鑒權(quán)加密流程

1、33102分組域和電路域的鑒權(quán)加密流程是互相獨立的。目前SGSN實現(xiàn)的時候，可以實現(xiàn)兩種處理：1、是否鑒權(quán)；2、隔多少次鑒權(quán)一次。可以配置間隔的次數(shù)。對于加密來說，每次搭建Iu連接，就需要進(jìn)行加密的重新協(xié)商。哪怕是由于進(jìn)行業(yè)務(wù)引起的Iu連接建立。但是此時只是重新協(xié)商一致性校驗的相關(guān)參數(shù)和加密算法，密鑰CK和IK是不會變的（因為密鑰的產(chǎn)生是在鑒權(quán)流程中根據(jù)RAND產(chǎn)生的，所以只有鑒權(quán)之后，才會產(chǎn)生新的密鑰）。3G是不能重用鑒權(quán)參數(shù)（5元組）的。因為AUTN中有跟時間同步相關(guān)的參數(shù)，所以無法重用。a. 鑒權(quán)流程Figure 5: Authentication and key agreementUp

2、on receipt of a request from the VLR/SGSN, the HE/AuC sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the VLR/SGSN. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a

3、random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM.When the VLR/SGSN initiates an authentication and key agreement, it sele

4、cts the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the user. Authentication vectors in a particular node are used on a first-in / first-out basis. The USIM checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to t

5、he VLR/SGSN. The USIM also computes CK and IK. The VLR/SGSN compares the received RES with XRES. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the USIM and the VLR/SGSN to th

6、e entities which perform ciphering and integrity functions.VLR/SGSNs can offer secure service even when HE/AuC links are unavailable by allowing them to use previously derived cipher and integrity keys for a user so that a secure connection can still be set up without the need for an authentication

7、and key agreement. Authentication is in that case based on a shared integrity key, by means of data integrity protection of signalling messages (see 6.4).The authenticating parties shall be the AuC of the user's HE (HE/AuC) and the USIM in the user's mobile station. The mechanism consists of

8、 the following procedures:總的來說，CK和IK當(dāng)作鑒權(quán)五元組中的一部分，存在SGSN/VLR中。但是SGSN/VLR并不把它們下發(fā)給UE，而是只下發(fā)AUTN和RAND。UE通過對AUTN的鑒權(quán)，達(dá)到對網(wǎng)絡(luò)鑒權(quán)的目的。然后，如果通過了AUTN的鑒權(quán)的話，UE利用RAND，根據(jù)USIM中已經(jīng)寫好的算法，算出RES，然后發(fā)給SGSN/VLR。SGSN/VLR收到后，將其與鑒權(quán)五元組中的XRES相比，如果相同，就代表該UE是合法的。這樣就完成了網(wǎng)絡(luò)對UE的鑒權(quán)。然后，UE在USIM中算出CK和IK，同時，SGSN/VLR也采用相同的CK和IK。（這兩個CK和IK之所以相同，是

9、由于他們都是通過同一個RAND算出來的。所以這樣的話，UE和SGSN/VLR就能采用相同的CK和IK來進(jìn)行數(shù)據(jù)加密了。）KSI:UMTS中使用KSI，GSM中使用CKSN。The key set identifier (KSI) is a number which is associated with the cipher and integrity keys derived during authentication. The key set identifier is allocated by the network and sent with the authentication req

10、uest message to the mobile station where it is stored together with the calculated cipher key CK and integrity key IK. KSI in UMTS corresponds to CKSN in GSM. The USIM stores one KSI/CKSN for the PS domain key set and one KSI/CKSN for the CS domain key set.KSI用于網(wǎng)絡(luò)鑒別保存在UE中的CK和IK。The purpose of the ke

11、y set identifier is to make it possible for the network to identify the cipher key CK and integrity key IK which are stored in the mobile station without invoking the authentication procedure. This is used to allow re-use of the cipher key CK and integrity key IK during subsequent connection set-ups

