KR20100032277A - Method of selective encrypting control signal using control field - Google Patents

Abstract

PURPOSE: A selective control signal encrypting method is provided to reduce an excessive load applied to the total network by encoding only the selected control signal. CONSTITUTION: A mobile station transmits a SBCREQ(Subscribe Station Basic Capability request) message in order to negotiate a basic capability to a base station(S110). The base station negotiates a message confidentiality mode(S120). The mobile station and the base station executes an authorization process(S130). The base station selectively encodes a control message based on the message confidentiality mode negotiated with the mobile station. The base station transmits the selectively encrypted control message to the mobile station(S140).

Description

Selective encrypting control signal using control field

The present invention relates to a method for encrypting signals used in a wireless access system.

Hereinafter, the security sublayer used in the broadband wireless access system will be briefly described.

A security service is one that provides confidentiality (Security) and integrity for network data. Integrity means that in data and network security, certain information can only be accessed or changed by authorized persons. In other words, integrity is to ensure that messages are not tampered with by third parties or the like. Confidentiality is the disclosure of certain information only to authorized persons. In other words, confidentiality is to completely protect the content of the transmitted data to prevent unauthorized access to the content.

The security sublayer provides security, authentication, and confidentiality in broadband wireless networks. The security sublayer may apply an encryption function to a medium access control protocol data unit (MAC PDU) transferred between the mobile station and the base station. Thus, the base station and the mobile station can provide a robust defense against theft attacks of illegal users.

The base station encrypts the service flow throughout the network to prevent unauthorized access to the data transfer service. The security sublayer controls the base station to distribute information associated with the key to the mobile station using a key management protocol of an authenticated client / server architecture. At this time, the digital certificate-based mobile station device authentication may be added to the key management protocol to further strengthen the function of the basic security mechanism.

During the basic function negotiation between the base station and the mobile station, authentication and key exchange procedures are omitted unless the mobile station provides a security function. Further, even when a specific mobile station is registered as a mobile station that does not support the authentication function, the base station can consider that the authority of the mobile station has been verified. If a particular mobile station does not support a security function, no key exchange or data encryption function is performed since no service is provided to that mobile station.

The security sublayer consists of an encapsulation protocol and a Privacy Key Management (PKM) protocol. The encapsulation protocol is a protocol for the security of packet data in a broadband wireless network. The encapsulation protocol provides a method for applying such an algorithm to a set representing a cryptographic suite such as data encryption and data authentication algorithms and a MAC PDU payload. The PKM protocol is a protocol that provides a method for securely distributing key related data from a base station to a mobile station. The base station and the mobile station can provide a method for securely distributing key related data using the PKM protocol. Using the key management protocol, key-related data can be shared between the mobile station and the base station, and the base station can control network access.

It is an object of the present invention to provide a method for selectively protecting control signals exchanged between a mobile station and a base station.

Another object of the present invention is to provide a method for selectively protecting a control signal using an encryption control field (EC, EKS, etc.) defined in a header.

Another object of the present invention is to provide a method for selectively protecting a control signal using an encryption control field and / or a flow identifier.

It is still another object of the present invention to provide a method for selectively protecting a management message by using an encryption control field defined in a header included in the management message as one of the control signals.

In order to solve the above technical problem, the present invention discloses various methods of encrypting signals used in a wireless access system.

According to an aspect of the present invention, a method for selectively encrypting a control signal includes transmitting a first message including a first security negotiation parameter supported by a mobile station to a base station, and a second security negotiation parameter supported by the base station. Receiving a second message and receiving a control signal selectively encrypted according to the second security negotiation parameter from the base station. In this case, the header of the control signal may include indication information indicating whether the control signal is encrypted.

In one aspect of the present invention, the indication information may include an encryption control (EC) field indicating whether the control signal is encrypted. In addition, the indication information may further include an encryption key sequence (EKS) indicating an encryption degree of the control signal or an order of confidentiality protection and integrity protection of the control signal.

In one aspect of the present invention, the first security negotiation parameter includes a first control message confidentiality mode field that can be supported by a mobile station, and the second security negotiation parameter includes a second control message confidentiality mode field that can be supported by a mobile station and a base station. can do.

One aspect of the present invention may further comprise the step of the mobile station performing an authorization procedure with the base station. In this case, the selectively encrypted control signal may be transmitted after the authorization procedure is performed. In this case, it is preferable that the selectively encrypted control signal is a control signal whose integrity is protected by using at least one of Integrity Check Value (ICV), Cipher MAC (CMAC), and Hashed MAC (HMAC).

In another aspect of the present invention, a method for selectively encrypting a control signal includes receiving a first message from a mobile station that includes a first security negotiation parameter supported by the mobile station and a second security negotiation parameter to the mobile station; Transmitting a message, selectively encrypting the control signal according to the second security negotiation parameter, and transmitting the selectively encrypted control signal to the mobile station. In this case, the header of the control signal may include indication information indicating whether the control signal is encrypted.

In another aspect of the present invention, the indication information may include an encryption control (EC) field indicating whether the control signal is encrypted. In this case, the indication information may further include an encryption key sequence (EKS) indicating an encryption degree of the control signal or an order of confidentiality protection and integrity protection of the control signal.

