KR20100030610A - Method of selective encrypting control signal - Google Patents

Abstract

PURPOSE: A method for encoding a selective control signal is provided to encode only selected control signals, thereby reducing excessive load of the entire network. CONSTITUTION: A mobile station of an idle state transmits a ranging request message including security negotiation parameters to a base station(S510). The base station receives the ranging request message. The base station transmits a ranging response message including the security negotiation parameter to the mobile station(S520).

Description

Selective encrypting control signal

The present invention relates to various methods of encrypting signals used in a wireless access system.

Hereinafter, the security sublayer used in the broadband wireless access system will be briefly described.

A security service is one that provides confidentiality (Security) and integrity for network data. Integrity means that in data and network security, certain information can only be accessed or changed by authorized persons. In other words, integrity is to ensure that messages are not tampered with by third parties or the like. Confidentiality is the disclosure of certain information only to authorized persons. In other words, confidentiality is to completely protect the content of the transmitted data to prevent unauthorized access to the content.

The security sublayer provides security, authentication, and confidentiality in broadband wireless networks. The security sublayer may apply an encryption function to a medium access control protocol data unit (MAC PDU) transferred between the mobile station and the base station. Thus, the base station and the mobile station can provide a robust defense against theft attacks of illegal users.

The base station encrypts the service flow throughout the network to prevent unauthorized access to the data transfer service. The security sublayer controls the base station to distribute information associated with the key to the mobile station using a key management protocol of an authenticated client / server architecture. At this time, the digital certificate-based mobile station device authentication may be added to the key management protocol to further strengthen the function of the basic security mechanism.

During the basic function negotiation between the base station and the mobile station, authentication and key exchange procedures are omitted unless the mobile station provides a security function. Further, even when a specific mobile station is registered as a mobile station that does not support the authentication function, the base station can consider that the authority of the mobile station has been verified. If a particular mobile station does not support a security function, no key exchange or data encryption function is performed since no service is provided to that mobile station.

The security sublayer consists of an encapsulation protocol and a Privacy Key Management (PKM) protocol. The encapsulation protocol is a protocol for the security of packet data in a broadband wireless network. The encapsulation protocol provides a method for applying such an algorithm to a set representing a cryptographic suite such as data encryption and data authentication algorithms and a MAC PDU payload. The PKM protocol is a protocol that provides a method for securely distributing key related data from a base station to a mobile station. The base station and the mobile station can provide a method for securely distributing key related data using the PKM protocol. Using the key management protocol, key-related data can be shared between the mobile station and the base station, and the base station can control network access.

The present invention relates to a method for selectively protecting control signaling exchanged between a mobile station and a base station in a wireless access system.

In the IEEE 802.16e system, a mobile station and a base station can generate a cipher based message authentication code (CMAC) key and a hashed message authentication code (HMAC) key for protection of a control signal through an authorization key shared with each other. In addition, the mobile station and the base station may generate a message authentication code (MAC) using the CMAC key and / or the HMAC key. That is, the mobile station and the base station can guarantee the integrity of the control signal by exchanging the message authentication code (MAC) in addition to the control signal. On the other hand, when using the AES-CCM, the mobile station and the base station can ensure the integrity of the control signal by exchanging an Integrity Check Value (ICV) in addition to the control signal.

Although the mobile station and the base station protect the integrity of the message by using the CMAC key and the HMAC key, the message authentication code provides a judgment on whether the message is forged or not but does not provide the confidentiality of the message. Therefore, the message authentication code does not provide a concealment function for the message.

A general radio access system (hereinafter, referred to as an 802.16e system) including an IEEE 802.16e system provides a concealment function for a general message but does not provide a concealment function for a control signal.

That is, the 802.16e system supports Integrity for control signaling, but does not guarantee confidentiality. Therefore, in the general wireless access system, only CMAC / HMAC is added to the control signal and transmitted, which may be a security threat, and the system protection against malicious attackers may also be vulnerable.

However, enforcing collective control of all control signals between the mobile station and the base station can result in load in terms of system performance or network efficiency.

In addition, the IEEE 802.16e system supports multiple encryption algorithms (eg, AES-CTR) that do not consider support for integrity, and AES-CCM (Advanced Encryption Standard-CTR mode encryption mode) to ensure integrity and confidentiality at the same time. Basically consider the use of with Cipher block chaining Message authentication code. Thus, there is also a need to consider algorithms used for selective confidentiality protection for control signals. Accordingly, embodiments of the present invention disclose various methods for supporting selective confidentiality for control signals.

It is an object of the present invention to provide a method for selectively protecting control signals exchanged between a mobile station and a base station.

Another object of the present invention is to provide a method for selectively protecting a control signal using an encryption control (EC, EKS, etc.) field defined in a general MAC header and / or an extended header (EH).

Another object of the present invention is to provide a method for selectively protecting a control signal using a flow identifier, a flow ID type, and / or a management flow ID.

It is still another object of the present invention to provide a method for specifying whether a corresponding PDU includes control signals to be selectively encrypted through an extended header (EH). That is, as an example of the extension header, it is possible to know whether the management message is encrypted or not encrypted through the EC Bit included in the Security Extended Header (SEH) or the Fragmentation Extended Header (FEH). . Technical objects to be achieved in the present invention are not limited to the above-mentioned matters, and other technical problems which are not mentioned are those skilled in the art from the embodiments of the present invention to be described below. Can be considered.

The present invention discloses various methods and apparatus for encrypting signals used in a wireless access system. In particular, various methods and apparatus are disclosed for selectively encrypting management messages (e.g. control signals).

In a first embodiment of the present invention, a method for selectively encrypting a management message includes a method in which a mobile station generates a MAC protocol data unit (PDU) including an optionally encrypted management message and a fragmentation extended header (FEH). And transmitting the MAC PDU to a base station. In this case, the split header extension (FEH) may include indication information indicating whether the management message is encrypted.

The level of security for selectively encrypting management messages may be determined in advance by the type and time of use of the management messages. Even if encryption is not applied, CMAC may be added to the management message to support only integrity.

The first embodiment of the present invention may further include negotiating a protection level with the base station and selectively encrypting a management message based on the negotiated security level. At this time, in the embodiments of the present invention, the management message may be a medium access control (MAC) management message.

In the first embodiment, the negotiating security level may include transmitting a first message including a first security negotiation parameter supported by the mobile station to the base station and a second security negotiation parameter supported by the base station. Receiving the message. In this case, the first message is one of SBC-REQ message, ranging request message, and handover request message, and the second message is SBC-RSP message, lane. It may be one of a gong response message and a handover response message.

In the first embodiment, the first security negotiation parameter may include a first message confidentiality mode field supported by the mobile station, and the second security negotiation parameter may include a second message confidentiality mode field supported by the mobile station and the base station. .

The first embodiment may further comprise the mobile station performing an authorization procedure with the base station. In this case, the optionally encrypted MAC management message is preferably transmitted after the authorization procedure is performed to generate the TEK for encryption.

In the first embodiment, the selectively encrypting the MAC management message comprises: encrypting the MAC management message based on the negotiated security level and adding an integrity check value (ICV) to the encrypted MAC management message. Can be.

Alternatively, selectively encrypting the MAC management message in the first embodiment may include generating a message authentication code for the MAC management message based on the negotiated security level and a message authentication code generated in the MAC management message. (MAC) can be configured as a step.

In the first embodiment, the indication information may include an encryption control (EC) field indicating whether the MAC management message is encrypted.

In a second embodiment of the present invention, a method for selectively encrypting a medium access control (MAC) management message at a base station may include selectively negotiating a MAC management message based on the negotiated security level with the base station and the negotiated security level. Encrypting and transmitting a MAC protocol data unit (PDU) including an optionally encrypted MAC management message and split header (FEH) to the mobile station. In this case, the split header extension (FEH) may include indication information indicating whether the MAC management message is encrypted.

In the second embodiment, the negotiating security level may include receiving a first message including a first security negotiation parameter supported by the mobile station and a second message including a second security negotiation parameter supported by the base station. And transmitting to the mobile station. In this case, the first message may be a subscriber terminal basic capability negotiation request (SEC-REQ) message, and the second message may be a subscriber station basic capability negotiation response (SBC-RSP) message. In addition, the first security negotiation parameter may include a first message confidentiality mode field supported by the mobile station, and the second security negotiation parameter may include a second message confidentiality mode field supported by the mobile station and the base station.

The second embodiment further includes the step of the base station performing an authorization procedure with the mobile station, wherein the optionally encrypted MAC management message is preferably transmitted after the authorization procedure is performed and the TEK is established.

In the second embodiment, selectively encrypting the MAC management message may include encrypting the MAC management message and adding an integrity check value (ICV) to the encrypted MAC management message.

In the second embodiment, the selectively encrypting the MAC management message may include generating a message authentication code for the MAC management message and attaching a generated message authentication code (MAC) to the corresponding MAC management message. have.

In the second embodiment, the indication information may include an encryption control (EC) field indicating whether the MAC management message is encrypted.

