WO2020093860A1 - Pseudo network device identification method and communication device - Google Patents
Pseudo network device identification method and communication device
- Publication number
- WO2020093860A1 (PCT application PCT/CN2019/112336)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network device
- message
- terminal device
- downlink message
- downlink
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H04W74/00—Wireless channel access
- H04W74/08—Non-scheduled access, e.g. ALOHA
- H04W74/0833—Random access procedures, e.g. with 4-step access
Definitions
- the embodiments of the present application relate to the field of communication technologies, and in particular, to a pseudo network device identification method and a communication device.
- During a pseudo base station attack, the pseudo base station is placed near normal terminal devices. Because its signal quality is better, it attracts terminal devices to camp on it. The pseudo base station then pushes deceptive information or even viruses to the terminal devices; it may also intercept the communication between the normal base station and the terminal device to eavesdrop on the user's private data. In addition, a terminal device that camps on the pseudo base station no longer camps on a cell of the normal base station, so the normal base station cannot page it and the terminal device cannot work normally.
- Normally, when camping on a cell of a normal base station, the terminal device first receives the synchronization signal of the cell and uses it to achieve downlink synchronization with the normal base station. After downlink synchronization, the terminal device receives the broadcast message, which completes the camping process. Meanwhile, the terminal device continuously measures the signal quality of neighboring cells; when the cell reselection condition is met, it performs cell reselection. If a pseudo base station near the terminal device has good signal quality that meets the reselection condition, the terminal device reselects and camps on the pseudo base station.
- Because the pseudo base station can also receive the downlink messages of the normal base station, it can forward them to the terminal device, so the terminal device cannot tell whether it currently camps on the normal base station or on the pseudo base station, which threatens communication security.
- Embodiments of the present application provide a pseudo network device identification method and a communication device, so that a terminal device can tell whether the base station it currently camps on is a pseudo base station, thereby ensuring communication security.
- a pseudo network device identification method provided by an embodiment of the present application can be applied to a terminal device or a chip in the terminal device.
- the method will be described below by taking the terminal device as an example.
- The method includes: the terminal device sends an uplink message to the second network device, and the second network device sends the uplink message on to the first network device; the terminal device receives a downlink message from the second network device, which the second network device received from the first network device. The downlink message is generated by the first network device for the uplink message and is security-processed using first time information. The security processing includes at least one of encryption or integrity protection.
- The first time information is time information determined by the first network device from the time point at which it received the uplink message. The terminal device performs a security check on the downlink message; the security check includes at least one of decryption or integrity verification.
- The uplink message sent by the terminal device is forwarded to the first network device via the second network device. After receiving the uplink message, the first network device generates a downlink message for it, security-processes the downlink message using the first time information, and sends it to the second network device, which sends the security-processed downlink message to the terminal device. The terminal device performs a security check on the received downlink message to identify whether the second network device is a pseudo network device, thereby improving communication security.
- In one design, the terminal device performs the security check on the downlink message using second time information, which is time information the terminal device determines from the time point at which it sent the uplink message. If the terminal device cannot correctly check the downlink message, it determines that the second network device is a pseudo network device.
- The terminal device computes, from the time point at which it sent the uplink message, the time point at which the first network device should have received it, and so obtains the second time information. It then uses the second time information to check the downlink message that the first network device protected with the first time information. Whether the check succeeds decides whether the second network device that delivered the downlink message is a pseudo network device; this identifies pseudo network devices and protects communication security.
- In another design, after the terminal device receives the downlink message from the second network device, it likewise performs the security check on the downlink message using the second time information (time information determined by the terminal device from the time point at which it sent the uplink message), records the number n of downlink messages that could not be checked correctly, and determines whether n exceeds a preset number m. If n exceeds m, the terminal device determines that the second network device is a pseudo network device, where m ≥ 1 and n ≥ 1 are integers.
- Deciding from the number of downlink messages that failed the check, rather than from a single failure, whether a second network device is interposed avoids misjudgment by the terminal device.
- In one design, the downlink message is additionally security-processed by the first network device using a first key, and the terminal device additionally uses a second key in its security check of the downlink message.
- Protecting the downlink message with the first key prevents a pseudo network device from computing the second time information itself, passing the check on the downlink message, and then tampering with it, which further guarantees communication security.
- In one design, the uplink message includes message 1 (Msg1) of the random access procedure, and the downlink message includes message 2 (Msg2) of the random access procedure.
- In one design, before the terminal device sends the uplink message to the second network device, it also receives a broadcast message from the first network device. The broadcast message has been security-processed by the first network device and contains at least one of random access channel (RACH) resource configuration information or the system frame number (SFN).
- In one design, the terminal device sending the uplink message to the second network device includes: the terminal device determines a first RACH resource according to the RACH resource configuration information, which indicates the first RACH resource as the resource on which the terminal device sends the uplink message; the terminal device then sends Msg1 to the second network device on the first RACH resource.
- The terminal device can flexibly choose to send Msg1 on the first RACH resource or on a second RACH resource, so that the identification does not depend on the terminal device actually needing random access.
- In one design, the uplink message includes message 3 (Msg3) of the random access procedure, and the downlink message includes message 4 (Msg4) of the random access procedure.
- In a second aspect, an embodiment of the present application provides a pseudo network device identification method that can be applied to a first network device or to a chip in the first network device. The method is described below taking the first network device as an example.
- The method includes: the first network device receives an uplink message from the second network device, the uplink message having been sent by the terminal device to the second network device; the first network device sends a downlink message to the second network device, which sends it on to the terminal device. The downlink message is generated by the first network device for the uplink message and is security-processed by the first network device using first time information. The security processing includes at least one of encryption or integrity protection, and the first time information is time information determined by the first network device from the time point at which it received the uplink message.
- In one design, before sending the security-processed downlink message to the second network device, the first network device additionally security-processes the downlink message using a first key.
- Protecting the downlink message with the first key prevents a pseudo network device from computing the second time information itself, passing the check on the downlink message, and then tampering with it, which further guarantees communication security.
- In one design, the uplink message includes message 1 (Msg1) of the random access procedure, and the downlink message includes message 2 (Msg2) of the random access procedure.
- In one design, before receiving the uplink message from the second network device, the first network device also sends a security-processed broadcast message to the terminal device. The security-processed broadcast message contains at least one of RACH resource configuration information or the system frame number (SFN). In this way the first network device configures RACH resources for the terminal device.
- In one design, the first network device receiving the uplink message from the second network device consists of receiving Msg1 from the second network device on the first RACH resource, in which case Msg2 carries no uplink grant. The RACH resource configuration information indicates the first RACH resource, which is the resource on which the terminal device sends uplink messages.
- The terminal device can flexibly choose to send Msg1 on the first RACH resource or on a second RACH resource, so that the identification does not depend on the terminal device actually needing random access.
- In one design, the uplink message includes message 3 (Msg3) of the random access procedure, and the downlink message includes message 4 (Msg4) of the random access procedure.
- an embodiment of the present application provides a pseudo network device identification method.
- the method can be applied to a terminal device or a chip in the terminal device.
- the following describes the method by using the terminal device as an example.
- The method includes: the terminal device receives a downlink message from the second network device, the downlink message having been sent by the first network device to the second network device; the downlink message carries indication information that tells the terminal device the validity duration of the downlink message. The terminal device determines from the indication information whether the second network device is a pseudo network device.
- When sending a downlink message to a terminal device, the first network device adds indication information to it that tells the terminal device how long the downlink message is valid, so that the terminal device can determine whether a pseudo second network device is interposed, which ensures communication security.
- In one design, the terminal device determining from the indication information whether the second network device is a pseudo network device consists of determining from the indication information whether the downlink message is still valid; if the downlink message is not valid, the terminal device determines that the second network device is a pseudo network device.
- Adding to the downlink message indication information that states its validity duration lets the terminal device judge from that duration whether the downlink message it received is still valid, and thereby whether the second network device is a pseudo network device, which ensures communication security.
- In one design, the terminal device determining from the indication information whether the second network device is a pseudo network device consists of determining from the indication information whether the downlink message is valid, recording the number n of invalid downlink messages received, and determining whether n exceeds a preset number m; if n exceeds m, the terminal device determines that the second network device is a pseudo network device, where m ≥ 1 and n ≥ 1 are integers.
- Deciding from the number of invalid downlink messages received whether a second network device is interposed avoids misjudgment by the terminal device.
- In one design, the downlink message includes a broadcast message. The terminal device receiving the downlink message from the second network device consists of either receiving a security-processed broadcast message from the second network device, where the broadcast message was security-processed by the first network device and sent to the second network device; or receiving from the second network device a broadcast message that contains security-processed indication information, where the indication information in the broadcast message was security-processed by the first network device.
- The first network device adds indication information to the broadcast message so that, once the terminal device has received the indication information, it can determine from it whether a pseudo network device is currently interposed; this identifies pseudo network devices already in the broadcast message phase.
- an embodiment of the present application provides a pseudo network device identification method.
- the method may be applied to a first network device or a chip in the first network device.
- the method is described below by taking the first network device as an example.
- The method includes: the first network device adds indication information to a downlink message, the indication information telling the terminal device the validity duration of the downlink message; the first network device then sends the downlink message to the second network device, which sends it on to the terminal device.
- When sending a downlink message to a terminal device, the first network device adds indication information to it that tells the terminal device how long the downlink message is valid, so that the terminal device can determine whether a pseudo second network device is interposed, which ensures communication security.
- In one design, the downlink message includes a broadcast message. When sending the downlink message to the second network device, the first network device either security-processes the broadcast message and sends the security-processed broadcast message to the second network device, or security-processes the indication information and sends to the second network device a broadcast message that contains the security-processed indication information.
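The two mechanisms described above, the check on Msg2 bound to the time Msg1 was received (first and second aspects) and the validity window carried by a broadcast (third and fourth aspects), modelled end to end in Python. This is an added example written for this page, not code from the patent or from its applicant. It assumes everything the patent leaves open: a truncated HMAC-SHA-256 tag stands in for the unspecified "security processing", a constructed shared key stands in for the first key (the terminal's second key is taken to be the same key), the time information is the index of a 10 ms radio frame, the terminal knows its one-way propagation delay, the message layouts and the preset m are constructed, and the pseudo base station is modelled as a store-and-forward relay that adds delay.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Every concrete choice below is an assumption for this example: the patent fixes
# neither the integrity algorithm, nor how the keys are derived, nor the
# granularity of the "time information", nor the message layouts.
KEY = b"constructed first secret key"  # the patent's "first secret key", shared by genuine cell and UE
FRAME_MS = 10.0                        # time information = index of the 10 ms radio frame
THRESHOLD_M = 2                        # the patent's preset number m (m >= 1)
MAC_LEN = 8                            # truncated HMAC-SHA-256 tag
SFN_MOD = 1024                         # the system frame number wraps at 1024


def time_info(t_ms: float) -> int:
    """Quantise an absolute time into the unit both sides compare: a frame index."""
    return int(t_ms // FRAME_MS)


def protect(payload: bytes, aad: bytes = b"") -> bytes:
    """Integrity protection with the first key; `aad` binds extra context (the time information)."""
    mac = hmac.new(KEY, aad + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac


def verify(msg: bytes, aad: bytes = b"") -> Optional[bytes]:
    """Return the payload if the tag verifies under this key and context, else None."""
    payload, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
    expected = hmac.new(KEY, aad + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload if hmac.compare_digest(mac, expected) else None


# First and second aspects: Msg2 bound to the frame in which Msg1 was received.

def gnb_handle_msg1(msg1: bytes, t_rx_ms: float) -> bytes:
    """First network device: build Msg2 for the received Msg1 and protect it with the
    first time information (derived from the receive time) and the first key."""
    msg2 = b"MSG2|RAR-for:" + msg1
    return protect(msg2, struct.pack(">I", time_info(t_rx_ms)))


@dataclass
class Terminal:
    prop_delay_ms: float  # assumed known one-way propagation delay to the serving cell
    failures: int = 0     # the patent's n: downlink messages that failed the check

    def check_msg2(self, msg2: bytes, t_tx_ms: float) -> bool:
        """Second time information: the UE predicts when the genuine cell received Msg1."""
        second_time_info = time_info(t_tx_ms + self.prop_delay_ms)
        ok = verify(msg2, struct.pack(">I", second_time_info)) is not None
        if not ok:
            self.failures += 1
        return ok

    def serving_cell_is_pseudo(self) -> bool:
        """Declare a pseudo network device only once n exceeds the preset m."""
        return self.failures > THRESHOLD_M


def run_random_access(ue: Terminal, t_tx_ms: float, relay_delay_ms: float = 0.0) -> bool:
    """One Msg1/Msg2 exchange. relay_delay_ms = 0 models a direct path to the genuine
    cell; a positive value models a pseudo base station storing and forwarding Msg1."""
    msg1 = b"MSG1|preamble=7"
    t_rx_ms = t_tx_ms + ue.prop_delay_ms + relay_delay_ms  # when the genuine cell gets Msg1
    msg2 = gnb_handle_msg1(msg1, t_rx_ms)
    return ue.check_msg2(msg2, t_tx_ms)


# Third and fourth aspects: a broadcast that carries its own validity window.

def gnb_broadcast(start_sfn: int, valid_frames: int) -> bytes:
    """Protected broadcast whose indication information says 'valid from SFN for N frames'."""
    return protect(b"SIB|" + struct.pack(">HH", start_sfn % SFN_MOD, valid_frames))


def ue_broadcast_is_valid(msg: bytes, current_sfn: int) -> bool:
    """Genuine and still inside its validity window, modulo the SFN wrap-around."""
    body = verify(msg)
    if body is None or not body.startswith(b"SIB|"):
        return False
    start_sfn, valid_frames = struct.unpack(">HH", body[4:8])
    return (current_sfn - start_sfn) % SFN_MOD < valid_frames


if __name__ == "__main__":
    ue = Terminal(prop_delay_ms=0.3)
    print("direct path  :", run_random_access(ue, 1000.0))                      # True
    print("25 ms relay  :", run_random_access(ue, 1000.0, relay_delay_ms=25.0))  # False
    print("broadcast @99:", ue_broadcast_is_valid(gnb_broadcast(100, 4), 99))    # False
```

Run the exchange with relay_delay_ms = 0 for the direct path and with a positive delay for a store-and-forward pseudo base station: a delay that pushes the genuine cell's receive time into a different frame makes the tag fail to verify, and once n exceeds m the terminal declares the serving cell pseudo. Two points follow directly from the model. A forwarding delay shorter than the time granularity (5 ms against 10 ms frames here) usually lands in the same frame and passes a single check, so the granularity of the time information sets the smallest relay delay the scheme can notice, and the n-over-m rule guards against sporadic timing errors rather than against a consistently fast relay. The broadcast check compares the current SFN with the validity window modulo the SFN wrap-around, so a window that starts at SFN 1022 is still accepted at SFN 1, while a replayed broadcast that has aged past its window, or one whose indication was altered, is rejected.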
- An embodiment of the present application provides a communication device, which may be a terminal device or a chip in the terminal device. The device may include a processing unit, a sending unit, and a receiving unit.
- When the device is a terminal device, the processing unit may be a processor, the sending unit may be a transmitter, and the receiving unit may be a receiver; the terminal device may further include a storage unit, which may be a memory. The processing unit executes the instructions stored in the storage unit so that the terminal device implements the functions of the first aspect or of any of its possible implementations.
- When the device is a chip in the terminal device, the processing unit may be a processor and the transceiver unit may be an input/output interface, a pin, a circuit, or the like; the processing unit executes the instructions stored in the storage unit so that the terminal device implements the functions of the first aspect or of any of its possible implementations. The storage unit may be a storage unit inside the chip (for example, a register or a cache) or a storage unit in the terminal device outside the chip (for example, read-only memory or random access memory).
- An embodiment of the present application provides a communication apparatus, which may be a first network device or a chip in the first network device. The apparatus may include a processing unit, a sending unit, and a receiving unit.
- When the apparatus is a first network device, the processing unit may be a processor, the sending unit may be a transmitter, and the receiving unit may be a receiver; the first network device may further include a storage unit, which may be a memory. The storage unit stores instructions, and the processing unit executes them so that the first network device implements the functions of the second aspect or of any of its possible implementations.
- When the apparatus is a chip in the first network device, the processing unit may be a processor and the transceiver unit may be an input/output interface, a pin, a circuit, or the like; the processing unit executes the instructions stored in the storage unit so that the first network device implements the functions of the second aspect or of any of its possible implementations. The storage unit may be a storage unit inside the chip (for example, a register or a cache) or a storage unit in the first network device outside the chip (for example, read-only memory or random access memory).
- An embodiment of the present application provides a communication apparatus, which may be a terminal device or a chip in the terminal device. The apparatus may include a processing unit, a sending unit, and a receiving unit.
- When the apparatus is a terminal device, the processing unit may be a processor, the sending unit may be a transmitter, and the receiving unit may be a receiver; the terminal device may further include a storage unit, which may be a memory. The processing unit executes the instructions stored in the storage unit so that the terminal device implements the functions of the third aspect or of any of its possible implementations.
- When the apparatus is a chip in the terminal device, the processing unit may be a processor and the transceiver unit may be an input/output interface, a pin, a circuit, or the like; the processing unit executes the instructions stored in the storage unit so that the terminal device implements the functions of the third aspect or of any of its possible implementations. The storage unit may be a storage unit inside the chip (for example, a register or a cache) or a storage unit in the terminal device outside the chip (for example, read-only memory or random access memory).
- An embodiment of the present application provides a communication apparatus, which may be a first network device or a chip in the first network device. The apparatus may include a processing unit, a sending unit, and a receiving unit.
- When the apparatus is a first network device, the processing unit may be a processor, the sending unit may be a transmitter, and the receiving unit may be a receiver; the first network device may further include a storage unit, which may be a memory. The storage unit stores instructions, and the processing unit executes them so that the first network device implements the functions of the fourth aspect or of any of its possible implementations.
- When the apparatus is a chip in the first network device, the processing unit may be a processor and the transceiver unit may be an input/output interface, a pin, a circuit, or the like; the processing unit executes the instructions stored in the storage unit so that the first network device implements the functions of the fourth aspect or of any of its possible implementations. The storage unit may be a storage unit inside the chip (for example, a register or a cache) or a storage unit in the first network device outside the chip (for example, read-only memory or random access memory).
- an embodiment of the present application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the above-mentioned first aspect or methods in various possible implementation manners of the first aspect.
- an embodiment of the present application provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute the method in the second aspect or various possible implementation manners of the second aspect.
- an embodiment of the present application provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute the method in the third aspect or various possible implementation manners of the third aspect.
- an embodiment of the present application provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute the method in the fourth aspect or various possible implementation manners of the fourth aspect.
- An embodiment of the present application provides a computer-readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the first aspect or of any of its possible implementations.
- An embodiment of the present application provides a computer-readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the second aspect or of any of its possible implementations.
- An embodiment of the present application provides a computer-readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the third aspect or of any of its possible implementations.
- An embodiment of the present application provides a computer-readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the fourth aspect or of any of its possible implementations.
- In summary, the uplink message sent by the terminal device is forwarded to the first network device via the second network device; after receiving the uplink message, the first network device generates a downlink message for it, security-processes the downlink message using the first time information, and sends it to the second network device, which sends the security-processed downlink message to the terminal device; the terminal device performs a security check on the received downlink message to identify whether the second network device is a pseudo network device, thereby improving communication security.
- FIG. 1A is a schematic diagram of a scenario applicable to a method for pseudo network device identification provided by an embodiment of the present application
- FIG. 1B is a schematic diagram of a scenario applicable to another pseudo network device identification method provided by an embodiment of the present application.
- FIG. 3 is a schematic diagram of a security verification process in a method for pseudo network device identification provided by an embodiment of the present application
- FIG. 6 is a flowchart of another pseudo network device identification method provided by an embodiment of the present application.
- FIG. 7 is a schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of another communication device according to an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of yet another communication device provided by an embodiment of this application.
- FIG. 10 is a schematic structural diagram of yet another communication device provided by an embodiment of this application.
- FIG. 11 is a schematic structural diagram of a communication device according to another embodiment of this application.
- FIG. 12 is a schematic structural diagram of yet another communication device provided by an embodiment of the present application.
- the process that the terminal device accesses the cell of the normal base station includes a synchronization phase, a broadcast message phase, and a random access phase.
- the terminal equipment accesses the pseudo base station.
- the terminal device accesses the normal base station.
- After accessing a normal base station, if, because of terminal device movement or other factors, a pseudo base station with better signal quality appears near the terminal device, the terminal device performs cell reselection and accesses the pseudo base station.
- After the terminal device has accessed the pseudo base station, when it receives a downlink message it cannot tell whether it currently camps on the normal base station or on the pseudo base station, because the pseudo base station can also receive the normal base station's downlink messages and forward them to the terminal device; communication security is thereby threatened.
- embodiments of the present application provide a pseudo network device identification method and a communication apparatus, so as to identify whether the terminal device currently resides in a normal network device or a pseudo network device.
- the pseudo network device identification method provided by the embodiments of the present application may be used in a fourth generation (4th generation, 4G) mobile communication system (for example, a long term evolution (LTE) system, an advanced long term evolution system (advanced long term evolution), LTE-A)), the 3rd Generation Partnership Project (3GPP) related cellular system, the 5th generation (5G) mobile communication system and the subsequent evolved communication system.
- 5G can also be called new radio (NR).
- The first network device or the second network device involved in the embodiments of the present application may be a base station, such as a macro base station, a micro base station, or a distributed unit-control unit (DU-CU), that is, a device deployed in the radio access network that is capable of wireless communication with a terminal device.
- The base station can convert received air frames and internet protocol (IP) packets into each other, acting as a router between the terminal equipment and the rest of the access network, where the rest of the access network can include an IP network;
- the base station can also coordinate attribute management of the air interface.
- The base station may be an evolved base station (evolved Node B, eNB or e-NodeB) in LTE, or may be a gNB in NR, or the like.
- The base station can also be a wireless controller in a cloud radio access network (CRAN) scenario, or it can be a relay station, an access point, an in-vehicle device, a wearable device, or a network device in a future public land mobile network (PLMN), etc.; the embodiments of the present application are not limited in this respect.
- the terminal device involved in the embodiments of the present application may be a device that provides voice and / or data connectivity to a user, a handheld device with a wireless connection function, or other processing devices connected to a wireless modem.
- Terminal devices can communicate with one or more core networks via a radio access network (RAN).
- The terminal device can be a mobile terminal device, such as a mobile phone (or "cellular" phone), or a computer with a mobile terminal device; for example, it may be a portable, pocket-sized, hand-held, computer built-in or vehicle-mounted mobile device that exchanges voice and/or data with the radio access network.
- The terminal device may be a personal communication service (PCS) phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a future 5G network, or a terminal in a public land mobile communication network of future evolution.
- Terminal equipment can also be called a system, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point, a remote terminal, an access terminal, a user terminal, a user agent, a user device, or user equipment.
- FIG. 1A is a schematic diagram of a scenario applicable to a pseudo network device identification method provided by an embodiment of the present application.
- the terminal device is located in the cell of the first network device and the cell of the second network device.
- the first network device may be a normal network device
- the second network device may be a pseudo network device.
- If the terminal device accesses the second network device, communication security is threatened.
- Before the first network device sends a downlink message to the terminal device, it first performs security processing on the downlink message and then sends the security-processed downlink message to the terminal device. After receiving the security-processed downlink message, the terminal device determines whether a second network device is involved.
- FIG. 1B is a schematic diagram of a scenario used by another pseudo network device identification method provided by an embodiment of the present application.
- the public network can provide both industrial communication services and public network communication services.
- Factory components include servers in various departments, mobile phones of personnel in various departments, etc.
- factory components can be connected to the control center via network equipment.
- the terminal device directly communicates with the core network of the public network through the DU-CU architecture or network device.
- The network device is a transit node that realizes the communication between the terminal device and the core network; the CU is responsible for centralized control, and the DU is responsible for radio-frequency transmission.
- the control center is responsible for issuing control commands to factory components and processing upstream messages of terminal devices.
- If a factory component accesses a pseudo DU-CU or a pseudo network device, communication security is threatened.
- When a normal DU-CU or normal network device sends a downlink message to a factory component,
- security processing is first performed on the downlink message, and then the security-processed downlink message is sent to the factory component.
- After receiving it, the factory component determines whether a pseudo DU-CU or a pseudo network device is involved.
- FIG. 2 is a flowchart of a pseudo network device identification method provided by an embodiment of the present application. This embodiment describes the pseudo network device identification method of this application from the perspective of interaction between the first network device and the terminal device. This embodiment includes:
- the terminal device sends an uplink message to the second network device.
- When the terminal device has not performed cell reselection or cell handover to the second network device, the uplink message it sends goes directly from the terminal device to the first network device; when the terminal device has performed cell reselection or cell handover and accessed the second network device, the uplink message is first sent to the second network device and then forwarded by the second network device to the first network device.
- The terminal device does not know whether the uplink message is sent directly to the first network device or forwarded by the second network device to the first network device. In other words, the terminal device does not know whether the second network device is a pseudo network device. If the pseudo network device is not identified, then while the terminal device resides in the pseudo network device it will not know that its uplink and downlink messages are being forwarded by the second network device.
- After the terminal device performs cell reselection or handover to the second network device, the terminal device initiates a random access procedure or another communication process.
- the terminal device sends an uplink message to the second network device; correspondingly, the second network device receives the uplink message.
- the second network device sends an uplink message to the first network device.
- the second network device forwards the uplink message to the first network device, and correspondingly, the first network device receives the uplink message forwarded by the second network device.
- the first network device generates a downlink message for the uplink message, and uses the first time information to perform security processing on the downlink message.
- the first time information is time information determined by the first network device according to the time point when the uplink message is received, and the security processing includes at least one of encryption or integrity protection.
- After receiving the uplink message, the first network device generates a downlink message for it and uses the first time information to perform security processing on the downlink message, obtaining the security-processed downlink message. For example, if the uplink message is message one (MSG1) of the random access process, the first network device generates the downlink message message two (MSG2) according to MSG1 and performs security processing on MSG2 to obtain the security-processed MSG2; if the uplink message is message three (MSG3) of the random access process, the first network device generates message four (MSG4) according to MSG3 and performs security processing on MSG4 to obtain the security-processed MSG4; when the uplink message is a message carrying data, etc., the first network device generates a response message according to the uplink message and performs security processing on the response message to obtain a security-processed response message, where the response message includes an acknowledgement (ACK).
- the security processing may include at least one of encryption or integrity protection.
- Encryption means that the first network device uses an encryption algorithm and encryption parameters to process the original downlink message.
- In the encryption process, the downlink message, the encryption parameters and the encryption algorithm are operated together to obtain the encrypted downlink message; after the receiver receives the encrypted downlink message, if it performs the inverse operation with the same algorithm and parameters, it obtains the original, unencrypted downlink message; conversely, if the receiver does not know the encryption algorithm and encryption parameters, it cannot read the original downlink message correctly.
- The receiver is, for example, the terminal device or the second network device.
- Integrity protection means that the encrypted downlink message, the integrity protection parameter and the integrity protection algorithm are operated together to obtain an operation result A (for example, a character string), and the result A is appended to the downlink message and transmitted together with it.
- The receiver operates on the downlink message carrying the result A with the same algorithm and parameters to obtain an operation result B. If A and B are consistent, the downlink message passes the integrity protection check; if the downlink message was illegally altered during transmission, A and B are inconsistent and the downlink message fails the integrity protection check.
- the security processing may include only the encryption process or the integrity protection process, or may also include the encryption and integrity protection processes.
- For example, the security processing is as follows: the first network device first encrypts the downlink message and then performs integrity protection on the encrypted downlink message. After receiving the security-processed downlink message, the receiver first performs integrity protection verification and then decrypts the downlink message that passed the verification.
- the first time information refers to the time determined by the first network device according to the time point when the uplink message is received.
- the first time information may be an absolute time or a relative time, or may be a time that has a fixed deviation from the absolute time or the relative time.
- T2 is a preset time value
- The first network device sends the security-processed downlink message to the second network device.
- The second network device receives the security-processed downlink message sent by the first network device.
- The second network device sends the security-processed downlink message to the terminal device.
- The terminal device receives the security-processed downlink message forwarded via the second network device.
- the terminal device performs a security check on the downlink message.
- the security verification includes at least one of decryption or integrity protection verification.
- the terminal device performs at least one of decryption or integrity protection check on the received downlink message to determine whether the second network device is a pseudo network device. For example, after receiving the safely processed downlink message, the terminal device first performs integrity protection verification, and then decrypts the integrity protection verified downlink message.
- the uplink message sent by the terminal device is forwarded to the first network device via the second network device.
- After receiving the uplink message, the first network device generates a downlink message for it, uses the first time information to perform security processing on the downlink message, and sends it to the second network device; the second network device sends the security-processed downlink message to the terminal device; the terminal device performs a security check on the received downlink message and thereby determines whether the second network device is a pseudo network device, which improves communication security.
- When the terminal device performs the security check on the downlink message, it may use second time information, which is time information the terminal device determines according to the time when it sent the uplink message or according to the time when it received the downlink message; the second time information and the first time information may be the same time or may differ by a fixed time difference. When the terminal device cannot correctly perform the security check on the downlink message, the terminal device determines that the second network device is a pseudo network device.
- the terminal device uses the second time information to perform a security check on the downlink message.
- the uplink message is directly sent from the terminal device to the first network device.
- the downlink message after security processing is also directly sent from the first network device to the terminal device.
- If the terminal device can use the second time information it determined to correctly perform the security check on the received downlink message, the downlink message was sent to the terminal device by the normal first network device.
- If the second time information determined by the terminal device cannot be used to correctly perform the security check on the downlink message, the downlink message was forwarded to the terminal device by a pseudo network device, that is, the second network device.
- the second time information may be the absolute time when the terminal device sends the uplink message, or a relative time, or may be a time that has a fixed deviation from the absolute time or the relative time.
- the terminal device may learn that: t3 may be the same as t1, or there is a fixed time difference t6 between t3 and t1.
- the terminal device cannot learn that there is a fixed time difference t6 between t3 and t1.
- FIG. 3 is a schematic diagram of a security verification process in a pseudo network device identification method provided by an embodiment of the present application.
- When there is no pseudo network device (that is, no second network device) near the terminal device, the terminal device sends an uplink message to the first network device on frame 1, and the first network device receives the uplink message on frame 3.
- the terminal device estimates the time when the first network device receives the uplink message according to the time point when the uplink message is sent on the frame 1, and obtains the second time information according to the calculated time, and the second time information is related to the frame 3, for example;
- the first network device determines the first time information according to the time point when the uplink message is received on the frame 3, and obviously, the first time information is related to the frame 3.
- The terminal device can use the second time information to correctly perform the security verification on the received downlink message, so it considers that no second network device is involved.
- When there is a second network device with better signal quality in the vicinity of the terminal device, the terminal device sends an uplink message to the first network device on frame 1, the second network device intercepts the uplink message on frame 3 and forwards it, and the first network device then receives the forwarded uplink message on frame 4.
- The terminal device estimates the time at which the first network device receives the uplink message according to the time point when it sent the uplink message on frame 1 and obtains the second time information from that estimate; the second time information is related to frame 3, for example.
- The first network device determines the first time information according to the time point when it received the uplink message on frame 4, so the first time information is related to frame 4. Since the first time information is related to frame 4 while the second time information is related to frame 3, after the first network device uses the first time information to perform security processing on the downlink message and sends it to the terminal device, the terminal device cannot use the second time information to correctly perform the security check on the received downlink message, and it therefore determines that the second network device is a pseudo network device.
- The terminal device calculates the time point at which the first network device receives the uplink message according to the time point at which the uplink message was sent and obtains the second time information from it. Using the second time information, it performs the security check on the downlink message that the first network device security-processed with the first time information. According to whether the downlink message can be successfully checked, the second network device that sent the downlink message can be determined to be a pseudo network device, which achieves the purpose of identifying the pseudo network device and ensures communication security.
- the method further includes:
- The terminal device performs the security check on the downlink message using second time information, which is time information determined by the terminal device according to the time point when the uplink message was sent; the terminal device records the number of times n that the downlink message could not be correctly verified; the terminal device determines whether n exceeds a preset number of times m, and if so,
- the terminal device determines that the second network device is a pseudo network device, where m ≥ 1 is an integer and n ≥ 1 is an integer.
- the number of times n may be the number of times that cannot be correctly verified continuously, or the number of times that are discontinuous and accumulated cannot be correctly verified.
- After the terminal device receives the security-processed downlink message, a failure to verify it correctly may be caused by the uplink or downlink message having been forwarded by the second network device, but it may also have other causes. For example, if there are too many terminal devices, the first network device cannot process the uplink messages sent by multiple terminal devices in time, which causes the terminal devices to fail to verify the downlink messages correctly. If the terminal device decided, the first time it failed to verify a security-processed downlink message, that the second network device which sent it is a pseudo network device, a misjudgment could occur.
- When the terminal device receives a security-processed downlink message and cannot verify it correctly, it records that the downlink message could not be correctly verified.
- The cumulative number of times the downlink message could not be correctly verified is n. The terminal device then compares n with the preset number m: if n exceeds m, the second network device is considered a pseudo network device; if not, the uplink message is resent, and the above verification process is repeated after the corresponding downlink message is received. If the downlink message still cannot be verified correctly, n is updated to n + 1, and n + 1 is compared with m; if it exceeds m, the second network device is considered a pseudo network device.
- That is, when the terminal device cannot use the second time information to correctly verify a security-processed downlink message it has received, it records that this downlink message could not be correctly verified.
- The terminal device may receive the security-processed downlink message multiple times,
- and the cumulative number of times the downlink message could not be correctly verified using the second time information is n. It is then judged whether n exceeds the preset number m. If not, the uplink message is resent, so that the first network device again generates a downlink message for it, performs security processing on that downlink message and sends it; the above verification process is then repeated.
- If the downlink message again cannot be correctly verified, the count is updated to n + 1, and n + 1 is compared with the preset number m; if it exceeds m, the second network device is considered a pseudo network device.
- the terminal device determines whether a second network device is involved according to the number of times that the downlink message is not correctly checked to avoid the terminal device from misjudging.
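The following Python simulation is an added example and not code from the patent: it models the frame-keyed security processing of the downlink message (encrypt, then integrity-protect with operation result A, keyed by the first time information), the terminal's check with its own second time information, and the n-versus-m failure counter described above. The shared key, the assumed two-frame uplink delay, the one-frame forwarding delay and the truncated-HMAC construction are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values: one key shared by the terminal device and the first (normal)
# network device (the text allows first key == second key), and the delay, in frames,
# the terminal assumes between sending an uplink message and the first network device
# receiving it (uplink sent on frame 1 is expected to arrive on frame 3).
SHARED_KEY = b"constructed-demo-key-not-a-real-3gpp-key"
EXPECTED_UPLINK_DELAY_FRAMES = 2
MAC_LEN = 8  # bytes of the integrity-protection result A kept in the message


def _keystream(key: bytes, frame: int, length: int) -> bytes:
    """Keystream derived from the key and the frame number (the time information)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + frame.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def security_process(key: bytes, frame: int, downlink: bytes) -> bytes:
    """First network device: encrypt under (key, frame), then integrity-protect.
    Returns ciphertext || result A, where A is a truncated HMAC over frame || ciphertext."""
    ct = bytes(a ^ b for a, b in zip(downlink, _keystream(key, frame, len(downlink))))
    tag_a = hmac.new(key, frame.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]
    return ct + tag_a


def security_check(key: bytes, frame: int, protected: bytes):
    """Terminal device: recompute result B with its own frame estimate and compare it
    with A, then decrypt. Returns the plaintext, or None when the check fails."""
    if len(protected) < MAC_LEN:
        return None
    ct, tag_a = protected[:-MAC_LEN], protected[-MAC_LEN:]
    tag_b = hmac.new(key, frame.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag_a, tag_b):
        return None  # A != B: integrity protection check failed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, frame, len(ct))))


def exchange(uplink_sent_frame: int, extra_delay_frames: int) -> bool:
    """One uplink/downlink round. extra_delay_frames == 0 models the direct path;
    a positive value models the uplink arriving late at the first network device,
    either because a second network device intercepted and forwarded it or because
    the first network device was slow. Returns True when the terminal's check passes."""
    # First time information: the frame on which the uplink actually arrived.
    first_time = uplink_sent_frame + EXPECTED_UPLINK_DELAY_FRAMES + extra_delay_frames
    downlink = b"MSG2 for uplink sent on frame %d" % uplink_sent_frame
    protected = security_process(SHARED_KEY, first_time, downlink)
    # Second time information: the terminal's estimate of that frame.
    second_time = uplink_sent_frame + EXPECTED_UPLINK_DELAY_FRAMES
    return security_check(SHARED_KEY, second_time, protected) == downlink


def identify_pseudo_network_device(extra_delay_per_round, m: int) -> bool:
    """Terminal-side decision with the misjudgment guard: each round resends the
    uplink message; a pseudo network device is declared only once the cumulative
    number n of failed checks exceeds the preset number m."""
    n = 0
    for round_no, extra_delay in enumerate(extra_delay_per_round):
        if not exchange(uplink_sent_frame=1 + 10 * round_no, extra_delay_frames=extra_delay):
            n += 1
            if n > m:
                return True
    return False


if __name__ == "__main__":
    print("direct path, 5 rounds:", identify_pseudo_network_device([0] * 5, m=2))
    print("relayed every round, 5 rounds:", identify_pseudo_network_device([1] * 5, m=2))
    print("one congested round only:", identify_pseudo_network_device([0, 1, 0, 0, 0], m=2))
```

A single late downlink (the congested-round case) does not trip the decision, while a relay that delays every round is detected once n exceeds m.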
- When the first network device uses the first time information to perform security processing on the downlink message,
- it also uses a first key to perform security processing on the downlink message; correspondingly, the terminal device also uses a second key to perform the security check on the downlink message.
- Before, after, or at the same time as performing security processing with the first time information, the first network device performs security processing on the downlink message with the first key. The first network device then sends the downlink message that has been security-processed with the first key and the first time information to the terminal device.
- the first key is a key that can be known by the first network device and the terminal device, and the second network device cannot know the first key.
- After receiving the downlink message, the terminal device performs the security check on it according to the second key corresponding to the first key and the second time information.
- the first key and the second key may be the same key.
- the first key and the second key may be pre-assigned keys, or keys derived from the pre-assigned keys.
- The first network device uses the first key to perform security processing on the downlink message so that a pseudo network device cannot compute the second time information, pass the security verification on the downlink message, and then tamper with it; this further guarantees communication security.
- FIG. 4 is a flowchart of another pseudo network device identification method provided by an embodiment of the present application.
- The uplink message includes message one of a random access process, and the downlink message includes message two of the random access process, where message one is, for example, message (MSG) 1 and message two is, for example, MSG2.
- Taking MSG1 as the uplink message and MSG2 as the downlink message, this embodiment includes:
- the first network device sends a security-processed broadcast message to the terminal device.
- the terminal device accessing the first network device includes a signal synchronization phase, a broadcast message phase, and a random access phase.
- the first network device performs security processing on the broadcast message, and sends the security-processed broadcast message to the terminal device during the broadcast message phase.
- the terminal device receives the security-processed broadcast message.
- the broadcast message after security processing includes random access RACH resource configuration information, and / or, system frame number (system frame number, SFN).
- The RACH resource configuration information sent by the first network device to the terminal device indicates a first RACH resource and a second RACH resource. If the terminal device sends MSG1 on the first RACH resource, this means the terminal device sends MSG1 in order to identify whether a second network device is involved; if the terminal device sends MSG1 on the second RACH resource, this means the terminal device mainly intends random access.
- The terminal device sends MSG1 to the second network device on the resource indicated by the RACH resource configuration information.
- the second network device receives the MSG1.
- The terminal device does not know whether MSG1 is intercepted by the second network device.
- the terminal device directly sends MSG1 to the first network device on the resource indicated by the RACH resource configuration information.
- the second network device sends MSG1 to the first network device.
- the first network device receives the MSG1 message, and determines the first time information according to the time point when the MSG1 message is received.
- The terminal device first needs to determine whether it wants random access or only wants to identify whether a second network device is involved. If the terminal device only wants to identify whether a second network device is involved, it sends MSG1 to the first network device on the first RACH resource; if the terminal device wants normal random access, it sends MSG1 to the first network device on the second RACH resource.
- the first network device generates MSG2 for MSG1, and uses the first time information to perform security processing on MSG2.
- the first network device may also use the first secret key to perform security processing on the MSG2 message.
- the first secret key is, for example, a public key.
- If the first network device determines that MSG1 was sent by the terminal device on the first RACH resource, it generates for MSG1 an MSG2 that does not carry an uplink grant (UL grant) and does not subsequently receive MSG3; if the first network device determines that MSG1 was sent by the terminal device on the second RACH resource, it generates an MSG2 carrying the uplink grant for MSG1 and then continues to receive MSG3.
- the first network device sends the securely processed MSG2 to the second network device.
- the second network device sends the MSG2 that has undergone security processing to the terminal device.
- the terminal device receives the MSG2 that has undergone security processing.
- the terminal device uses the second time information to perform security verification on the MSG2.
- When the first network device also used the first key to perform security processing on MSG2 in step 204 above, in this step the terminal device also needs to use the second key to perform security verification on MSG2.
- The second key is, for example, the private key of the terminal device, and that private key corresponds to the public key in step 204.
- the terminal device determines whether the second network device is a pseudo network device according to whether the downlink message can be correctly checked for security.
- When the RACH resource configuration information indicates the first RACH resource and the second RACH resource, the terminal device can flexibly choose to send MSG1 on the first RACH resource or on the second RACH resource, which avoids the drawback that the terminal device would have to initiate random access merely to identify whether a second network device is involved, even when it does not need random access.
- The uplink message includes message three of a random access process, and the downlink message includes message four of the random access process; this embodiment uses MSG3 and MSG4 of the random access process to identify whether the second network device is a pseudo network device.
- This embodiment includes:
- the first network device sends a broadcast message that has undergone security processing to the terminal device.
- the first network device performs security processing on the broadcast message, and sends the security-processed broadcast message to the terminal device during the broadcast message phase.
- the terminal device receives the security-processed broadcast message.
- the broadcast message after security processing includes random access RACH resource configuration information, and / or, system frame number (system frame number, SFN).
- The terminal device sends MSG1 to the second network device on the resource indicated by the RACH resource configuration information.
- the second network device receives the MSG1.
- the second network device sends MSG1 to the first network device.
- the first network device receives the MSG1.
- the first network device generates MSG2 for MSG1.
- the first network device sends MSG2 to the second network device.
- the second network device receives the MSG2.
- the second network device sends MSG2 to the terminal device.
- the terminal device receives the MSG2.
- the terminal device sends MSG3 to the second network device.
- the second network device sends MSG3 to the first network device.
- the first network device receives the MSG3, and determines the first time information according to the time point of receiving the MSG3; the terminal device determines the second time information according to the time point of sending the MSG3.
- The first network device may also determine the identity of the terminal device according to MSG3, and then determine the private key of the terminal device according to that identity.
- the first network device generates MSG4 for MSG3, and uses the first time information to perform security processing on MSG4.
- the first network device may also use a first key to perform security processing on MSG4.
- the first key is, for example, the private key determined in step 305 above.
- the first network device sends the security-processed MSG4 to the second network device.
- the second network device sends the MSG4 that has undergone security processing to the terminal device.
- the terminal device receives the MSG4 after the security processing.
- the terminal device uses the second time information to perform security verification on the MSG4.
- when the first network device uses the private key to perform security processing on MSG4 in step 309 above, the terminal device in this step also needs to use the private key to perform security verification on MSG4.
- the terminal device determines whether the second network device is a pseudo network device.
- the first network device determines the identity of the terminal device according to MSG3, then determines the private key, and uses the first time information together with the private key to perform security processing on MSG4, so that only a terminal device holding the private key can perform security verification on MSG4, which further ensures communication security.
- the terminal device needs to maintain synchronization with the first network device. Considering clock drift, the terminal device maintains a timer; each time the timer expires, the terminal device initiates random access to perform clock synchronization with the first network device or the core network.
- after receiving the uplink message, the first network device generates a downlink message for the uplink message, performs security processing on the downlink message and sends it to the terminal device, so that the terminal device can determine whether the second network device is a pseudo network device according to whether it can correctly verify the security-processed downlink message.
- the first network device does not always need to receive the uplink message before sending the downlink message.
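As an added illustration of the time-bound security processing in the MSG3/MSG4 exchange described above (example code written for this page, not code from the patent or its applicant), the following Python models the first network device protecting MSG4 with an integrity tag bound to the frame in which it received MSG3, and the terminal verifying that tag against the frame in which it sent MSG3. The 10 ms frame granularity, the one-frame tolerance, the HMAC-SHA256 tag, the constructed MSG3 layout and the per-identity key table are all assumptions made for the example; the description leaves the exact form of the time information and of the security processing open.

```python
"""
Added example (not the patent's own code): time-bound security processing of a
downlink message, modelled on the MSG3/MSG4 exchange of the description.

Assumptions not fixed by the description:
  * the "time information" is the 10 ms frame index of a clock reading;
  * the terminal tolerates one frame of propagation delay and clock skew;
  * the security processing is an HMAC-SHA256 integrity tag (the description
    allows encryption or integrity protection, or both);
  * per-terminal keys are looked up by an identity carried in MSG3.
"""
import hashlib
import hmac

SLOT_MS = 10          # assumption: time information = frame index at 10 ms granularity
TOLERANCE_SLOTS = 1   # assumption: terminal accepts t1 in [t2, t2 + 1] frames
TAG_LEN = 8
PROPAGATION_MS = 2    # constructed: air-interface delay on a direct path

# constructed key store of the first network device, indexed by terminal identity
KEYS = {
    b"ue-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    b"ue-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def time_info(clock_ms: int) -> int:
    """Quantise a millisecond clock reading to the frame index used as time information."""
    return clock_ms // SLOT_MS


def tag_for(key: bytes, msg: bytes, t_info: int) -> bytes:
    """Integrity tag bound to both the message body and one value of time information."""
    return hmac.new(key, msg + t_info.to_bytes(8, "big"), hashlib.sha256).digest()[:TAG_LEN]


def network_process_msg4(msg3: bytes, msg3_rx_ms: int, msg4_body: bytes) -> bytes:
    """First network device: look up the terminal's key via the identity in MSG3 and
    protect MSG4 with the first time information (frame in which MSG3 was received)."""
    identity = msg3.split(b":", 1)[0]          # constructed MSG3 layout: "<identity>:<rest>"
    key = KEYS[identity]
    t1 = time_info(msg3_rx_ms)
    return msg4_body + tag_for(key, msg4_body, t1)


def terminal_verify_msg4(key: bytes, msg4: bytes, msg3_tx_ms: int) -> bool:
    """Terminal: verify MSG4 with the second time information (frame in which it sent MSG3).
    The network's receive frame may lag by propagation delay, so a small window is tried."""
    body, tag = msg4[:-TAG_LEN], msg4[-TAG_LEN:]
    t2 = time_info(msg3_tx_ms)
    return any(hmac.compare_digest(tag_for(key, body, t2 + d), tag)
               for d in range(TOLERANCE_SLOTS + 1))


def exchange(identity: bytes, msg3_tx_ms: int, relay_delay_ms: int) -> bool:
    """One MSG3/MSG4 round trip. relay_delay_ms models the extra latency added when a
    second network device sits between terminal and first network device (0 = direct)."""
    msg3 = identity + b":contention-resolution-id"
    msg3_rx_ms = msg3_tx_ms + PROPAGATION_MS + relay_delay_ms
    msg4 = network_process_msg4(msg3, msg3_rx_ms, b"MSG4:ue-contention-resolution")
    return terminal_verify_msg4(KEYS[identity], msg4, msg3_tx_ms)


if __name__ == "__main__":
    print("direct path:", exchange(b"ue-0001", 1000, 0))
    print("via relay  :", exchange(b"ue-0001", 1000, 40))
```

A second network device that decodes and re-transmits MSG3 delays its arrival at the first network device beyond the tolerance, so the tag is computed over a later frame than the terminal expects and verification fails. How tightly the tolerance can be set against genuine propagation delay and clock drift is exactly why the description has the terminal resynchronise its clock on a timer.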
- how the terminal device determines whether a second network device is involved in this case is described in detail below; for example, see FIG. 6.
- FIG. 6 is a flowchart of another pseudo network device identification method provided by an embodiment of the present application.
- This embodiment describes the pseudo network device identification method described in this application from the perspective of interaction between the first network device and the terminal.
- This embodiment includes:
- the first network device adds indication information to the downlink message, where the indication information is used to indicate to the terminal device the effective duration of the downlink message.
- when sending the downlink message to the terminal device, the first network device adds indication information to the downlink message, where the indication information is used to indicate the effective duration of the downlink message.
- the effective duration indicates a period of time during which the downlink message is valid, or indicates a time point before which the downlink message is valid.
- the first network device sends a downlink message with indication information added to the second network device.
- the downlink message is intercepted by the second network device.
- the second network device sends a downlink message with the indication information added to the terminal device.
- the terminal device determines whether the second network device is a pseudo network device according to the indication information.
- when sending a downlink message to the terminal device, the first network device adds indication information to the downlink message to indicate the effective duration of the downlink message to the terminal device, so that the terminal device determines, according to the effective duration, whether a second network device is involved, thereby ensuring communication security.
- after the terminal device receives the downlink message from the first network device, it further determines whether the downlink message is valid according to the indication information; if the downlink message is valid, the terminal device determines that the second network device is not a pseudo network device; if the downlink message is invalid, the terminal device determines that the second network device is a pseudo network device.
- the terminal device parses out the effective duration and determines whether the second network device is a pseudo network device according to it. For example, if the effective duration indicates that the downlink message is valid within a period of time, the terminal device determines whether the current time falls within that period; if so, it considers that the second network device is not a pseudo network device, otherwise it determines that the second network device is a pseudo network device. For another example, if the effective duration indicates that the downlink message is valid before a certain time point, the terminal device determines whether the current time exceeds that time point; if not, it considers that the second network device is not a pseudo network device, otherwise it determines that the second network device is a pseudo network device.
- indication information indicating the effective duration of the downlink message is added to the downlink message, so that the terminal device determines whether the received downlink message is valid according to the effective duration and thereby identifies whether the second network device is a pseudo network device, ensuring the security of communication.
- when the terminal device determines whether the second network device is a pseudo network device according to the indication information, it may first determine whether the downlink message is valid according to the indication information; the terminal device records the number n of invalid downlink messages received; the terminal device determines whether the number n exceeds a preset number m; if the number n exceeds the preset number m, the terminal device determines that the second network device is a pseudo network device, where m ≥ 1 and is an integer, and n ≥ 1 and is an integer.
- after the terminal device receives a downlink message carrying the indication information and determines according to the indication information that the downlink message is invalid, the invalidity may be caused by the intervention of a second network device or by other reasons. If the terminal device concluded that a second network device is involved the first time it receives an invalid downlink message, a misjudgment could occur. To prevent misjudgment, each time the terminal device receives a downlink message and finds it invalid, it records the number n of invalid downlink messages received so far, and then compares whether the number n exceeds the preset number m.
- the preset number m may mean that the terminal device has received invalid downlink messages m times in succession, or that it has received invalid downlink messages m times in total.
- the terminal device determines whether a second network device intervenes according to the number of times invalid downlink messages are received, which prevents the terminal device from misjudging.
- the process that the terminal device accesses the cell of the normal base station includes a synchronization phase, a broadcast message phase, and a random access phase.
- the first network device does not need to be triggered by the uplink message when sending the broadcast message. In the following, how to recognize the intervention of the second network device in the broadcast message stage will be described in detail.
- the downlink message includes a broadcast message;
- the terminal device receiving the downlink message from the second network device includes: the terminal device receives a security-processed broadcast message from the second network device, where the broadcast message is security-processed by the first network device and sent to the second network device; or, the terminal device receives a broadcast message from the second network device, where the indication information in the broadcast message is security-processed by the first network device.
- before sending a broadcast message to the terminal device, the first network device first adds indication information to the broadcast message and then sends the broadcast message with the added indication information to the terminal device. If a second network device is present, the broadcast message with the added indication information is forwarded to the terminal device via the second network device; correspondingly, the terminal device receives the broadcast message.
- the first network device may perform security processing on the entire broadcast message, or may perform security processing only on the indication information in the broadcast message, which is not limited in the embodiments of this application.
- the first network device adds indication information to the broadcast message, so that after receiving the indication information the terminal device can determine, according to it, whether a pseudo network device is currently involved, thereby achieving the purpose of identifying a pseudo network device at the broadcast message stage.
- the terminal device needs to maintain synchronization with the first network device. Considering clock drift, the terminal device maintains a timer; each time the timer expires, the terminal device initiates random access to perform clock synchronization with the first network device or the core network.
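Example code written for this page (not the patent's or its applicant's), covering the effective-duration indication of FIG. 6 together with the broadcast-message variant just described and the n > m counter that guards against misjudgment. It assumes an indication encoding of one kind byte followed by two millisecond timestamps, an HMAC-SHA256 tag over the indication field only (the description also allows protecting the whole broadcast message; where the terminal holds no shared key a signature would be the natural substitute), and an 8-byte tag appended after the indication. The scenario values are constructed.

```python
"""
Added example (not the patent's own code): a broadcast message whose indication
information states its effective duration, with only the indication field
integrity-protected by the first network device, plus the terminal-side validity
check and the n > m counter used to avoid misjudging a single invalid message.
"""
import hashlib
import hmac
import struct

VALID_WITHIN = 1   # valid during [start_ms, end_ms]
VALID_BEFORE = 2   # valid until deadline_ms (second field unused)
IND_FMT = ">BQQ"   # assumed encoding: kind byte, two 64-bit millisecond timestamps
IND_LEN = struct.calcsize(IND_FMT)   # 17 bytes
TAG_LEN = 8


def encode_indication(kind: int, first_ms: int, second_ms: int = 0) -> bytes:
    return struct.pack(IND_FMT, kind, first_ms, second_ms)


def mac(key: bytes, data: bytes) -> bytes:
    """Assumed security processing: truncated HMAC-SHA256 over the indication."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def network_build_broadcast(key: bytes, payload: bytes, indication: bytes) -> bytes:
    """First network device: append the indication and a tag over the indication only."""
    return payload + indication + mac(key, indication)


def split_broadcast(frame: bytes):
    """Undo the layout above: payload | indication (17 B) | tag (8 B)."""
    tag = frame[-TAG_LEN:]
    indication = frame[-(TAG_LEN + IND_LEN):-TAG_LEN]
    return frame[:-(TAG_LEN + IND_LEN)], indication, tag


class Terminal:
    """Terminal side. n counts invalid downlink messages received; once n exceeds
    the preset m, the second network device is judged to be a pseudo network device."""

    def __init__(self, key: bytes, m: int):
        self.key, self.m, self.n = key, m, 0

    def is_valid(self, frame: bytes, now_ms: int) -> bool:
        _payload, indication, tag = split_broadcast(frame)
        # security check first: a forged or altered indication counts as invalid,
        # so nobody without the key can extend a captured message's effective duration
        if not hmac.compare_digest(mac(self.key, indication), tag):
            return False
        kind, a, b = struct.unpack(IND_FMT, indication)
        if kind == VALID_WITHIN:
            return a <= now_ms <= b        # "valid within a period of time"
        if kind == VALID_BEFORE:
            return now_ms < a              # "valid before a certain point in time"
        return False

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Returns 'valid', 'invalid' (counted, still below threshold) or 'pseudo' (n > m)."""
        if self.is_valid(frame, now_ms):
            return "valid"
        self.n += 1   # counts invalid messages in total; the description also allows "in succession"
        return "pseudo" if self.n > self.m else "invalid"


def simulate(m: int = 2) -> list:
    """Constructed scenario: a genuine broadcast valid for 100 ms is received on time,
    then the same frame is forwarded late three times by a second network device."""
    key = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed key
    frame = network_build_broadcast(key, b"SIB:rach-config,sfn=512",
                                    encode_indication(VALID_WITHIN, 1000, 1100))
    ue = Terminal(key, m)
    results = [ue.receive(frame, 1005)]
    results += [ue.receive(frame, t) for t in (5000, 5200, 5400)]
    return results   # ['valid', 'invalid', 'invalid', 'pseudo']


if __name__ == "__main__":
    print(simulate())
```

The security check runs before the time comparison on purpose: an indication that is merely stale fails the validity test, while an indication that has been rewritten fails the tag check, and both are fed into the same counter, so a single late or corrupted frame does not by itself trigger the pseudo-device verdict.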
- the communication device involved in this embodiment may be a terminal device or a chip applied to the terminal device.
- the communication device may be used to perform the functions of the terminal device in FIG. 2 or the optional embodiment described above.
- the communication device 100 may include a sending unit 11, a receiving unit 12 and a processing unit 13, where:
- the sending unit 11 is configured to send an uplink message to the second network device, and the uplink message is sent by the second network device to the first network device;
- the receiving unit 12 is configured to receive a downlink message from the second network device.
- the downlink message is received by the second network device from the first network device.
- the downlink message is a message generated by the first network device for the uplink message and security-processed using first time information, where the security processing includes at least one of encryption or integrity protection, and the first time information is time information determined by the first network device according to the time point at which the uplink message is received;
- the processing unit 13 is configured to perform a security check on the downlink message, where the security check includes at least one of decryption or integrity protection check.
- the processing unit 13 is configured to perform the security check on the downlink message using second time information, where the second time information is time information determined by the terminal device according to the time point at which it sends the uplink message;
- when the downlink message cannot be correctly verified, the processing unit 13 determines that the second network device is a pseudo network device.
- the processing unit 13 is further configured to perform the security check on the downlink message using the second time information, where the second time information is time information determined by the terminal device according to the time point at which the uplink message is sent; to record the number of times the downlink message cannot be correctly verified as n; and to determine whether the number n exceeds a preset number m, and if the number n exceeds the preset number m, to determine that the second network device is a pseudo network device, where m ≥ 1 and is an integer, and n ≥ 1 and is an integer.
- when the first network device has also used a first key to perform security processing on the downlink message, the processing unit 13 is further configured to perform the security check on the downlink message using a second key.
- the uplink message includes random access message one, and the downlink message includes random access message two.
- before the sending unit 11 sends the uplink message to the second network device, the receiving unit 12 is further configured to receive a broadcast message from the first network device.
- the broadcast message is a message on which the first network device has performed security processing, and it includes at least one of random access RACH resource configuration information or a system frame number SFN.
- the processing unit 13 is configured to determine a first RACH resource according to the RACH resource configuration information, where the RACH resource configuration information indicates the first RACH resource and the first RACH resource is used by the terminal device to send the uplink message;
- the sending unit 11 is configured to send the message one to the second network device on the first RACH resource.
- the uplink message includes message three during random access, and the downlink message includes message four during random access.
- the communication device provided by the embodiment of the present application can perform the actions of the terminal device in FIG. 2 and the optional embodiments described above.
- the implementation principles and technical effects are similar, and are not described herein again.
- FIG. 8 is a schematic structural diagram of another communication device according to an embodiment of the present application.
- the communication device involved in this embodiment may be a first network device, or a chip applied to the first network device.
- the communication apparatus may be used to perform the functions of the first network device in FIG. 2 or the optional embodiment described above.
- the communication device 200 may include:
- the receiving unit 21 is configured to receive an uplink message from the second network device, and the uplink message is sent by the terminal device to the second network device;
- the processing unit 22 is configured to generate a downlink message for the uplink message and use the first time information to perform security processing on the downlink message.
- the security processing includes at least one of encryption or integrity protection.
- the first time information is time information determined by the first network device according to the time point at which the uplink message is received;
- the sending unit 23 is configured to send a downlink message to the second network device, and the downlink message is sent by the second network device to the terminal device.
- the processing unit 22 further uses a first key to perform security processing on the downlink message before the sending unit 23 sends the security-processed downlink message to the second network device.
- the uplink message includes message one during random access, and the downlink message includes message two during random access.
- the sending unit 23 is also used to send a securely processed broadcast message to the terminal device.
- the broadcast message contains at least one of random access RACH resource configuration information or system frame number SFN.
- the receiving unit 21 is specifically configured to receive message one from the second network device on the first RACH resource, where message two does not carry an uplink authorization (uplink grant), the RACH resource configuration information indicates the first RACH resource, and the first RACH resource is the resource on which the terminal device sends the uplink message.
- the uplink message includes message three during random access, and the downlink message includes message four during random access.
- the communication apparatus provided by the embodiment of the present application can perform the actions of the first network device in FIG. 2 and the optional embodiments described above.
- the implementation principles and technical effects are similar, and are not described herein again.
- FIG. 9 is a schematic structural diagram of yet another communication device provided by an embodiment of the present application.
- the communication device involved in this embodiment may be a terminal device or a chip applied to the terminal device.
- the communication device may be used to perform the functions of the terminal device in FIG. 6 or the optional embodiment described above.
- the communication device 300 may include:
- the receiving unit 31 is configured to receive a downlink message from a second network device.
- the downlink message is sent by the first network device to the second network device.
- the downlink message carries indication information, and the indication information is used to indicate the effective duration of the downlink message to the terminal device;
- the processing unit 32 is configured to determine whether the second network device is a pseudo network device according to the indication information.
- the processing unit 32 is configured to determine whether the downlink message is valid according to the indication information, and if the downlink message is invalid, to determine that the second network device is a pseudo network device.
- the processing unit 32 is configured to determine whether the downlink message is valid according to the indication information and record the number of times n that an invalid downlink message is received; to determine whether the number n exceeds a preset number m; and if the number n exceeds the preset number m, to determine that the second network device is a pseudo network device, where m ≥ 1 and is an integer, and n ≥ 1 and is an integer.
- the downlink message includes a broadcast message
- the receiving unit 31 is configured to receive a security-processed broadcast message from the second network device, where the broadcast message is securely processed by the first network device and sent to the second network device;
- the receiving unit 31 is configured to receive the broadcast message from the second network device, where the broadcast message includes the security-processed indication information, and the indication information in the broadcast message is security-processed by the first network device.
- the communication device provided by the embodiment of the present application can perform the actions of the terminal device in FIG. 6 and the optional embodiments described above.
- the implementation principles and technical effects are similar, and are not repeated here.
- FIG. 10 is a schematic structural diagram of yet another communication device provided by an embodiment of the present application.
- the communication device involved in this embodiment may be a first network device, or a chip applied to the first network device.
- the communication apparatus may be used to perform the function of the first network device in FIG. 6 or the optional embodiment described above.
- the communication device 400 may include:
- the processing unit 41 is used to add indication information to the downlink message, and the indication information is used to indicate to the terminal device the effective duration of the downlink message;
- the sending unit 42 is configured to send the downlink message to the second network device, and the downlink message is sent by the second network device to the terminal device.
- the downlink message includes a broadcast message
- the processing unit 41 is configured to perform security processing on the broadcast message, and the sending unit 42 is configured to transmit the security processed broadcast message to the second network device;
- the processing unit 41 is used to perform security processing on the indication information
- the sending unit 42 is used to send a broadcast message containing the security-processed indication information to the second network device.
- the communication device provided by this embodiment of the application may perform the actions of the first network device in FIG. 6 and the optional embodiments described above.
- the implementation principles and technical effects are similar, and details are not described herein again.
- the above receiving unit may be a receiver when actually implemented, and the sending unit may be a transmitter when actually implemented.
- the processing unit may be implemented as software invoked by a processing element, or may be implemented in hardware.
- the processing unit may be a separately established processing element, or may be integrated in a chip of the above device, or may be stored in the memory of the above device in the form of program code that a processing element of the device calls and executes to perform the functions of the above processing units.
- all or part of these units can be integrated together or can be implemented independently.
- the processing element described here may be an integrated circuit with signal processing capabilities.
- each step of the above method, or each unit above, may be completed by hardware integrated logic circuits in a processing element or by instructions in the form of software.
- the above units may be one or more integrated circuits configured to implement the above method, for example one or more application specific integrated circuits (ASICs), one or more microprocessors (digital signal processors, DSPs), or one or more field programmable gate arrays (FPGAs).
- the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor that can call program code.
- these units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
- FIG. 11 is a schematic structural diagram of a communication device according to another embodiment of this application.
- the communication device 500 may include a processor 51 (such as a CPU), a memory 52, a receiver 53 and a transmitter 54; both the receiver 53 and the transmitter 54 are coupled to the processor 51, and the processor 51 controls the receiving operation of the receiver 53 and the sending operation of the transmitter 54;
- the memory 52 may include a high-speed random-access memory (RAM) and may also include a non-volatile memory (NVM), for example at least one disk storage; various instructions for performing the processing functions and implementing the method steps of this application may be stored in the memory 52.
- the communication device involved in this application may further include: a power supply 55 and a communication bus 56.
- the receiver 53 and the transmitter 54 may be integrated in the transceiver of the communication device, or may be independent transceiver antennas on the communication device.
- the communication bus 56 is used to realize the communication connection between the elements.
- the memory 52 is used to store computer-executable program code, and the program code includes instructions; when the processor 51 executes the instructions, the processor 51 of the communication device performs the processing actions of the terminal device in the above method embodiment, the receiver 53 performs the receiving actions of the terminal device in the above method embodiment, and the transmitter 54 performs the sending actions of the terminal device in the above method embodiment.
- the communication device 600 may include a processor 61 (for example, a CPU), a memory 62, a receiver 63 and a transmitter 64; both the receiver 63 and the transmitter 64 are coupled to the processor 61, and the processor 61 controls the receiving operation of the receiver 63 and the sending operation of the transmitter 64;
- the memory 62 may include a high-speed random-access memory (RAM) and may also include a non-volatile memory (NVM), for example at least one disk storage; various instructions for performing the processing functions and implementing the method steps of this application may be stored in the memory 62.
- the communication device involved in this application may further include: a communication bus 64.
- the receiver 63 and the transmitter 64 may be integrated in the transceiver of the communication device, or may be an independent transceiver antenna on the communication device.
- the communication bus 64 is used to realize the communication connection between the elements.
- the memory 62 is used to store computer-executable program code, and the program code includes instructions; when the processor 61 executes the instructions, the processor 61 of the communication device performs the processing actions of the first network device in the above method embodiment, the receiver 63 performs the receiving actions of the first network device in the foregoing embodiment, and the transmitter 64 performs the sending actions of the first network device in the foregoing method embodiment.
- the implementation principles and technical effects are similar and are not repeated here.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer instructions may be transmitted from a website site, computer, server, or data center via wire (e.g.
- the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or a data center that integrates one or more available media.
- the available media may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., DVD), or semiconductor media (e.g., solid state disk (SSD)), and the like.
- the term "plurality" herein refers to two or more.
- the term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone.
- the expression "at least one of ..." means one of the listed items or any combination of them; for example, "at least one of A, B and C" may mean: A alone, B alone, C alone, A and B, B and C, A and C, or A, B and C.
- the character "/" herein generally indicates an "or" relationship between the associated objects; in a formula, the character "/" indicates a "divide" relationship.
- the sequence numbers of the above processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation process of the embodiments of this application.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (32)
- 一种伪网络设备识别方法,其特征在于,包括:终端设备向第二网络设备发送上行消息,所述上行消息由所述第二网络设备发送给第一网络设备;所述终端设备从所述第二网络设备接收下行消息,所述下行消息由所述第二网络设备从所述第一网络设备接收,所述下行消息为所述第一网络设备根据所述上行消息生成、并使用第一时间信息进行安全处理后的消息,所述安全处理包括加密或完整性保护中的至少一种处理,所述第一时间信息为所述第一网络设备根据接收所述上行消息的时间点确定的时间信息;所述终端设备对所述下行消息进行安全校验,所述安全校验包括解密或完整性保护校验中的至少一种校验。
- 根据权利要求1所述的方法,其特征在于,所述终端设备对所述下行消息进行安全校验,包括:所述终端设备使用第二时间信息对所述下行消息进行安全校验,所述第二时间信息为所述终端设备根据发送所述上行消息的时间点确定出的时间信息;所述终端设备无法正确对所述下行消息进行安全校验时,所述终端设备确定所述第二网络设备为伪网络设备。
- 根据权利要求1所述的方法,其特征在于,所述终端设备从所述第二网络设备接收下行消息之后,还包括:所述终端设备使用第二时间信息对所述下行消息进行安全校验,所述第二时间信息为所述终端设备根据发送所述上行消息的时间点确定出的时间信息;所述终端设备记录无法正确校验所述下行消息的次数为n;所述终端设备确定所述次数n是否超过预设次数m,所述次数n超过所述预设次数m,则所述终端设备确定所述第二网络设备为伪网络设备,所述m≥1且为整数,n≥1且为整数。
- 根据权利要求1~3任一项所述的方法,其特征在于,包括:所述下行消息还由所述第一网络设备使用第一秘钥进行安全处理;所述终端设备还使用第二秘钥对所述下行消息进行安全校验。
- 根据权利要求1~4任一项所述的方法,其特征在于,所述上行消息包括随机接入过程中的消息一,所述下行消息包括随机接入过程中的消息二。
- 根据权利要求1~5任一项所述的方法,其特征在于,所述终端设备向第二网络设备发送上行消息之前,还包括:所述终端设备从所述第一网络设备接收广播消息,所述广播消息是由所述第一网络设备进行安全处理后的消息,所述广播消息包含随机接入RACH资源配置信息或系统帧号SFN中的至少一种信息。
- 根据权利要求6所述的方法,其特征在于,所述终端设备向第二网络设备发送上行消息,包括:所述终端设备根据所述RACH资源配置信息,确定第一RACH资源,所述RACH 资源配置信息指示第一RACH资源,所述第一RACH资源用于所述终端设备发送所述上行消息;所述终端设备在所述第一RACH资源上向所述第二网络设备发送所述消息一。
- 根据权利要求1~4任一项所述的方法,其特征在于,所述上行消息包括随机接入过程中的消息三,所述下行消息包括随机接入过程中的消息四。
- 一种伪网络设备识别方法,其特征在于,包括:第一网络设备从第二网络设备接收上行消息,所述上行消息由终端设备发送给所述第二网络设备;所述第一网络设备向所述第二网络设备发送下行消息,所述下行消息由所述第二网络设备发送给所述终端设备,所述下行消息由所述第一网络设备针对所述上行消息生成、并由所述第一网络设备使用第一时间信息进行安全处理,所述安全处理包括加密或完整性保护中的至少一种处理,所述第一时间信息是所述第一网络设备根据接收所述上行消息的时间点确定出的时间信息。
- 根据权利要求9所述的方法,其特征在于,所述第一网络设备向所第二网络设备发送经过安全处理的下行消息之前,还包括:所述第一网络设备使用第一秘钥对所述下行消息进行安全处理。
- 根据权利要求9或10所述的方法,其特征在于,所述上行消息包括随机接入过程中的消息一,所述下行消息包括随机接入过程中的消息二。
- 根据权利要求9~11任一项所述的方法,其特征在于,所述第一网络设备从第二网络设备接收上行消息之前,还包括:所述第一网络设备向所述终端设备发送经过安全处理的广播消息,所述经过安全处理的广播消息包含随机接入RACH资源配置信息或系统帧号SFN中的至少一种信息。
- The method according to claim 12, wherein the first network device receiving the uplink message from the second network device comprises: the first network device receiving message 1 from the second network device on a first RACH resource, where message 2 does not carry an uplink grant, the RACH resource configuration information indicates the first RACH resource, and the first RACH resource is the resource on which the terminal device sends the uplink message.
- The method according to claim 9 or 10, wherein the uplink message comprises message 3 of the random access procedure and the downlink message comprises message 4 of the random access procedure.
- A communication apparatus, comprising: a sending unit configured to send an uplink message to a second network device, the uplink message being forwarded by the second network device to a first network device; a receiving unit configured to receive a downlink message from the second network device, the downlink message being received by the second network device from the first network device, the downlink message being a message generated by the first network device according to the uplink message and security-processed using first time information, the security processing comprising at least one of encryption or integrity protection, and the first time information being time information determined by the first network device according to the time point at which it received the uplink message; and a processing unit configured to perform a security check on the downlink message, the security check comprising at least one of decryption or integrity verification.
- The apparatus according to claim 15, wherein the processing unit is configured to perform the security check on the downlink message using second time information, the second time information being time information determined according to the time point at which the uplink message was sent; and when the processing unit cannot correctly verify the downlink message, the processing unit determines that the second network device is a fake network device.
- The apparatus according to claim 15, wherein, after the receiving unit receives the downlink message from the second network device, the processing unit is further configured to: perform the security check on the downlink message using second time information, the second time information being time information determined according to the time point at which the uplink message was sent; record the number of times the downlink message cannot be correctly verified as n; determine whether n exceeds a preset number m; and, if n exceeds the preset number m, determine that the second network device is a fake network device, where m ≥ 1 and n ≥ 1 are integers.
- The apparatus according to any one of claims 15 to 17, wherein, when the downlink message has additionally been security-processed by the first network device using a first key, the processing unit is further configured to perform the security check on the downlink message using a second key.
- The apparatus according to any one of claims 15 to 18, wherein the uplink message comprises random access message 1 and the downlink message comprises random access message 2.
- The apparatus according to any one of claims 15 to 19, wherein, before the sending unit sends the uplink message to the second network device, the receiving unit is further configured to receive a broadcast message from the first network device, the broadcast message being a message security-processed by the first network device and containing at least one of random access channel (RACH) resource configuration information or a system frame number (SFN).
- The apparatus according to claim 20, wherein the processing unit is configured to determine a first RACH resource according to the RACH resource configuration information, the RACH resource configuration information indicating the first RACH resource and the first RACH resource being used to send the uplink message; and the sending unit is configured to send message 1 to the second network device on the first RACH resource.
- The apparatus according to any one of claims 15 to 18, wherein the uplink message comprises message 3 of the random access procedure and the downlink message comprises message 4 of the random access procedure.
- A communication apparatus, comprising: a receiving unit configured to receive an uplink message from a second network device, the uplink message having been sent by a terminal device to the second network device; a processing unit configured to generate a downlink message for the uplink message and to security-process the downlink message using first time information, the security processing comprising at least one of encryption or integrity protection and the first time information being time information determined according to the time point at which the uplink message was received; and a sending unit configured to send the downlink message to the second network device, the downlink message being forwarded by the second network device to the terminal device.
- The apparatus according to claim 23, wherein, before the sending unit sends the security-processed downlink message to the second network device, the processing unit further security-processes the downlink message using a first key.
- The apparatus according to claim 23 or 24, wherein the uplink message comprises message 1 of the random access procedure and the downlink message comprises message 2 of the random access procedure.
- The apparatus according to any one of claims 23 to 25, wherein, before the receiving unit receives the uplink message from the second network device, the sending unit is further configured to send a security-processed broadcast message to the terminal device, the security-processed broadcast message containing at least one of RACH resource configuration information or a system frame number (SFN).
- The apparatus according to claim 26, wherein the receiving unit is specifically configured to receive message 1 from the second network device on a first RACH resource, where message 2 does not carry an uplink grant, the RACH resource configuration information indicates the first RACH resource, and the first RACH resource is the resource on which the terminal device sends the uplink message.
- The apparatus according to claim 23 or 24, wherein the uplink message comprises message 3 of the random access procedure and the downlink message comprises message 4 of the random access procedure.
- A computer-readable storage medium for storing a computer program or instructions which, when run on a terminal device, cause the terminal device to perform the method according to any one of claims 1 to 8.
- A computer-readable storage medium for storing a computer program or instructions which, when run on a network device, cause the network device to perform the method according to any one of claims 9 to 14.
- A computer program product which, when run on a terminal device, causes the terminal device to perform the method according to any one of claims 1 to 8.
- A computer program product which, when run on a network device, causes the network device to perform the method according to any one of claims 9 to 14.
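The claims above describe a check that binds the genuine base station's downlink reply to the moment it received the uplink message, so that a relaying fake base station, which must decode and retransmit and therefore delays the uplink, produces a reply the terminal cannot verify against its own send time. The following is an added illustration written for this page, not code from the patent or its applicant. Everything the claims leave open is an assumption here: the "time information" is taken to be the 1 ms NR slot index of the Msg1 send/receive instant, the "security processing" is HMAC-SHA256 over the downlink message plus that index under a key the terminal already shares with the genuine station (standing in for the "first key"/"second key" of claims 18 and 24), and the class and function names are invented.

```python
# Added example (not from the patent): time-bound integrity check on Msg2.
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

SLOT_MS = 1  # assumption: 15 kHz NR numerology, one slot = 1 ms


def time_info(t_ms: int) -> int:
    """Both sides derive the same 'time information' from an absolute time.
    Assumption: the slot index of that instant."""
    return t_ms // SLOT_MS


def protect(key: bytes, payload: bytes, t_info: int) -> bytes:
    """Security processing of a downlink message: an integrity tag bound to
    the shared key and to the time information (claims 15/23 plus 18/24)."""
    return hmac.new(key, payload + t_info.to_bytes(4, "big"), hashlib.sha256).digest()


@dataclass
class BaseStation:
    """The first (genuine) network device."""
    key: bytes

    def handle_msg1(self, preamble: bytes, t_recv_ms: int) -> tuple[bytes, bytes]:
        # Downlink message generated from the uplink message (Msg2 for Msg1),
        # tagged with the time information of the *reception* instant.
        msg2 = b"RAR|" + preamble
        return msg2, protect(self.key, msg2, time_info(t_recv_ms))


@dataclass
class Terminal:
    """The terminal device: checks Msg2 against its own *send* time."""
    key: bytes
    m: int = 2   # preset threshold m of claim 17
    n: int = 0   # running count of failed checks

    def verify_msg2(self, msg2: bytes, tag: bytes, t_send_ms: int) -> bool:
        expected = protect(self.key, msg2, time_info(t_send_ms))
        ok = hmac.compare_digest(expected, tag)
        if not ok:
            self.n += 1
        return ok

    def second_device_is_fake(self) -> bool:
        # Claim 16 flags on the first failure; claim 17 waits for n > m.
        return self.n > self.m


def run_access(terminal: Terminal, gnb: BaseStation, relay_delay_ms: int,
               t_send_ms: int = 1000, preamble: bytes = b"\x2a") -> bool:
    """One Msg1/Msg2 exchange. relay_delay_ms == 0 models the terminal talking
    to the genuine base station directly (propagation delay ignored);
    relay_delay_ms > 0 models a fake base station that decodes Msg1 and
    retransmits it, so the genuine station receives it in a later slot."""
    t_recv_ms = t_send_ms + relay_delay_ms
    msg2, tag = gnb.handle_msg1(preamble, t_recv_ms)
    # The fake device forwards msg2 and tag unchanged: without the key it
    # cannot re-tag the reply for the terminal's send slot.
    return terminal.verify_msg2(msg2, tag, t_send_ms)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed shared key for the demo
    ue, gnb = Terminal(key), BaseStation(key)
    print("direct:", run_access(ue, gnb, relay_delay_ms=0))       # True
    for _ in range(3):
        print("relayed:", run_access(ue, gnb, relay_delay_ms=3))  # False
    print("fake detected:", ue.second_device_is_fake())           # True
```

Two practical caveats follow from the model. The quantization step must be coarse enough to absorb genuine propagation delay and timing error, or a legitimate access will straddle a slot boundary and fail; that is why a threshold m > 1 (claim 17) is preferable to flagging on the first failure (claim 16), and why a relay that adds less than one step is not caught at all. The check also assumes the terminal's notion of time comes from a broadcast the attacker cannot alter, which is what claims 20 and 26 require by integrity-protecting the broadcast carrying the SFN and RACH configuration.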
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112021008865-2A BR112021008865A2 (pt) | 2018-11-09 | 2019-10-21 | Information security processing method, communications apparatus and computer-readable storage medium |
EP19882092.0A EP3869846B1 (en) | 2018-11-09 | 2019-10-21 | Fake network device identification method and communication apparatus |
US17/315,049 US20210321260A1 (en) | 2018-11-09 | 2021-05-07 | Fake network device identification method and communications apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811333233.8 | 2018-11-09 | ||
CN201811333233.8A CN111182548B (zh) | 2018-11-09 | 2018-11-09 | Fake network device identification method and communication apparatus |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/315,049 Continuation US20210321260A1 (en) | 2018-11-09 | 2021-05-07 | Fake network device identification method and communications apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020093860A1 (zh) | 2020-05-14 |
Family
ID=70611881
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/112336 WO2020093860A1 (zh) | 2018-11-09 | 2019-10-21 | Fake network device identification method and communication apparatus |
Country Status (5)
Country | Link |
---|---|
US (1) | US20210321260A1 (zh) |
EP (1) | EP3869846B1 (zh) |
CN (2) | CN113709746A (zh) |
BR (1) | BR112021008865A2 (zh) |
WO (1) | WO2020093860A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114270902A (zh) * | 2019-06-17 | 2022-04-01 | Apple Inc. | Method for detecting a fake base station by a UE during handover |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105657713A (zh) * | 2016-03-25 | 2016-06-08 | Zhuhai Wangbo Information Technology Co., Ltd. | Fake AP detection and blocking method, wireless device and router |
CN105792194A (zh) * | 2016-04-25 | 2016-07-20 | China United Network Communications Group Co., Ltd. | Base station legitimacy authentication method, authentication apparatus, network device and authentication system |
CN106028340A (zh) * | 2016-07-29 | 2016-10-12 | Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. | Fake base station identification method and system |
CN106211169A (zh) * | 2016-07-28 | 2016-12-07 | Nubia Technology Co., Ltd. | Fake base station identification apparatus and method |
WO2017113063A1 (zh) * | 2015-12-28 | 2017-07-06 | Huawei Technologies Co., Ltd. | NAS message processing and cell list update method and device |
WO2018140204A1 (en) * | 2017-01-30 | 2018-08-02 | Intel IP Corporation | Fake gNB/eNB detection using identity-based authentication and encryption |
Family Cites Families (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7042854B2 (en) * | 2000-06-26 | 2006-05-09 | Hughes Network Systems, Llc | Method and apparatus for acquiring a synchronization signal |
US7346005B1 (en) * | 2000-06-27 | 2008-03-18 | Texas Instruments Incorporated | Adaptive playout of digital packet audio with packet format independent jitter removal |
US7012893B2 (en) * | 2001-06-12 | 2006-03-14 | Smartpackets, Inc. | Adaptive control of data packet size in networks |
ATE427521T1 (de) * | 2001-07-26 | 2009-04-15 | Freescale Semiconductor Inc | Clock synchronization in a distributed system |
ATE313195T1 (de) * | 2002-04-16 | 2005-12-15 | Bosch Gmbh Robert | Method for synchronizing clocks in a distributed communication system |
US11304123B1 (en) * | 2005-07-14 | 2022-04-12 | Binj Laboratories, Inc. | Systems and methods for detecting and controlling transmission devices |
US10735576B1 (en) * | 2005-07-14 | 2020-08-04 | Binj Laboratories, Inc. | Systems and methods for detecting and controlling transmission devices |
JP5387918B2 (ja) * | 2008-04-30 | 2014-01-15 | NEC Corporation | Router, information processing apparatus having the router, and packet routing method |
US8462819B2 (en) * | 2010-01-06 | 2013-06-11 | Lsi Corporation | Adaptive clock recovery with step-delay pre-compensation |
JP5772395B2 (ja) * | 2011-08-29 | 2015-09-02 | Fujitsu Limited | Program, control method and information processing apparatus for transmission rate control |
CN102970671A (zh) * | 2012-11-27 | 2013-03-13 | PLA Information Engineering University | Communication data acquisition method, fake base station and fake terminal |
CN104837137A (zh) * | 2014-02-10 | 2015-08-12 | Xu Chengqi | Method, system and terminal for preventing fake base station fraud by comparing time differences |
US11159980B2 (en) * | 2014-07-22 | 2021-10-26 | Parallel Wireless, Inc. | Signaling storm reduction from radio networks |
US9900801B2 (en) * | 2014-08-08 | 2018-02-20 | Parallel Wireless, Inc. | Congestion and overload reduction |
US9628994B1 (en) * | 2015-12-30 | 2017-04-18 | Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. | Statistical system and method for catching a man-in-the-middle attack in 3G networks |
US11044260B2 (en) * | 2016-04-01 | 2021-06-22 | The Regents Of The University Of Michigan | Fingerprinting electronic control units for vehicle intrusion detection |
CN106060789B (zh) * | 2016-05-24 | 2018-05-08 | Beijing Xiaomi Mobile Software Co., Ltd. | Short message identification method and apparatus |
CN109417475B (zh) * | 2016-05-30 | 2022-06-28 | Telecom Italia S.p.A. | Privacy protection in a wireless telecommunications network |
WO2018014937A1 (en) * | 2016-07-19 | 2018-01-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Node and method for detecting that a wireless device has been communicating with a non-legitimate device |
CN108012271B (zh) * | 2016-10-28 | 2020-09-25 | China Mobile Communications Co., Ltd. Research Institute | Fake base station discovery method and apparatus |
GB2560357B (en) * | 2017-03-09 | 2020-11-25 | Rosberg System As | Detecting false cell towers |
CN110741661B (zh) * | 2017-05-31 | 2023-05-26 | Apple Inc. | Method, mobile device and computer-readable storage medium for fake base station detection |
US10129283B1 (en) * | 2017-05-31 | 2018-11-13 | Apple Inc. | Detection of a rogue base station |
CN110521228B (zh) * | 2017-06-16 | 2024-04-02 | Motorola Mobility LLC | Malicious cell detection information |
CN111630936A (zh) * | 2017-12-30 | 2020-09-04 | Intel Corporation | Method and device for wireless communication |
US10869195B2 (en) * | 2018-04-23 | 2020-12-15 | T-Mobile Usa, Inc. | Network assisted validation of secure connection to cellular infrastructure |
CN112586018B (zh) * | 2018-08-20 | 2023-02-21 | ZTE Corporation | Method and device for configuring integrity information |
US11877149B2 (en) * | 2018-09-19 | 2024-01-16 | Apple Inc. | Protection of initial non-access stratum protocol message in 5G systems |
CN112956225A (zh) * | 2018-10-26 | 2021-06-11 | Telefonaktiebolaget LM Ericsson (publ) | Method, user equipment and network node for detecting communication with a non-legitimate device |
WO2020087418A1 (zh) * | 2018-10-31 | 2020-05-07 | Shenzhen Heytap Technology Co., Ltd. | Fake base station processing method and apparatus, mobile terminal and storage medium |
EP3874811A1 (en) * | 2018-11-01 | 2021-09-08 | Telefonaktiebolaget LM Ericsson (publ) | Systems and methods for preventing handover caused by an insecure message from a network node |
2018
- 2018-11-09 CN CN202110954187.9A patent/CN113709746A/zh active Pending
- 2018-11-09 CN CN201811333233.8A patent/CN111182548B/zh active Active
2019
- 2019-10-21 EP EP19882092.0A patent/EP3869846B1/en active Active
- 2019-10-21 WO PCT/CN2019/112336 patent/WO2020093860A1/zh unknown
- 2019-10-21 BR BR112021008865-2A patent/BR112021008865A2/pt unknown
2021
- 2021-05-07 US US17/315,049 patent/US20210321260A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP3869846A4 |
Also Published As
Publication number | Publication date |
---|---|
EP3869846B1 (en) | 2023-05-31 |
EP3869846A4 (en) | 2021-12-08 |
CN111182548A (zh) | 2020-05-19 |
US20210321260A1 (en) | 2021-10-14 |
CN111182548B (zh) | 2021-08-31 |
CN113709746A (zh) | 2021-11-26 |
BR112021008865A2 (pt) | 2021-08-31 |
EP3869846A1 (en) | 2021-08-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11889405B2 (en) | Handling a UE that is in the idle state | |
WO2017166221A1 (zh) | Wireless access control method, apparatus and system | |
JP2017518701A (ja) | Systems, methods and apparatus for authentication during fast initial link setup | |
JP7410930B2 (ja) | Protection of non-access stratum communication in a wireless communication network | |
WO2017133021A1 (zh) | Security processing method and related device | |
AU2018340618A1 (en) | Parameter protection method and device, and system | |
US9491621B2 (en) | Systems and methods for fast initial link setup security optimizations for PSK and SAE security modes | |
WO2018166338A1 (zh) | Key update method and apparatus | |
CN114025352A (zh) | Terminal device authentication method and apparatus | |
TW202118259A (zh) | System information protection at a network function in a core network | |
US20230337002A1 (en) | Security context generation method and apparatus, and computer-readable storage medium | |
US20220303763A1 (en) | Communication method, apparatus, and system | |
WO2022127656A1 (zh) | Authentication method and related apparatus | |
WO2018137195A1 (zh) | Message protection method, user equipment and core network device | |
US20210168614A1 (en) | Data Transmission Method and Device | |
JP2018530261A (ja) | Wireless communication | |
WO2020093860A1 (zh) | Fake network device identification method and communication apparatus | |
WO2023179679A1 (zh) | Channel-key-based encryption method and apparatus | |
WO2018049689A1 (zh) | Key agreement method and apparatus | |
CN110351722B (zh) | Information sending method, key generation method and apparatus | |
WO2020147602A1 (zh) | Authentication method, apparatus and system | |
US20200120493A1 (en) | Apparatus and method for communications | |
WO2019213925A1 (zh) | Key update method, device and storage medium | |
WO2023213191A1 (zh) | Security protection method and communication apparatus | |
WO2023160716A1 (zh) | Cell handover method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19882092; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112021008865; Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 2019882092; Country of ref document: EP; Effective date: 20210519 |
| ENP | Entry into the national phase | Ref document number: 112021008865; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20210506 |