In another aspect of the present invention, the first security negotiation parameter includes a first control message confidentiality mode field supported by the mobile station, and the second security negotiation parameter includes a second control message confidentiality mode field supported by the mobile station and the base station. can do.

Another aspect of the present invention may further include performing an authorization procedure with a base station. In this case, the selectively encrypted control signal may be transmitted after the authorization procedure is performed. Optionally, the encrypted control signal is preferably a control signal whose integrity is protected using at least one of ICV, CMAC and HMAC. In addition, the selectively encrypted control signal may be encrypted using the AES-CCM algorithm or the AES-CTR algorithm.

According to the embodiments of the present invention, the following effects are obtained.

First, by using an encrypted control signal selectively, the confidentiality of the control signal can be protected.

Second, by encrypting only selected control signals, not all control signals, it is possible to reduce excessive load on the entire network than when encrypting all control signals.

Third, the control signals are transparently transmitted according to the selective control signal encryption to prevent security vulnerabilities in which the concealment is compromised. Also, optionally encrypted control signals can be transmitted securely.

Fourth, by selectively encrypting the control signal, it is possible to block security threats that the control signal is exposed to malicious third parties.

The present invention relates to a wireless access system. In particular, embodiments of the present invention disclose various methods of encrypting signals used in a wireless access system.

The following embodiments are a combination of elements and features of the present invention in a predetermined form. Each component or feature may be considered to be optional unless otherwise stated. Each component or feature may be implemented in a form that is not combined with other components or features. In addition, some of the elements and / or features may be combined to form an embodiment of the present invention. The order of the operations described in the embodiments of the present invention may be changed. Some configurations or features of certain embodiments may be included in other embodiments, or may be replaced with corresponding configurations or features of other embodiments.

In the description of the drawings, procedures or steps which may obscure the gist of the present invention are not described, and procedures or steps that can be understood by those skilled in the art are not described.

In the present specification, embodiments of the present invention have been described based on data transmission / reception relations between a base station and a mobile station. Here, the base station is meant as a terminal node of a network that directly communicates with a mobile station. The specific operation described as performed by the base station in this document may be performed by an upper node of the base station in some cases.

That is, various operations performed for communication with a mobile station in a network consisting of a plurality of network nodes including a base station may be performed by the base station or network nodes other than the base station. In this case, the 'base station' may be replaced by terms such as a fixed station, a Node B, an eNode B (eNB), and an access point. In addition, the term 'mobile station' may be replaced with terms such as a user equipment (UE), a subscriber station (SS), a mobile subscriber station (MSS), a mobile terminal, or a terminal. .

In addition, the transmitting end refers to a node transmitting data or voice service, and the receiving end refers to a node receiving data or voice service. Therefore, in uplink, a mobile station may be a transmitting end and a base station may be a receiving end. Similarly, in downlink, a mobile station may be a receiving end and a base station may be a transmitting end.

Meanwhile, the mobile mobile station of the present invention may be a PDA (Personal Digital Assistant), a cellular phone, a PCS (Personal Communication Service) phone, a GSM (Global System for Mobile) phone, a WCDMA (Wideband CDMA) phone, a MBS (Mobile Broadband System) phone And the like can be used.

Embodiments of the invention may be implemented through various means. For example, embodiments of the present invention may be implemented by hardware, firmware, software, or a combination thereof.

In the case of a hardware implementation, the method according to embodiments of the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs). Field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and the like.

In the case of an implementation by firmware or software, the method according to the embodiments of the present invention may be implemented in the form of a module, a procedure, or a function that performs the functions or operations described above. The software code may be stored in a memory unit and driven by a processor. The memory unit may be located inside or outside the processor, and may exchange data with the processor by various known means.

Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802 system, 3GPP system, 3GPP LTE system and 3GPP2 system. That is, steps or parts which are not described to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the above documents. In addition, all terms disclosed in the present document can be described by the above standard document. In particular, embodiments of the present invention may be supported by one or more of the standard documents P802.16-2004, P802.16e-2005, and P802.16Rev2 documents of the IEEE 802.16 system.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. In addition, specific terms used in the embodiments of the present invention are provided to help the understanding of the present invention, and the use of the specific terms may be changed into other forms without departing from the technical spirit of the present invention. .

For example, the control signal used in the embodiments of the present invention may be used in terms of a control message, a management message, a MAC control message or a MAC management message.

In an IEEE 802.16e system, a mobile station and a base station generate a cipher based message authentication code (CMAC) key and a hashed message authentication code (HMAC) key for protection of a control signal through an authorization key shared with each other. The mobile station and the base station can generate a message authentication code (MAC) using the CMAC key and the HMAC key. In addition, the mobile station and the base station can exchange the message authentication code (MAC) in addition to the control signal, thereby ensuring the integrity of the control signal. On the other hand, when the base station and the mobile station uses the AES-CCM, the mobile station and the base station can ensure the integrity of the control signal by adding and replacing the integrity check value (ICV) to the control signal.

Even if the mobile station and the base station protect the integrity of the message by using the CMAC key and the HMAC key, the message authentication code provides a determination as to whether the message is forged, but not the confidentiality of the message. Therefore, the CMAC / HMAC key does not provide a covert function for the message.

In addition, the IEEE 802.16e system provides a concealment function for a general message, but does not provide a concealment function for a control signal. That is, because only CMAC / HMAC is added to the control signal and transmitted, it can be a security threat, and system protection against malicious attackers can also be vulnerable.