As a third embodiment of the present invention, a mobile terminal for selectively transmitting and receiving an encrypted MAC (Medium Access Control) management message may include first MAC data including an optionally encrypted first MAC management message and a first split header. A processor for receiving a second MAC data including a transmitting module to transmit, optionally a second MAC management message and a second split header, and a processor to encrypt the first MAC management message and to decrypt the second MAC management message It may include. In this case, the first split header extension EH and the second split header header may include indication information indicating whether the first MAC management message and the second MAC management message are encrypted.

In a third embodiment, the processor may include an encryption module for selectively encrypting the first MAC management message and a decryption module for decrypting the second MAC management message.

The processor may also encrypt the first MAC management message first and add an integrity check value (ICV) to the encrypted first MAC management message. Alternatively, the processor may first generate a message authentication code for the first MAC management message and attach a message authentication code (MAC) to the corresponding MAC management message.

The first to third embodiments are merely some of the preferred embodiments of the present invention, and various embodiments in which the technical features of the present invention are reflected will be described below by those skilled in the art. It can be derived and understood based on the detailed description of the invention.

According to embodiments of the present invention has the following effects.

First, it is possible to selectively protect the control signal (i.e. MAC management message) transmitted and received between the mobile station and the base station.

Second, it is possible to specify whether to selectively apply encryption to the control signal using a header (e.g. general MAC header and / or split extension header) including an encryption control (e.g. EC or EKS) field.

Third, control signals may be selectively protected using various types of flow identifiers.

Third, by encrypting only selected control signals, not all control signals, it is possible to reduce excessive load that may be added to the entire network than when encrypting all control signals.

Fourth, the control signals are transparently transmitted according to the selective encryption of the control signals, thereby preventing security vulnerabilities in which the concealment is compromised. Also, optionally encrypted control signals can be transmitted securely. Therefore, it is possible to block the security threat that the control signal is exposed to malicious third parties.

Effects obtained in the embodiments of the present invention are not limited to the above-mentioned effects, and other effects not mentioned above are usually described in the technical field to which the present invention pertains from the description of the embodiments of the present invention. Can be clearly derived and understood by those who have That is, effects that are not intended in the application stage of the present invention may also be derived by those skilled in the art from the embodiments of the present invention.

The following embodiments combine the components and features of the present invention in a predetermined form. Each component or feature may be considered to be optional unless otherwise stated. Each component or feature may be embodied in a form that is not combined with other components or features. In addition, some components and / or features may be combined to form an embodiment of the present invention. The order of the operations described in the embodiments of the present invention may be changed. Some components or features of one embodiment may be included in another embodiment or may be replaced with corresponding components or features of another embodiment.

In the description of the drawings, procedures or steps, which may obscure the gist of the present invention, are not described, and procedures or steps that can be understood by those skilled in the art are not described.

In the present specification, embodiments of the present invention have been described based on data transmission / reception relations between a base station and a terminal. Here, the base station has a meaning as a terminal node of a network that directly communicates with the terminal. The specific operation described as performed by the base station in this document may be performed by an upper node of the base station in some cases.

That is, various operations performed for communication with a terminal in a network consisting of a plurality of network nodes including a base station may be performed by a network node other than the base station or the base station. In this case, the 'base station' may be replaced by terms such as a fixed station, a Node B, an eNode B (eNB), an advanced base station (ABS), or an access point. In addition, a 'mobile station' may include a user equipment (UE), a subscriber station (SS), a mobile subscriber station (MSS), an advanced mobile station (AMS) or a mobile terminal (Mobile Terminal). May be replaced by the term.

In addition, the transmitting end refers to a node transmitting data or voice service, and the receiving end refers to a node receiving data or voice service. Therefore, in uplink, a terminal may be a transmitting end and a base station may be a receiving end. Similarly, in downlink, a terminal may be a receiving end and a base station may be a transmitting end.

Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802 system, 3GPP system, 3GPP LTE system and 3GPP2 system. That is, steps or parts which are not described to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the above documents.

In addition, all terms disclosed in the present document can be described by the above standard document. In particular, embodiments of the present invention may be supported by one or more of the standard documents P802.16-2004, P802.16e-2005, and P802.16 Rev2 and P802.16m documents of the IEEE 802.16 system.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. The detailed description, which will be given below with reference to the accompanying drawings, is intended to explain exemplary embodiments of the present invention and is not intended to represent the only embodiments in which the present invention may be practiced.

In addition, specific terms used in the embodiments of the present invention are provided to help the understanding of the present invention, and the use of the specific terms may be changed into other forms without departing from the technical spirit of the present invention. .

For example, the term control signal used in the embodiments of the present invention may be changed to a term such as a control message, a management message, a MAC control message or a MAC management message. In addition, the term extension header used in the embodiments of the present invention may be changed to a term such as a split extension header or a security extension header.

In embodiments of the present invention, data confidentiality means protecting data from unauthorized exposure. Data confidentiality can be ensured through the encryption of data. Encryption refers to the conversion of data exchanged between a transmitter and a receiver into a form that can not be identified by a third party. Encryption requires an encryption algorithm and encryption key.

Among the encryption algorithms adopted by the IEEE 802.16e standard, which is a wireless access technology, AES-CCM basically includes its own message authentication function. However, AES-CCM is not a common denominator for the entire encryption algorithm. The IEEE 802.16m system currently under development requires a mobile station and a base station to support a function for ensuring confidentiality so that control signals can be exchanged safely after an authorization procedure.

That is, there is a need for a solution that can prevent exposure of control signals transmitted and received between a mobile station and a base station without incurring a large load on the network. Accordingly, embodiments of the present invention disclose various methods for preventing the confidentiality of a control signal from being compromised by the mobile station and the base station encrypting and exchanging a control signal using a Traffic Encryption Key (TEK). .

Hereinafter, the embodiments of the present invention will be described in detail with respect to methods for providing the confidentiality of the control signal using the EC field and methods for providing the confidentiality of the control signal using the EC field and the EKS field.

When only the EC field having a predetermined bit is used by the base station and the mobile station, the base station may use both the EC field only to indicate whether confidentiality is provided and whether it is selectively encrypted. For example, when the EC field has a size of 1 bit, when the EC field is '0', this indicates that the corresponding control signal is not encrypted. In addition, when the EC field is '1', the control signal may be selectively encrypted and may provide confidentiality.

In addition, when the EC field and the EKS field are used, the EC field may indicate whether the payload of the control signal is encrypted. In this case, the EKS field may indicate a protection level of the corresponding control signal as a key sequence.

As another aspect of the present invention, it is possible to provide confidentiality of a control signal using only a flow ID. For example, when the flow identifier indicates a transport type, the control signal (or management message) is not encrypted. However, when the flow identifier indicates a management type, it may indicate that a corresponding control signal (or a management message) is encrypted.

The EC field and / or the EKS field may be changed to another field performing the same function. That is, the EC field and / or the EKS field may be used or modified in an equal sense with all fields indicating whether the control signal is selectively encrypted. In addition, the EC field and / or the EKS field may be included in a general MAC header / split header and may be included in a header of another control signal (or control message).

In embodiments of the present invention, the flow identifier and the encryption control fields may be used in combination. For example, the combination of the flow identifier and the EC field or the combination of the flow identifier and the EKS field may indicate whether the control signal is selectively encrypted. For example, in the case of a transport flow ID, a security association (SA) is mapped to the flow identifier so that the security association is applied to all data of the corresponding flow identifier.

However, in the case of a management flow ID, encryption is selectively applied according to the EC field and / or the EKS field, not all control signals of the flow identifier to which the corresponding SA corresponds. That is, the mobile station can know whether the corresponding management message is encrypted by checking the header information according to the types of the management messages.

Embodiments of the present invention may be used to selectively encrypt a control signal between a base station and a mobile station after the authorization procedure between the base station and the mobile station is completed. That is, the selective encryption of the control signal is effective after the authorization process is completed and the TEK is set. At this time, the base station and the mobile station can selectively encrypt the control signal using an encryption key (for example, TEK) negotiated with each other to protect the control signal.

For example, the initial network entry procedure before the authorization procedure is when TEK is not activated. Therefore, the encryption of the selective control signal is not supported in the initial network entry procedure. However, if the mobile station and the base station set the TEK through the authorization procedure, the base station and the mobile station use the TEK to select the confidentiality of the control signal. Can be provided.

In addition, the base station and the mobile station can further ensure message integrity by adding a message authentication code to the control signal. However, when AES-CCM (Advanced Encryption Standard-Counter mode encryption mode with Cipher block chaining message authentication code) is applied to the embodiments of the present invention, AES-CCM is provided with its own message integrity protection so that separate message authentication is performed. You do not need to include any code.

For example, if a message authentication code is included to support only control message integrity, only AES-CCM / AES-CTR is not used, or only control message integrity is supported unless message integrity and confidentiality are not supported at the same time. It means when it is necessary.

Among the encryption algorithms adopted by the IEEE 802.16e standard, which is a wireless access technology, AES-CCM basically includes its own message authentication function. However, AES-CCM is not a common denominator for the entire encryption algorithm. In the IEEE 802.16m system currently under development, it is desirable to support a function for ensuring confidentiality so that the mobile station and the base station can safely exchange control signals after the authorization procedure.