12、.IK:IK有128bit。在CS和PS與UE之間都可以存在各自的IK。如IKcs，IKps。IK用于在UE和RNC之間的RRC層的完整性保護(hù)。一致性校驗是在RRC層進(jìn)行的。The UIA（UMTS完整性算法） shall be implemented in the ME and in the RNC.Integrity protection shall be applied at the RRC layer.由于在UE和網(wǎng)絡(luò)之間傳送的大多數(shù)的信令信息是相當(dāng)敏感的，所以必須保證它們的完整性。Most control signalling information elements that ar

13、e sent between the MS and the network are considered sensitive and must be integrity protected. A message authentication function shall be applied on these signalling information elements transmitted between the ME and the RNC.CK:CK有128bit。在CS和PS與UE之間都可以存在各自的CK。如CKcs ，CKps加密是在RLC或者M(jìn)AC層進(jìn)行的。是在UE和RNC之間

14、進(jìn)行的。The ciphering function is performed either in the RLC sub-layer or in the MAC sub-layer, according to the following rules:-If a radio bearer is using a non-transparent RLC mode (AM or UM), ciphering is performed in the RLC sub-layer.-If a radio bearer is using the transparent RLC mode, ciphering

15、 is performed in the MAC sub-layer (MAC-d entity).Ciphering when applied is performed in the S-RNC and the ME and the context needed for ciphering (CK, HFN, etc.) is only known in S-RNC and the ME.鑒權(quán)流程由網(wǎng)絡(luò)側(cè)發(fā)起，其目的是：由網(wǎng)絡(luò)來檢查是否允許終端接入網(wǎng)絡(luò)；提供鑒權(quán)參數(shù)五元組中的隨機(jī)數(shù)數(shù)組，供終端計算出加密密鑰（CK）；同時，供終端計算出與網(wǎng)絡(luò)側(cè)進(jìn)行一致性檢查的密鑰（IK）；最后一個目的是可以提

16、供終端對網(wǎng)絡(luò)的鑒權(quán)。 與GSM的鑒權(quán)流程相比，3G的鑒權(quán)流程增加了一致性檢查的功能及終端對網(wǎng)絡(luò)的鑒權(quán)功能。這些功能使3G的安全特性有了進(jìn)一步的增強(qiáng)。網(wǎng)絡(luò)側(cè)在發(fā)起鑒權(quán)前，如果VLR內(nèi)還沒有鑒權(quán)參數(shù)五元組，此時將首先發(fā)起到HLR取鑒權(quán)集的過程，并等待鑒權(quán)參數(shù)五元組的返回。鑒權(quán)參數(shù)五元組的信息包含RAND、XRES、AUTN、CK和IK。在檢測到鑒權(quán)參數(shù)五元組的存在后，網(wǎng)絡(luò)側(cè)下發(fā)鑒權(quán)請求消息。此消息中將包含某個五元組的RAND和AUTN。用戶終端在接收到此消息后，由其USIM驗證AUTN，即終端對網(wǎng)絡(luò)進(jìn)行鑒權(quán)，如果接受，USIM卡將利用RAND來計算出CK與IK和簽名XRES。如果USIM認(rèn)為鑒權(quán)成

17、功，在鑒權(quán)響應(yīng)消息中將返回XRES。網(wǎng)絡(luò)側(cè)在收到鑒權(quán)響應(yīng)消息之后，比較此鑒權(quán)響應(yīng)消息中的XRES與存儲在VLR數(shù)據(jù)庫中的鑒權(quán)參數(shù)五元組的XRES，確定鑒權(quán)是否成功：成功，則繼續(xù)后面的正常流程；不成功，則會發(fā)起異常處理流程，釋放網(wǎng)絡(luò)側(cè)與此終端間的連接，并釋放被占用的網(wǎng)絡(luò)資源、無線資源。（不成功的處理見后面的描述）在成功的鑒權(quán)之后，終端將會把CK（加密密鑰）與IK（一致性檢查密鑰）存放到USIM卡中。鑒權(quán)失敗的話，SGSN會發(fā)起一個鑒權(quán)失敗報告消息給HLR，此時HLR可能會發(fā)起一個cancle location （也就是HLR發(fā)起的分離流程啦）VLR/SGSN可能會發(fā)起一次新的鑒權(quán)加密流程。Upo