However, providing uniform confidentiality for all control signals can increase the load on the network and reduce the overall efficiency of the system. Among the currently used Medium Access Control (MAC) header fields, information necessary for selective protection of a control signal includes an Encryption Control (EC) field and / or an EKS (Encyption Key Sequence) field.

Hereinafter, the embodiments of the present invention will be described in detail with respect to methods for providing the confidentiality of the control signal using only the EC field and methods for providing the confidentiality of the control signal using the EC field and the EKS field.

When only the EC field having a predetermined bit is used by the base station and the mobile station, the base station may use both the EC field only to indicate whether confidentiality is provided and whether it is selectively encrypted. For example, when the EC field has a size of 1 bit, when the EC field is '0', this indicates that the corresponding control signal is not encrypted. In addition, when the EC field is '1', the control signal may be selectively encrypted and may provide confidentiality.

In addition, when the EC field and the EKS field are used, the EC field may indicate whether the payload of the control signal is encrypted. In this case, the EKS field may indicate an encryption level of the corresponding control signal as a key sequence.

As another aspect of the present invention, it is possible to provide confidentiality of a control signal using only a flow ID. For example, when the flow identifier indicates a transport type, the control signal (or management message) is not encrypted. However, when the flow identifier indicates a management type, it may indicate that a corresponding control signal (or a management message) is encrypted.

The EC field and / or the EKS field may be changed to another field performing the same function. That is, the EC field and / or the EKS field may be used or modified in an equal sense with all fields indicating whether the control signal is encrypted. In addition, the EC field and / or the EKS field may be included in a general MAC header and may be included in a header of another control signal (or control message).

In embodiments of the present invention, the flow identifier and the encryption control fields may be used in combination. For example, the combination of the flow identifier and the EC field or the combination of the flow identifier and the EKS field may indicate whether the control signal is selectively encrypted. For example, in the case of a transport flow ID, a security association (SA) is mapped to the flow identifier so that the security association is applied to all data of the corresponding flow identifier.

However, in the case of a management flow ID, encryption is selectively applied according to the EC field and / or the EKS field, not all control signals of the flow identifier to which the corresponding SA corresponds. That is, the mobile station can know whether the corresponding management message is encrypted by checking the header information according to the types of the management messages.

Embodiments of the present invention may be used to selectively encrypt a control signal between a base station and a mobile station after the authorization procedure between the base station and the mobile station is completed. In other words, the selective encryption of the control signal is effective after the authorization procedure is completed. At this time, the base station and the mobile station may encrypt the control signal using an encryption key (for example, TEK) negotiated with each other to protect the control signal.

In addition, the base station and the mobile station can further ensure message integrity by adding a message authentication code to the control signal. However, when AES-CCM (Advanced Encryption Standard-Counter mode encryption mode with Cipher block chaninng message authentication code) is applied to the embodiments of the present invention, AES-CCM is provided with message integrity protection by itself so that separate message authentication is performed. You do not need to include any code.

Among the encryption algorithms adopted by the IEEE 802.16e standard, which is a wireless access technology, AES-CCM basically includes its own message authentication function. However, AES-CCM is not a common denominator for the entire encryption algorithm. In the IEEE 802.16m system currently under development, it is desirable to support a function for ensuring confidentiality so that the mobile station and the base station can safely exchange control signals after the authorization procedure.

That is, there is a need for a solution that can prevent exposure of control signals transmitted and received between a mobile station and a base station without incurring a large load on the network. Accordingly, embodiments of the present invention provide confidentiality of a control signal by exchanging and then encrypting a control signal using an encryption key (for example, a Traffic Encryption Key (TEK)) negotiated between a mobile station and a base station. Various methods are disclosed to prevent this from being tampered with.

In the embodiments of the present invention, a type field and an attribute field for an additional key parameter need not be newly defined to a PKM attribute type parameter defined in the IEEE 802.16e standard. In addition, the encryption algorithm used to protect the control signal is also based on the assumption that the data encryption algorithms defined in the IEEE 802.16e standard.

That is, the CBC-IV attribute field is required when the control signal encryption algorithm identifier of 'SA Ciphersuite' is 0x01 (eg, DES in CBC mode). Further, CBC-IV is not necessary when the control signal encryption algorithm identifier of SA encryption is 0x02 (for example, AES), but is required when 0x03 (for example, AES in CBC mode).

Table 1 below shows a cryptographic suite used in embodiments of the present invention.

Type Length Value 20 3 A 24-bits integer identifying the cryptographic suite properties. The most significant byte, as defined in table 590, indicates the encryption algorithm and key length. The middle byte, as defined in Table 591 indicates the data authentication Algorithm. The least significant byte, as defined in Table 592, indicates the TEK Encryption Algorithm.

Referring to Table 1, the TEK encryption suite has a size of 24 bits, and the most significant byte represents an encryption algorithm and a key length. The middle byte of the TEK notation suite represents the data authentication algorithm, and the least significant byte represents the TEK authentication algorithm.

Table 2 below shows the allowed cryptographic suites used in the present invention.