That is, there is a need for a solution that can prevent exposure of control signals transmitted and received between a mobile station and a base station without incurring a large load on the network. Therefore, embodiments of the present invention, by using the encryption key (e.g., Traffic Encryption Key (TEK)) negotiated between the mobile station and the base station to encrypt the control signal with a selection and then exchange the control signal Various methods are disclosed for preventing the confidentiality of the data from being compromised.

Embodiments of the present invention preferably target application in an IEEE 802.16m system. For example, when an IEEE 802.16e mobile station accesses an IEEE 802.16e base station, after the authorization procedure, only a message authentication code may be added to the control signaling to be exchanged between the mobile station and the base station. However, the technical spirit of the present invention may also be applied to an IEEE 802.16e system.

On the other hand, when the IEEE 802.16m terminal accesses the IEEE 802.16m base station, as described in the present invention, it is possible to prevent exposure of the control signaling by selectively encrypting and exchanging control signaling with the mobile station. The exchange of control signaling through encryption may optionally be applied to control signals after the authorization procedure. Therefore, by using an optional encryption method, it is possible to ensure the confidentiality of the control signaling in consideration of the network load or system efficiency. In addition, it is possible to securely deliver MAC management messages through an optional encryption method.

In the embodiments of the present invention, a type field and an attribute field for an additional key parameter need not be newly defined to a PKM attribute type parameter defined in the IEEE 802.16e standard. In addition, the encryption algorithm used to protect the control signal is also based on the assumption that the data encryption algorithms (AES-CCM / AES-CTR) defined in the IEEE 802.16e standard.

That is, the CBC-IV attribute field is required when the control signal encryption algorithm identifier of 'SA Ciphersuite' is 0x01 (eg, DES in CBC mode). Further, CBC-IV is not necessary when the control signal encryption algorithm identifier of SA encryption is 0x02 (for example, AES), but is required when 0x03 (for example, AES in CBC mode).

Table 1 below shows a cryptographic suite that can be used in embodiments of the present invention.

Referring to Table 1, the TEK encryption suite has a size of 24 bits, and the most significant byte represents an encryption algorithm and a key length. The middle byte of the TEK notation suite represents the data authentication algorithm, and the least significant byte represents the TEK authentication algorithm.

Table 2 below shows the allowed cryptographic suites that can be used in the present invention.

Table 1 shows 'Cryptographic Suites' of IEEE 802.16 including TEK-related contents, and Table 2 shows 'Cryptographic Suites' allowed.

Hereinafter, in embodiments of the present invention, a control signal encryption algorithm identifier for encrypting a control signal, a control signal authentication algorithm identifier used for authenticating the control signal, and a TEK encryption algorithm identifier will be described.

Table 3 below shows an example of a Control Signal Encryption Algorithm Identifier format that can be used in embodiments of the present invention.

Referring to Table 3, if the encryption algorithm identifier of the control signal is '0', it indicates that no control signal is protected. If '1', it indicates 56-bit Cipher Block Chaining (CBC) mode. CCC (CTR mode with CBC-MAC) mode, and '3' indicates the 128-bit CBC mode. If the encryption algorithm identifier is '4' to '127', it is a reserved value, and if it is '128', it indicates a counter mode encryption (CTR) mode. In addition, the remaining 129-255 represent reserved values. Among the various algorithms shown in Table 3, it is desirable to use AES-CCM for selective encryption of control signals.

Table 4 below shows an example of a Control Signaling Authentication Algorithm Identifier format that can be used in embodiments of the present invention.

Referring to Table 4, when the control signal authentication algorithm identifier indicates '0', it indicates that authentication for a predetermined control signal is not supported, and when '1' indicates a CBC mode of 128 bits for a predetermined control signal, the remaining bits Can be used as a reserved value.

Table 5 below shows an example of a TEK Encryption Algorithm Identifier format that can be used in embodiments of the present invention.

Referring to Table 5, '0' and '5-255' of the TEK authentication algorithm identifier values represent reserved values, and '1' represents a 128-bit 3-Data Encryption Standard Encrypt-Decrypt-Encrypt (EDE). '2' represents an RSA of 1024 bits, '3' represents an AES mode ECB (Electronic Code Book) of 128 bits, and '4' represents an AES key wrap of 128 bits.

<Negotiation method for supporting optional control signal encryption>

Hereinafter, negotiation methods for selectively encrypting a control signal in a mobile station and a base station will be described.

1 is a diagram illustrating a negotiation process for selectively protecting a control signal.

A mobile station (MS) may transmit a subscribe station basic capability request (SBC-REQ) message to negotiate basic capabilities to a base station (BS) in an initial procedure (S110).

In step S110, the SBC-REQ message may include a security negotiation parameter (Security Negotiation Parameter). In this case, the security negotiation parameter may include a message confidentiality mode field that specifies a confidentiality protection mode for the control signal that can be supported by the mobile station.

Hereinafter, security negotiation parameters that can be used in embodiments of the present invention will be described. Table 6 below shows an example of security negotiation parameters.

The security negotiation parameter may include an appendage field as a compound field. Table 7 below shows sub-attributes of security negotiation parameters.

Referring to Table 7, the security negotiation parameters include PKM version support parameters, Authentication Policy Support parameters, Message Authentication Code Mode parameters, and Message Confidentiality Mode parameters. It may include a PN window size parameter, a PKM flow control parameter, and a maximum number of supported security association parameters. At this time, the message confidential mode parameter indicates the control message confidentiality that can be supported by the current wireless access system.

Table 8 below shows an example of the PKM version support parameter format.

Referring to Table 8, it is assumed that embodiments of the present invention support PKM version 3. However, PKM version 2 or PKM version 1 may be used in addition to PKM version 3.

Table 9 below shows an example of a message confidentiality mode field format used in step S110.

Referring to Table 9, if the message confidential mode parameter is set to '0', it may indicate that the message confidential mode is not supported, and if it is set to '1', it may indicate that the message confidential mode is optionally supported. The mobile station can support one or more confidentiality protection modes, and can inform the message confidential mode that can be supported by the mobile station by transmitting the SBC-REQ message to the base station in step S110.

Referring back to FIG. 1, the base station receiving the SBC-REQ message may negotiate security negotiation capability with the mobile station by transmitting an SBC-RSP message including security negotiation parameters that the base station can support. That is, in step S120, the base station may negotiate the message confidential mode with the mobile station by transmitting a security negotiation parameter including the message confidential mode field to the mobile station (S120).

In FIG. 1, the mobile station and the base station may perform an authorization procedure after completing the basic capability negotiation through steps S110 to S120 (S130).

The base station can selectively encrypt the control message based on the message confidential mode negotiated with the mobile station. In addition, the mobile station and the base station can optionally exchange the encrypted control message (S140).

As another embodiment of the present invention, the flow identifier may be included in the MAC header of the control signal selectively encrypted in step S140. In this case, a newly defined confidentiality management flow identifier (CMF_ID) may be used as the flow identifier, and the mobile station may know that the corresponding control signal is encrypted by checking the flow identifier type indicating the CMF_ID.

2 is a diagram illustrating an optional encryption procedure of a control signal.

When the type of the flow identifier of the control signal in FIG. 2 is a transport type, the encryption procedure of FIG. 2 is not used. However, when the flow ID type of the control signal is a management type, selective encryption may be applied according to the control signal type in the flow identifier.

Referring to FIG. 2, control signal types to which selective encryption is applied are basically classified based on the CMAC, and may vary depending on when individual control signals are used. According to the type of the control signal, the EC field of the general MAC header (GMH) may be set to '1'. In this case, the control signal is classified based on Cipher based Message Authentication Code (CMAC). In addition, selective encryption and CMAC / HMAC for the control signal can be simultaneously supported.

On the other hand, if the ECH field of GMH is set to '0', encryption classified based on CMAC is not applied to the control signal, and only message authentication code (MAC) is supported or no control signal is applied. Protection is also not supported. In this case, when no protection is supported for the control signal, it means all control signals to which the CMAC is not applied.

3 is a diagram illustrating an encryption method of a MAC management message.

On the other hand, the allocation of the security association (SA) for the protection of the control signal may be applied to the primary SA (Primary SA), static SA (Static SA) defined in IEEE 802.16e according to the type of MAC management message. This sorted MAC management message may be encrypted by the base station in the three forms of FIG.

Referring to FIG. 3, the MAC management message may include a general MAC header (GMH) 310, a management message type field 320, and a management message payload 330. In addition, the MAC management message may further include a message authentication code (MAC) 340 and a cyclic redundancy check (CRC) 350.

FIG. 3 (a) shows the MAC (Message Authentication Code) for the management message type 320 field and the management message payload 330 of the MAC management message first, and then the management message type 320 field, MAC. A method of encrypting payload 330 and MAC 340 is shown. In this case, the receiver may first decrypt the encrypted management message type field, the MAC payload 330 and the calculated MAC 340, and verify the MAC (Message Authentication Code) 340.

3 (b) illustrates a method of first encrypting a management message type field 320 and a MAC payload 330 at a transmitting end, and calculating a MAC for the encrypted management message type field and the MAC payload 330. In this case, the receiving end may verify the MAC (Message Authentication Code) 340, and then decrypt the encrypted management message type field and the MAC payload 330.

