WO2018001278A1 - Procédé et dispositif de redirection de station de base (Method and device for base station redirection) - Google Patents


Info

Publication number
WO2018001278A1
Authority: WO (WIPO, PCT)
Prior art keywords: base station, security level, message, redirection, module
Application number: PCT/CN2017/090598
Other languages: English (en), Chinese (zh)
Inventors: 黄琳, 张婉桥, 杨卿
Original assignee: 北京奇虎科技有限公司 (Beijing Qihoo Technology Co., Ltd.)
Priority claimed from: CN201610509881.9A (CN106211157B), CN201610509773.1A (CN106060826A)
Application filed by: 北京奇虎科技有限公司
Publication: WO2018001278A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/12 Detection or prevention of fraud: H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]; H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/12 Detection or prevention of fraud > H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/14 Reselecting a network or an air interface

Definitions

  • The present invention relates to the field of communication security technologies, and in particular to a base station redirection method and a base station redirection device.
  • Redirection means that the network side informs the user equipment (UE) of a target base station by a redirection command, so that the UE searches for that base station according to the carried information and accesses it.
  • When the UE is connected to a base station whose load is too high, a redirection instruction is sent to the UE so that it accesses a base station with a lower load. However, because of a defect in the communication protocol, the UE may also receive a redirection instruction from a pseudo base station. If the UE connects to the base station that the pseudo base station's redirection command points to, the UE is exposed to a serious security risk.
  • The technical problem to be solved by the present invention is therefore how to prevent a UE from following a redirection command issued by a pseudo base station to an unsafe base station.
  • A base station redirection method comprising:
  • When the packet is received, the base station redirection method further includes:
  • A base station redirection apparatus including:
  • a packet receiving module configured to receive a packet by which the first base station redirects the UE to the second base station;
  • a search module configured to search for a third base station other than the first base station and the second base station when the packet receiving module receives a packet redirecting to the second base station;
  • a connection establishing module configured to establish a communication connection with the third base station.
  • A base station redirection method including:
  • when the first base station fails the authentication and a packet redirecting from the first base station to the second base station is received, searching for a third base station other than the first base station and the second base station;
  • A base station redirection apparatus including:
  • an authentication module configured to authenticate the first base station;
  • a search module configured to search, when the first base station fails the authentication and a packet redirecting from the first base station to the second base station is received, for a third base station other than the first base station and the second base station;
  • a connection module configured to establish a communication connection with the third base station.
  • A computer program comprising computer readable code which, when run on a computer, causes the computer to perform the base station redirection method according to any one of the claims.
  • A Tracking Area Update request can be sent to the base station, and whether the first base station is a pseudo base station is determined according to whether the first base station returns a request reject message; if the first base station is not a pseudo base station, a communication connection is established with it, that is, with the base station having the highest signal strength in the area.
  • The base station that the UE attempts to access may be authenticated first and the redirect message sent by that base station received afterwards, so that whether the base station is a pseudo base station is determined first from the authentication result.
  • In the case of a pseudo base station, access to the base station that its redirect message points to is avoided, and base stations other than the pseudo base station and the one its redirect message points to are searched for, ensuring secure access.
  • FIG. 1 is a schematic flow chart showing a method for redirecting a base station according to an embodiment of the present invention
  • FIG. 2 is a schematic flow chart of a method for redirecting a base station according to another embodiment of the present invention.
  • FIG. 3 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 4 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 5 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 6 is a schematic flow chart showing a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 11 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 13 is a schematic flowchart of a method for redirecting a base station according to an embodiment of the present invention.
  • FIG. 14 is a schematic flowchart of a method for redirecting a base station according to another embodiment of the present invention.
  • FIG. 15 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 16 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 17 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention.
  • FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention.
  • FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention.
  • FIG. 20 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 21 is a schematic block diagram of a base station redirection apparatus according to still another embodiment of the present invention.
  • FIG. 22 is a block diagram schematically showing the structure of a computer for performing a base station redirection method according to the present invention.
  • FIG. 23 schematically illustrates a storage unit for holding or carrying program code that implements base station redirection in accordance with the present invention.
  • The terms "terminal" and "terminal device" used herein include wireless signal receiver devices, devices having only a wireless signal receiver without transmitting capability, and devices having both receiving and transmitting hardware.
  • Such devices may include cellular or other communication devices with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistant), which may include a radio frequency receiver, a pager, Internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that include a radio frequency receiver.
  • A terminal may be portable, transportable, installed in a vehicle (aviation, sea and/or land), or adapted and/or configured to operate locally and/or in a distributed form at any other location on Earth and/or in space.
  • The "terminal" or "terminal device" used herein may also be a communication terminal, an Internet terminal or a music/video playing terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback, and may also be a smart TV, a set-top box or a similar device.
  • The concepts of server, cloud, remote network device and the like used herein have equivalent effect and include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers, where the cloud is based on cloud computing.
  • Communication between the remote network device, the terminal device and the WNS server can be implemented by any communication method, including but not limited to mobile communication based on 3GPP, LTE or WiMAX, computer network communication based on TCP/IP or UDP, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
  • In a UE, the operation of receiving the redirect message of a base station is performed before the authentication operation.
  • When a UE enters an area it generally detects the signal strength of the base stations in the area and selects the base station with the highest signal strength to try to access.
  • The UE sends a Tracking Area Update Request message to that base station. If the base station needs to redirect the UE, it replies with a reject message to the Tracking Area Update request.
  • After receiving the reject message, the UE sends an Attach Request message to the base station. The Attach Request carries the IMSI (International Mobile Subscriber Identity) of the UE. Once the base station has collected the IMSI it rejects the request and sends a Radio Resource Control (RRC) redirection message to the UE, instructing it to connect to another base station.
  • In the prior art the UE does not authenticate the base station when it receives the redirection message, and therefore attempts to access whichever base station the redirection message of a pseudo base station points to. The base station that a pseudo base station's redirection message points to is itself a pseudo base station or a normal base station with a lower security level. Once the UE follows the redirection message of a pseudo base station its security is seriously endangered: user information and call records can be stolen, and the user receives harassing text messages and scam messages.
  • FIG. 1 is a schematic flowchart of a method for redirecting a base station according to an embodiment of the present invention, which may be applied to a user equipment such as a mobile terminal.
  • The base station redirection method includes:
  • When the UE receives the redirect message, the base station redirection method also includes:
  • First prompt information is generated, used to present the redirected base station information and let the user choose to reject or accept the redirect instruction.
  • When the redirect message is received, the base station it points to is not accessed immediately, so access to the second base station pointed to by the redirect message can be avoided.
  • When the first base station is a normal base station, the second base station to which it redirects the UE is a secure base station, and accessing it generally poses no security risk. In that case, searching for a third base station anyway wastes the UE's power.
  • Therefore the first prompt information is generated on the UE, for example "A message redirecting from the first base station to the second base station has been received. Try to access the second base station?", so the user is told that the UE has received a redirect message and can choose, as needed, to try to access the second base station or to refuse.
  • If the user refuses the redirect instruction in response to the first prompt, the UE searches for a third base station other than the first base station and the second base station. If the user believes the redirect message is trustworthy, the user accepts the redirect instruction and the UE attempts to access the second base station it points to.
  • FIG. 3 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 3, on the basis of the embodiment shown in FIG. 2, after a communication connection is established with the second base station, the base station redirection method further includes:
  • In the UE, the redirection message is received before the first base station is authenticated, so when the redirection message of the first base station arrives the UE cannot confirm whether the first base station and the second base station are pseudo base stations. The security of the second base station therefore needs to be checked further when the UE, having received the redirection message of the first base station, connects to the second base station that the message points to.
  • The UE can record the security level of the base station it was connected to before receiving the redirect message and compare it with the security level of the second base station it is currently connected to, so that the user learns the security status of the network provided by the second base station and can choose whether to stay connected to it.
  • If the security level of the second base station is lower than that of the base station connected before the message was received, the security level of the UE's network has dropped (for example from 3G to 2G). A network with a lower security level is more easily abused by criminals to send fraudulent information to the UE or steal user information.
  • Even though the first base station and the second base station are not necessarily pseudo base stations, the security level of the UE's network has been reduced, so second prompt information may be generated for this situation, for example "The current network security level has been lowered. Continue using the current network?". If the user chooses to continue, the UE keeps its communication connection with the second base station; if the user chooses not to, the UE disconnects from the second base station and searches for the third base station.
  • FIG. 4 is a schematic flowchart of a base station redirection method according to another embodiment of the present invention. As shown in FIG. 4, the base station redirection method further includes:
  • The security level of the third base station can likewise be compared with that of the base station connected before the redirect message was received, so that the user learns the security status of the network provided by the third base station and can choose whether to stay connected to it.
  • If the security level of the third base station is lower than that of the base station connected before the message was received, the security level of the UE's network has dropped (for example from 3G to 2G), and a network with a lower security level is more easily abused by criminals to send fraudulent information to the UE or steal user information.
  • Even when the third base station is a secure base station, the security level of the UE's network has been reduced, so third prompt information may be generated for this situation, for example "The current network security level has been lowered. Continue using the current network?". If the user chooses to continue, the UE keeps its communication connection with the third base station; if not, the UE disconnects from the third base station and searches for a fourth base station other than the first base station, the second base station and the third base station.
  • The security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  • The authentication mode of a 2G base station is GSM (Global System for Mobile Communication) authentication, the authentication mode of a 3G base station is WCDMA (Wideband Code Division Multiple Access) authentication, and the authentication mode of a 4G base station is LTE (Long Term Evolution) authentication.
  • GSM authentication is unidirectional: only the network authenticates the user, and the UE does not authenticate the network, so an illegal base station can pose as a legitimate one to spoof the UE and steal user information. GSM also provides no data integrity protection, so tampering with data in transit is hard to detect.
  • GSM encryption is not end-to-end: only the radio channel is encrypted, and the fixed network carries traffic in clear text, which gives an attacker an opportunity.
  • The GSM encryption algorithms and keys also carry security risks: the key is only 64 bits long, the algorithms were not published and are relatively fixed, and the cipher cannot be negotiated.
  • Because a WCDMA network can achieve two-way authentication, its security level is higher than that of a GSM network. Its authentication procedure, however, only lets the UE authenticate the HLR (Home Location Register), not the VLR (Visitor Location Register), so an attacker can intercept a legitimate IMSI for an attack.
  • An attacker who obtains an AV (Authentication Vector) by intercepting the traffic between the VLR and the HLR can also obtain CK and IK.
  • When the UE roams between different PLMNs (Public Land Mobile Networks), which may be networks in different countries, the AV sent by the home HLR to the VLR of the visited network passes through several networks and is easily intercepted by an attacker.
  • The authentication procedure of a UE in LTE is:
  • The UE sends its identity to the MME over the NAS (Non-Access Stratum) layer, the protocol layer between the UE and the core network whose content may be user information or control information such as service establishment, release or mobility management. The MME (Mobility Management Entity) is the key control node of the LTE access network in 3GPP: it is responsible for idle-mode UE location and the paging procedure, including relaying; in short, the MME handles the signalling part.
  • The MME requests an authentication vector from the HSS (Home Subscriber Server).
  • The HSS returns one or more EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME, and the MME sends RAND and AUTN to the UE in an Authentication Request.
  • The UE authenticates the network, and so the first base station, by verifying the AUTN; it calculates RES and CK/IK from AUTN and RAND, and further derives KASME (the second-layer key required in LTE, computed from the first-layer keys CK and IK). The UE returns RES to the MME, which compares it with XRES.
  • The UE and the MME derive from KASME the encryption keys and integrity protection keys required by the NAS layer and the AS layer. These keys are deleted when the UE changes from active to idle, so the security level is higher.
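The EPS AKA exchange above, written out as an added example so the AUTN check the UE performs (and why a pseudo base station cannot pass it) is concrete; this is illustrative code, not the applicant's. The KASME derivation follows the HMAC-SHA-256 KDF of 3GPP TS 33.401 Annex A.2 and the AUTN layout (SQN xor AK) || AMF || MAC is real; the MILENAGE functions f1..f5 are replaced by HMAC-SHA-256 stand-ins so the example runs with the standard library, and the key, SQN and serving-network id values are constructed assumptions.

```python
"""EPS AKA: HSS-side vector generation and USIM-side AUTN verification.
Added illustration, not the patent's code. f1..f5 are HMAC stand-ins
(assumption); the K_ASME KDF follows TS 33.401 A.2."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

AMF_EPS = bytes([0x80, 0x00])   # AMF with the EPS "separation bit" set


def _f(k: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Stand-in for MILENAGE f1..f5 (assumption): truncated HMAC-SHA-256."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdf_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """TS 33.401 A.2: HMAC-SHA-256(CK||IK, 0x10 || SN id || L0 || SQN^AK || L1)."""
    s = (b"\x10" + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def hss_generate_av(k: bytes, sqn: bytes, sn_id: bytes, rand: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """HSS side: one EPS authentication vector (RAND, AUTN, XRES, K_ASME)."""
    mac = _f(k, b"f1", sqn + rand + AMF_EPS, 8)
    xres = _f(k, b"f2", rand, 8)
    ck, ik, ak = _f(k, b"f3", rand, 16), _f(k, b"f4", rand, 16), _f(k, b"f5", rand, 6)
    sqn_xor_ak = _xor(sqn, ak)
    autn = sqn_xor_ak + AMF_EPS + mac        # AUTN = (SQN xor AK) || AMF || MAC
    return rand, autn, xres, kdf_kasme(ck, ik, sn_id, sqn_xor_ak)


class AuthFailure(Exception):
    pass


class USIM:
    """UE side: holds K and the highest SQN accepted so far."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn_highest = -1

    def authenticate(self, rand: bytes, autn: bytes, sn_id: bytes) -> Tuple[bytes, bytes]:
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(sqn_xor_ak, _f(self.k, b"f5", rand, 6))
        # 1. MAC: only a holder of K can produce it; a pseudo base station fails here.
        if not hmac.compare_digest(mac, _f(self.k, b"f1", sqn + rand + amf, 8)):
            raise AuthFailure("MAC failure")
        # 2. Separation bit: the vector must have been issued for EPS, not 2G/3G.
        if not amf[0] & 0x80:
            raise AuthFailure("AMF separation bit not set")
        # 3. Freshness: a replayed vector carries an SQN that was already accepted.
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_highest:
            raise AuthFailure("synch failure")
        self.sqn_highest = sqn_int
        res = _f(self.k, b"f2", rand, 8)
        ck, ik = _f(self.k, b"f3", rand, 16), _f(self.k, b"f4", rand, 16)
        return res, kdf_kasme(ck, ik, sn_id, sqn_xor_ak)


def run_demo() -> Dict[str, object]:
    """Genuine network, pseudo base station and replay, against one USIM."""
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed 128-bit K
    sn_id = bytes.fromhex("02f839")                          # constructed PLMN id
    usim, results = USIM(k), {}
    # Genuine: MME forwards the HSS vector, UE answers RES, MME compares with XRES.
    rand, autn, xres, kasme_mme = hss_generate_av(k, (1).to_bytes(6, "big"), sn_id, os.urandom(16))
    res, kasme_ue = usim.authenticate(rand, autn, sn_id)
    results["genuine"] = ("accepted", hmac.compare_digest(res, xres), kasme_ue == kasme_mme)
    # Pseudo base station: has no K, so its AUTN is a guess.
    try:
        usim.authenticate(os.urandom(16), os.urandom(16), sn_id)
        results["pseudo"] = "accepted"
    except AuthFailure as e:
        results["pseudo"] = str(e)
    # Replay: a captured genuine vector is re-sent; MAC is valid but SQN is stale.
    try:
        usim.authenticate(rand, autn, sn_id)
        results["replay"] = "accepted"
    except AuthFailure as e:
        results["replay"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point for a practitioner: AKA authenticates the core network behind the base station, so a pseudo base station without K can never complete it. What it does not cover is the signalling the UE processes before AKA runs, such as a Tracking Area Update reject or an RRC redirection, and that pre-authentication window is exactly what the redirection checks in this patent address.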
  • FIG. 5 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 5, on the basis of the embodiment shown in FIG. 1, the base station redirection method, before searching for the third base station, further includes:
  • S10: Determine whether a connection reject message was received before the message redirecting to the second base station. If a connection reject message was received, perform step S2 and search for the third base station; otherwise perform step S11 and establish a communication connection with the second base station.
  • After the UE enters an area it detects the signal strength of the base stations there, selects the first base station with the highest signal strength to try to access, and sends it a Tracking Area Update request message. If the first base station needs to redirect the UE, it returns a reject message to the Tracking Area Update request.
  • After receiving the reject message, the UE sends an Attach Request message to the first base station, which replies with a redirection message instructing the UE to connect to the second base station.
  • The above situation is one in which the first base station rejects the UE's access request and redirects it while the UE is attempting to access the first base station after entering an area. In this case there is a risk that a pseudo base station acting as the first base station sent the redirect message to the UE.
  • Where the UE is instead already connected to the first base station and is redirected because the load of that base station is high, the source of the redirect message is generally secure and there is no risk in connecting according to it. In that case the redirect message is sent to the UE directly, so the UE receives the redirect message without any preceding reject message for a Tracking Area Update request or for an Attach Request.
  • By determining whether a connection reject message was received before the message redirecting to the second base station, the UE can decide whether to attempt the connection the redirect message asks for, which avoids the risk in the first situation and avoids wasting the UE's power on a search for a third base station in the second.
  • FIG. 6 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 6, on the basis of the embodiment shown in FIG. 1, the base station redirection method, before searching for the third base station, further includes:
  • S13: Determine whether a request reject message from the first base station is received after the Tracking Area Update request message is sent. If yes, perform step S2 and search for the third base station; otherwise perform step S14 and establish a communication connection with the first base station.
  • After the UE enters an area it detects the signal strength of the base stations there and selects the first base station with the highest signal strength to try to access.
  • The message received from the first base station redirects the UE to the second base station. If the first base station is not a pseudo base station, it sends the redirect message because its current load is high and it temporarily cannot accept the UE.
  • When the first base station is a normal base station, a redirection message only indicates that it is temporarily unavailable to the UE; the load of a normal base station does not generally stay high, so it will not keep rejecting the UE's access requests. A pseudo base station, on the other hand, rejects every access request the UE sends and then sends a redirect message.
  • Therefore a preset number of Tracking Area Update request messages may be sent to the first base station, for example at an interval of 1 minute. If the first base station returns a request reject message for every one of them, it is a pseudo base station with high probability. If, after one of the Tracking Area Update request messages, no request reject message is received (or a request accept message is received), the load of the first base station has come down and it can accept the UE, so the first base station is a normal base station; the UE then accesses the first base station and thereby establishes a communication connection with the base station of highest signal strength in the area.
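The decision logic of FIG. 1, FIG. 4, FIG. 5 and FIG. 6 combined into one UE-side policy, as an added example that is not the applicant's code: a redirect with no preceding reject is followed (with a prompt if the target's security level is lower), a reject followed by a redirect triggers the repeated Tracking Area Update probe, and only a first base station that rejects every probe is treated as pseudo, after which the strongest cell other than the first and second base station is chosen. The cell list, signal strengths, RAT names and the probe count are constructed assumptions; the 1-minute spacing between probes is left out so the example runs instantly.

```python
"""UE-side redirection policy modelling the FIG. 1/4/5/6 flows.
Added illustration, not the patent's code; cells and values are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set

# Security ordering stated in the text: 2G < 3G < 4G.
SECURITY_LEVEL: Dict[str, int] = {"2G": 1, "3G": 2, "4G": 3}


@dataclass
class Cell:
    cell_id: str
    rat: str        # "2G", "3G" or "4G"
    rssi_dbm: int   # received signal strength; higher is stronger


@dataclass
class Redirect:
    source: str                 # first base station
    target: str                 # second base station, pointed to by the redirect
    preceded_by_reject: bool    # was a TAU/Attach reject received just before it?


@dataclass
class Decision:
    action: str                 # "connect", "prompt" or "no_cell"
    cell_id: Optional[str]
    reasons: List[str] = field(default_factory=list)


def security_downgraded(previous_rat: str, new_rat: str) -> bool:
    """True when the new cell sits lower in the 2G < 3G < 4G ordering."""
    return SECURITY_LEVEL[new_rat] < SECURITY_LEVEL[previous_rat]


def probe_first_cell(tau_request: Callable[[str], bool], cell_id: str, attempts: int) -> bool:
    """FIG. 6: resend TAU requests; True as soon as one is accepted (normal
    cell whose load dropped), False if every one is rejected (pseudo cell).
    tau_request(cell_id) models the cell's answer: True means accept."""
    return any(tau_request(cell_id) for _ in range(attempts))


def strongest_other_cell(cells: Iterable[Cell], exclude: Set[str]) -> Optional[Cell]:
    """FIG. 1: the third base station is the strongest cell that is neither
    the first nor the second base station."""
    candidates = [c for c in cells if c.cell_id not in exclude]
    return max(candidates, key=lambda c: c.rssi_dbm, default=None)


def _connect_or_prompt(cell: Cell, previous_rat: str, reasons: List[str]) -> Decision:
    """FIG. 3/4: compare against the cell connected before the redirect and
    prompt the user on a security downgrade instead of connecting silently."""
    if security_downgraded(previous_rat, cell.rat):
        reasons.append(f"security level lowered from {previous_rat} to {cell.rat}")
        return Decision("prompt", cell.cell_id, reasons)
    return Decision("connect", cell.cell_id, reasons)


def handle_redirect(cells: List[Cell], redirect: Redirect, previous_rat: str,
                    tau_request: Callable[[str], bool], attempts: int = 3) -> Decision:
    by_id = {c.cell_id: c for c in cells}
    # FIG. 5: no reject before the redirect means the serving cell is shedding
    # load; the source is trusted and the redirect is followed.
    if not redirect.preceded_by_reject:
        return _connect_or_prompt(by_id[redirect.target], previous_rat,
                                  ["redirect without prior reject: trusted source"])
    # FIG. 6: reject then redirect is the pseudo base station pattern; probe
    # the first cell again before giving up on it.
    if probe_first_cell(tau_request, redirect.source, attempts):
        return Decision("connect", redirect.source,
                        ["first base station accepted a TAU request: load has dropped"])
    reasons = [f"first base station rejected {attempts} TAU requests: likely pseudo",
               f"ignoring redirect target {redirect.target}"]
    third = strongest_other_cell(cells, {redirect.source, redirect.target})
    if third is None:
        return Decision("no_cell", None, reasons + ["no third base station in range"])
    reasons.append(f"selected third base station {third.cell_id}")
    return _connect_or_prompt(third, previous_rat, reasons)


# Constructed scenario (assumption): A is a strong 4G pseudo cell redirecting
# the UE to a 2G cell B; C is a weaker genuine 4G cell.
CELLS = [Cell("A", "4G", -60), Cell("B", "2G", -70), Cell("C", "4G", -80)]


def always_reject(cell_id: str) -> bool:
    """A pseudo base station: every TAU request is rejected."""
    return False


def accept_on_second_try() -> Callable[[str], bool]:
    """A loaded normal base station: rejects once, then accepts."""
    calls = {"n": 0}

    def tau(cell_id: str) -> bool:
        calls["n"] += 1
        return calls["n"] >= 2
    return tau


if __name__ == "__main__":
    for redirect, tau in ((Redirect("A", "B", True), always_reject),
                          (Redirect("A", "B", True), accept_on_second_try()),
                          (Redirect("A", "B", False), always_reject)):
        d = handle_redirect(CELLS, redirect, "4G", tau)
        print(d.action, d.cell_id, "; ".join(d.reasons))
```

Note the caveat built into the probe: the repeated TAU check distinguishes a normal loaded cell from a pseudo cell only by behaviour over time, so a pseudo base station that accepts a later request is not caught by it; the security-level comparison and the user prompt are what stop a silent 4G-to-2G downgrade in that case.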
  • FIG. 7 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 7, the base station redirection apparatus 70 includes:
  • a message receiving module 71 configured to receive a message by which the first base station redirects the UE to the second base station;
  • a search module 72 configured to search for a third base station other than the first base station and the second base station when the message receiving module receives the message redirecting to the second base station;
  • a connection establishing module 73 configured to establish a communication connection with the third base station.
  • FIG. 8 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 8, the base station redirection apparatus further includes:
  • a prompting module 74 which, when the message receiving module receives the message redirecting to the second base station, generates the first prompt information, used to present the redirected base station information and let the user choose to reject or accept the redirect instruction;
  • the search module 72 is further configured to search for the third base station on the basis of a reject-redirect instruction selected by the user;
  • the connection establishing module 73 is further configured to establish a communication connection with the second base station on the basis of an accept-redirect instruction selected by the user.
  • FIG. 9 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 9, on the basis of the embodiment shown in FIG. 8, the base station redirection apparatus 70 further includes:
  • a security determination module 75 configured to determine whether the security level of the second base station is lower than the security level of the base station connected before the message was received;
  • the prompting module 74 generates second prompt information when the security level of the second base station is lower than the security level of the base station connected before the message was received.
  • FIG. 10 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 10, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • a security determination module 75 configured to determine whether the security level of the third base station is lower than the security level of the base station connected before the message was received;
  • the prompting module 74 generates third prompt information when the security level of the third base station is lower than the security level of the base station connected before the message was received.
  • The security level of a 2G base station is lower than that of a 3G base station, and the security level of a 3G base station is lower than that of a 4G base station.
  • FIG. 11 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 11, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • the message judging module 76 determines, before the third base station is searched for, whether a connection reject message was received before the message receiving module 71 received the message redirected to the second base station.
  • the search module 72 searches for the third base station when the message receiving module 71 received a connection reject message before receiving the message redirected to the second base station, and the connection establishing module 73 establishes a communication connection with the second base station when the message receiving module 71 did not receive a connection reject message before receiving the message redirected to the second base station.
  • FIG. 12 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 12, on the basis of the embodiment shown in FIG. 7, the base station redirection apparatus 70 further includes:
  • the message transmission module 77 is configured to transmit a preset number of tracking area update (TAU) request messages to the first base station before the third base station is searched for;
  • the search module 72 searches for the third base station when, after the tracking area update request messages have been sent, the message receiving module 71 receives a request reject message from the first base station; the connection establishing module 73 establishes a communication connection with the first base station when, after the tracking area update request messages have been sent, the message receiving module 71 receives a request accept message from the first base station.
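The two signalling-based checks of FIG. 11 and FIG. 12 (a connection reject received before the redirect, and a preset number of TAU requests sent to the first base station) can be modelled on the UE side as a small decision routine. The following is an added example, not code from the patent or from the applicant; it combines the two checks in sequence (an assumption about how the embodiments would be composed), and the cell identifiers, signal strengths and the TAU response table are constructed sample data.

```python
"""UE-side redirect triage driven by network signalling (FIG. 11 / FIG. 12).

A redirect message from a first base station is not followed blindly: if a
connection reject preceded it, or the first base station keeps rejecting
tracking area update (TAU) requests, the UE searches for a third base station
other than the sender and the target. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cell:
    cell_id: str
    rat: str            # "2G", "3G" or "4G"
    signal_dbm: int     # measured signal strength, higher is stronger


@dataclass
class RedirectMessage:
    source: str         # first base station: the one that sent the redirect
    target: str         # second base station: where the redirect points


@dataclass
class UeState:
    serving: str
    # True when a connection reject message arrived before the redirect (FIG. 11)
    reject_before_redirect: bool = False
    # Constructed behaviour table (assumption): how each base station answers
    # successive TAU requests, in order ("accept" or "reject").
    tau_responses: Dict[str, List[str]] = field(default_factory=dict)


def search_third_base_station(cells: List[Cell], exclude: Set[str]) -> Optional[Cell]:
    """Pick the strongest candidate that is neither the sender nor the target."""
    candidates = [c for c in cells if c.cell_id not in exclude]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.signal_dbm)


def probe_with_tau(state: UeState, first: str, attempts: int) -> bool:
    """Send a preset number of TAU requests to the first base station.

    Returns True as soon as a request accept message is received, False when
    every attempt is rejected or left unanswered.
    """
    answers = state.tau_responses.get(first, [])
    for i in range(attempts):
        if i < len(answers) and answers[i] == "accept":
            return True
    return False


def handle_redirect(state: UeState, msg: RedirectMessage, cells: List[Cell],
                    tau_attempts: int = 3) -> Tuple[str, Optional[str]]:
    """Decide what to do with a redirect message.

    Returns ("search_third", <cell id or None>) or ("connect", <cell id>).
    """
    exclude = {msg.source, msg.target}

    # FIG. 11: a connection reject immediately before the redirect means the
    # sender is not trusted; its redirect target is skipped entirely.
    if state.reject_before_redirect:
        third = search_third_base_station(cells, exclude)
        return ("search_third", third.cell_id if third else None)

    # FIG. 12: otherwise probe the sender. A first base station that accepts a
    # TAU request is connected directly; one that keeps rejecting is bypassed
    # in favour of a third base station.
    if probe_with_tau(state, msg.source, tau_attempts):
        return ("connect", msg.source)
    third = search_third_base_station(cells, exclude)
    return ("search_third", third.cell_id if third else None)


# Constructed scenario: 4G cell A redirects the UE towards 2G cell B.
CELLS = [Cell("A", "4G", -70), Cell("B", "2G", -60),
         Cell("C", "4G", -75), Cell("D", "3G", -85)]
REDIRECT = RedirectMessage(source="A", target="B")


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the three situations the embodiments distinguish."""
    rejected = UeState(serving="A", reject_before_redirect=True)
    accepting = UeState(serving="A", tau_responses={"A": ["reject", "accept"]})
    refusing = UeState(serving="A", tau_responses={"A": ["reject"] * 3})
    return {
        "reject_before_redirect": handle_redirect(rejected, REDIRECT, CELLS),
        "tau_accepted": handle_redirect(accepting, REDIRECT, CELLS),
        "tau_rejected": handle_redirect(refusing, REDIRECT, CELLS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the constructed scenario the UE never lands on the 2G target B: a prior reject or exhausted TAU attempts both lead to the strongest remaining cell C, and only a first base station that accepts a TAU request is connected to directly.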
  • the present invention also proposes a base station redirection method and a base station redirection apparatus as shown below.
  • FIG. 13 is a schematic flowchart of a method for redirecting a base station according to an embodiment of the present invention, which may be applied to a mobile terminal.
  • the base station redirection method includes:
  • Step 1 Authenticate the first base station;
  • Step 2 If the first base station fails the authentication, then when a message redirected from the first base station to the second base station is received, search for a third base station other than the first base station and the second base station;
  • Step 3 Establish a communication connection with the third base station.
  • the base station may be authenticated before the redirect message is received. For example, after the user equipment enters an area, it detects that the signal strength of the first base station is the highest, attempts to access the first base station, and directly initiates an authentication request to the first base station, requesting it to return authentication information. Alternatively, after the first base station returns a reject message for a tracking area update request, or after a reject message for a connection request is received, the user equipment sends an authentication request to the first base station, requesting it to return authentication information.
  • a first base station that fails the authentication is, for example, one that returns authentication information which does not match the authentication information stored by the terminal, or one that does not return authentication information at all.
  • the base station that the user equipment attempts to access is authenticated before the redirect message sent by that base station is acted on, so it is first determined from the authentication result whether the base station being accessed is a pseudo base station;
  • access to the base station that a pseudo base station's redirect message points to can thereby be avoided, and a base station other than the pseudo base station and the target of its redirect message is searched for instead, ensuring that a secure base station is accessed.
  • the identifiers of the first base station and the second base station are recorded if the first base station fails the authentication.
  • this ensures that the base station finally accessed is a secure base station.
  • authenticating the first base station includes:
  • initiating an authentication request to the first base station when the user equipment attempts to access the first base station, or when a reject message for a tracking area update request is received from the first base station, and requesting the first base station to return authentication information.
  • when the user equipment attempts to access the first base station, or when it receives a reject message for a tracking area update request from the first base station, the user equipment has not yet transmitted its IMSI to the base station it is attempting to access; authenticating the base station in these two cases therefore reduces the probability that a pseudo base station obtains the user's IMSI.
  • the authentication method of the user equipment to the first base station may be as follows:
  • the UE exchanges information with the CN (core network) through the NAS (Non-Access Stratum) layer; the NAS protocol carries user information or control information, such as service establishment, release, or mobility management information;
  • the MME (Mobility Management Entity) is the key control node of the LTE access network in the 3GPP protocols; it is responsible for locating UEs in idle mode and for the paging process, including relaying. Put simply, the MME is responsible for the signalling processing part;
  • the MME requests an authentication vector from the HSS (Home Subscriber Server).
  • the HSS returns one or more sets of EPS (Evolved Packet System) authentication vectors (RAND, AUTN, XRES, KASME) to the MME;
  • the UE authenticates the first base station by using the AUTN. If the first base station fails the authentication, the UE terminates the procedure. If the authentication passes, the UE calculates RES and CK/IK from AUTN and RAND, and further calculates KASME (the key required for LTE authentication, a second-layer key derived from the first-layer keys CK and IK);
  • the UE and the MME derive the encryption key and the integrity protection key required by the NAS layer and the AS layer according to the Kasme.
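The authentication step described above (the UE checking AUTN, computing RES and CK/IK, and deriving KASME) is the mechanism by which a pseudo base station that does not hold the subscriber key K fails Step 1. The following added example, which is not code from the patent or from the applicant, models both sides of one EPS AKA run. The f1 to f5 functions are HMAC-SHA256 stand-ins for the operator's MILENAGE algorithm set (an assumption made so the example is self-contained); the AUTN layout (SQN xor AK, AMF, MAC) and the KASME derivation follow 3GPP TS 33.102 and TS 33.401 Annex A.2. The key K, the serving network id and the AMF value are constructed sample values.

```python
"""EPS AKA on the UE side: verify AUTN, compute RES, derive KASME.

f1..f5 are HMAC-SHA256 stand-ins for MILENAGE (assumption). AUTN layout and
KASME derivation follow TS 33.102 / TS 33.401 A.2. Sample values are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _prf(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A, 64 bit
def f2(k, rand): return _prf(k, b"f2", rand)[:8]                        # RES / XRES
def f3(k, rand): return _prf(k, b"f3", rand)[:16]                       # CK, 128 bit
def f4(k, rand): return _prf(k, b"f4", rand)[:16]                       # IK, 128 bit
def f5(k, rand): return _prf(k, b"f5", rand)[:6]                        # AK, 48 bit


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    # TS 33.401 A.2: KASME = HMAC-SHA-256(CK || IK, FC || SN id || L0 || SQN^AK || L1)
    s = b"\x10" + sn_id + b"\x00\x03" + sqn_xor_ak + b"\x00\x06"
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def hss_generate_av(k: bytes, sqn: int, amf: bytes, sn_id: bytes,
                    rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes, bytes]:
    """HSS side: build one EPS authentication vector (RAND, AUTN, XRES, KASME)."""
    rand = rand if rand is not None else os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    ak = f5(k, rand)
    autn = xor(sqn_b, ak) + amf + f1(k, rand, sqn_b, amf)
    kasme = derive_kasme(f3(k, rand), f4(k, rand), sn_id, xor(sqn_b, ak))
    return rand, autn, f2(k, rand), kasme


class UeUsim:
    """USIM state: the shared key K and the highest sequence number accepted."""

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k = k
        self.sqn_ms = sqn_ms

    def authenticate_network(self, rand: bytes, autn: bytes,
                             sn_id: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Verify AUTN; return (RES, KASME) on success, None when the network fails.

        A base station that does not hold K cannot produce a valid MAC, and a
        replayed vector is caught by the sequence-number check.
        """
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(sqn_xor_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn_b, amf)):
            return None                      # MAC failure: network not authenticated
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return None                      # replayed or stale sequence number
        self.sqn_ms = sqn
        kasme = derive_kasme(f3(self.k, rand), f4(self.k, rand), sn_id, sqn_xor_ak)
        return f2(self.k, rand), kasme


def mme_check(res: bytes, xres: bytes) -> bool:
    """MME side: the UE is accepted only if RES equals XRES from the vector."""
    return hmac.compare_digest(res, xres)


# Constructed sample values (assumptions, not from the page).
K_SHARED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SN_ID = bytes.fromhex("64f000")      # 3-byte serving network id, example encoding
AMF = b"\x80\x00"


def run_exchange(network_key: bytes, usim: UeUsim, sqn: int) -> Dict[str, bool]:
    """One AKA run between a network holding network_key and the given USIM."""
    rand, autn, xres, kasme_net = hss_generate_av(network_key, sqn, AMF, SN_ID)
    result = usim.authenticate_network(rand, autn, SN_ID)
    if result is None:
        return {"ue_ok": False, "keys_match": False, "mme_ok": False}
    res, kasme_ue = result
    return {"ue_ok": True, "keys_match": kasme_ue == kasme_net,
            "mme_ok": mme_check(res, xres)}


if __name__ == "__main__":
    usim = UeUsim(K_SHARED)
    print("genuine network:", run_exchange(K_SHARED, usim, sqn=1))
    print("network without K:", run_exchange(b"\xff" * 16, usim, sqn=2))
```

The second run stands for a base station that does not hold the subscriber key: its AUTN fails the MAC check on the USIM, so the UE never returns RES and never derives keys, which is exactly the "first base station fails the authentication" branch of Step 2.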
  • FIG. 14 is a schematic flowchart of a method for redirecting a base station according to another embodiment of the present invention. As shown in FIG. 14, the method for redirecting a base station according to the embodiment shown in FIG. 13 further includes:
  • Step 4 If the first base station passes the authentication, when receiving the message redirected from the first base station to the second base station, establish a communication connection with the second base station.
  • in the case that the first base station passes the authentication, the first base station is not a pseudo base station, and therefore a communication connection can be established with the second base station according to the redirect message.
  • FIG. 15 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 15, after establishing a communication connection with the second base station, based on the embodiment shown in FIG.
  • the base station redirection method further includes:
  • Step 5 Determine whether the security level of the second base station is lower than the security level of the base station that was connected before the message was received.
  • Step 6 If it is lower, display the first prompt information.
  • even when the first base station is not a pseudo base station, it is possible for the first base station to redirect the user equipment to a base station having a lower security level.
  • the base station with the highest power in the area is detected as the first base station.
  • the first base station passes the authentication, but has a high load at this time, and therefore returns a redirect instruction to the user equipment. If all the 4G base stations in the area are heavily loaded and only the second base station has a lower load, but the second base station is a 2G base station while the base station the user equipment was connected to before receiving the redirect message is a 4G base station, then after the user equipment accesses the second base station, the security level of the mobile network in which the user equipment is located is lowered.
  • the first prompt information may be displayed in the above case, so that the user learns in time that the security level of the connected base station has been lowered and can then decide whether to maintain the connection with the second base station.
  • FIG. 16 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 16, when the first base station fails the authentication, on the basis of the embodiment shown in FIG. 13, the base station redirection method further includes:
  • Step 7 Display second prompt information, which prompts the user that the first base station failed the authentication and lets the user choose to reject or accept the redirect instruction;
  • Step 8 Search for the third base station if the user chooses to reject the redirect instruction; or
  • Step 9 Establish a communication connection with the second base station if the user chooses to accept the redirect instruction.
  • in some cases the user equipment still needs to connect to the second base station according to the redirect message of the first base station.
  • for example, the communication connection with the second base station is still established according to the redirect message of the first base station, so that while connected to the second base station it can be detected whether the pseudo base station sends fraudulent information to the user terminal or steals its messages, thereby confirming evidence of the crime.
  • FIG. 17 is a schematic flowchart of a method for redirecting a base station according to still another embodiment of the present invention. As shown in FIG. 17, after establishing a communication connection with the second base station, on the basis of the embodiment shown in FIG.
  • the base station redirection method further includes:
  • Step 10 Determine whether the security level of the second base station is lower than the security level of the base station that was connected before the message was received.
  • Step 11 If it is lower, display the third prompt information.
  • when the first base station fails the authentication and the user equipment nevertheless connects to the second base station to which the first base station's redirect message points, the first base station can be tested according to whether the security level of the second base station is lower.
  • the parameter values that some base stations use for authentication may be missing or not stored, so that those base stations cannot pass the authentication even though they are normal base stations.
  • this provides a condition for operator testing: if the first base station fails the authentication, the communication connection with the second base station is still established according to the redirect message of the first base station, and it is further determined whether the security level of the second base station is lowered.
  • if the security level of the second base station is lowered, it may be determined that the first base station is a pseudo base station. If the security level of the second base station is not lowered, the first base station is a normal base station (because the redirect message sent by a pseudo base station is generally used to redirect the user equipment to a base station with a lower security level in order to send fraud information or steal messages), but the parameters or parameter values required for authentication are missing, and the base station can be repaired accordingly.
  • the security level of the 2G base station is lower than the security level of the 3G base station, and the security level of the 3G base station is lower than the security level of the 4G base station.
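Steps 1 to 11 (FIG. 13 to 17), the recording of the two identifiers after a failed authentication, the operator test described just above and the 2G < 3G < 4G ranking fit together as one UE-side decision routine. The following is an added example, not code from the patent or from the applicant: authentication itself is abstracted to a boolean result (the AKA check is a separate matter), the security ranking is the one the page states, and the cell identifiers, signal strengths and prompt texts are constructed assumptions.

```python
"""Authentication-driven redirect decision (Steps 1 to 11) with the operator test.

auth_passed abstracts the result of Step 1. The ranking 2G < 3G < 4G is taken
from the text; cells, prompts and the suspect log are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SECURITY_LEVEL = {"2G": 1, "3G": 2, "4G": 3}   # ranking as stated in the text


@dataclass
class Cell:
    cell_id: str
    rat: str            # "2G", "3G" or "4G"
    signal_dbm: int


@dataclass
class Decision:
    action: str                     # "connect_second" or "search_third"
    target: Optional[str]
    prompts: List[str] = field(default_factory=list)
    verdict: Optional[str] = None   # outcome of the operator test, if it was run


@dataclass
class RedirectContext:
    previous: Cell                  # base station connected before the redirect
    first: Cell                     # sender of the redirect message
    second: Cell                    # target of the redirect message
    candidates: List[Cell]          # every cell currently visible to the UE


def security_lowered(previous: Cell, new: Cell) -> bool:
    return SECURITY_LEVEL[new.rat] < SECURITY_LEVEL[previous.rat]


def search_third(candidates: List[Cell], exclude: Set[str]) -> Optional[Cell]:
    cands = [c for c in candidates if c.cell_id not in exclude]
    return max(cands, key=lambda c: c.signal_dbm) if cands else None


def classify_first_base_station(second_lowers_security: bool) -> str:
    """Operator test after a failed authentication: a redirect that lowers the
    security level points to a pseudo base station; one that does not suggests
    a normal base station with missing authentication parameters."""
    if second_lowers_security:
        return "pseudo base station"
    return "normal base station with missing authentication parameters"


def handle_redirect(ctx: RedirectContext, auth_passed: bool, suspect_log: Set[str],
                    user_accepts_redirect: Optional[bool] = None) -> Decision:
    d = Decision(action="", target=None)
    if auth_passed:
        # Steps 4 to 6: follow the redirect, but warn when security drops.
        d.action, d.target = "connect_second", ctx.second.cell_id
        if security_lowered(ctx.previous, ctx.second):
            d.prompts.append("first prompt: connected base station has a lower security level")
        return d

    # Failed authentication: record both identifiers, then Steps 7 to 9.
    suspect_log.update({ctx.first.cell_id, ctx.second.cell_id})
    d.prompts.append("second prompt: first base station failed authentication; reject or accept redirect?")
    if not user_accepts_redirect:
        third = search_third(ctx.candidates, {ctx.first.cell_id, ctx.second.cell_id})
        d.action, d.target = "search_third", third.cell_id if third else None
        return d

    # Steps 10 and 11 plus the operator test.
    d.action, d.target = "connect_second", ctx.second.cell_id
    lowered = security_lowered(ctx.previous, ctx.second)
    if lowered:
        d.prompts.append("third prompt: security level lowered after accepting the redirect")
    d.verdict = classify_first_base_station(lowered)
    return d


# Constructed scenario cells (assumptions).
PREVIOUS = Cell("P", "4G", -65)
FIRST = Cell("A", "4G", -70)
SECOND_2G = Cell("B", "2G", -60)
SECOND_4G = Cell("E", "4G", -68)
OTHERS = [Cell("C", "4G", -75), Cell("D", "3G", -85)]


def demo() -> Dict[str, object]:
    log: Set[str] = set()
    to_2g = RedirectContext(PREVIOUS, FIRST, SECOND_2G, [FIRST, SECOND_2G] + OTHERS)
    to_4g = RedirectContext(PREVIOUS, FIRST, SECOND_4G, [FIRST, SECOND_4G] + OTHERS)
    return {
        "authenticated": handle_redirect(to_2g, True, log),
        "failed_reject": handle_redirect(to_2g, False, log, user_accepts_redirect=False),
        "failed_accept_2g": handle_redirect(to_2g, False, log, user_accepts_redirect=True),
        "failed_accept_4g": handle_redirect(to_4g, False, log, user_accepts_redirect=True),
        "recorded": sorted(log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the branch in which the user explicitly accepts the redirect after a failed authentication produces a verdict; the default (no choice, or a rejection) is the safe path of Step 8, which excludes both the sender and the target of the redirect from the search.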
  • the authentication mode of the 2G base station is GSM (Global System for Mobile Communication) authentication;
  • the authentication mode of the 3G base station is WCDMA (Wideband Code Division Multiple Access) authentication;
  • the authentication mode of the 4G base station is LTE (Long Term Evolution) authentication.
  • GSM authentication is unidirectional: only the base station (network) authenticates the user, and the user equipment does not authenticate the base station (network), so an illegal base station can pretend to be a legitimate base station to spoof the user equipment and steal user information. In addition, the GSM network does not consider data integrity protection, so it is difficult to discover whether data has been tampered with during transmission.
  • the encryption of the GSM network is not end-to-end; only the radio channel part is encrypted, and there is no encryption in the fixed network (clear-text transmission), which gives an attacker an opportunity.
  • the GSM encryption algorithm and key have security risks; for example, the key is too short, only 64 bits.
  • the encryption algorithm is not public and is relatively fixed, and the encryption algorithm cannot be negotiated.
  • because the WCDMA network can achieve two-way authentication, its security level is higher than that of the GSM network.
  • however, the authentication process only implements authentication of the HLR (Home Location Register) by the user equipment, not authentication of the VLR (Visitor Location Register) by the user equipment, so an attacker can intercept a legitimate IMSI for an attack. And since authentication and confidential communication on the network side are not considered, an attacker can intercept the signalling between the VLR and the HLR to obtain the AV (Authentication Vector) and thereby CK and IK.
  • different PLMNs (Public Land Mobile Networks) may be different networks in different countries.
  • the LTE network does not have the problems of the GSM network and the WCDMA network described above, so its security level is higher.
  • FIG. 18 is a schematic block diagram of a base station redirection apparatus according to an embodiment of the present invention. As shown in FIG. 18, the base station redirection apparatus 60 according to the second aspect of the present invention includes:
  • the authentication module 61 is configured to perform authentication on the first base station
  • the searching module 62 searches for a third base station other than the first base station and the second base station when a message redirected from the first base station to the second base station is received and the first base station fails the authentication;
  • the connection module 63 establishes a communication connection with the third base station.
  • the connection module 63 establishes a communication connection with the second base station when a message redirected from the first base station to the second base station is received and the first base station passes the authentication.
  • FIG. 19 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 19, on the basis of the embodiment shown in FIG.
  • the determining module 64 is configured to determine whether the security level of the second base station is lower than a security level of the base station connected before receiving the packet;
  • the display module 65 displays the first prompt information when the security level of the second base station is lower than the security level of the base station that was connected before the message was received.
  • FIG. 20 is a schematic block diagram of a base station redirection apparatus according to another embodiment of the present invention. As shown in FIG. 20, on the basis of the embodiment shown in FIG.
  • the display module 65 is configured to display the second prompt information when the first base station fails to pass the authentication, and the second prompt information is used to prompt the user that the first base station fails to pass the authentication, and the user selects to reject the redirect instruction or Accept the redirect instruction;
  • the searching module 62 is configured to search for the third base station when the user selects the reject redirect instruction offered by the second prompt information.
  • connection module 63 is configured to establish a communication connection with the second base station based on the selected accept redirection command.
  • the base station redirection device 60 further includes:
  • the determining module 66 is configured to determine, after the connection module 63 establishes a communication connection with the second base station, whether the security level of the second base station is lower than a security level of the base station connected before receiving the message;
  • the display module 65 displays the third prompt information when the security level of the second base station is lower than the security level of the base station connected before receiving the message.
  • the security level of the 2G base station is lower than the security level of the 3G base station, and the security level of the 3G base station is lower than the security level of the 4G base station.
  • when a redirect message is received, a third base station other than the first base station that sent the redirect message and the second base station that the redirect message points to is searched for. Therefore, when the first base station is a pseudo base station, the second base station pointed to by the redirect message is not accessed, access to a secure base station is ensured, and the user equipment is prevented from receiving fraud or harassment information or leaking personal information.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of the features disclosed in this description (including the accompanying claims, abstract and drawings) may be employed, and all the features so disclosed may be combined with any process or unit of any method or device so disclosed. Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the website security detection device in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals.
  • Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 22 illustrates a computer in which a base station redirection method in accordance with the present invention can be implemented.
  • the computer traditionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • the memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above.
  • storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 520 in the mobile terminal of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 531', code that can be read by a processor, such as 510, which when executed by a computer causes the computer to perform various steps in the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to a base station redirection method and apparatus. The base station redirection method comprises: searching for a third base station, excluding a second base station, when a message redirected to the second base station is received; and establishing a communication connection with the third base station. According to the technical solution of the present invention, when the redirect message is received, a third base station is searched for, excluding the first base station that sent the redirect message and the second base station to which the message is directed. Consequently, in the case that the first base station is a pseudo base station, the second base station to which the redirect message is directed is not connected, which guarantees access to a secure base station and prevents the user equipment from receiving fraudulent or harassing information or leaking personal information.
PCT/CN2017/090598 2016-06-30 2017-06-28 Procédé et dispositif de redirection de station de base WO2018001278A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610509881.9 2016-06-30
CN201610509881.9A CN106211157B (zh) 2016-06-30 2016-06-30 基站重定向方法和基站重定向装置
CN201610509773.1A CN106060826A (zh) 2016-06-30 2016-06-30 基站重定向方法和基站重定向装置
CN201610509773.1 2016-06-30

Publications (1)

Publication Number Publication Date
WO2018001278A1 true WO2018001278A1 (fr) 2018-01-04

Family

ID=60785946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/090598 WO2018001278A1 (fr) 2016-06-30 2017-06-28 Procédé et dispositif de redirection de station de base

Country Status (1)

Country Link
WO (1) WO2018001278A1 (fr)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090029677A1 (en) * 2007-07-26 2009-01-29 Sungkyunkwan University Foundation For Corporate Collaboration Mobile authentication through strengthened mutual authentication and handover security
CN104429151A (zh) * 2012-06-11 2015-03-18 三星电子株式会社 用于控制异构移动通信系统之间的重定向的方法和装置
CN103906158A (zh) * 2012-12-28 2014-07-02 展讯通信(上海)有限公司 一种从2g/3g网络返回lte网络的方法
CN105357672A (zh) * 2015-11-20 2016-02-24 华为技术有限公司 一种伪基站识别方法及用户设备
CN105722085A (zh) * 2016-03-28 2016-06-29 宇龙计算机通信科技(深圳)有限公司 伪基站识别方法、伪基站识别装置和终端
CN106060826A (zh) * 2016-06-30 2016-10-26 北京奇虎科技有限公司 基站重定向方法和基站重定向装置
CN106211157A (zh) * 2016-06-30 2016-12-07 北京奇虎科技有限公司 基站重定向方法和基站重定向装置
CN106358199A (zh) * 2016-09-30 2017-01-25 维沃移动通信有限公司 一种移动终端识别伪基站的方法及移动终端

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055934A (zh) * 2021-03-26 2021-06-29 RealMe重庆移动通信有限公司 重定向信息的处理方法、装置、终端设备和存储介质
CN113055934B (zh) * 2021-03-26 2022-06-10 RealMe重庆移动通信有限公司 重定向信息的处理方法、装置、终端设备和存储介质

Similar Documents

Publication Publication Date Title
Mallik Man-in-the-middle-attack: Understanding in simple words
US20230308477A1 (en) Methods and systems for detecting and preventing compromised network connections
RU2546610C1 (ru) Способ определения небезопасной беспроводной точки доступа
EP3906652B1 (fr) Protection d'un réseau de télécommunications en utilisant des composants de réseau en tant que noeuds de chaîne de blocs
KR102547749B1 (ko) 완전 순방향 비밀성을 통한 인증 및 키 합의
US9781137B2 (en) Fake base station detection with core network support
US8151336B2 (en) Devices and methods for secure internet transactions
KR100952269B1 (ko) 가입 모듈로의 안전 접근
CN105939521B (zh) 伪接入点的检测报警方法及装置
Waliullah et al. Wireless LAN security threats & vulnerabilities
CN106211157B (zh) 基站重定向方法和基站重定向装置
US20080098467A1 (en) METHOD AND APPARATUS FOR SELF CONFIGURATION OF LTE E-NODE Bs
KR102027717B1 (ko) 허위 기지국으로부터의 공격 방지
CN102415119A (zh) 管理网络中不期望的服务请求
WO2017024449A1 (fr) Procédé et dispositif de traitement pour accéder à un réseau 3gpp par un terminal
Khan et al. Vulnerabilities of UMTS access domain security architecture
US20220408253A1 (en) Method and System for Authenticating a Base Station
CN114697963B (zh) 终端的身份认证方法、装置、计算机设备和存储介质
US9100429B2 (en) Apparatus for analyzing vulnerability of wireless local area network
US10154369B2 (en) Deterrence of user equipment device location tracking
WO2018001278A1 (fr) Procédé et dispositif de redirection de station de base
CN106060826A (zh) 基站重定向方法和基站重定向装置
US10305884B2 (en) Secure identification of internet hotspots for the passage of sensitive information
Lee et al. Man-in-the-middle Attacks Detection Scheme on Smartphone using 3G network
Yang et al. Attacks and Threats Verification Based on 4G/5G Security Architecture

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17819275

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17819275

Country of ref document: EP

Kind code of ref document: A1