Value Description 0x000000 0x010001 0x000002 0x010002 0x020003 0x020103 0x020104 0x030003 0x800003 0x800004 All remaining values No data encryption, no data authentication, no key encryption CBC Mode 56bits DES, no data authentication and 3-DES, 128 No data encryption, no data authentication and RSA, 1024 CBC mode 56bits DES, no data authentication and RSA, 1024 CCM mode AES, no data authentication and AES, 128 CCM mode 128 bit AES, CCM mode, 128 bit, ECB Mode AES with 128 bit key CCM mode 128 bit AES, CCM mode, AES key Wrap wiht 128 bit key CBC mode 128 bits AES, no data authentication, AES ECB mode with 128 bit key MBS CTR mode 128 bits AES, no data authentication, AES ECB mode with 128 bit key MBS CTR mode 128 bits AES, no data authentication, AES key Wrap wiht 128 bit key reserved

Table 1 shows 'Cryptographic Suites' of IEEE 802.16 including TEK-related contents, and Table 2 shows allowed Cryptographic Suites.

Hereinafter, in embodiments of the present invention, a control signal encryption algorithm identifier for encrypting a control signal, a control signal authentication algorithm identifier used for authenticating the control signal, and a TEK encryption algorithm identifier will be described.

Table 3 below shows an example of a control signal encryption algorithm identifier format used in embodiments of the present invention.

Value Description 0 1 2 3 4-127 128 129-255 No control signaling protection CBC mode, 56-bit DES CCM mode, 128 bit AES CBC mode, 128 bit AES reserved CTR mode, 128 bit AES for MBS with 8 bit ROC Reserved

Referring to Table 3, if the encryption algorithm identifier of the control signal is '0', it indicates that no control signal is protected. If '1', it indicates 56-bit Cipher Block Chaining (CBC) mode. CCC (CTR mode with CBC-MAC) mode, and '3' indicates the 128-bit CBC mode. If the encryption algorithm identifier is '4' to '127', it is a reserved value, and if it is '128', it indicates a counter mode encryption (CTR) mode.

Table 4 below shows an example of a control signal authentication algorithm identifier format used in embodiments of the present invention.

Value Description 0 1 2-255 No control signaling authentication CBC mode, 128 bit AES Reserved

Referring to Table 4, if the control signal authentication algorithm identifier indicates '0', it does not support authentication for any control signal. If '1' indicates 128 bits of CBC mode, the remaining bits are used as reserved values. Can be.

Table 5 below shows an example of a TEK Encryption Algorithm Identifier format used in embodiments of the present invention.

Value Description 0 1 2 3 4 5-255 Reserved 3-DES EDE with 128 bit key RSA with 1024-bit key ECB mode AES with 128 bits AES key wrap with 128 bit key reserved

Referring to Table 5, '0' and '5-255' of the TEK authentication algorithm identifier values represent reserved values, and '1' represents a 128-bit 3-Data Encryption Standard Encrypt-Decrypt-Encrypt (EDE). '2' represents an RSA of 1024 bits, '3' represents an AES mode ECB (Electronic Code Book) of 128 bits, and '4' represents an AES key wrap of 128 bits.

< Optional Control Signal Encryption Support Negotiation Method>

Hereinafter, negotiation methods for selectively encrypting a control signal in a mobile station and a base station will be described.

1 is a view showing one of the selective control signal encryption method as an embodiment of the present invention.

A mobile station (MS) may transmit a subscribe station basic capability request (SBC-REQ) message to negotiate basic capabilities to a base station (BS) in an initial procedure (S110).

In step S110, the SBC-REQ message may include a security negotiation parameter (Security Negotiation Parameter). In this case, the security negotiation parameter may include a message confidentiality mode field that specifies a confidentiality protection mode of a control signal supported by the mobile station.

Hereinafter, security negotiation parameters used in embodiments of the present invention will be described. Table 6 below shows an example of security negotiation parameters.

Type Length Value Scope 25 variable The compound field contains the sub-attributes as defined in the table below SBC-REQ, SBC-RSP

The security negotiation parameter may include an appendage field as a compound field. Table 7 below shows sub-attributes of security negotiation parameters.

Attribute Contents PKM Version Support Version of privacy Sub-layer supported Authorization Policy Support Authorization Policy to Support Message Authentication Code Mode Message Authentication Code to support Message Confidentiality Mode Message Confidentiality to support PN Window Size Size of capability of the receiver PN window per SAID PKM Flow Control Maximum number of concurrent PKM transaction Maximum Number of Supported Security Association Maximum number of supported SA

Referring to Table 7, the security negotiation parameters include PKM version support parameters, Authentication Policy Support parameters, Message Authentication Code Mode parameters, and Message Confidentiality Mode parameters. It may include a PN window size parameter, a PKM flow control parameter, and a maximum number of supported security association parameters. In this case, the message confidentiality mode parameter indicates control message confidentiality that can be supported by the current wireless access system.

Table 8 below shows an example of the PKM version support parameter format.

Type Length Value 25.1 One Bit 0: PKM version 1 Bit 1: PKM version 2 Bit 2: PKM version 3 Bits 3-7: Reserved, shall be set to zero

Referring to Table 8, it is assumed that embodiments of the present invention support PKM version 3. However, PKM version 2 or PKM version 1 may be used in addition to PKM version 3.

Table 9 below shows an example of a message confidentiality mode field format used in step S110.