3 (c) shows a MAC (340) for the management message type 320 field and the management message payload 330 first using the MAC 340, and then the management message type ( 320 shows a method of encrypting the field and the management message payload 330. In this case, the receiver may first decrypt only the encrypted management message type field and the MAC payload 330 and verify the MAC 340.

4 is a state diagram illustrating a method for selectively negotiating control signal encryption of a mobile station in an initial state or an idle mode state.

Figure 4 shows the access state of the mobile station during negotiation to selectively protect the control signal. Referring to FIG. 4, a mobile station may enter an access state from an initialization state or an idle state. In this case, the mobile station may perform a ranging procedure with the base station and acquire uplink synchronization (410).

The mobile station may perform a basic capability negotiation process (SBC-REQ / RSP) with the base station (220) and perform authentication and key exchange with the base station (430). After the authentication procedure with the base station is completed, the mobile station can register with the serving base station (440). In addition, the mobile station can be assigned an Internet Protocol (IP) address from the base station (450). In FIG. 4, the negotiation about the selective encryption of the control signal between the base station and the mobile station may be performed in step 410 or 420.

5 is a diagram illustrating a negotiation process for selectively protecting a control signal in an idle mode.

Negotiation of an optional method of encrypting control signals may also be performed in the mobile station in the idle mode. When the mobile station in the idle mode moves to another base station and when a predetermined location update condition is satisfied, the mobile station can perform location update with the base station. At this time, the mobile station can perform a selective confidentiality protection negotiation for the control signal with the base station.

Referring to FIG. 5, the idle mobile station may transmit a ranging request message including security negotiation parameters supported by the mobile station to the base station (S510).

When the base station receives the ranging request message including the security negotiation parameter, the base station may transmit a ranging response message including security negotiation parameters (Security Negotiation Parameters) supported by the base station to the mobile station (S520).

The security negotiation parameters used in steps S510 and S520 may refer to the descriptions of Tables 6 to 9. Accordingly, the security negotiation parameter of step S510 may include a message confidentiality mode field indicating a confidentiality protection mode of the control signal supported by the mobile station, and the security negotiation parameter of step S520 includes the confidentiality of the control signal supported by the base station. A Message Confidentiality Mode field indicating a protection mode may be included.

After performing the selective confidentiality protection negotiation for the control signal in steps S510 and S520, the base station may transmit an encrypted control message selectively to the mobile station (S530).

The mobile station can know whether the corresponding control signal is encrypted by decoding the header of the control signal received in step S530. For example, the mobile station can confirm whether the control message is encrypted by checking the EC field and / or the EKS field of the control signal header.

The mobile station can also selectively encrypt the control message based on the message confidentiality mode negotiated with the base station. The mobile station can also optionally transmit an encrypted control message to the base station. In this case, the TEK used for selective confidentiality support of the control signal may be a newly generated TEK while the mobile station performs location update to the target base station.

6 is a diagram illustrating a method for selectively negotiating control signal encryption of an idle mode mobile terminal.

Referring to FIG. 6, a mobile station may enter an idle mode when a predetermined condition is satisfied in a connected state with a base station. The idle state may be classified into a paging available mode and a paging unavailable mode. In this case, the paging enabled mode indicates a paging listening interval for the mobile station to receive a paging message from the base station, and the non-paging mode indicates a state in which the mobile station and the base station do not communicate.

The mobile station in the idle mode may negotiate whether to support the selective control signal protection by exchanging a ranging request message and a ranging response message with the base station during location update (see FIG. 5). In addition, as shown in FIG. 6, the idle mode mobile station may negotiate selective protection of a control signal with a base station through a paging message (for example, MOB_PAG-ADV) transmitted periodically or at a predetermined interval in the pageable mode. .

In the case of FIG. 6, however, the mobile station unilaterally receives information on whether to support protection of an encryption control signal that can be encrypted from the base station.

In embodiments of the present invention, if all the control signals are encrypted to provide uniform confidentiality, the overall network load may be very large or the overall efficiency of the system may be reduced. Therefore, in embodiments of the present invention, encryption may be applied only to predetermined control signals.

Among the Medium Access Control (MAC) header fields, information necessary for selective protection of a control signal is an Encryption Control (EC) field. The EC field (and / or encryption key sequence (EKS) field) may specify whether the payload is to be encrypted or not. The type of the flow ID may indicate whether the corresponding message is a transport mode or a management mode. That is, when the flow identifier indicates a management type, when encryption and integrity are simultaneously and simultaneously supported, and when only integrity is supported, values for cases where both encryption and integrity are not supported may be defined and used.

The mobile station can know whether the control signal is encrypted by checking the EC field included in the header of the control signal. In addition, the mobile station can know whether the corresponding control signal is encrypted by the combination of the EC field and the EKS field. In addition, the base station may indicate whether the corresponding control signal is encrypted by a combination of the EC field and the flow identifier. In addition, the base station may indicate whether the corresponding control signal is encrypted as a flow identifier according to the message type.

That is, the mobile station can know whether encryption is supported by checking at least one of the message type of the EC field, the EKS field, and the flow identifier. In step S140 of FIG. 1 and step S530 of FIG. 5, the mobile station may receive an encrypted control signal selectively.

For example, the mobile station can confirm whether the control signal is encrypted by checking the EC field of the MAC header of the control signal. Alternatively, the mobile terminal may check whether the corresponding control signal is encrypted as a combination of the EC field and the EKS field and the degree of encryption.

As another embodiment of the present invention, the mobile station can know whether the corresponding control signal is encrypted using the flow identifier type field included in the MAC header field. In this case, the confidentiality management flow identifier may be defined and used as one of the flow identifiers for the selective encryption of the control signal. That is, when the confidentiality management flow identifier is included in the header of the control signal, the mobile terminal may recognize that the control signal is selectively encrypted.

7 is a diagram illustrating a method for selectively encrypting a control signal during handover.

The message confidential mode negotiation method disclosed in the embodiments of the present invention may be performed even when the mobile station hands over to the target base station. FIG. 7A shows a case where a mobile station starts handover (MS initiate), and FIG. 7B shows a case where a base station starts handover (BS initiate).

Referring to FIG. 7A, the mobile station MS may transmit a handover request message (MSHO-REQ) including security negotiation parameters (see Tables 6 to 9) to a serving base station (SBS). have. In this case, the security negotiation parameter included in the handover request message may include a message confidentiality mode supported by the mobile station (S701).

Upon receiving the MSHO-REQ message, the SBS generates a MAC request message or a handover request primitive (HO-REQ) including security related information at a target base station (TBS) to generate a backbone network or a network control and management system ( NCMS (Network Control and Management System) can be transmitted to the target base station. At this time, the NCMS may be included in each base station and the mobile station or operate externally as an upper entity of each base station and / or the mobile station (S703).

In operation S703, the security related information may include information on security negotiation parameters (see Tables 6 to 9) that can be supported by the mobile station. That is, the negotiated state for the confidentiality protection of the optional control signal or the message confidentiality mode of the mobile station may be transmitted to the target base station via the MAC request message or the HO-REQ primitive.

In addition, the handover request primitive may include a unique identifier (SBS_ID) of the SBS, a mobile station MAC address, a handover type (HO type), and a number of recommended BSs parameter indicating the number of BSs recommended by the mobile station or the SBS. ), A candidate TBS list indicating a list of BSs recommended for TBS, service flow information, and the like may further be included.

Upon receiving the HO-REQ primitive or MAC message, the TBS may generate a MAC response message or a handover response primitive (HO-RSP) including security related information that can be supported by the TBS, and transmit the same to a serving base station through a backbone network or an NCMS. (S705).

In operation S705, the security related information may include information on security negotiation parameters (see Tables 6 to 9) that are supported by the TBS. That is, the negotiated state for the confidentiality protection of the selective control signal of the TBS or the supportable message confidentiality mode of the TBS may be transmitted to the serving base station via a MAC response message or a HO-RSP primitive.

At this time, the handover response primitive is a recommendation that is a mobile station MAC address, a handover type (HO Type), a number of recommended BSs parameter indicating a number of base stations recommended by the mobile station or SBS, and a candidate target BS list. It may further include a Recommended TBS List.

Upon receiving the MAC response message or the HO-RSP primitive from the TBS, the SBS may transmit a handover response message (BSHO-RSP) including security negotiation parameters supported by the TBS to the mobile station (S707).

The mobile station can know about security negotiation parameters that can be supported by the TBS through step S707. Therefore, after the mobile station completes the handover to the TBS area, that is, accesses the TBS, it is possible to reliably transmit and / or receive a control signal selectively encrypted in the TBS (S709).

In step S709, the mobile station can determine whether the corresponding control signal is encrypted by checking the security extension header included in the MAC protocol data unit (PDU) including the control signal in the TBS cell area. In this case, the security extension header may include indication information (eg, an encryption control (EC) field) indicating whether the control signal is selectively encrypted.

Referring to FIG. 7B, when the SBS intends to start handover, it may exchange security related information with the TBS. That is, the SBS may transmit a MAC request message or HO-REQ primitive including security related information currently supported by the SBS to the TBS via the backbone network or NCMS (S702).

