WO2019163810A1 - Wireless communication system, security proxy device and relay device - Google Patents
Wireless communication system, security proxy device and relay device
- Publication number: WO2019163810A1 (PCT application PCT/JP2019/006254)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- message
- signature
- unit
- predetermined element
- relay device
Classifications
- H04L63/0884: Network security; authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity on its behalf vis-a-vis an authentication entity
- H04L63/12: Network security; applying verification of the received information
- H04L12/4633: Data switching networks; interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/66: Data switching networks; arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L63/0281: Network security; separating internal from external traffic; proxies
- H04L63/0428: Network security; confidential data exchange where the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/0891: Cryptographic mechanisms; key distribution or management; revocation or update of secret information, e.g. key update or rekeying
- H04L9/40: Cryptographic mechanisms; network security protocols
- H04W12/10: Wireless communication networks; security arrangements; integrity
- H04W12/102: Wireless communication networks; route integrity, e.g. using trusted paths
- H04W12/106: Wireless communication networks; packet or message integrity
- H04W92/24: Wireless communication networks; interfaces between hierarchically similar backbone network devices
- H04L2209/80: Additional information relating to cryptographic mechanisms (H04L9/00); wireless
Definitions
- the present invention relates to a wireless communication system, a security proxy device, and a relay device, and more particularly to message security and integrity between a visited network and a home network.
- LTE (Long Term Evolution) and LTE-Advanced have been deployed, and 5G systems, the successors to LTE, are also being studied.
- N32 is defined as the reference point at the connection between the home network of the user equipment (UE), the Home Public Land Mobile Network (HPLMN), and the network the UE is visiting, the Visited PLMN (VPLMN).
- More specifically, N32 is the reference point between the security proxy device on the VPLMN side, the Security Edge Protection Proxy (vSEPP), and the SEPP on the HPLMN side (hSEPP).
- An IPX provider (IP exchange provider) may relay the messages exchanged between the vSEPP and the hSEPP.
- The present invention has been made in view of this situation. Its object is to provide a wireless communication system, a security proxy device, and a relay device that can delete, change, or add information elements included in a message relayed between the VPLMN and the HPLMN while guaranteeing the integrity of that message.
- One aspect of the present invention is a wireless communication system (wireless communication system 10) including a security proxy device (vSEPP 210) connected to a mobile communication network (VPLMN 20) and a relay device (relay device 310) connected to the security proxy device.
- The security proxy device includes an encapsulation unit (encapsulation unit 211) that encapsulates a predetermined element included in an original message (HTTP request) received from the mobile communication network; a first signature unit (signature unit 213) that adds a first signature to the first message in which the predetermined element has been encapsulated; and a message transmission unit (message transmission unit 215) that transmits the first message to the relay device.
- The relay device includes a message receiving unit (message receiving unit 311) that receives the first message; a change unit (change unit 313) that decapsulates the predetermined element included in the first message and changes it; a second signature unit (signature unit 315) that adds a second signature to the second message including the predetermined element changed by the change unit; and a message relay unit (message relay unit 317) that relays the second message toward another mobile communication network (HPLMN 30).
- Another aspect of the present invention is a security proxy device connected to a mobile communication network, including an encapsulation unit that encapsulates a predetermined element included in an original message received from the mobile communication network; a first signature unit that adds a first signature to the first message in which the predetermined element has been encapsulated; and a message transmission unit that transmits the first message to a relay device connected to the security proxy device.
- Another aspect of the present invention is a relay device connected to a security proxy device that is itself connected to a mobile communication network. The relay device includes a message receiving unit that receives a first message in which a predetermined element of an original message, received by the security proxy device from the mobile communication network, has been encapsulated; a change unit that decapsulates the predetermined element included in the first message and changes it; a second signature unit that adds a second signature to the second message including the changed element; and a message relay unit that relays the second message toward another mobile communication network.
- FIG. 1 is an overall schematic configuration diagram of a wireless communication system 10.
- FIG. 2 is a diagram illustrating a configuration example of a network between the vSEPP 210 and the hSEPP 220.
- FIG. 3 is a functional block configuration diagram of the vSEPP 210.
- FIG. 4 is a functional block configuration diagram of the relay device 310.
- FIG. 5 is a diagram showing a message relay sequence between VPLMN20 and HPLMN30.
- FIG. 6A is a diagram illustrating a modification example of HTTP request in vSEPP 210.
- FIG. 6B is a diagram illustrating a modification example of HTTP request in vSEPP 210.
- FIG. 7 is a diagram illustrating an example of a signature for an HTTP request in vSEPP 210.
- FIG. 8 is a diagram illustrating a modification example of HTTP request in the relay apparatus 310.
- FIG. 9 is a diagram illustrating an example of adding a change history to an HTTP request in the relay apparatus 310 and a signature for the HTTP request.
- FIG. 10 is a diagram illustrating a description example of an array of “requesthistory” (change history) in the relay device 310.
- FIG. 11 is a diagram illustrating an example of a signature for an HTTP request in the relay apparatus 320.
- FIG. 12 is a diagram illustrating an example of a hardware configuration of the vSEPP 210 and the relay apparatus 310.
- FIG. 1 is an overall schematic configuration diagram of the radio communication system 10 according to the present embodiment. The radio communication system 10 is a radio communication system according to 5G New Radio (NR).
- The wireless communication system 10 includes a Visited Public Land Mobile Network 20 (hereinafter VPLMN 20) and a Home Public Land Mobile Network 30 (hereinafter HPLMN 30), among other elements.
- The user apparatus 50 (hereinafter UE 50) can access the VPLMN 20 and the HPLMN 30. It communicates wirelessly with the radio access network ((R)AN) included in the VPLMN 20 and with the radio access network (not shown) included in the HPLMN 30, specifically with a gNB (radio base station).
- VPLMN20 is composed of multiple functional entities. Specifically, VPLMN20 includes NSSF (Network Slice Selection Function), NEF (Network Exposure Function), NRF (Network Repository Function), PCF (Policy Control Function), and AF (Application Function).
- NSSF Network Slice Selection Function
- NEF Network Exposure Function
- NRF Network Repository Function
- PCF Policy Control Function
- AF Application Function
- VPLMN20 includes AMF (Access and Mobility Management Function) and SMF (Session Management Function). These function entities provide a Network Function 110 (hereinafter referred to as NF 110). Further, the VPLMN 20 includes a UPF (User Plane Function) and a DN (Data Network).
- AMF Access and Mobility Management Function
- SMF Session Management Function
- NF 110 Network Function 110
- UPF User Plane Function
- DN Data Network
- HPLMN30 has almost the same configuration as VPLMN20.
- HPLMN 30 includes AUSF (Authentication Server Function) and UDM (Unified Data Management). These functional entities provide a Network Function 120 (hereinafter referred to as NF 120).
- AUSF Authentication Server Function
- UDM Unified Data Management
- The VPLMN 20 is equipped with a Visited Security Edge Protection Proxy 210 (hereinafter vSEPP 210), and the HPLMN 30 includes a Home Security Edge Protection Proxy 220 (hereinafter hSEPP 220).
- The vSEPP 210 is connected to the VPLMN 20 (mobile communication network), and the hSEPP 220 is connected to the HPLMN 30 (another mobile communication network). Each of the vSEPP 210 and the hSEPP 220 constitutes a security proxy device.
- N32 is the reference point at the connection between the VPLMN 20 and the HPLMN 30.
- The vSEPP 210 and the hSEPP 220 provide functions related to the security and integrity of the messages (HTTP Request, HTTP Response, etc.) exchanged between the VPLMN 20 and the HPLMN 30.
- FIG. 2 shows an example of the network configuration between the vSEPP 210 and the hSEPP 220. As shown in FIG. 2, IPX providers sit between the vSEPP 210 and the hSEPP 220: IPX provider 1 on the vSEPP 210 side and IPX provider 2 on the hSEPP 220 side.
- IPX provider 1 includes a relay device 310 that relays the messages exchanged between the vSEPP 210 and the hSEPP 220, and IPX provider 2 includes a relay device 320 that relays the same messages. The relay device 310 is connected to the vSEPP 210, and the relay device 320 is connected to the hSEPP 220.
- The relay devices 310 and 320 provide a predetermined service. Depending on the operational conditions of the IPX provider, they can change (including delete or add) predetermined information elements that form part of the relayed message, such as Content-Length in the HTTP headers.
- FIG. 3 is a functional block configuration diagram of the vSEPP 210.
- the vSEPP 210 includes an encapsulation unit 211, a signature unit 213, and a message transmission unit 215.
- the hSEPP 220 has the same configuration as the vSEPP 210.
- The encapsulation unit 211 encapsulates a predetermined element included in the original message received from the VPLMN 20. Specifically, using a key acquired by a predetermined key exchange mechanism, the encapsulation unit 211 encapsulates the body and header of the Request on the Service Based Interface (SBI Request) of the Service Based Architecture (SBA) that is included in the original message.
- The encapsulation unit 211 encapsulates the element in a predetermined data format according to JavaScript (registered trademark) Object Notation (JSON). Specific examples of the elements to be encapsulated are described later.
- the signature unit 213 adds a signature (first signature) to a message (first message) including an SBI request in which a predetermined element is encapsulated by the encapsulation unit 211.
- the signature unit 213 constitutes a first signature unit.
- the signature unit 213 has a function of verifying an added signature as well as adding a signature.
- the signature unit 213 adds a signature of VPLMN20 (Mobile Network Operator (MNO)) to the elements included in the header and payload to be protected included in the SBI request output from the encapsulation unit 211.
- MNO Mobile Network Operator
- a specific example of the signature by vSEPP 210 will be further described later.
- the message transmission unit 215 transmits a message (first message) in which the original message received from the VPLMN 20 is changed to the relay device 310. Specifically, the message transmission unit 215 transmits the message (first message) with the signature added by the signature unit 213 to the relay device 310.
- FIG. 4 is a functional block configuration diagram of the relay device 310. As illustrated in FIG. 4, the relay device 310 includes a message receiving unit 311, a changing unit 313, a signature unit 315, and a message relay unit 317. The relay device 320 has the same configuration as the relay device 310.
- the message receiving unit 311 receives a message from the vSEPP 210. Specifically, the message receiving unit 311 receives a message (first message) to which a predetermined element of SBI Request is encapsulated and an MNO signature is added.
- the changing unit 313 decapsulates the predetermined element included in the message received by the message receiving unit 311. Specifically, the changing unit 313 decapsulates the predetermined element using a key acquired by a predetermined key exchange mechanism.
- the changing unit 313 executes changes to the decapsulated predetermined elements (such as the body and header of the SBI request). As described above, the change to the predetermined element includes deletion and addition of the element.
- the changing unit 313 executes a change to the predetermined element based on a predetermined data format according to JSON.
- The change unit 313 changes the content of the SBI request using the JSON-Patch mechanism (RFC 6902).
- the signature unit 315 adds a signature (second signature) to the message (second message) including the predetermined element changed by the changing unit 313.
- the signature unit 315 constitutes a second signature unit. Note that the signature unit 315 has a function of verifying an added signature as well as adding a signature.
- the signature unit 315 adds the signature of the IPX provider 1 to the change history of the predetermined element by the change unit 313.
- the change history includes the content of encapsulation in vSEPP 210 and the signature (first signature) by the MNO of VPLMN20.
- The signature unit 315 guarantees the integrity of the JSON-Patch, including the linked-list elements ("next", "previous") in the array of changed elements, by adding a signature to the JSON-Patch. The linked-list elements indicate the correct application order of multiple JSON-Patches, so that unauthorized reordering or modification of the content can be prevented.
- a specific example of the signature by the relay apparatus 310 will be further described later.
- the message relay unit 317 relays a message (second message) including the predetermined element changed by the changing unit 313 toward the HPLMN 30 (another mobile communication network). Specifically, the message relay unit 317 relays the message (second message) with the signature added by the signature unit 315 toward the HPLMN 30.
- the message relayed by the message relay unit 317 includes the MNO signature (first signature) of the VPLMN 20, the IPX provider 1 signature (second signature), and the change history of the predetermined element by the changing unit 313.
- FIG. 5 shows a message relay sequence between VPLMN20 and HPLMN30.
- Here, the case in which the message is an SBI Request, specifically an HTTP Request, is described.
- the NF 110 included in the VPLMN 20 transmits an HTTP request to the vSEPP 210 in response to a request from the UE 50 (S10).
- the vSEPP 210 encapsulates the predetermined element included in the received HTTP request, and adds the MNO signature of the VPLMN 20 to the encapsulated predetermined element (S20).
- the vSEPP 210 transmits an HTTP request including a predetermined encapsulated element and a signature added to the relay device 310 operated by the IPX provider 1 (S30).
- the relay device 310 changes the predetermined element of the HTTP request (message) received from the vSEPP 210 and adds the signature of the IPX provider 1 to the change history of the predetermined element (S40).
- the relay device 310 decapsulates the predetermined encapsulated element and executes the change.
- Reasons for making the change include operational conditions in IPX provider 1, such as upper limits on various elements.
- As a more specific example: if the Homogeneous Support of IMS Voice over PS Sessions indication (meaning that VoLTE is possible throughout the LTE node's area) is set to "Supported" but the two operators have no roaming agreement, the HPLMN nevertheless has to treat VoLTE as disabled when deciding how to deliver incoming calls. Because the specification delivers the incoming call as a VoLTE call whenever the flag is "Supported", the flag has to be corrected.
- the relay device 310 transmits the HTTP request including the predetermined element for which the change has been performed and the signature is added to the relay device 320 operated by the IPX provider 2 (S50).
- the relay device 320 adds the signature of the IPX provider 2 to the HTTP request received from the relay device 310 (specifically, the change history of a predetermined element included in the HTTP request) (S60).
- the relay device 320 transmits an HTTP request to which the signature of the IPX provider 2 is further added to the hSEPP 220 (S70).
- the hSEPP 220 confirms all signatures included in the HTTP request received from the relay device 320, and regenerates a service request (SBI request) based on the change history included in the HTTP request (S80).
- HSEPP 220 sends the regenerated SBI request, specifically, HTTP request to NF 120 (S90).
- FIG. 6A shows an HTTP Request before changing a predetermined element
- FIG. 6B shows an HTTP Request after changing the predetermined element.
- The vSEPP 210 adds information that encapsulates the predetermined element according to JSON (see "requesthistory" in FIG. 6B). The vSEPP 210 encapsulates the HTTP request body, headers, URI, etc. as JSON. The method (verb) of the message that carries the encapsulated element is POST, and its URI may be common to all HTTP requests.
- FIG. 7 shows an example of a signature for an HTTP request in vSEPP210.
- The vSEPP 210 adds the MNO signature of the VPLMN 20 to the elements included in the protected header and the protected payload of the HTTP request (the {protectedHeader}.{protectedPayload}.{signature} portion in FIG. 7).
- The protected header contains the algorithm and key ID related to the HTTP Request description; the protected payload (body) contains a JSON object.
- The vSEPP 210 guarantees the integrity of the HTTP Request based on JSON Web Signature (JWS, RFC 7515); the signature algorithm may be, for example, ECDSA (Elliptic Curve Digital Signature Algorithm) or HMAC (Hash-based Message Authentication Code).
- FIG. 8 shows a modification example of HTTP Request in the relay device 310.
- IPX provider 1 terminates the HTTP Request and changes it so that the TCP connection is transferred to a new host, here IPX provider 2 (IPX2) (see the underlined portion in FIG. 8).
- FIG. 9 shows an example of adding a change history to the HTTP request in the relay apparatus 310 and a signature for the HTTP request.
- the relay device 310 adds the change contents of the HTTP request illustrated in FIG. 8 to the “requesthistory” (change history) array. As described above, in the present embodiment, such changes are added based on JSON-Patch (RFC6902).
- The relay device 310 adds the signature of IPX provider 1 to the elements included in the protected header and the protected payload of the HTTP request (see {protectedHeaderIPX1}.{protectedPayloadIPX1}.{signatureIPX1} in FIG. 9).
- FIG. 10 shows a description example of an array of “requesthistory” (change history) in the relay device 310.
- "previous" indicates the entity that changed the HTTP Request before the relay device 310 (IPX provider 1); here it is the vSEPP 210, that is, the MNO of the VPLMN 20.
- The underlined portion in FIG. 10 shows an example of a specific change. "Content-Length" may change depending on the number of new elements (new_element).
- FIG. 11 shows an example of a signature for the HTTP Request in the relay device 320.
- The relay device 320 does not change the HTTP Request received from the relay device 310, but adds the signature of IPX provider 2 to it.
- The signature of IPX provider 2 is added to the elements included in the protected header and the protected payload of the HTTP request (see {protectedHeaderIPX2}.{protectedPayloadIPX2}.{signatureIPX2} in FIG. 11), in the same way as the MNO signature of the VPLMN 20.
- The signature method is the same as that of the vSEPP 210 and the relay device 310.
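The FIG. 5 sequence together with the FIG. 7, 9 and 11 signature layouts, worked through as an added example (this code is not from the patent or its applicant). It models the integrity mechanism only: the encapsulated request travels as plain JSON rather than being encrypted with the exchanged key, every entity signs with a JWS compact serialization (RFC 7515) using HS256, and each IPX entry in "requesthistory" is a JSON-Patch (RFC 6902) whose "previous" field holds the SHA-256 digest of the preceding entry (the patent describes "previous"/"next" links; binding them to a digest is this example's choice). The keys, the entity names, the sample request URI and the body field imsVoiceOverPsSupported are assumptions.

```python
"""Added example, not code from the patent: a runnable model of the FIG. 5 sequence.
vSEPP encapsulates an HTTP request as JSON and signs it (JWS compact serialization,
RFC 7515, alg HS256); each IPX relay appends a signed JSON-Patch (RFC 6902) entry to
"requesthistory" linked to its predecessor; hSEPP verifies every signature and link
and replays the patches.  Keys, names, the digest link and the request are assumed."""
import base64, copy, hashlib, hmac, json

# Assumption: symmetric keys shared out of band (the patent only says "a predetermined
# key exchange mechanism"); a real deployment would use per-entity ECDSA key pairs.
KEYS = {"vplmn-mno": b"vplmn-secret", "ipx1": b"ipx1-secret", "ipx2": b"ipx2-secret"}
# Constructed sample SBI request; URI and field names are illustrative.
ORIGINAL_REQUEST = {
    "method": "POST",
    "uri": "https://udm.hplmn.example/nudm-uecm/v1/registrations",
    "headers": {"Host": "udm.hplmn.example", "Content-Length": "42"},
    "body": {"supi": "imsi-001010123456789", "imsVoiceOverPsSupported": True},
}

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_sign(payload: dict, kid: str) -> str:
    """JWS compact serialization: b64url(header).b64url(payload).b64url(MAC)."""
    header = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(mac)}"

def jws_verify(token: str) -> dict:
    """Return the payload only if alg and kid are acceptable and the MAC verifies."""
    header, body, sig = token.split(".")
    hdr = json.loads(b64u_dec(header))
    if hdr.get("alg") != "HS256" or hdr.get("kid") not in KEYS:  # no alg/kid confusion
        raise ValueError("unacceptable JWS header")
    mac = hmac.new(KEYS[hdr["kid"]], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig)):
        raise ValueError(f"bad signature from {hdr['kid']}")
    return json.loads(b64u_dec(body))

def apply_patch(doc: dict, patch: list) -> dict:
    """Minimal RFC 6902 applier: add, replace and remove on JSON-pointer paths."""
    doc = copy.deepcopy(doc)
    for op in patch:
        parts = [p.replace("~1", "/").replace("~0", "~") for p in op["path"].split("/")[1:]]
        parent = doc
        for p in parts[:-1]:
            parent = parent[p]
        if op["op"] in ("add", "replace"):
            parent[parts[-1]] = op["value"]
        elif op["op"] == "remove":
            del parent[parts[-1]]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return doc

def vsepp_encapsulate(request: dict) -> dict:
    """S20/S30: the MNO signs the encapsulated request as the first history entry."""
    first = {"entity": "vplmn-mno", "previous": None, "request": request}
    return {"requesthistory": [jws_sign(first, "vplmn-mno")]}

def ipx_relay(message: dict, entity: str, patch: list) -> dict:
    """S40/S60: append a signed JSON-Patch entry linked to the previous entry.
    An empty patch is the IPX provider 2 case of FIG. 11: signature, no change."""
    message = copy.deepcopy(message)
    prev = message["requesthistory"][-1]
    entry = {"entity": entity, "patch": patch, "previous": hashlib.sha256(prev.encode()).hexdigest()}
    message["requesthistory"].append(jws_sign(entry, entity))
    return message

def hsepp_reconstruct(message: dict) -> dict:
    """S80: verify every signature and every link, then replay the patches in order."""
    history = message["requesthistory"]
    request = jws_verify(history[0])["request"]
    for i in range(1, len(history)):
        entry = jws_verify(history[i])
        if entry["previous"] != hashlib.sha256(history[i - 1].encode()).hexdigest():
            raise ValueError(f"history link broken at {entry['entity']}")
        request = apply_patch(request, entry["patch"])
    return request

def rejects(message: dict) -> bool:
    """True if hSEPP refuses the message (bad signature, broken link, bad header)."""
    try:
        hsepp_reconstruct(message)
    except ValueError:
        return True
    return False

def run_sequence() -> dict:
    """S10 to S90 with a FIG. 8/10 style change by IPX provider 1."""
    msg = vsepp_encapsulate(ORIGINAL_REQUEST)
    msg = ipx_relay(msg, "ipx1", [
        {"op": "replace", "path": "/headers/Host", "value": "ipx2.example"},
        {"op": "replace", "path": "/body/imsVoiceOverPsSupported", "value": False}])
    msg = ipx_relay(msg, "ipx2", [])
    return hsepp_reconstruct(msg)
```

hsepp_reconstruct refuses a message if any JWS fails to verify, if a header names an unexpected algorithm or an unknown kid (the usual JWS algorithm-confusion pitfall), or if an entry's "previous" digest does not match the entry in front of it; the last check is what stops an intermediary from reordering entries or rewriting another party's change without re-signing. A deployment would replace the HMAC keys with per-entity ECDSA key pairs, as the page's mention of ECDSA implies, and the receiving SEPP would additionally check that the kid of each entry matches the IPX identity expected on that hop.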
- As described above, the vSEPP 210 adds a signature (first signature) to a message (first message) including an SBI Request (HTTP Request) in which a predetermined element has been encapsulated.
- The relay device 310 receives the message from the vSEPP 210, decapsulates the predetermined elements (such as the body and header of the SBI request) and changes them. The relay device 310 then adds a signature (second signature) to the message (second message) including the changed elements.
- Because the signature of each entity (the MNO of the VPLMN 20, IPX provider 1 with the relay device 310, and IPX provider 2 with the relay device 320) is added to the message, the integrity of the message can be guaranteed.
- That is, with the wireless communication system 10 including the vSEPP 210 and the relay device 310, elements of a message relayed between the VPLMN 20 and the HPLMN 30 can be deleted, changed, or added while the integrity of the message is guaranteed.
- The relay device 310 changes the predetermined element based on a predetermined data format according to JSON (JSON-Patch). For this reason, the change to the predetermined element can be implemented
- The relay device 310 (signature unit 315) adds a signature (second signature) to the change history ("requesthistory") of the predetermined element. Integrity can therefore be guaranteed even for the time series of changes to the element.
- The relay device 310 relays toward the HPLMN 30 a message (second message) that includes the MNO signature (first signature) of the VPLMN 20, the signature of IPX provider 1 (second signature), and the change history described above. The HPLMN 30 can therefore confirm that the integrity of the received message, including the time series of changes, is guaranteed before forwarding the message to its destination in the HPLMN 30.
- In the embodiment, JSON-Patch (RFC 6902) is used to change a predetermined element included in a message, but other methods such as JSON Merge Patch (RFC 7396) may be used instead.
- diff, binary diff, or http-patch may also be used; any procedure set or data description language may be used as long as it can be applied to changing or transferring data, messages, and syntactic information.
- The SBI Request has been described as an HTTP Request; the same applies to the SBI Response (HTTP Response).
- The operations of the vSEPP 210 and the relay device 310 have been described as examples; the hSEPP 220 and the relay device 320 can operate in the same manner.
- A configuration in which IPX provider devices (the relay device 310 and the relay device 320) exist between the vSEPP 210 and the hSEPP 220 has been described, but a device other than an IPX provider's may be interposed instead, or no device at all.
- Each functional block may be realized by one device that is physically and/or logically coupled, or by two or more physically and/or logically separated devices that are connected directly and/or indirectly (for example, by wire and/or wirelessly).
- FIG. 12 is a diagram illustrating an example of a hardware configuration of the vSEPP 210 and the relay apparatus 310.
- the device may be configured as a computer device including a processor 1001, a memory 1002, a storage 1003, a communication device 1004, an input device 1005, an output device 1006, a bus 1007, and the like.
- Each functional block of the device (see FIGS. 3 and 4) is realized by any hardware element of the computer device or a combination of the hardware elements.
- the processor 1001 controls the entire computer by operating an operating system, for example.
- the processor 1001 may be configured by a central processing unit (CPU) including an interface with peripheral devices, a control device, an arithmetic device, a register, and the like.
- CPU central processing unit
- The memory 1002 is a computer-readable recording medium and may include, for example, at least one of ROM (Read Only Memory), EPROM (Erasable Programmable ROM), EEPROM (Electrically Erasable Programmable ROM), and RAM (Random Access Memory).
- the memory 1002 may be called a register, a cache, a main memory (main storage device), or the like.
- the memory 1002 can store a program (program code) that can execute the method according to the above-described embodiment, a software module, and the like.
- The storage 1003 is a computer-readable recording medium such as an optical disc (for example a CD-ROM (Compact Disc ROM), a digital versatile disc, or a Blu-ray (registered trademark) disc), a hard disk drive, a flexible disc, a magneto-optical disc, a smart card, flash memory (for example, a card, stick, or key drive), a floppy (registered trademark) disk, or a magnetic strip.
- the storage 1003 may be referred to as an auxiliary storage device.
- the recording medium described above may be, for example, a database including a memory 1002 and / or a storage 1003, a server, or other suitable medium.
- the communication device 1004 is hardware (transmission / reception device) for performing communication between computers via a wired and / or wireless network, and is also referred to as a network device, a network controller, a network card, a communication module, or the like.
- the input device 1005 is an input device (for example, a keyboard, a mouse, a microphone, a switch, a button, a sensor, etc.) that accepts an input from the outside.
- the output device 1006 is an output device (for example, a display, a speaker, an LED lamp, or the like) that performs output to the outside. Note that the input device 1005 and the output device 1006 may have an integrated configuration (for example, a touch panel).
- each device such as the processor 1001 and the memory 1002 is connected by a bus 1007 for communicating information.
- the bus 1007 may be configured with a single bus or may be configured with different buses between apparatuses.
- Notification of information may be performed by physical layer signaling (e.g. DCI (Downlink Control Information), UCI (Uplink Control Information)), higher layer signaling (e.g. RRC signaling, MAC (Medium Access Control) signaling, broadcast information (MIB (Master Information Block), SIB (System Information Block))), other signals, or combinations thereof. RRC signaling may also be referred to as an RRC message and may be, for example, an RRC Connection Setup message or an RRC Connection Reconfiguration message.
- Input/output information may be stored in a specific location (for example, a memory) or may be managed by a management table.
- The input/output information can be overwritten, updated, or appended.
- The output information may be deleted.
- The input information may be transmitted to other devices.
- The specific operations performed by the vSEPP 210 and the relay device 310 may be performed by another network node (device). Further, the functions of the vSEPP 210 and the relay device 310 may be provided by a combination of a plurality of other network nodes.
- A channel and/or a symbol may be a signal where so described.
- The signal may be a message.
- "System" and "network" may be used interchangeably.
- A parameter or the like may be represented by an absolute value, by a relative value from a predetermined value, or by other corresponding information.
- A radio resource may be indicated by an index.
- A base station can accommodate one or a plurality of (for example, three) cells (also called sectors).
- When a base station accommodates multiple cells, the entire coverage area of the base station can be partitioned into multiple smaller areas, and each smaller area can also provide communication services by means of a base station subsystem (e.g. an indoor small base station RRH: Remote Radio Head).
- A cell refers to part or all of the coverage area of a base station and/or a base station subsystem that provides communication services in this coverage.
- A base station may also be referred to by terms such as fixed station, NodeB, eNodeB (eNB), gNodeB (gNB), access point, femtocell, small cell, and the like.
- The UE 50 may be referred to by those skilled in the art as a subscriber station, mobile unit, subscriber unit, wireless unit, remote unit, mobile device, wireless device, wireless communication device, remote device, mobile subscriber station, access terminal, mobile terminal, wireless terminal, remote terminal, handset, user agent, mobile client, client, or some other appropriate term.
- The phrase "based on" does not mean "based only on", unless expressly specified otherwise. In other words, the phrase "based on" means both "based only on" and "based at least on".
- Any reference to elements using designations such as "first", "second", etc. as used herein does not generally limit the amount or order of those elements. These designations can be used herein as a convenient way to distinguish between two or more elements. Thus, a reference to the first and second elements does not mean that only two elements can be employed there, or that in some way the first element must precede the second element.
- Reference numerals: 10 Wireless communication system; 20 VPLMN; 30 HPLMN; 50 UE; 110 NF; 120 NF; 210 vSEPP; 211 Encapsulation unit; 213 Signature unit; 215 Message transmission unit; 220 hSEPP; 310 Relay device; 311 Message reception unit; 313 Change unit; 315 Signature unit; 317 Message relay unit; 320 Relay device; 1001 Processor; 1002 Memory; 1003 Storage; 1004 Communication device; 1005 Input device; 1006 Output device; 1007 Bus
Description
FIG. 1 is an overall schematic configuration diagram of a wireless communication system 10 according to the present embodiment. The wireless communication system 10 is a wireless communication system compliant with 5G New Radio (NR). The wireless communication system 10 includes a Visited Public Land Mobile Network 30 (hereinafter, VPLMN 20) and a Home Public Land Mobile Network 20 (hereinafter, HPLMN 30).
Next, the functional block configuration of the wireless communication system 10 is described, specifically the functional block configurations of the vSEPP 210 and the relay device 310.
FIG. 3 is a functional block diagram of the vSEPP 210. As shown in FIG. 3, the vSEPP 210 includes an encapsulation unit 211, a signature unit 213 and a message transmission unit 215. The hSEPP 220 has the same configuration as the vSEPP 210.
FIG. 4 is a functional block diagram of the relay device 310. As shown in FIG. 4, the relay device 310 includes a message reception unit 311, a change unit 313, a signature unit 315 and a message relay unit 317. The relay device 320 has the same configuration as the relay device 310.
Next, the operation of the wireless communication system 10 is described: the message relay sequence between the VPLMN 20 and the HPLMN 30, an example of message modification at the vSEPP 210 and the relay device 310, and an example of message signing at the vSEPP 210 and the relay device 310.
FIG. 5 shows the message relay sequence between the VPLMN 20 and the HPLMN 30. The case described here is one in which the message is an SBI Request, specifically an HTTP Request.
Next, examples of modifying the message (HTTP Request) and of signing it at the vSEPP 210, the relay device 310 (IPX provider 1) and the relay device 320 (IPX provider 2) are described.
FIGS. 6A and 6B show an example of modification of the HTTP Request at the vSEPP 210. Specifically, FIG. 6A shows the HTTP Request before the predetermined element is modified, and FIG. 6B shows the HTTP Request after the predetermined element is modified.
FIG. 8 shows an example of modification of the HTTP Request at the relay device 310. In the example of FIG. 8, IPX provider 1 terminates the HTTP Request and applies a modification that transfers the TCP connection to a new host (here, IPX provider 2 (IPX2)) (see the underlined part of FIG. 8).
FIG. 11 shows an example of signing the HTTP Request at the relay device 320. Here, the relay device 320 does not modify the HTTP Request received from the relay device 310, but adds the signature of IPX provider 2 to that HTTP Request.
According to the embodiment described above, the following effects are obtained. Specifically, the vSEPP 210 adds a signature (first signature) to a message (first message) containing an SBI Request (HTTP Request) in which the predetermined element is encapsulated.
Although the present invention has been described above in line with the embodiment, the invention is not limited to these descriptions, and it is obvious to those skilled in the art that various modifications and improvements are possible.
Furthermore, the terms "base station", "eNB", "cell" and "sector" may be used interchangeably herein. A base station may also be referred to by terms such as fixed station, NodeB, eNodeB (eNB), gNodeB (gNB), access point, femtocell and small cell.
Claims (6)
- A wireless communication system including a security proxy device connected to a mobile communication network and
a relay device connected to the security proxy device,
wherein the security proxy device comprises:
an encapsulation unit that encapsulates a predetermined element contained in an original message received from the mobile communication network;
a first signature unit that adds a first signature to a first message in which the predetermined element has been encapsulated by the encapsulation unit; and
a message transmission unit that transmits the first message to the relay device,
and the relay device comprises:
a message reception unit that receives the first message;
a change unit that decapsulates the predetermined element contained in the first message and executes a change to the predetermined element;
a second signature unit that adds a second signature to a second message containing the predetermined element changed by the change unit; and
a message relay unit that relays the second message toward another mobile communication network.
- The wireless communication system according to claim 1, wherein the change unit executes the change to the predetermined element on the basis of a predetermined data format.
- The wireless communication system according to claim 1, wherein the second signature unit adds the second signature to a change history of the predetermined element made by the change unit.
- The wireless communication system according to claim 3, wherein the message relay unit relays the second message including the first signature, the second signature and the change history.
- A security proxy device connected to a mobile communication network, comprising:
an encapsulation unit that encapsulates a predetermined element contained in an original message received from the mobile communication network;
a first signature unit that adds a first signature to a first message in which the predetermined element has been encapsulated by the encapsulation unit; and
a message transmission unit that transmits the first message to a relay device connected to the security proxy device.
- A relay device connected to a security proxy device that is connected to a mobile communication network, comprising:
a message reception unit that receives a first message in which a predetermined element contained in an original message received by the security proxy device from the mobile communication network has been encapsulated;
a change unit that decapsulates the predetermined element contained in the first message and executes a change to the predetermined element;
a second signature unit that adds a second signature to a second message containing the predetermined element changed by the change unit; and
a message relay unit that relays the second message toward another mobile communication network.
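The signature chain that the description (FIG. 5, FIG. 8) and claims 1 to 4 lay out, as an added Python example that is not part of the patent or of any 3GPP implementation: the security proxy encapsulates the element and adds the first signature, the relay records its change in a fixed JSON-patch-like format and signs that change history, and the receiving proxy accepts the change only if both signatures verify. HMAC-SHA256 keys, party names and field names are constructed stand-ins for the real per-party signature keys and message format.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo keys. A real deployment would use per-party asymmetric keys
# (e.g. JWS); HMAC-SHA256 stands in for "signature" here so the example runs offline.
KEYS = {"vSEPP": b"vsepp-demo-key", "IPX1": b"ipx1-demo-key"}

def sign(party, payload):
    """Signature over a canonical JSON encoding, so signer and verifier hash the same bytes."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[party], data, hashlib.sha256).hexdigest()

def verify(party, payload, sig):
    return hmac.compare_digest(sign(party, payload), sig)

def vsepp_send(original_element):
    """Security proxy: encapsulate the predetermined element and add the first signature."""
    first_message = {"encapsulated": original_element}
    return {"message": first_message, "sig1": sign("vSEPP", first_message)}

def relay_modify(first_msg, changes):
    """Relay: decapsulate, apply changes in a predetermined format, sign the change
    history, and forward first signature + second signature + history (claims 2-4)."""
    element = copy.deepcopy(first_msg["message"]["encapsulated"])
    history = []
    for path, value in changes:
        history.append({"op": "replace", "path": path,
                        "from": element.get(path), "value": value})
        element[path] = value
    return {"message": first_msg["message"], "sig1": first_msg["sig1"],
            "history": history, "sig2": sign("IPX1", history)}

def verify_chain(second_msg):
    """Receiving proxy: the untouched original must carry a valid vSEPP signature and
    the change history a valid relay signature; a forged edit in either breaks a check."""
    return (verify("vSEPP", second_msg["message"], second_msg["sig1"])
            and verify("IPX1", second_msg["history"], second_msg["sig2"]))

def hsepp_receive(second_msg):
    """Reconstruct the modified element only after the whole chain verifies."""
    if not verify_chain(second_msg):
        raise ValueError("signature chain broken: message or change history tampered")
    element = copy.deepcopy(second_msg["message"]["encapsulated"])
    for change in second_msg["history"]:
        # A production receiver would also check that this path is one the relay may change.
        element[change["path"]] = change["value"]
    return element
```

Because the relay signs only its own change history while the original element keeps the vSEPP signature, the receiver can attribute every modification to the party that made it.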
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2020500984A JP6966624B2 (ja) | 2018-02-21 | 2019-02-20 | 無線通信システム、セキュリティプロキシ装置及び中継装置 |
CN201980005878.5A CN111386682A (zh) | 2018-02-21 | 2019-02-20 | 无线通信系统、安全代理装置及中继装置 |
US16/766,984 US20200329044A1 (en) | 2018-02-21 | 2019-02-20 | Radio communication system, security proxy device, and relay device |
AU2019224247A AU2019224247B2 (en) | 2018-02-21 | 2019-02-20 | Radio communication system, security proxy device, and relay device |
EP19756464.4A EP3709580A4 (en) | 2018-02-21 | 2019-02-20 | WIRELESS COMMUNICATION SYSTEM, SECURITY PROXY DEVICE AND RELAY DEVICE |
CN202311056196.1A CN116866080A (zh) | 2018-02-21 | 2019-02-20 | 无线通信系统 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018-029222 | 2018-02-21 | ||
JP2018029222 | 2018-02-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019163810A1 true WO2019163810A1 (ja) | 2019-08-29 |
Family
ID=67686820
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/006254 WO2019163810A1 (ja) | 2018-02-21 | 2019-02-20 | 無線通信システム、セキュリティプロキシ装置及び中継装置 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20200329044A1 (ja) |
EP (1) | EP3709580A4 (ja) |
JP (1) | JP6966624B2 (ja) |
CN (2) | CN111386682A (ja) |
AU (1) | AU2019224247B2 (ja) |
WO (1) | WO2019163810A1 (ja) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH1091427A (ja) * | 1996-06-11 | 1998-04-10 | Internatl Business Mach Corp <Ibm> | 署名入り内容の使用の安全を保証する方法及びシステム |
JP2002024147A (ja) * | 2000-07-05 | 2002-01-25 | Nec Corp | セキュアメールプロキシシステム及び方法並びに記録媒体 |
JP2008219585A (ja) * | 2007-03-06 | 2008-09-18 | Hitachi Ltd | 署名情報処理方法、そのプログラムおよび情報処理装置 |
JP2011509539A (ja) * | 2007-11-01 | 2011-03-24 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | プロキシを通じて接続されたホスト間の安全なネイバディスカバリ |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4546105B2 (ja) * | 2004-02-03 | 2010-09-15 | 株式会社日立製作所 | メッセージ交換方法、およびメッセージ変換システム |
US7496750B2 (en) * | 2004-12-07 | 2009-02-24 | Cisco Technology, Inc. | Performing security functions on a message payload in a network element |
US8130768B1 (en) * | 2005-07-14 | 2012-03-06 | Avaya Inc. | Enhanced gateway for routing between networks |
US11438310B2 (en) * | 2018-01-25 | 2022-09-06 | Koninklijke Kpn N.V. | IPX signaling security |
US11038923B2 (en) * | 2018-02-16 | 2021-06-15 | Nokia Technologies Oy | Security management in communication systems with security-based architecture using application layer security |
KR102422660B1 (ko) * | 2018-02-16 | 2022-07-20 | 텔레호낙티에볼라게트 엘엠 에릭슨(피유비엘) | 코어 네트워크 도메인들 사이에서 송신되는 메시지의 보호 |
WO2019158716A1 (en) * | 2018-02-19 | 2019-08-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Security negotiation in service based architectures (sba) |
2019
- 2019-02-20 AU AU2019224247A patent/AU2019224247B2/en active Active
- 2019-02-20 CN CN201980005878.5A patent/CN111386682A/zh active Pending
- 2019-02-20 CN CN202311056196.1A patent/CN116866080A/zh active Pending
- 2019-02-20 US US16/766,984 patent/US20200329044A1/en active Pending
- 2019-02-20 JP JP2020500984A patent/JP6966624B2/ja active Active
- 2019-02-20 EP EP19756464.4A patent/EP3709580A4/en active Pending
- 2019-02-20 WO PCT/JP2019/006254 patent/WO2019163810A1/ja unknown
Non-Patent Citations (2)
Title |
---|
"3GPP TS 23.501", December 2017, 3GPP, article "Subclause 4.2.4 Roaming reference architectures, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System Architecture for the 5G System; Stage 2 (Release 15)" |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3886475A1 (en) * | 2020-03-27 | 2021-09-29 | Nokia Technologies Oy | Enhanced hop by hop security |
US20210306326A1 (en) * | 2020-03-27 | 2021-09-30 | Nokia Technologies Oy | Enhanced hop by hop security |
CN113518345A (zh) * | 2020-03-27 | 2021-10-19 | 诺基亚技术有限公司 | 增强的逐跳安全性 |
Also Published As
Publication number | Publication date |
---|---|
JP6966624B2 (ja) | 2021-11-17 |
AU2019224247A1 (en) | 2020-06-18 |
JPWO2019163810A1 (ja) | 2020-12-03 |
CN111386682A (zh) | 2020-07-07 |
EP3709580A4 (en) | 2020-12-23 |
EP3709580A1 (en) | 2020-09-16 |
AU2019224247B2 (en) | 2021-10-21 |
US20200329044A1 (en) | 2020-10-15 |
CN116866080A (zh) | 2023-10-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19756464; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020500984; Country of ref document: JP; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2019224247; Country of ref document: AU; Date of ref document: 20190220; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2019756464; Country of ref document: EP; Effective date: 20200609 |
| NENP | Non-entry into the national phase | Ref country code: DE |