Type Length Value 25.7 One Bit 0: No Message Confidentiality Bit 1: Selective Message Confidentiality Bits 2-7: Reserved. Shall be set to zero

Referring to Table 9, if the message confidential mode parameter is set to '0', it may indicate that the message confidential mode is not supported, and if it is set to '1', it may indicate that the message confidential mode is selectively supported. The mobile station may support one or more confidentiality protection modes, and may inform the message confidentiality mode supported by the mobile station by transmitting the SBC-REQ message to the base station in step S110.

Referring back to FIG. 1, the base station receiving the SBC-REQ message may negotiate security negotiation capability with the mobile station by transmitting an SBC-RSP message including security negotiation parameters that the base station can support. That is, in step S120, the base station may negotiate the message confidential mode with the mobile station by transmitting a security negotiation parameter including the message confidential mode field to the mobile station (S120).

In FIG. 1, the mobile station and the base station may perform an authorization procedure after completing the basic capability negotiation (S130).

The base station can selectively encrypt the control message based on the message confidentiality mode negotiated with the mobile station. In addition, the base station may optionally transmit an encrypted control message to the mobile station (S140).

2 is a view showing another one of an optional control signal encryption method as an embodiment of the present invention.

Figure 2 shows the access state of the mobile station in negotiation to selectively protect the control signal. Referring to FIG. 2, a mobile station may enter an access state from an initialization state or an idle state. At this time, the mobile station can perform ranging with the base station and acquire uplink synchronization (S210).

The mobile station may perform basic capability negotiation with the base station (S220), and perform authentication and key exchange with the base station (S230). After the authentication procedure with the base station, the mobile station can register as a serving base station (S240). In addition, the mobile station is assigned an IP address from the base station (S250). In FIG. 2, negotiation of the selective encryption of the control signal between the base station and the mobile station may be performed in step S210 or S220.

3 is a view showing another one of an optional control signal encryption method according to an embodiment of the present invention.

Negotiation of an optional method of encrypting control signals may also be performed in the mobile station in the idle mode. When the mobile station in the idle mode moves to another base station and when a predetermined location update condition is satisfied, the mobile station can perform location update with the base station. At this time, the mobile station can perform a selective confidentiality protection negotiation for the control signal with the base station.

Referring to FIG. 3, the idle mobile station may transmit a ranging request message including the security negotiation parameter to the base station (S310).

When the base station receives the ranging request message including the security negotiation parameter, the base station may transmit a ranging response message including security negotiation parameters supported by the base station to the mobile station (S320).

The security negotiation parameters used in steps S310 and S320 may refer to the description of Tables 6 to 9. Accordingly, the security negotiation parameter of step S310 may include a message confidentiality mode field indicating a confidentiality protection mode of the control signal supported by the mobile station, and the security negotiation parameter of step S320 includes the confidentiality of the control signal supported by the base station. A Message Confidentiality Mode field indicating a protection mode may be included.

After performing the selective confidentiality protection negotiation for the control signal in steps S310 and S320, the base station may transmit an encrypted control message selectively to the mobile station (S330).

The mobile station can know whether the control signal is encrypted by decoding the header of the control signal received in step S330. That is, the mobile station can confirm whether the corresponding control message is encrypted by checking the EC field and / or the EKS field of the control signal header.

4 is a diagram illustrating a selective control signal encryption negotiation method when an idle mode mobile station updates a location according to an embodiment of the present invention.

Referring to FIG. 4, a mobile station may enter an idle mode when a predetermined condition is satisfied in a connected state with a base station. The idle state may be classified into a paging available mode and a paging unavailable mode. At this time, the paging enabled mode indicates a paging listening interval for the mobile station to receive a paging message from the base station, and the non-paging mode indicates a case where the mobile station is in a sleep state.

The mobile station in the idle mode may negotiate whether to support the selective control signal protection by exchanging a ranging request message and a ranging response message with the base station during location update (see FIG. 3). In addition, as shown in FIG. 4, the idle mode mobile station may negotiate selective protection of a control signal with a base station through a paging message (for example, MOB_PAG-ADV) transmitted periodically or at a predetermined interval in the pageable mode. .

However, in the case of FIG. 4, the mobile station unilaterally receives information on whether to support protection of an encryption control signal that can be encrypted from the base station.

In embodiments of the present invention, if all the control signals are encrypted to provide uniform confidentiality, the overall network load may be very large or the overall efficiency of the system may be reduced. Therefore, in embodiments of the present invention, encryption may be applied only to predetermined control signals.

Among the Medium Access Control (MAC) header fields, information necessary for selective protection of a control signal is an Encryption Control (EC) field. The EC field (and / or encryption key sequence (EKS) field) may specify whether the payload is to be encrypted or not. The type of the flow ID may indicate whether the corresponding message is a transport mode or a management mode.

For example, the mobile station can know whether the control signal is encrypted by checking the EC field included in the header of the control signal. In addition, the mobile station can know whether the corresponding control signal is encrypted by the combination of the EC field and the EKS field. In addition, the base station may indicate whether the corresponding control signal is encrypted by a combination of the EC field and the flow identifier. In addition, the base station may indicate whether the corresponding control signal is encrypted as a flow identifier according to the message type.