Receiving the MAC request message or the HO-REQ primitive, the TBS may transmit a MAC response message or HO-RSP primitive including security-related information supported by the TBS to the SBS (S704).

In operation S704, the security related information may include security negotiation parameters (see Tables 6 to 9) that are supported by the TBS. That is, a negotiation state or message confidentiality mode for confidentiality protection of an optional control signal supported by the TBS may be transmitted to the serving base station through a MAC response message or a HO-RSP primitive.

In this case, the MAC response message or the HO-RSP primitive is a MAC address of the mobile station, a handover type (HO Type), a Number of Recommended BSs parameter indicating the number of base stations recommended by the mobile station or the SBS, and a HO. It may further include a Recommended TBS List, which is a candidate target BS list corresponding to the REQ message.

Upon receiving the MAC response message or the HO-RSP primitive, the SBS may send a handover response message (BSHO-RSP) including the security negotiation parameters supported by the TBS to the mobile station (S706).

The mobile station can know about security negotiation parameters that can be supported by the TBS through step S706. Therefore, after the mobile station completes the handover to the TBS area, that is, accesses the TBS, it is possible to reliably transmit and / or receive a control signal selectively encrypted in the TBS (S708).

In step S708, the mobile station can determine whether the corresponding control signal is encrypted by checking the security extension header included in the MAC protocol data unit (PDU) including the control signal in the TBS cell area. In this case, the security extension header may include indication information (eg, an encryption control (EC) field) indicating whether the control signal is selectively encrypted.

In addition, in step S708 or S709, in addition to the encryption control field, the flow identifier type field may indicate whether a specific control signal is selectively encrypted.

That is, referring to FIG. 7, the mobile station and the target base station may negotiate selective encryption support for the control signal through handover messages. In addition, the message confidential mode-related information for a specific terminal may be delivered from the serving base station to the target base station through the backbone message.

8 is a diagram illustrating one method of selectively encrypting a control signal.

8 assumes a case where AES-CCM is used as an encryption algorithm in a mobile station and a base station. When the AES-CCM is used in the mobile station and the base station, the AES-CCM algorithm itself can provide both the integrity and confidentiality of the management message.

8 illustrates whether selective encryption is applied to a corresponding management message according to a message type of an EC field, an EKS field, or a flow identifier (Flow ID) of a MAC header (or split header extension (FEH)) included in the management messages. Indicates whether or not. For example, when the EC field is '1', it indicates that encryption is performed for confidentiality protection of the corresponding management message and ICV is added for integrity protection.

At this time, the base station and / or the mobile station may first encrypt the payload to protect the confidentiality of the management message and then add the ICV for integrity protection. That is, the base station and / or the mobile station may first perform encryption for confidentiality protection, and then add ICV for integrity protection to the encrypted result.

If the EC field is '0', it indicates that no encryption is applied to the corresponding control signal.

In FIG. 8, a base station and / or a mobile station may indicate a protection level of a control message using a flow identifier type field rather than an EC field. For example, if the type field of the flow identifier is a Confidential Management Flow ID (CMF_ID), the confidentiality and integrity of the message are guaranteed at the same time, but the flow identifier type field is the main flow identifier (PF_ID) or negative. In the case of indicating the flow identifier SF_ID, this may indicate that no protection is performed.

If the type field of the flow identifier is CMF_ID, the base station and / or the mobile station may first perform encryption for confidentiality protection, and then add ICV for integrity protection to the encrypted result.

9 is a diagram illustrating another method of selectively encrypting a control signal.

9 is similar to the case of FIG. 8. However, when selective encryption is applied to the management message, there is a difference from FIG. 5 in the order of encryption for confidentiality protection and ICV addition for integrity protection.

9, when the EC field is '1', the base station and / or the mobile station first adds an ICV to the payload to protect the integrity of the management message, and the management message to protect the confidentiality of the management message. Payload and ICV can be encrypted. That is, the base station and / or the mobile station may first add the ICV to the management message for integrity protection and then encrypt the payload and ICV for confidentiality protection.

As a method of indicating whether the control signal is encrypted in FIGS. 8 and 9, a bit indicating whether to encrypt the control signal is used. That is, the base station may indicate whether the corresponding control signal is encrypted using the EC field included in the MAC header (or the split header).

However, as another aspect of the present invention, the EC field and the EKS field may be used together. In this case, the EC field may indicate whether the corresponding control signal is encrypted, and the EKS field may indicate the encryption level or the encryption order of the control signal. For example, if the EKS field is set to '00', the control signal is not encrypted. If set to '01', '10', or '11', the control signal is encrypted and ICV is added. . In addition, the base station may indicate the order of encryption and ICV addition using the EKS field.

In FIG. 9, the mobile station and the base station may indicate whether the control signal is encrypted using a flow identifier type field in addition to the EC field and / or the EKS field.

For example, if the flow identifier type field indicates CMF_ID, the base station first adds an ICV to the payload of the management message to protect the integrity of the management message, and payload of the management message to protect the confidentiality of the management message. And ICV. That is, the base station may first add the ICV to the management message for integrity protection, and then encrypt the payload and ICV for confidentiality protection.

10 is a diagram illustrating yet another method for selectively encrypting a control signal.

FIG. 10 illustrates a case where an AES-CTR algorithm is used instead of an AES-CCM algorithm. When using the AES-CTR algorithm, the base station may protect the integrity by adding a message authentication code (MAC) to the signal or message.

As described above, when only the message authentication code is included to support only the integrity of the message, only the integrity of the message is required except when AES-CCM / AES-CTR is not used or message integrity and confidentiality are not simultaneously supported. Means.

Referring to FIG. 10, the base station may selectively encrypt management messages to protect confidentiality or protect integrity by adding a message authentication code (MAC). For example, when the EC field of the split extension header (FEH) is '1', the message authentication code is added to the management message to protect the integrity, and the confidentiality can be protected by encrypting the management message.

In this case, the base station may first add a message authentication code to protect the integrity of the management message, and then encrypt the payload and the message authentication code of the management message to protect the confidentiality of the management message. That is, the base station may first add a message authentication code for integrity protection, and then encrypt the payload and MAC of the management message together for confidentiality protection.

If the EC field of the split header header (FEH) is '0', it may indicate that the base station does not encrypt the management message, but protects the integrity by adding a message authentication code. If the control signal is classified as not applied to the selective encryption in Figure 10 may be no protection.

In FIG. 10, a flow identifier type field may be used to indicate whether a control signal is selectively encrypted. In this case, the flow identifier type field may indicate three protection levels.

For example, when the flow identifier type field is CMF_ID, this may indicate that an optional encryption for confidentiality protection and a message authentication code (MAC) for integrity protection are added. In addition, when the flow identifier type field indicates PF_ID or SF_ID, this indicates a case in which only a message authentication code for integrity protection is added to the control signal. In addition, when the flow identifier type field indicates PF_ID or SF_ID, and when no protection is required, this may indicate that no protection is applied to the corresponding control signal.

In other words, the base station can selectively encrypt management messages to protect confidentiality or protect integrity by adding a message authentication code (MAC). For example, if the F_ID type field of the header indicates CMF_ID, the base station first adds a message authentication code to the management message to protect its integrity, and then encrypts the payload and message authentication code of the management message to ensure confidentiality. I can protect it.

If the F_ID type field of the header indicates PF_ID or SF_ID, the base station does not encrypt the management message, but may protect the integrity by adding a message authentication code to the management message. In this case, the specific management message can be exchanged through the main flow or the sub flow with only the message authentication code for integrity protection added. In case of a control signal classified as not to apply selective encryption in FIG. 8, no protection may be performed.

11 is a diagram illustrating yet another method for selectively encrypting a control signal.

FIG. 11 is similar to the case of FIG. 10. However, when selective encryption is applied to the management message, there is a difference from FIG. 10 in the order of addition of encryption for confidentiality protection and message authentication code (MAC) for integrity protection.

Referring to FIG. 11, when the EC field is '1', the base station and / or the mobile station first encrypts the payload of the management message to protect the confidentiality of the management message, and manages to protect the integrity of the management message. A message authentication code (MAC) can be added to the payload of the message. That is, the base station and / or the mobile station may first encrypt the management message for confidentiality protection and then add a message authentication code (MAC) to the encrypted payload for integrity protection.

10 and 11, a method indicating whether a control signal is encrypted or not, wherein the base station and / or the mobile station encrypts the control signal using an EC field included in a medium access control (MAC) header (or a split header). It can indicate whether or not.

However, as another aspect of the present invention, the EC field and the EKS field may be used together. In this case, the EC field may indicate whether the corresponding control signal is encrypted, and the EKS field may indicate the encryption level or the encryption order of the control signal. For example, if the EKS field is set to '00', the control signal is not encrypted and only integrity is protected. If the EKS field is set to one of '01', '10' and '11', the control signal is Indicates that it is encrypted and a message authentication code (MAC) is added. At this time, the base station and / or the mobile station may indicate the order of addition of the encryption and the message authentication code by combining the bits of the EKS field.

