Network security and IMS Security Mechanism

Source: Internet
Author: User
Tags hmac
The following points must be taken into account for network security:
  1. User identity authenticationAre you sure you want to contact me?
  2. Ensure content confidentialityAnd cannot let others know what we are talking about.
  3. Ensure content integrityEnsure that the information I receive is the information sent by the other party, rather than forged by others.
Cryptography
  • Symmetric Key Algorithm
    • Des
    • Rijndael (strong)
    • Triple DES
  • Asymmetric Key Algorithm
    • RSA
  • Message Digest (key not required)
    • MD5
    • SHA-1
Digital Signature

The meaning of digital signature is:

  • The recipient can strictly fulfill the sender's declared identity
  • The sender cannot deny the content of the message in the future.
  • It is impossible for the receiver to fabricate such information by itself.
  • Digital signature using public keys
(alice)P-->Da(P)-->Eb(Da(P))------------->Da(P)=Db(Eb(Da(P)))-->Ea(Da(P))-->P(bob)
  1. Alice sends plaintext P and encrypts it with her own private key da to ensure that this information is sent by Alice.
  2. Bob's public key eb is used for encryption to ensure that this information can only be seen by Bob.
  3. Bob uses his own private key dB for decryption
  4. Use Alice's public key to decrypt and restore P
  • Use the message digest Digital Signature

Sometimes only authentication is required, and content confidentiality is not required.

(alice)P-->H=SHA-1(P)-->Da(H)+P------------------>bob
  1. Alice uses SHA-1 to calculate the P hash value H.
  2. Encrypt h with the private key
  3. Bob decrypts the key of Alice to obtain the hash value H.
  4. Bob uses SHA-1 to calculate the P hash value and H for plaintext P. If the hash value is the same, it means that the packet is sent by Alice and the content has not been modified by others.
Authentication
  • Shared Secret Key-based authentication

The premise is that both parties have shared keys and no third party knows them.

    • Method 1:
alice -----A-----> Bobalice <----Rb----- Bobalice ---Kab(Rb)-> Bobalice -----Ra----> Bobalice <--Kab(Ra)-- Bob
    • Method 2:

Absolute security authentication method:

alice ------------Ra-----------> Bobalice <-Rb,HMAC(Ra,Rb,A,B,Kab)-- Bobalice ------HMAC(Ra,Rb,Kab)----> Bob
  1. Alice first sends bob a temporary value Ra.
  2. Bob selects his own temporary value Rb and sends it back together with an HMAC. HMAC is formed in this way: first, a data structure is established, which includes Alice's temporary value, Bob's temporary value, their identification, and shared secret key KAB; then hash the data structure and the hash result is HMAC.
  3. When Alice received message 2, she now had the identity of Ra, Rb, both sides, and secret key KAB, so she could also calculate HMAC. if the calculated HMAC is the same as the HMAC in the message, she knows that she is talking to Bob.
  4. Alice also gave Bob an HMAC, but this HMAC only contains two temporary values and KAB
IMS securiy

Here we mainly talk about the security between UE and the network. For ease of understanding, I simplified some steps:

Xmac = MAC = F1 (sqn, Rand, K)
Xres = res = F2 (RAND, K)
Ck = F3 (RAND, K)
Ik = F4 (RAND, K)
AV = Rand + xres + ck + ik + auth
Auth = sqn + Mac
Nonce = Rand + auth

  1. The user sends a register request to the IMS network.
  2. S-CSCF request to HSS
  3. HSS returns a series of authentication data AV, including
    1. Random Number Rand,
    2. Response xres,
    3. The password CK used to ensure communication confidentiality,
    4. The ik password used to ensure the integrity of the communication content.
    5. Authentication Information Auth. Auth consists of sqn and Mac. each of the HSS and the terminal maintains an sqn value. Among them, the sqn of the terminal is allocated as sqn when the terminal is successfully registered. therefore, the sqn Of The HSS must be greater than the sqn of the terminal. mac is the hash value generated based on K (user's key), sqn, Rand.
  4. The S-CSCF saves xres and returns 401 to the P-CSCF, which contains nonce and CK, IK.
  5. The P-CSCF saves CK, ik is used to decrypt and encrypt the information after successful verification, and returns 401 to the interrupt, which contains only nonce.
  6. The information obtained by the terminal is Rand, sqn, and Mac. First, determine whether your sqn is smaller than the sqn Of The HSS.
  7. Then, xmac is generated based on K, sqn, and Rand to see if it matches the Mac. This indicates that the message is sent from the IMS network.
  8. Then generate res Based on K and Rand and put the value in the attribute response of the next register.
  9. And generates CK and IK Based on K and Rand. encrypts and decrypts Subsequent messages based on these two keys.
  10. The S-CSCF matches the Response Property in register with the xres value, and if it is the same, it is verified.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.