That is, the mobile station can know whether encryption is supported by checking at least one of the message type of the EC field, the EKS field, and the flow identifier. In step S140 of FIG. 1 and step S330 of FIG. 3, the mobile station may selectively receive an encrypted control signal. At this time, the mobile station can confirm whether the corresponding control signal is encrypted by checking the EC field of the MAC header of the control signal. Of course, as another embodiment, as a combination of the EC field and the EKS field, it is possible to check whether the corresponding control signal is encrypted and the degree of encryption.

The negotiation method of the message confidential mode described with reference to FIGS. 1 to 4 may be performed even when the mobile station hands over to the target base station. For example, the mobile station and the target base station can negotiate whether to encrypt the control signal through a handover message. That is, the mobile station and the target base station can negotiate the message confidentiality mode using a handover request / response (HO-RSQ / RSP) message. Alternatively, the message confidential mode related information for a specific terminal may be delivered from the serving base station to the target base station through a backbone message.

<Optional Control Signal Encryption Method>

Hereinafter, methods of selectively encrypting a control signal will be described. The methods of encrypting the control signal can be applied to the case where the control signal is encrypted after the mobile station and the base station negotiate selective encryption.

5 is a diagram illustrating an example of a method of encrypting a control signal according to another embodiment of the present invention.

5 assumes a case where AES-CCM is used as an encryption algorithm in a mobile station and a base station. When the AES-CCM is used in the mobile station and the base station, the AES-CCM algorithm itself can provide both the integrity and confidentiality of the management message.

5 shows whether encryption is applied to a management message according to an EC field of a MAC header included in the management messages. For example, when the EC field is '1', it indicates that encryption is performed for confidentiality protection of the corresponding management message and ICV is added for integrity protection.

At this time, the base station may first encrypt the payload to protect the confidentiality of the management message, and then add the ICV for integrity protection. That is, the base station may perform encryption for confidentiality protection first, and then add ICV for integrity protection to the encrypted result.

If the EC field is '0', it indicates that no encryption is applied to the corresponding control signal.

6 is a diagram illustrating another example of a method of encrypting a control signal according to another embodiment of the present invention.

6 is similar to the case of FIG. 5. However, when selective encryption is applied to the management message, there is a difference from FIG. 5 in the order of encryption for confidentiality protection and ICV addition for integrity protection.

Referring to FIG. 6, when the EC field is '1', the base station first adds an ICV to the payload to protect the integrity of the management message, and the payload and ICV of the management message to protect the confidentiality of the management message. Can be encrypted. That is, the base station may first add the ICV to the management message for integrity protection, and then encrypt the payload and ICV for confidentiality protection.

In FIG. 5 and FIG. 6, as a method for indicating whether a control signal is encrypted, a bit indicating whether to encrypt the control signal is used. That is, the base station may indicate whether the corresponding control signal is encrypted using the EC field included in the MAC header.

However, as another aspect of the present invention, the EC field and the EKS field may be used together. In this case, the EC field may indicate whether the corresponding control signal is encrypted, and the EKS field may indicate the encryption level or the encryption order of the control signal. For example, if the EKS field is set to '00', the control signal is not encrypted. If set to '01', '10', or '11', the control signal is encrypted and ICV is added. . In addition, the base station may indicate the order of encryption and ICV addition using the EKS field.

7 is a diagram illustrating one of methods for encrypting a control signal according to another embodiment of the present invention.

FIG. 7 illustrates a case of using an Advance Encyption Standard Counter Mode Encryption (AES-CTR) algorithm in encryption. When using the AES-CTR algorithm, the base station may protect the integrity by adding a message authentication code (MAC) to the signal or message.

Referring to FIG. 7, the base station may selectively encrypt management messages to protect confidentiality or protect integrity by adding a message authentication code (MAC). For example, if the EC field of the header is '1', the message authentication code is added to the management message to protect the integrity, and the confidentiality can be protected by encrypting the management message.

In this case, the base station may first add a message authentication code to protect the integrity of the management message, and then encrypt the payload and the message authentication code of the management message to protect the confidentiality of the management message. That is, the base station may first add a message authentication code for integrity protection, and then encrypt the payload and MAC of the management message together for confidentiality protection.

If the EC field of the header is '0', it may indicate that the base station does not encrypt the management message but protects the integrity by adding a message authentication code. In case of a control signal classified as not to apply selective encryption in FIG. 7, no protection may be performed.

8 is a view showing another one of a method for encrypting a control signal as another embodiment of the present invention.

8 is similar to the case of FIG. However, when selective encryption is applied to the management message, there is a difference from FIG. 7 in the order of addition of encryption for confidentiality protection and message authentication code (MAC) for integrity protection.

Referring to FIG. 8, when the EC field is '1', the base station first encrypts the payload of the management message to protect the confidentiality of the management message, and the payload of the management message to protect the integrity of the management message. You can add a message authentication code (MAC) to the. That is, the base station may first encrypt the management message for confidentiality protection, and then add a message authentication code (MAC) to the encrypted payload for integrity protection.

As a method of indicating whether the control signal is encrypted in FIGS. 7 and 8, the base station may indicate whether the control signal is encrypted using an EC field included in a medium access control (MAC) header.

However, as another aspect of the present invention, the EC field and the EKS field may be used together. In this case, the EC field may indicate whether the corresponding control signal is encrypted, and the EKS field may indicate the encryption level or the encryption order of the control signal. For example, if the EKS field is set to '00', the control signal is not encrypted and only integrity is protected. If the EKS field is set to one of '01', '10' and '11', the control signal is Indicates that it is encrypted and a message authentication code (MAC) is added. At this time, the base station may indicate the order of addition of the encryption and the message authentication code by combining the bits of the EKS field.