In FIG. 11, a flow identifier type field other than an EC field may be used to indicate whether a control signal is selectively encrypted. For example, if the F_ID type field indicates CMF_ID, the base station and / or the mobile station first encrypts the payload of the management message to protect the confidentiality of the management message, and then pays off the management message to protect the integrity of the management message. You can add a message authentication code (MAC) to the. That is, the base station and / or the mobile station may first encrypt the management message for confidentiality protection and then add a message authentication code (MAC) to the encrypted payload for integrity protection.

As described above, when the flow ID type is Transport, the encryption method of FIGS. 8 to 11 is not necessary. That is, only when the flow identifier type is management, selective encryption for control signaling may be applied according to a separate flow identifier for encryption.

In the embodiments of the present invention, the security level for the control signal to which the selective encryption is applied is predetermined according to the type of the management messages, and may vary depending on the time point at which the control signals are used. In the case of providing its own message authentication function such as AES-CCM, since encryption and message authentication are guaranteed at the same time, the addition of CMAC / HMAC is not necessary as described with reference to FIGS. 8 and 9.

However, other commonly used encryption algorithms do not include message authentication. Therefore, as indicated in Figs. 10 and 11, it is preferable that the application of the encryption algorithm and the addition of the CMAC / HMAC be made separately. On the other hand, if no encryption is required for the control message, then only MAC is supported or no protection is supported. The case where no protection is supported for a particular message indicates the case of control signals that do not include CMAC in the commonly used communication technology.

8 to 11 illustrate selective encryption application procedures for control signals according to a predefined protection level proposed by the present invention. In all these procedures, control signals that are protected at the same time with encryption and integrity are preferably mapped to the Primary Security Association. 8 to 11, CMAC and / or HMAC may be used as the message authentication code (MAC), and the EC field may be used as an indicator indicating whether the control signal is selectively encrypted.

<Control signal classification method>

In the embodiments of the present invention, all control signals are not encrypted, and only specific control signals may be encrypted. For example, selective encryption is applied according to individual control signal types in the same flow identifier only when the flow ID type indicates a management message.

In embodiments of the present invention, the control signal to which the selective encryption is applied may be classified according to the type of the control signal or whether the CMAC is included. In addition, selective encryption may be applied depending on when the corresponding control signal is used. That is, selective encryption is not applied to the control signals used in the initial network entry procedure before the authentication procedure.

If it provides its own message authentication function like the AES-CCM algorithm, encryption and message authentication are performed at the same time. Thus, the base station does not need to add the CMAC / HMAC to the specific control signal. However, even when AES-CCM is used, if the confidentiality of the message is not required, only integrity may be provided by addition of CMAC. However, since other encryption algorithms specified in the standards of wireless access systems do not include a message authentication function, it is necessary to apply the encryption algorithm and add the CMAC / HMAC separately.

On the other hand, when the EC field is set to '0' or the EKS field is set to '00', a message authentication code is added to the control signal which does not need encryption to simply protect the integrity (for example, AES -CTR is used) or no protection is supported (for example, when using AES-CCM). At this time, control signals that do not support any protection represent all control signals not including the CMAC.

Table 10 below shows the types of MAC management messages (or MAC control signals) to which the CMAC tuple should be added.

Referring to Table 10, it is possible to know the types of MAC management messages to which the CMAC tuple can be added. That is, in embodiments of the present invention, MAC messages to which selective encryption of a control signal is applied may be identified. Therefore, the base station can selectively encrypt the control signals shown in Table 10.

Table 11 below shows a CMAC Tuple Value Field applied in embodiments of the present invention.

Referring to Tables 10 and 11, the application of the authentication tuple is limited to some management control signals, among which the management control signals protected through the CMAC tuple may also be limited to some MAC messages.

For example, MAC management messages that need to be encrypted and need not be encrypted may be distinguished from MAC management messages whose integrity must be protected through CMAC-based authentication tuples. That is, among the control signals defined in the conventional 16e, control signals without the CMAC Tuple may be basically not encrypted. However, among the control signals attached to the CMAC Tuple, messages related to ranging, handoff, RESET Command, MIH and TFTP may not be encrypted, and Registration, PKM, Basic Capabilities Messages associated with entering the idle mode, creating a dynamic service, handoff request, and scanning request can be encrypted. In embodiments of the present invention, whether or not encryption is applied may vary depending on the type of control signal or the time point at which an individual control signal is used.

Table 12 below shows examples of control signals that are applied and encrypted with HMAC tuples and control signals that do not apply.

Referring to Table 12, a control signal to be encrypted and a control signal not to be encrypted can be checked among MAC management messages whose integrity is protected according to whether the HMAC is included.

Table 13 below shows examples of control signals that are applied and encrypted with CMAC tuples and control signals that do not apply.

Referring to Table 13, it is possible to check a control signal to be encrypted and a control signal not to be encrypted among MAC management messages whose integrity is protected according to whether the CMAC is included.

Table 14 below shows examples of control signals that are encoded by applying the short HMAC tuple and control signals that are not applied.

Referring to Table 14, it is possible to check a control signal to be encrypted and a control signal not to be encrypted among MAC management messages whose integrity is protected according to whether the short HMAC is included.

As described above, in the embodiments of the present invention, only a predetermined control signal (or MAC management message) may be encrypted. That is, classification of control signals to be encrypted is necessary. Accordingly, the base station and the mobile station can classify control signals (or MAC management messages) requiring encryption with reference to Tables 10 to 14. In addition, the security level for the control signal to which the selective encryption is applied may be determined in advance according to the type of the management messages, and may vary depending on when the control signals are used.

<Selective Control Signal Encryption Method Using Split Extension Header>

Hereinafter, as another embodiment of the present invention, a selective control signal encryption method using a split header is described in detail. Another embodiment of the present invention will be described with reference to FIGS. 8 to 11 again.

8 to 11 illustrate selective encryption application procedures for a MAC management message according to a predefined security level proposed by the present invention. In all the procedures performed in the embodiments of the present invention, it is preferable that the management message protected at the same time with encryption and integrity is mapped to a primary SA.

8 is an example of using AES-CCM, and two scenarios are possible. One is when selective encryption is applied to some MAC management messages and the other is when no protection is supported.

In the P802.16m system, an encryption control (EC) field included in a fragmentation extended header may inform whether a management message is encrypted.

In addition, as another aspect of the present invention, when the type field included in the extension header indicates encryption control information, the type field may function as an encryption control extension header type (EC EH Type) field. . The EC EH type field may indicate whether the management message is selectively encrypted.

For example, if the EC field (or EC EH type field) is set, confidentiality and integrity of the management message are guaranteed at the same time. If the EC field (or EC EH Type field) is not set, no protection is provided. Do not. More specifically, it is preferable that encryption for confidentiality protection for the management message is preceded, and ICV for integrity protection is added to the encrypted result.

9 is an example of using AES-CCM, and two scenarios are possible as in FIG. 8. One is when selective encryption is applied to some MAC management messages and the other is when no protection is supported for the management message.

In FIG. 9, when an EC field (or an EC EH type field) included in the FEH is set, the ICV addition for integrity protection for the MAC management message is preceded, and the confidentiality of the payload and ICV of the MAC management message is preceded. Encryption for protection is applied.

10 is an example of not using AES-CCM, and three scenarios are possible. In the first case, selective encryption and message authentication codes are applied to some MAC management messages. In the second case, only message authentication codes are applied to some MAC management messages. The third case is no protection for MAC management messages.

In embodiments of the present invention, when the EC field (or the EC EH type field) is set, confidentiality and integrity are guaranteed at the same time, and when the EC field is not set, only integrity is guaranteed. No protection is provided for MAC management messages that are classified as not being subjected to selective encryption.

More specifically, when selective protection for the management message is made, a MAC for integrity protection is added, and encryption for confidentiality protection is applied to the payload and MAC of the management message.

If the EC field of the FEH is not set, the mobile station and / or the base station hashes the MAC management message to generate a message authentication code, and includes the generated message authentication code in the MAC management message to ensure the integrity of the MAC management message. can do.

In addition, the addition of a MAC for integrity protection for management messages and the application of encryption to the payload of management messages can also be considered. Otherwise, only the MAC for integrity protection is added to the management message and exchanged between the mobile station and the base station.

FIG. 11 is an example of not using AES-CCM. As in FIG. 10, three scenarios are possible. In the first case, selective encryption and message authentication codes are applied to some MAC management messages. In the second case, only message authentication codes are applied to some MAC management messages. The third is when no protection for MAC management messages is supported.

The classification for management messages to which selective encryption is applied may be represented as an EC field of the FEH in an 802.16m system.

If the EC field is set in the MAC management message, confidentiality and integrity are guaranteed at the same time in the MAC management message. If the EC field is not set, only the integrity is protected. No protection is provided for MAC management messages that are classified as not being subjected to selective encryption.

If selective protection for the MAC management message is made (eg EC = 1), then the MAC is added to it after encryption for confidentiality protection is performed on the payload of the management message.

If the EC field is not set (e.g., EC = 0), the mobile station and / or the base station hashes the MAC management message to generate a message authentication code, and includes the generated message authentication code in the MAC management message. The integrity of the MAC management message can be guaranteed.

