH payload and does not use EAP, the N3IWF module serves it in conversion mode from then on.
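The terminal-type check in the two "Further" clauses above (relay mode for a terminal that omits AUTH and uses EAP, conversion mode for one that carries AUTH) is the same decision seen from both sides. The following is an added example, not code from the patent or its applicant, that implements it over the decoded payload chain of the first IKE_AUTH request. The rule comes from RFC 7296 section 2.16: an initiator that leaves the AUTH payload out of its first IKE_AUTH request is asking to be authenticated with EAP. Assumptions that are mine and not the page's: the SK payload has already been decrypted, so the IKE header's Next Payload field names the first inner payload; the identities, SPIs and AUTH bytes are constructed test values; and the N3IWF's local identity mapping is modelled as a plain dictionary. One caveat the page implies but does not spell out: in conversion mode the core network authenticates the N3IWF's own USIM, not the terminal, so the binding between the terminal and the 5G subscription rests entirely on the N3IWF's IKE_AUTH check and on that mapping table.

```python
"""Relay vs conversion mode selection from the first IKE_AUTH request.

Added example, not code from the patent. It parses RFC 7296 generic payload
headers and applies the rule: no AUTH payload => initiator wants EAP => relay
mode (terminal has a USIM and authenticates to the core itself); AUTH present
=> conversion mode (N3IWF authenticates the terminal locally and its own
security-enhanced USIM module registers with the core on the terminal's behalf).
Assumption: the SK payload is already decrypted, so the IKE header's Next
Payload field names the first inner payload.
"""
import struct
from dataclasses import dataclass, field

IKE_HEADER_FMT = "!QQBBBBII"   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)   # 28 bytes
IKE_VERSION = 0x20
EXCHANGE_IKE_AUTH = 35
FLAG_INITIATOR = 0x08
PAYLOAD_NONE, PAYLOAD_IDi, PAYLOAD_AUTH = 0, 35, 39
ID_RFC822_ADDR = 3             # RFC 7296 section 3.5; 3GPP uses an NAI-style IDi
AUTH_SHARED_KEY_MIC = 2        # RFC 7296 section 3.8 authentication method


def parse_payload_chain(first_type: int, data: bytes) -> list:
    """Walk the payload chain; each generic header is (next payload, C+reserved, length)."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


@dataclass
class AccessDecision:
    mode: str                  # "relay" or "conversion"
    terminal_id: bytes         # identity taken from the IDi payload
    id_mapping: dict = field(default_factory=dict)   # terminal id -> N3IWF USIM identity


def select_access_mode(message: bytes, n3iwf_usim_identity: bytes) -> AccessDecision:
    """The control plane signaling processing security module's terminal-type check."""
    (_spi_i, _spi_r, first, version, exchange,
     flags, _msg_id, length) = struct.unpack_from(IKE_HEADER_FMT, message, 0)
    if version != IKE_VERSION or exchange != EXCHANGE_IKE_AUTH or length != len(message):
        raise ValueError("not a well-formed IKE_AUTH message")
    if not flags & FLAG_INITIATOR:
        raise ValueError("expected a request from the initiator")
    payloads = parse_payload_chain(first, message[IKE_HEADER_LEN:])
    types = [t for t, _ in payloads]
    if types.count(PAYLOAD_IDi) != 1:
        raise ValueError("IKE_AUTH request must carry exactly one IDi")
    idi_body = next(b for t, b in payloads if t == PAYLOAD_IDi)
    terminal_id = idi_body[4:]     # skip ID type byte + 3 reserved bytes
    if PAYLOAD_AUTH not in types:
        # RFC 7296 2.16: no AUTH in the first IKE_AUTH request means EAP follows.
        # The terminal has a USIM, so the N3IWF only relays EAP to the core.
        return AccessDecision("relay", terminal_id)
    # AUTH present: the terminal authenticates only to the N3IWF; the N3IWF's own
    # security-enhanced USIM module registers with the core on its behalf, so the
    # local mapping is the only link between terminal and subscription.
    return AccessDecision("conversion", terminal_id, {terminal_id: n3iwf_usim_identity})


# --- constructed sample messages (not captures) -----------------------------

def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def constructed_ike_auth_request(terminal_id: bytes, with_auth: bool) -> bytes:
    """IDi [+ AUTH] inside a minimal IKE_AUTH request; SPIs and AUTH bytes are dummies."""
    idi = struct.pack("!B3x", ID_RFC822_ADDR) + terminal_id
    if with_auth:
        auth = struct.pack("!B3x", AUTH_SHARED_KEY_MIC) + b"\x00" * 32
        body = _payload(PAYLOAD_AUTH, idi) + _payload(PAYLOAD_NONE, auth)
    else:
        body = _payload(PAYLOAD_NONE, idi)
    header = struct.pack(IKE_HEADER_FMT, 0x1122334455667788, 0x8877665544332211,
                         PAYLOAD_IDi, IKE_VERSION, EXCHANGE_IKE_AUTH, FLAG_INITIATOR,
                         1, IKE_HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    for has_auth in (False, True):
        msg = constructed_ike_auth_request(b"ue-sample@nai.example", has_auth)
        print(select_access_mode(msg, b"n3iwf-usim@nai.example"))
```

Running the block prints a relay decision for the request without AUTH and a conversion decision, with the identity mapping filled in, for the request with AUTH. A real N3IWF would also reject a request whose AUTH payload fails verification against the terminal's configured credential before creating any mapping entry.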
Further, the N3IWF module completing mutual access authentication with the core network UDM through the security-enhanced USIM module includes:
if the core network UDM supports security enhancement, the N3IWF module calls the security-enhanced USIM module to provide access authentication enhanced with a domestic/proprietary authentication algorithm, without changing the EAP-AKA protocol and flow of the 3GPP standard; if the core network UDM is a standard UDM, the N3IWF module calls the security-enhanced USIM module to provide the standard 3GPP authentication algorithm.
The beneficial effects of the invention are:
by enhancing the design of the N3IWF, the invention achieves secure access for mobile terminals both with and without a SIM card, secure access and transmission between the USIM card and the enhanced N3IWF, and secure access and transmission between the core network and the data network, and thereby multi-level access authentication and service encryption at the system level, all without changing the 3GPP protocols, flows or network element functions, so as to meet the flexibility and high-strength security requirements of vertical or key industries.
Drawings
Fig. 1 is a schematic structural diagram of a non-cellular access device of a mobile communication system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the non-cellular access device applied to the access scenario of a mobile terminal with a SIM card, according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the non-cellular access device applied to the access scenario of a mobile terminal without a SIM card, according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As set out in the Background, the 3GPP protocols and flows cannot be modified and the core network elements cannot be customized very far, while vertical or key industries need both support for terminals without a USIM card and security enhancement under non-cellular access. The following embodiments of the non-cellular access device and access method address that problem.
Example 1
Referring to Fig. 1, which is a schematic structural diagram of the non-cellular access device of a mobile communication system according to this embodiment.
This embodiment provides a non-cellular access device for a mobile communication system, comprising the main body function of the N3IWF (Non-3GPP InterWorking Function), a security-enhanced USIM module, a control plane signaling processing security module and a user plane service processing security module. Together with the secure mobile terminal, the UDM (unified data management), the security gateway and the other security-enhanced functional entities in the system, it forms a complete secure private mobile communication network. This realizes multi-level access authentication enhancement and secure service transmission: secure access for mobile terminals both with and without a SIM card, secure transmission between the mobile terminal and the N3IWF, access authentication enhancement between the mobile terminal and the core network, and end-to-end secure service transmission between the mobile terminal and the security gateway, meeting the flexibility and high-strength security requirements of vertical or key industries.
The N3IWF main body function provides the functions of a standard N3IWF together with open interfaces for embedding the security enhancement capabilities of the security-enhanced USIM module, the control plane signaling processing security module and the user plane service processing security module.
The security-enhanced USIM module provides mutual authentication for communication access; its function is active when the control plane signaling processing security module serves the access in conversion mode, and its security enhancement is active when the core network UDM supports security enhancement. It works together with the core network UDM (unified data management); the security enhancement capability is optional and takes effect according to whether the UDM supports it. If the UDM has security enhancement capability, the USIM module supports primary authentication for communication access enhanced with a domestic/proprietary authentication algorithm; if the UDM is a standard UDM, the USIM module supports primary authentication with the 3GPP standard authentication algorithm.
Note that the security-enhanced USIM module is active when the control plane signaling processing security module serves the access in conversion mode, and inactive when it serves the access in relay mode. Its security enhancement is active only when conversion mode is used and the core network UDM supports security enhancement; in conversion mode with a UDM that does not, only the module's standard functions are active and the enhancement is not.
The control plane signaling processing security module determines the type of the accessing terminal, serving a mobile terminal with a SIM card in relay mode and an ordinary terminal without a SIM card in conversion mode; it also negotiates and establishes the UE-N3IWF control plane IPsec tunnel based on a domestic/proprietary cryptographic algorithm and protocol, which carries the subsequent signaling. In relay mode, mutual access authentication is performed between the mobile terminal's security-enhanced USIM card and the core network's security-enhanced UDM, giving access authentication enhanced with a domestic/proprietary authentication algorithm; in conversion mode, it is performed between the N3IWF's security-enhanced USIM module and the core network's security-enhanced UDM.
The user plane service processing security module negotiates and establishes the UE-N3IWF and N3IWF-security gateway user plane IPsec tunnels based on a domestic/proprietary cryptographic algorithm and protocol, providing the user plane bearer for the upper-layer services.
The non-cellular access device of this embodiment achieves secure access for mobile terminals both with and without a SIM card, secure access and transmission between the USIM card and the enhanced N3IWF, and secure access and transmission between the core network and the data network, and thereby multi-level access authentication and service encryption at the system level, all without changing the 3GPP protocols, flows or network element functions, so as to meet the flexibility and high-strength security requirements of vertical or key industries.
Example 2
Referring to Fig. 2, which shows the non-cellular access device of the preceding embodiment applied to the access scenario of a mobile terminal with a SIM card.
In the figure, solid lines represent the security procedures or functional entities introduced by the present invention, and dotted lines represent conventional security procedures or functional entities.
In this embodiment, the functional entities involved in the security-enhanced non-cellular access method and device are: on the terminal side, a security-enhanced USIM card, a security module and a security-enhanced mobile terminal; a non-cellular access point; the N3IWF with its security module (comprising the control plane signaling processing security module and the user plane service processing security module); the AMF and the security-enhanced UDM (unified data management); and, on the application side, a security gateway and a dedicated security application.
Note that the N3IWF supports the security enhancement function through light customization of a standard N3IWF, which also allows the security-enhanced USIM card and the security module to be deployed in it. The security-enhanced mobile terminal, the non-cellular access point, the AMF, the security-enhanced UDM and the security gateway are the remaining functional entities the system works with.
The method specifically comprises the following steps:
S01: the mobile terminal initiates an access request to the non-cellular access point, requesting to establish a communication connection with it.
S02: after the mobile terminal completes access to the non-cellular access point, the mobile terminal and the N3IWF negotiate the security parameters of the IKE SA and establish the IKE SA security association based on a domestic or special algorithm and protocol; the N3IWF relies on the security module for the cryptographic operations and protocol processing;
S03: the mobile terminal sends an IKE_AUTH request to the N3IWF that carries only the UE ID and no authentication material;
S04: the N3IWF determines from the IKE_AUTH request that the mobile terminal supports the EAP protocol, subsequently serves the mobile terminal in relay mode, returns an IKE_AUTH response to the mobile terminal and instructs it to initiate the NAS network access attachment procedure;
S05: the mobile terminal sends an IKE_AUTH request to the N3IWF that carries a NAS network access attachment request;
S06: the N3IWF converts the received IKE_AUTH request into the N2 message bearer format and initiates a network access attachment request to the AMF;
S07: the AMF initiates an authentication vector request to the UDM (unified data management) to trigger the primary authentication security procedure;
S08: the EAP-AKA primary authentication procedure is carried out between the core network and the security enhanced mobile terminal; the mobile terminal relies on the security enhanced USIM card and the core network relies on the security enhanced UDM (unified data management), realizing access authentication security enhancement based on a domestic/special authentication algorithm;
S09: after the two-way access authentication is completed, the AMF obtains the key derived from K_SEAF, triggers the SMC procedure with the mobile terminal, and sends a Security Mode Command to the mobile terminal through the N3IWF;
S10: the mobile terminal responds to the AMF with Security Mode Complete through the N3IWF;
S11: the AMF sends its derived key K_N3IWF to the N3IWF;
S12: the N3IWF sends an IKE_AUTH response message carrying EAP-Success to the mobile terminal, so that the mobile terminal derives the key K_N3IWF locally;
S13: the mobile terminal and the N3IWF each perform the IKE_AUTH exchange based on the key K_N3IWF and establish the IPSec SA security association. The mobile terminal establishes a control plane IPSec encryption tunnel with the N3IWF based on a domestic/special cryptographic algorithm and protocol, so that subsequent signaling interaction between the mobile terminal and the N3IWF is carried over the control plane IPSec encryption tunnel;
S14: the AMF completes the subsequent network access attachment procedure and sends a Registration Accept message to the mobile terminal, and the mobile terminal establishes a user plane service channel with the 5G mobile communication system;
S15: the N3IWF establishes, with the mobile terminal and with the security gateway respectively, an IPSec encryption channel based on a domestic/special cryptographic algorithm and protocol for bearing upper-layer services, providing bottom-layer bearer security protection for the subsequent user plane service transmission process;
S16: the mobile terminal and the security gateway establish an additional end-to-end IPSec encryption tunnel based on a domestic/special algorithm and protocol, realizing end-to-end encryption protection of service data; subsequent service interaction is performed over the end-to-end encryption tunnel.
In this scenario, S02 to S08, S13, and S15 are security procedures related to the security enhancement method of the present invention, and S09 to S12, S14, and S16 are standard commercial security mechanisms or traditional security enhancement mechanisms.
The non-cellular access method of the mobile communication system provided by this embodiment implements the secure access of a mobile terminal with a SIM card, the secure access and secure transmission between the USIM card and the enhanced N3IWF, and the secure access and secure transmission between the USIM card and the core network and the data network, and finally implements multi-level access authentication and service security encryption protection at the system level. It implements the security enhancement function without changing the protocols and flows of the 3GPP standard and without changing the network element functions, so as to meet the flexible use requirements and high-strength security requirements of vertical or key industries.
Example 3
Referring to fig. 3, fig. 3 is a schematic diagram illustrating an application of the non-cellular access device of the mobile communication system provided in the foregoing embodiment to an access scenario of a mobile terminal without a SIM card in the present embodiment.
In the figure, solid lines represent security procedures or functional entities to which the present invention relates, and dotted lines represent conventional security procedure methods or functional entities.
In this embodiment, the functional entities related to the method and apparatus for enhancing security using non-cellular access of mobile communication include a terminal-side security module, a security-enhanced normal terminal, a non-cellular access point, an N3IWF, a security-enhanced USIM card, a security module (including a control plane signaling processing security module and a user plane service processing security module), an AMF, a security-enhanced UDM (unified data management), and the like, and an application-side security gateway and a dedicated security application.
It should be noted that the N3IWF supports the security enhancement function through slight customization of the standard N3IWF, and at the same time the security enhanced USIM card and the security module can be deployed on it. The security enhanced common terminal, the non-cellular access point, the AMF, the security enhanced UDM (unified data management) and the security gateway are the remaining functional entities that cooperate with the system.
The method specifically comprises the following steps:
S01: the common terminal initiates an access request to the non-cellular access point, requesting to establish a communication connection with it.
S02: after access to the non-cellular access point is completed, the common terminal and the N3IWF negotiate the security parameters of the IKE SA and establish the IKE SA security association based on a domestic or special algorithm and protocol; the N3IWF relies on the security module for the cryptographic operations and protocol processing;
S03: the common terminal sends an IKE_AUTH request to the N3IWF that carries authentication material;
S04: the N3IWF determines from the IKE_AUTH request that the common terminal does not support the EAP protocol, subsequently serves the common terminal in conversion mode, returns an IKE_AUTH response to the common terminal and establishes the IPSec SA security association. A control plane IPSec encryption tunnel is established between the N3IWF and the common terminal based on a domestic/special cryptographic algorithm and protocol, so that subsequent signaling interaction between the common terminal and the N3IWF is carried over the control plane IPSec encryption tunnel;
S05: the N3IWF obtains the necessary identity information from the UE through the control plane IPSec encryption tunnel, establishes an identity mapping association for the UE locally, and initiates a network access attachment request to the AMF in the N2 message format;
S06: the AMF initiates an authentication vector request to the UDM (unified data management) to trigger the primary authentication security procedure;
S07: the EAP-AKA primary authentication procedure is carried out between the core network and the N3IWF (acting as the primary authentication agent of the common terminal); the N3IWF relies on the locally deployed security enhanced USIM card and the core network home domain relies on the security enhanced UDM (unified data management), realizing access authentication security enhancement based on a domestic/special authentication algorithm;
S08: after the two-way access authentication is completed, the AMF obtains the key derived from K_SEAF, triggers the NAS SMC procedure, and sends a Security Mode Command to the N3IWF;
S09: the N3IWF responds to the AMF with Security Mode Complete;
S11: the AMF sends its derived key K_N3IWF to the N3IWF;
S12: the AMF completes the subsequent network access attachment procedure and sends a Registration Accept message to the N3IWF, so that the common terminal establishes a user plane service channel with the 5G mobile communication system through the N3IWF;
S13: the N3IWF establishes, with the common terminal and with the security gateway respectively, an IPSec encryption channel based on a domestic/special cryptographic algorithm and protocol for bearing upper-layer services, providing bottom-layer bearer security protection for the subsequent user plane service transmission process;
S14: an additional end-to-end IPSec encryption tunnel based on a domestic/special algorithm and protocol is established between the common terminal and the security gateway, realizing end-to-end encryption protection of service data; subsequent service interaction is performed over the end-to-end encryption tunnel.
It should be noted that, in this scenario, S02 to S13 are security processes related to the security enhancement method of the present invention, and S14 is a standard commercial security mechanism or a conventional security enhancement mechanism.
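The relay/conversion decision the N3IWF makes in step S04 of both embodiments, and the identity mapping that step S05 of this embodiment builds before the N3IWF acts as authentication agent, modelled in Python as an added example that is not part of the patent. The IKE_AUTH abstraction, the HMAC stand-in for the terminal's AUTH check (the patent's domestic/special algorithm is unspecified), the identity-mapping table and the names select_mode, N3IWF and make_auth_payload are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple
import hashlib
import hmac


class AccessMode(Enum):
    RELAY = "relay"            # SIM terminal: N3IWF transparently relays EAP-AKA
    CONVERSION = "conversion"  # no-SIM terminal: N3IWF is the authentication agent


@dataclass
class IkeAuthRequest:
    """Constructed abstraction of the first IKE_AUTH request (not a real IKEv2 parser)."""
    ue_id: str
    auth_payload: Optional[bytes]  # present only when the terminal authenticates itself to N3IWF
    supports_eap: bool             # EAP capability signalled by the terminal


def select_mode(req: IkeAuthRequest) -> AccessMode:
    """Step S04: decide relay vs. conversion mode from the IKE_AUTH request."""
    if req.auth_payload is None and req.supports_eap:
        return AccessMode.RELAY
    if req.auth_payload is not None and not req.supports_eap:
        return AccessMode.CONVERSION
    # Mixed signals match neither embodiment; refuse instead of guessing a mode.
    raise ValueError("IKE_AUTH request matches neither relay nor conversion mode")


def make_auth_payload(key: bytes, ue_id: str) -> bytes:
    """Assumed AUTH construction: HMAC-SHA-256 over the UE ID with a per-terminal key."""
    return hmac.new(key, ue_id.encode(), hashlib.sha256).digest()


@dataclass
class N3IWF:
    """Control-plane state the patent attributes to the N3IWF (assumed structure)."""
    usim_supi: str                       # identity of the locally deployed USIM module
    terminal_psk: Dict[str, bytes]       # constructed per-terminal AUTH verification keys
    identity_map: Dict[str, Tuple[AccessMode, str]] = field(default_factory=dict)
    k_n3iwf: Dict[str, bytes] = field(default_factory=dict)  # ue_id -> key pushed by AMF

    def verify_auth(self, req: IkeAuthRequest) -> bool:
        key = self.terminal_psk.get(req.ue_id)
        if key is None or req.auth_payload is None:
            return False
        return hmac.compare_digest(make_auth_payload(key, req.ue_id), req.auth_payload)

    def handle_ike_auth(self, req: IkeAuthRequest) -> AccessMode:
        mode = select_mode(req)
        if mode is AccessMode.RELAY:
            # Relay mode: the terminal's own USIM is the core-network principal;
            # the N3IWF only forwards EAP-AKA and later receives K_N3IWF from the AMF.
            self.identity_map[req.ue_id] = (mode, req.ue_id)
        else:
            # Conversion mode: the control plane IPSec SA exists only after AUTH verifies,
            # and step S05 then binds the terminal to the USIM module identity that the
            # N3IWF presents to the AMF/UDM on the terminal's behalf.
            if not self.verify_auth(req):
                raise PermissionError("AUTH verification failed for " + req.ue_id)
            self.identity_map[req.ue_id] = (mode, self.usim_supi)
        return mode

    def core_principal(self, ue_id: str) -> str:
        """Identity the core network actually authenticates for this terminal."""
        return self.identity_map[ue_id][1]

    def receive_k_n3iwf(self, ue_id: str, key: bytes) -> None:
        """Step S11: K_N3IWF from the AMF is accepted only for an admitted terminal."""
        if ue_id not in self.identity_map:
            raise KeyError("K_N3IWF received for unknown terminal " + ue_id)
        self.k_n3iwf[ue_id] = key
```

The identity map is the audit point for conversion mode: every common terminal is authenticated to the core under the N3IWF's USIM identity, so the local binding is the only record of which terminal is behind a given session.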
The non-cellular access method of the mobile communication system provided by this embodiment realizes the secure access of a common terminal without a SIM card, the secure access and secure transmission between the USIM card and the enhanced N3IWF, and the secure access and secure transmission between the USIM card and the core network and the data network, and finally realizes multi-level access authentication and service security encryption protection at the system level. It realizes the security enhancement function without changing the protocols and flows of the 3GPP standard and without changing the network element functions, so as to meet the flexible use requirements and high-strength security requirements of vertical or key industries.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (5)

1. A mobile communication system non-cellular access device, characterized in that, the device comprises an N3IWF module, a security enhanced USIM module, a control plane signaling processing security module and a user plane service processing security module;
the N3IWF module provides functions and functional interfaces of a standard N3IWF, and the functional interfaces comprise a security enhancement USIM module interface, a control plane signaling processing security module interface and a user plane service processing security module interface;
the security enhancement USIM module can be matched with a core network UDM for use, and if the core network UDM has security enhancement capability, the security enhancement USIM module supports communication access main authentication security enhancement based on a domestic/special authentication algorithm; if the core network UDM is a standard UDM, the security enhancement USIM module supports communication access main authentication based on a 3GPP standard authentication algorithm;
the security enhancement USIM module provides communication access bidirectional authentication; its function takes effect when the control plane signaling processing security module provides secure access service in conversion mode, and its security enhancement function takes effect when the core network UDM supports security enhancement;
the control plane signaling processing security module provides judgment of the type of the access terminal, provides security access service in a relay mode for a mobile terminal with an SIM card, and provides security access service in a conversion mode for a common terminal without the SIM card;
the control plane signaling processing security module also provides negotiation and establishment of a control plane IPSec channel based on a domestic/special cryptographic algorithm and protocol between the access terminal UE and the N3IWF, and provides the bottom-layer control plane IPSec bearer channel for subsequent signaling interaction; in relay mode, bidirectional access authentication is performed by the security enhancement USIM card of the mobile terminal and the core network security enhancement UDM to complete access authentication security enhancement based on the domestic/special authentication algorithm; in conversion mode, bidirectional access authentication is performed by the security enhancement USIM module of the N3IWF and the core network security enhancement UDM to complete access authentication security enhancement based on the domestic/special authentication algorithm;
the user plane service processing security module provides negotiation and establishment of user plane IPSec channels of the access terminals UE-N3IWF and N3 IWF-security gateway.
2. A non-cellular access method for a mobile communication system, which is applied to a mobile terminal with a SIM card by using the access device of claim 1, the method comprising:
the mobile terminal accesses a non-cellular access point and establishes an IP channel between the mobile terminal and the non-cellular access point;
the mobile terminal and the N3IWF module establish IKE SA security association;
the mobile terminal and the N3IWF module start the IPSec SA security association, which specifically comprises:
the N3IWF module judges whether the mobile terminal does not carry AUTH information and supports an EAP protocol according to the IKE _ AUTH protocol exchange message, if the mobile terminal does not carry AUTH information and supports the EAP protocol, the N3IWF module provides access service for the mobile terminal in a relay mode subsequently;
the mobile terminal completes bidirectional access authentication with a core network UDM through a self security enhancement USIM card, and the method specifically comprises the following steps:
whether the core network UDM supports the security enhancement function or not, the N3IWF module provides a transparent relay to help the mobile terminal and the core network UDM to complete a communication access bidirectional authentication process;
the mobile terminal completes the safety negotiation process with the core network through the relay of the N3IWF module to generate a protection algorithm and a key of the NAS layer;
the mobile terminal and the N3IWF module each derive the key K_N3IWF and establish the control plane IPSec SA security association between the mobile terminal and the N3IWF module;
the mobile terminal and a core network complete a subsequent network access attachment process through an N3IWF relay based on a control plane IPSec channel;
the N3IWF module establishes user plane IPSec SA between the mobile terminal and the security gateway by calling a user plane service processing security module, and is used for providing an IPSec channel which is based on a domestic/special algorithm and a protocol and bears upper layer services;
and an end-to-end service security encryption tunnel is established between the mobile terminal and the security gateway.
3. The non-cellular access method of claim 2, wherein the establishing the IKE SA security association between the mobile terminal and the N3IWF module specifically comprises:
the N3IWF module provides the domestic/special algorithm and protocol to the mobile terminal by calling the control plane signaling processing security module.
4. A non-cellular access method of a mobile communication system, which is applied to a general terminal without a SIM card by using the access device of claim 1, the method comprising:
the common terminal is accessed to a non-cellular access point, and an IP channel between the common terminal and the non-cellular access point is established;
establishing IKE SA security association between the common terminal and the N3IWF module;
the common terminal and the N3IWF module start the control plane IPSec SA security association, which specifically comprises:
the N3IWF module judges whether the common terminal does not carry AUTH information and supports an EAP protocol or not according to the IKE _ AUTH protocol exchange message, if the common terminal carries the AUTH information and does not support the EAP protocol, the N3IWF module provides access service for the common terminal in a conversion mode subsequently;
the N3IWF module acquires identity information from the common terminal and establishes an identity mapping association relationship of the common terminal locally, and the N3IWF module completes bidirectional access authentication with a core network UDM through a security enhanced USIM module, and specifically comprises the following steps:
if the core network UDM supports the security enhancement function, the N3IWF module calls a security enhancement USIM module to provide access authentication security enhancement based on a domestic/special authentication algorithm under the condition of not changing an EAP-AKA protocol and a process of a 3GPP standard; if the core network UDM is the standard UDM, the N3IWF module calls a security enhancement USIM module to provide a standard 3GPP authentication algorithm;
the N3IWF module and the core network complete the safety negotiation process to generate the protection algorithm and the key of the NAS;
the N3IWF module and the core network complete the subsequent network access attachment process;
the N3IWF module establishes user plane IPSec SA between the ordinary terminal and the security gateway by calling a user plane service processing security module, and is used for providing an IPSec channel which is based on a domestic/special algorithm and a protocol and bears upper layer services;
and an end-to-end service security encryption tunnel is established between the common terminal and the security gateway.
5. The non-cellular access method of claim 4, wherein the establishing of the IKE SA security association between the common terminal and the N3IWF module specifically comprises:
the N3IWF module provides the domestic/special algorithm and protocol to the common terminal by calling the control plane signaling processing security module.
CN202210139868.4A 2022-02-16 2022-02-16 Non-cellular access device and access method for mobile communication system Active CN114189864B (en)
Publications (2)

Publication Number Publication Date
CN114189864A CN114189864A (en) 2022-03-15
CN114189864B true CN114189864B (en) 2022-05-31