<Control signal classification method>

In the embodiments of the present invention, all control signals are not encrypted, and only specific control signals may be encrypted. For example, selective encryption is applied according to individual control signal types in the same flow identifier only when the flow ID type indicates a management message.

In embodiments of the present invention, the type of control signal to which selective encryption is applied may be classified according to whether the CMAC is included. In addition, selective encryption may be applied depending on when the corresponding control signal is used. If it provides its own message authentication function like the AES-CCM algorithm, encryption and message authentication are performed at the same time. Thus, the base station does not need to add the CMAC / HMAC to the specific control signal. However, since other encryption algorithms specified in the standards of wireless access systems do not include a message authentication function, it is necessary to apply the encryption algorithm and add the CMAC / HMAC separately.

On the other hand, when the EC field is set to '0' or the EKS field is set to '00', a message authentication code is added to the control signal which does not need encryption to simply protect the integrity (for example, AES -CTR is used) or no protection is supported (for example, when using AES-CCM). At this time, control signals that do not support any protection represent all control signals not including the CMAC.

Table 10 below shows the types of MAC management messages (or MAC control signals) to which the CMAC tuple should be added.

Type Length Value Scope 141 13 or 19 DSx-REQ / RSP / ACK, REG-REQ / RSP, RES-CMD, DREG-CMD / REQ, TFTP-CPLT, MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, MOB_MIH-MSG, RNG-REQ / RSP, SBC-REQ / RSP

Referring to Table 10, it is possible to know the types of MAC management messages to which the CMAC tuple can be added. That is, in embodiments of the present invention, MAC messages to which selective encryption of a control signal is applied may be identified. Therefore, the base station can selectively encrypt the control signals shown in Table 10.

Table 11 below shows a CMAC Tuple Value Field applied in embodiments of the present invention.

Field Length Notes reserved Key Sequence Number BSID CMAC Packet Number Counter, CMAC_PN_ * CMAC value 4 bits 4 bits 48 bits 32 bits 64 bits set to 0 AK sequence Number Only used in case of MDHO zone-optional This context is different UL, DL CMAC wiht AES-128

Referring to Tables 10 and 11, the application of the authentication tuple is limited to some management control signals, among which the management control signals protected through the CMAC tuple may also be limited to some MAC messages.

For example, MAC management messages that need to be encrypted and need not be encrypted may be distinguished from MAC management messages whose integrity must be protected through CMAC-based authentication tuples. In embodiments of the present invention, whether or not encryption is applied may vary depending on the type of control signal or the time point at which an individual control signal is used.

Table 12 below shows examples of control signals that are applied and encrypted with HMAC tuples and control signals that do not apply.

Scope Encryption shall be supported Encryption shall be not supported DSx-REQ / RSP / ACK, REG-REQ / RSP, RES-CMD, DREG-CMD / REQ, TFTP-CPLT, MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, MOB_MIH-MSG DSx-REQ / RSP / ACK, REG-REQ / RSP, DREG-CMD / REQ, MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND RES-CMD, TFTP-CPLT, MOB_MIH-MSG

Referring to Table 12, a control signal to be encrypted and a control signal not to be encrypted can be checked among MAC management messages whose integrity is protected according to whether the HMAC is included.

Table 13 below shows examples of control signals that are applied and encrypted with CMAC tuples and control signals that do not apply.

Scope Encryption shall be supported Encryption shall be not supported DSx-REQ / RSP / ACK, REG-REQ / RSP, RES-CMD, DREG-CMD / REQ, TFTP-CPLT, MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, MOB_MIH-MSG, RNG-REQ / RSP, SBC-REQ / RSP DSx-REQ / RSP / ACK, REG-REQ / RSP, DREG-CMD / REQ, MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, RNG-REQ / RSP, SBC-REQ / RSP RES-CMD, TFTP-CPLT, MOB_MIH-MSG

Referring to Table 13, it is possible to check a control signal to be encrypted and a control signal not to be encrypted among MAC management messages whose integrity is protected according to whether the CMAC is included.

Table 14 below shows examples of control signals that are encoded by applying the short HMAC tuple and control signals that are not applied.

Scope Encryption shall be supported Encryption shall be not supported MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, RNG-REQ / RSP, SBC-REQ / RSP, PKM-REQ / RSP MOB_SLP-REQ / RSP, MOB_SCN-REQ / RSP, MOB_BSHO-REQ / RSP, MOB_MSHO-REQ, MOB_HO-IND, RNG-REQ / RSP PKM-REQ / RSP

Referring to Table 14, it is possible to check a control signal to be encrypted and a control signal not to be encrypted among MAC management messages whose integrity is protected according to whether the short HMAC is included.

As described above, in the embodiments of the present invention, only a predetermined control signal (or MAC management message) may be encrypted. That is, classification of control signals to be encrypted is necessary. Accordingly, the base station and the mobile station can classify control signals (or MAC management messages) requiring encryption with reference to Tables 10 to 14.

As another embodiment of the present invention, a transmitter and a receiver in which the embodiments of the present invention described in FIGS.