18、n receipt of user authentication response Reporting authentication failures from the SGSN/VLR to the HLRThe purpose of this procedure is to provide a mechanism for reporting authentication failures from the serving environment back to the home environment.The procedure is shown in Figure 13.Figure 1

19、3: Reporting authentication failure from VLR/SGSN to HLRThe procedure is invoked by the serving network VLR/SGSN when the authentication procedure fails. The authentication failure report shall contain the subscriber identity and a failure cause code. The possible failure causes are either that the

20、network signature was wrong or that the user response was wrong.The HE may decide to cancel the location of the user after receiving an authentication failure report.b. 加密1、在A/Gb模式下，手機(jī)在發(fā)送了Authentication and Ciphering Response消息后，就開始加密了。2G的加密是在LLC層的。其中在Authentication and Ciphering request消息中帶有2G的加密算法

21、。In A/Gb mode, the scope of ciphering is from the ciphering function in the SGSN to the ciphering function in the MS. Ciphering is done in the LLC layer, and from the perspective of the existing GSM MS-BTS radio path, an LLC PDU is transmitted as plain text.SGSN在收到一個正確的Authentication and Ciphering R

22、esponse消息后，就開始加密。In A/Gb mode, the MS starts ciphering after sending the Authentication and Ciphering Response message. The SGSN starts ciphering when a valid Authentication and Ciphering Response message is received from the MS.2、在Iu模式下，加密的開始是受 security mode setup 流程控制的。當(dāng)發(fā)送了security mode command 下行

23、消息后，下行的消息（包括該消息）就開始了一致性校驗；當(dāng)UE返回了security mode complete 消息后，上行的消息（包括該消息）就開始了一致性校驗。加密的相關(guān)信息，包括CK的選擇、加密算法的選擇，則是在加密模式設(shè)定（security mode setup ）的流程中確定的。所以，根據(jù)流程圖，可以看到在3G里面，是在security mode complete 消息發(fā)送后，UE和UTRAN才開始進(jìn)行加密的（因為通過前面的消息交互，確定了相關(guān)的CK和算法）。這個加密是在RLC層的。加密是在RLC（確認(rèn)和非確認(rèn)模式），透明模式的RLC加密在MAC層，都屬于空口層二，數(shù)據(jù)鏈路層。針對業(yè)務(wù)

24、數(shù)據(jù)和信令。一致性檢查在RRC，針對信令。Security mode set-up procedureThis section describes one common procedure for both ciphering and integrity protection set-up. It is mandatory to start integrity protection of signalling messages by use of this procedure at each new signalling connection establishment between MS

25、and VLR/SGSN. The four exceptions when it is not mandatory to start integrity protection are:-If the only purpose with the signalling connection establishment and the only result is periodic location registration, i.e. no change of any registration information.-If there is no MS-VLR/SGSNsignalling a

26、fter the initial L3 signalling message sent from MS to VLR/SGSN, i.e. in the case of deactivation indication sent from the MS followed by connection release.-If the only MS-VLR/SGSN signalling after the initial L3 signalling message sent from MS to VLR/SGSN, and possible user identity request and au

27、thentication (see below), is a reject signalling message followed by a connection release.When the integrity protection shall be started, the only procedures between MS and VLR/SGSN that are allowed after the initial connection request (i.e. the initial Layer 3 message sent to VLR/SGSN) and before t

28、he security mode set-up procedure are the following:-Identification by a permanent identity (i.e. request for IMSI), and-Authentication and key agreement.The message sequence flow below describes the information transfer at initial connection establishment, possible authentication and start of integ