In addition, the application of encryption to the payload of the management message and the addition of a MAC for integrity protection for the management message can also be considered. Otherwise, only MAC for integrity protection is added to the payload of the management message. If no protection is considered for the management message, neither encryption nor MAC is considered.

As described above, when the flow type is Transport, the procedure described with reference to FIGS. 8 to 11 is not required. That is, only when the flow type is management, selective encryption of the management message included in the MAC PDU is determined according to setting of a separate EC field for encryption control.

The management message to which the selective encryption is applied may vary depending on the type of the message or when the management message is used. In the case of providing its own message authentication function such as AES-CCM, since encryption and message authentication are guaranteed at the same time, the addition of the CMAC is not required as shown in FIGS. 8 and 9. However, since an algorithm other than AES-CCM such as AES-CTR does not include a message authentication function, it is preferable that the application of the encryption algorithm and the addition of the CMAC are performed separately as shown in FIGS. 10 and 11.

On the other hand, when the EC EH Type is not set, only MAC is supported for management messages that do not require encryption and no protection is supported.

For the classification of the management message to which the selective encryption is applied in the embodiments of the present invention, refer to the above-described <control signal classification method>.

FIG. 12 is a diagram illustrating one of formats of an extended header that can be used in embodiments of the present invention.

Referring to FIG. 12, the extension header may include a last field and a type field indicating a type of the corresponding extension header. In this case, the last field indicates whether one or more other extension headers exist in addition to the current extension header.

In addition, when the type field includes encryption control information (ie, EC EH type), the type field may indicate that a corresponding management message is selectively encrypted. Accordingly, the security extension header may indicate whether the corresponding PDU includes a MAC management message encrypted based on the management message type and usage.

In order to transmit encryption control information (EC information) indicating whether the MAC management message is encrypted, an overhead of at least 1 byte is required.

As another embodiment of the present invention, EC information indicating whether the corresponding MAC management message is encrypted may be transmitted through a fragmentation extension header (FEH) in addition to the security extension header.

Table 15 below shows one of the formats of the FEH used when the FEH proposed by the present invention is transmitted with a MAC management message.

Referring to Table 15, the FEH may include one or more of an EH field, an FC field, an EC field, and an SN field. If the FEH is always included in the MAC management message, the FEH may be defined without the LAST field and the EH type field.

In addition, when the fragmentation control (FC) indicates that there is no divided management message, the FEH may be transmitted without a sequence number (SN) field as shown in Table 15. In addition, when the FC field indicates that there is a fragment management message, the FEH may additionally include 1 byte together with the SN field and may be transmitted.

Table 16 below shows the FEH field included in the FEH of Table 15.

Referring to Table 16, the EH field indicates whether an extension header is present, the EC field indicates whether encryption control (EC) is applied, the SN field indicates a number of MAC management division sequence, and the FC field indicates a division control bit. Indicates.

Table 17 below shows another one of the formats of the FEH used when the FEH is transmitted with the MAC management message.

Referring to Table 17, the FEH may include one or more of an EH field, a FI field, an EC field, an SN field, and an FC field. In Table 17, the FEH may additionally transmit the SN field and the FC field to the FEH by using an indicator (FI field) having a size of 1 bit in the SN field and the FC field. That is, when the split indication (FI) field is set to '1', the SN field and the FC field are included in the FEH. When the split indication (FI) field is set to '0', the SN field and the FC field are not included in the FEH.

Table 18 below shows FEH fields used in Table 17.

In the above Tables 15 to 18, the EH field may be omitted.

Tables 19 and 20 below show the formats of FEH that can be used in embodiments of the present invention.

The FEH of Table 19 and Table 20 may be used even when the FEH is not transmitted with the MAC management message. If the MAC management message does not require the FEH, the FEH needs a LAST field and a type field. In addition, in the embodiments of the present invention, when FEH is transmitted to indicate only EC, only one byte of FEH needs to be transmitted. However, when all the split information is transmitted through the FEH, it may indicate whether the SN or the SN / FC field is additionally included in the FEH using the FC field or the FI field as shown in Table 19 or Table 20, respectively.

If the FEH is not transmitted, it means that encryption is disabled and no fragmentation of the MAC message occurs. However, FEH is encrypted even if no splitting occurs (ie EC field is set to '1' and 1 byte FEH is transmitted) or only splitting occurs (ie EC field is set to '0'). And 2 bytes FEH is transmitted).

FIG. 13 is a diagram illustrating one of formats of a fragmentation extended header that can be used in embodiments of the present invention.

FIG. 13A illustrates FEH when the FI field of Table 19 is set to '1'. In this case, the FEH may have a size of 2 bytes and may include a LAST field, a type field, a FI field, an EC field, an SN field, and an FC field.

FIG. 13B shows the FEH when the FI field of Table 19 is set to '0'. In this case, the FEH may have a size of 1 byte and may include a LAST field, a type field, a FI field, and an EC field.

FIG. 14 is a diagram illustrating another one of formats of a fragmentation extended header that can be used in embodiments of the present invention. FIG.

Referring to FIG. 14A, the FEH may include an EC field, a sequence number indicator (SNI) field, a polling field, an FC field, and an SN field as two bytes. 14 (a) shows the FEH field when the SNI field is set to '1'. Referring to FIG. 14B, the FEH may include an EC field and an SNI field as a size of 1 byte. 14 (b) shows the FEH when the SNI field is set to '0'.

Table 21 below shows another example of the FEH format of FIG. 14.

Referring to Table 21, the FEH may include at least one of an EC field, a sequence number indicator (SNI) field, a polling field, an FC field, and an SN field. At this time, the EC field indicates whether the corresponding MAC management message is selectively encrypted, and the SNI field indicates whether the FC field and the SN field are included in the FEH. In addition, the polling field indicates whether acknowledgment for the MAC message is required.

FIG. 15 is a diagram illustrating another one of formats of a fragmentation extended header that can be used in embodiments of the present invention.

Table 22 below shows an example of the FC field used in FIG. 15.

Referring to Table 22, when the FC field has a size of 2 bits and is set to '00' or '01', the first byte included in the MPDU is the first byte of the MAC SDU, and the last byte of the MPDU is the MAC. Indicates the last byte of the SDU. In addition, when the FC field is set to '10' or '11', it indicates that the first byte included in the MPDU is not the first byte of the MAC SDU, and the last byte of the MPDU is not the last byte of the MAC SDU. . Refer to Table 21 when each bit of the FC field is used.

In FIG. 15A, the FC field is set to '01', '10' or '11'. In this case, the FEH has a size of 2 bytes and includes a Last field, a Type field, an FC field, and an EC field. In FIG. 15B, when the FC field is set to '00', the FEH has a size of 1 byte and may include only a Last field, a Type field, an FC field, and an EC field.

FIG. 16 illustrates a mobile station and a base station in which the embodiments of the present invention described with reference to FIGS. 1 to 15 may be performed.

The mobile terminal may operate as a transmitter in uplink and as a receiver in downlink. In addition, the base station may operate as a receiver in the uplink, and may operate as a transmitter in the downlink.

That is, the mobile terminal and the base station may include a transmission module (Tx module: 1640, 1650) and a receiving module (Rx module: 1650, 1670), respectively, to control transmission and reception of information, data, and / or messages. Antennas 1600 and 1610 for transmitting and receiving information, data, and / or messages. In addition, the mobile station and the base station may each include a processor 1620 and 1630 for performing the above-described embodiments of the present invention, and memories 1680 and 1690 capable of temporarily or continuously storing the processing of the processor. Can be.

In particular, the processors 1620 and 1630 may include an encryption module (or means) for performing the encryption process of the MAC management message disclosed in embodiments of the present invention and / or a decryption module (or, for interpreting the encrypted message). Means) may be further included. In addition, the mobile terminal and the base station of FIG. 16 may further include a low power radio frequency (RF) / intermediate frequency (IF) module.

The transmission module and the reception module included in the mobile station and the base station include a packet modulation and demodulation function, a high speed packet channel coding function, an orthogonal frequency division multiple access (OFDMA) packet scheduling, and a time division duplex (TDD) for data transmission. Division Duplex) may perform packet scheduling and / or channel multiplexing.

In addition, the processor included in the mobile station and the base station may include an encryption control function for controlling encryption of management messages (control signals, etc.), a handover function, an authentication and encryption function, a MAC according to service characteristics, and a propagation environment. Medium Access Control) frame variable control, high-speed traffic real-time control and / or real-time modem control.

The apparatus described with reference to FIG. 16 is a means by which the methods described with reference to FIGS. 2 to 15 may be implemented. Embodiments of the present invention can be performed using the components and functions of the above-described mobile terminal and base station apparatus.

The processor 1620 included in the mobile terminal includes an encryption module for controlling encryption of a management message. The mobile terminal can perform an encryption operation using an encryption module.

The mobile terminal can negotiate the security level with the base station through a basic performance negotiation process (SBC-REQ / RSP message transmission and reception). If the mobile station and the base station support selective encryption of the management message, the processor of the mobile terminal may control the selective encryption operation of the control signal described with reference to FIGS. 2 to 15.