The mobile station can operate as a transmitter in uplink and as a receiver in downlink. In addition, the base station may operate as a receiver in the uplink, and may operate as a transmitter in the downlink. That is, the mobile station and base station can include a transmitter and a receiver for the transmission of information or data.

The transmitter and receiver may include a processor, module, part, and / or means for carrying out the embodiments of the present invention. In particular, the transmitter and receiver may include a module (means) for encrypting the message, a module for interpreting the encrypted message, an antenna for transmitting and receiving the message, and the like.

The mobile station used in embodiments of the present invention may include a low power radio frequency (RF) / intermediate frequency (IF) module. In addition, the mobile station may perform a controller function, a medium access control (MAC) frame variable control function, a handover function, authentication and encryption function, data according to a controller function, a service characteristic, and a propagation environment for performing the above-described embodiments of the present invention. Means, modules or parts for performing packet modulation and demodulation, high speed packet channel coding, and real-time modem control for transmission.

The base station may transmit data received from the upper layer to the mobile station wirelessly or by wire. The base station may include a low power radio frequency (RF) / intermediate frequency (IF) module. In addition, the base station is a controller function for performing the above-described embodiments of the present invention, orthogonal frequency division multiple access (OFDMA) packet scheduling, time division duplex (TDD) packet scheduling and channel multiplexing function MAC frame variable control function according to service characteristics and propagation environment, high speed traffic real time control function, hand over function, authentication and encryption function, packet modulation and demodulation function for data transmission, high speed packet channel coding function and real time modem control Means, modules or parts for performing functions and the like.

The invention can be embodied in other specific forms without departing from the spirit and essential features of the invention. Accordingly, the above detailed description should not be construed as limiting in all aspects and should be considered as illustrative. The scope of the invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the invention are included in the scope of the invention. In addition, the claims may be combined to form an embodiment by combining claims that do not have an explicit citation relationship or may be incorporated as new claims by post-application correction.

1 is a view showing one of the selective control signal encryption method as an embodiment of the present invention.

2 is a view showing another one of an optional control signal encryption method as an embodiment of the present invention.

3 is a view showing another one of an optional control signal encryption method according to an embodiment of the present invention.

4 is a diagram illustrating a method of negotiating an optional control signal encryption method when an idle mode mobile station updates a location according to an embodiment of the present invention.

5 is a diagram illustrating an example of a method of encrypting a control signal according to another embodiment of the present invention.

6 is a diagram illustrating another example of a method of encrypting a control signal according to another embodiment of the present invention.

7 is a diagram illustrating one of methods for encrypting a control signal according to another embodiment of the present invention.

8 is a view showing another one of a method for encrypting a control signal as another embodiment of the present invention.

Claims (13)

In the method for selectively encrypting the control signal, Transmitting a first message to the base station, the first message including a first security negotiation parameter supported by the mobile station; Receiving a second message including a second security negotiation parameter supported by the base station; And Receiving the control signal selectively encrypted according to the second security negotiation parameter from the base station, The control signal encryption method, characterized in that the header of the control signal includes indication information indicating whether the control signal is encrypted. The method of claim 1, The instruction information is, And an encryption control (EC) field indicating whether the control signal is encrypted. 3. The method of claim 2, And the indication information further comprises an encryption key sequence (EKS) indicating an encryption degree of the control signal or an order of confidentiality protection and integrity protection of the control signal. The method of claim 1, The first security negotiation parameter includes a first message confidentiality mode field supported by the mobile station, And the second security negotiation parameter includes a second message confidentiality mode field supported by the mobile station and the base station. The method of claim 4, wherein Further comprising the step of performing the authorization procedure with the base station, And wherein said selectively encrypted control signal is transmitted after said authorization procedure is performed. The method of claim 5, The selectively encrypted control signal, The control signal encryption method, characterized in that the integrity of the control signal protected by using at least one of Integrity Check Value (ICV), Cipher MAC (CMAC) and Hashed MAC (HMAC). In the method for selectively encrypting the control signal, Receiving from the mobile station a first message comprising a first security negotiation parameter supported by the mobile station; Sending a second message comprising a second security negotiation parameter to the mobile station; Selectively encrypting the control signal according to the second security negotiation parameter; And Transmitting the selectively encrypted control signal to the mobile station; The control signal encryption method, characterized in that the header of the control signal includes indication information indicating whether the control signal is encrypted. The method of claim 7, wherein The instruction information is, And an encryption control (EC) field indicating whether the control signal is encrypted. The method of claim 8, And the indication information further comprises an encryption key sequence (EKS) indicating an encryption degree of the control signal or an order of confidentiality protection and integrity protection of the control signal. The method of claim 7, wherein The first security negotiation parameter includes a first message confidentiality mode field supported by the mobile station, And the second security negotiation parameter includes a second message confidentiality mode field supported by the mobile station and the base station. The method of claim 10, Further comprising the step of performing the authorization procedure with the base station, And wherein said selectively encrypted control signal is transmitted after said authorization procedure is performed. The method of claim 11, The selectively encrypted control signal, Control signal encryption method characterized in that the integrity of the control signal protected by using at least one of ICV, CMAC and HMAC. The method of claim 7, wherein The selectively encrypted control signal, Control signal encryption method characterized in that the encryption using the AES-CCM algorithm or AES-CTR algorithm.

Images