29、rity protection and possible ciphering.Figure 14: Local authentication and connection set-upNOTE 1:The network must have the "UE security capability" information before the integrity protection can start, i.e. the "UE security capability" must be sent to the network in an unprote

30、cted message. Returning the "UE security capability" later on to the UE in a protected message will give UE the possibility to verify that it was the correct "UE security capability" that reached the network.Detailed description of the flow above:1.RRC connection establishment in

31、cludes the transfer from MS to RNC of the ME security capability optionally the GSM Classmarks 2 and 3 and the START values for the CS service domain respective the PS service domain. The UE security capability information includes the ciphering capabilities (UEAs) and the integrity capabilities (UI

32、As) of the MS. The START values and the UE security capability information are stored in the SRNC. If the GSM Clasmarks 2 and 3 are transmitted during the RRC Connection establishment, the RNC must store the GSM ciphering capability of the UE (see also message 7).2.The MS sends the Initial L3 messag

33、e (Location update request, CM service request, Routing area update request, attach request, paging response etc.) to the VLR/SGSN. This message contains e.g. the user identity and the KSI. The included KSI (Key Set Identifier) is the KSI allocated by the CS service domain or PS service domain at th

34、e last authentication for this CN domain.4.The VLR/SGSN determines which UIAs and UEAs that are allowed to be used in order of preference.5.The VLR/SGSNinitiates integrity and ciphering by sending the RANAP message Security Mode Command to SRNC. This message contains an ordered list of allowed UIAs

35、in order of preference, and the IK to be used. If ciphering shall be started, it contains the ordered list of allowed UEAs in order of preference, and the CK to be used. If a new authentication and security key generation has been performed (see 3 above), this shall be indicated in the message sent

36、to the SRNC. The indication of new generated keys implies that the START value to be used shall be reset (i.e. set to zero) at start use of the new keys. Otherwise, it is the START value already available in the SRNC that shall be used (see 1. above).7.The SRNC generates the RRC message Security mod

37、e command. The message includes the ME security capability, optionally the GSM ciphering capability (if received during RRC Connection establishment), the UIA and FRESH to be used and if ciphering shall be started also the UEA to be used. Additional information (start of ciphering) may also be inclu

38、ded. Because of that the MS can have two ciphering and integrity key sets, the network must indicate which key set to use. This is obtained by including a CN type indicator information in the Security mode command message. Before sending this message to the MS, the SRNC generates the MAC-I (Message

39、Authentication Code for Integrity) and attaches this information to the message.8.At reception of the Security mode command message, the MS controls that the "UE security capability" received is equal to the "UE security capability" sent in the initial message. The same applies t

40、o the GSM ciphering capability if it was included in the RRC Connection Establishment. The MS computes XMAC-I on the message received by using the indicated UIA, the stored COUNT-I and the received FRESH parameter. The MS verifies the integrity of the message by comparing the received MAC-I with the

41、 generated XMAC-I.9.If all controls are successful, the MS compiles the RRC message Security mode complete and generates the MAC-I for this message. If any control is not successful, the procedure ends in the MS.10.At reception of the response message, the SRNC computes the XMAC-I on the message. Th

42、e SRNC verifies the data integrity of the message by comparing the received MAC-I with the generated XMAC-I.11.The transfer of the RANAP message Security Mode Complete response, including the selected algorithms, from SRNC to the VLR/SGSN ends the procedure.The Security mode command to MS starts the

43、 downlink integrity protection, i.e. this and all following downlink messages sent to the MS are integrity protected using the new integrity configuration. The Security mode complete from MS starts the uplink integrity protection, i.e. this and all following messages sent from the MS are integrity p

44、rotected using the new integrity configuration. When ciphering shall be started, the Ciphering Activation time information that is exchanged between SRNC and MS during the Security mode set-up procedure sets the RLC Sequence Number/Connection Frame Number when to start ciphering in Downlink respective Up