If AES-CCM mode is applied for selective encryption, the ICV portion of the encrypted MAC PDU is used for integrity protection of the payload of the management message. That is, the processor of the mobile station and / or the base station may encrypt the MAC management message and selectively encrypt the MAC management message by adding an integrity check value (ICV) to the encrypted management message.

If AES-CCM mode is not applied to selective encryption, the CMAC tuple is included as the last attribute of the MAC management message. At this time, the CMAC may protect the integrity of the entire MAC management message. Accordingly, the processor of the mobile station and / or the base station may hash the MAC management message to generate a message authentication code (eg CMAC), and add the generated message authentication code to the MAC management message to protect the integrity of the MAC management message. .

In addition, the receiving module 1660 of the mobile terminal receives the selectively encrypted MAC management messages transmitted from the base station to the processor 1620, the processor decodes the extended header included in the MAC PDU to selectively It can be checked whether an encrypted MAC management message is included. If the PDU optionally includes an encrypted MAC management message, the processor of the mobile terminal may decode the MAC management message using an encryption and / or decryption module.

The receiving module 1670 of the base station may transmit the encrypted MAC management message received through the antenna 1650 to the processor 1690. In addition, the transmission module of the base station may selectively transmit the encrypted MAC management message to the mobile terminal through the antenna.

The processor of the base station may determine whether the MAC management message optionally encrypted is included in the MAC PDU by decoding the split extension header (see FIG. 13) and the EC field included in the split extension header. The processor of the base station may selectively decode the encrypted MAC management message, thereby performing an operation in which the corresponding MAC management message is used.

On the other hand, in the present invention, the mobile terminal is a personal digital assistant (PDA), a cellular phone, a personal communication service (PCS) phone, a GSM (Global System for Mobile) phone, a WCDMA (Wideband CDMA) phone, A mobile broadband band system (MBS) phone, a hand-held PC, a notebook PC, a smart phone, or a multi-mode multi-band (MM-MB) terminal may be used.

Here, a smart phone is a terminal that combines the advantages of a mobile communication terminal and a personal portable terminal, and may mean a terminal incorporating data communication functions such as schedule management, fax transmission and reception, which are functions of a personal mobile terminal, in a mobile communication terminal. have. In addition, a multimode multiband terminal can be equipped with a multi-modem chip to operate in both portable Internet systems and other mobile communication systems (e.g., code division multiple access (CDMA) 2000 systems, wideband CDMA (WCDMA) systems, etc.). Speak the terminal.

Embodiments of the invention may be implemented through various means. For example, embodiments of the present invention may be implemented by hardware, firmware, software, or a combination thereof.

In the case of a hardware implementation, the method according to embodiments of the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs). Field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and the like.

In the case of an implementation by firmware or software, the method according to the embodiments of the present invention may be implemented in the form of a module, a procedure, or a function that performs the functions or operations described above. For example, software code may be stored in the memory units 1680 and 1690 and driven by the processors 1620 and 1630. The memory unit may be located inside or outside the processor, and may exchange data with the processor by various known means.

The invention can be embodied in other specific forms without departing from the spirit and essential features of the invention. Accordingly, the above detailed description should not be construed as limiting in all aspects and should be considered as illustrative. The scope of the invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the invention are included in the scope of the invention. In addition, the claims may be combined to form an embodiment by combining claims that do not have an explicit citation relationship or may be incorporated as new claims by post-application correction.

Embodiments of the present invention can be applied to various wireless access systems. Examples of various radio access systems include 3rd Generation Partnership Project (3GPP), 3GPP2 and / or IEEE 802.xx (Institute of Electrical and Electronic Engineers 802) systems. Embodiments of the present invention can be applied not only to the various radio access systems, but also to all technical fields to which the various radio access systems are applied.

1 is a diagram illustrating a negotiation process for selectively protecting a control signal.

2 is a diagram illustrating an optional encryption procedure of a control signal.

3 is a diagram illustrating an encryption method of a MAC management message.

4 is a state diagram illustrating a method for selectively negotiating control signal encryption of a mobile station in an initial state or an idle mode state.

5 is a diagram illustrating a negotiation process for selectively protecting a control signal in an idle mode.

6 is a diagram illustrating a method for selectively negotiating control signal encryption of an idle mode mobile terminal.

7 is a diagram illustrating a method for selectively encrypting a control signal during handover.

8 is a diagram illustrating one method of selectively encrypting a control signal.

9 is a diagram illustrating another method of selectively encrypting a control signal.

10 is a diagram illustrating yet another method for selectively encrypting a control signal.

11 is a diagram illustrating yet another method for selectively encrypting a control signal.

FIG. 12 is a diagram illustrating one of formats of an extended header that can be used in embodiments of the present invention.

FIG. 13 is a diagram illustrating one of formats of a fragmentation extended header that can be used in embodiments of the present invention.

FIG. 14 is a diagram illustrating another one of formats of a fragmentation extended header that can be used in embodiments of the present invention. FIG.

FIG. 15 is a diagram illustrating another one of formats of a fragmentation extended header that can be used in embodiments of the present invention.

FIG. 16 illustrates a mobile station and a base station in which the embodiments of the present invention described with reference to FIGS. 1 to 15 may be performed.

Claims (21)

In a method for selectively encrypting management messages, Generating a protocol data unit (PDU) that optionally includes the encrypted management message and split header (FEH); And Transmitting the MAC PDU to the base station; And the split extension header (FEH) includes indication information indicating whether the management message is encrypted. The method of claim 1, The mobile station negotiating a security level with the base station; And Selectively encrypting the management message based on the negotiated security level. The method of claim 2, Negotiating the security level, Transmitting a first message to the base station, the first message including a first security negotiation parameter supported by the mobile station; And Receiving a second message comprising a second security negotiation parameter supported by the base station. The method of claim 3, wherein The first message is one of a subscriber station basic capability negotiation request (SBC-REQ) message, a ranging request (RNG-REQ) message, and a handover message. And wherein the second message is one of a subscriber station basic capability negotiation response (SBC-RSP) message, a ranging response message, and a handover response message. The method of claim 3, wherein The first security negotiation parameter includes a first message confidentiality mode field supported by the mobile station, And wherein the second security negotiation parameter includes a second message confidentiality mode field supported by the mobile station and the base station. The method of claim 1, Further comprising the step of performing the authorization procedure with the base station, The MAC PDU including the selectively encrypted management message and the split header is transmitted after the authorization procedure is performed. The method of claim 2, Selectively encrypting the management message, Encrypting the management message; And Adding an integrity check value (ICV) to the encrypted management message. The method of claim 2, Selectively encrypting the management message, Generating a message authentication code (MAC) by hashing the management message; And Attaching the message authentication code to the management message. The method of claim 1, The instruction information is, And an encryption control (EC) field indicating whether the management message is encrypted. In a method for selectively encrypting management messages, The base station negotiating a security level with the mobile station; Selectively encrypting a management message based on the negotiated security level; And Sending a Media Access Control Protocol Data Unit (MAC PDU) including the management message and a split header extension (FEH) selectively encrypted to the mobile station; And the split extension header (FEH) includes indication information indicating whether the management message is encrypted. The method of claim 10, Negotiating the security level, Receiving the first message including a first security negotiation parameter supported by the mobile station; And And transmitting to the mobile station a second message comprising a second security negotiation parameter supported by the base station. The method of claim 11, The first message is one of a subscriber station basic capability negotiation request (SBC-REQ) message, a ranging request message, and a handover request message. And wherein the second message is one of a subscriber station basic capability negotiation response (SBC-RSP) message, a ranging response message, and a handover response message. The method of claim 11, The first security negotiation parameter includes a first message confidentiality mode field supported by the mobile station, And wherein the second security negotiation parameter includes a second message confidentiality mode field supported by the mobile station and the base station. The method of claim 10, The base station performing an authorization procedure with the mobile station, And wherein said selectively encrypted management message is transmitted after said authorization procedure is performed. The method of claim 10, Selectively encrypting the management message, Encrypting the management message; And Adding an integrity check value (ICV) to the encrypted management message. The method of claim 10, Selectively encrypting the management message, Generating a message authentication code (MAC) by hashing the management message; And Attaching the message authentication code to the management message. The method of claim 10, The instruction information is, And an encryption control (EC) field indicating whether the management message is encrypted. In the mobile terminal for selectively transmitting and receiving an encrypted medium access control (MAC) management message, the mobile terminal comprises: A transmission module for transmitting the first MAC data, wherein the first MAC message includes an encrypted first management message and a first split header; A receiving module for receiving second MAC data, wherein the second MAC message includes an encrypted second management message and a second split header; And And a processor that encrypts the first management message and decrypts the second management message. And the first split header extension (EH) and the second split header header include indication information indicating whether the first management message and the second management message are encrypted. The method of claim 18, The processor, An encryption module for selectively encrypting the first management message; And And a decryption module for decrypting the second management message. The method of claim 18, The processor is And first encrypting the first management message and adding an integrity check value (ICV) to the encrypted first management message. The method of claim 18, The processor, And generating a message authentication code (MAC) by hashing the first management message, and attaching the message authentication code (MAC) to the first management message.

Images