Security Problems in the 3G Mobile Station Mobile-Originated Call Access Process

Source: Internet
Author: User

This paper analyzes the security problems in the current 3G reverse-link mobile-originated call process and discusses the security relationship between the MS and the BS: AKA, signalling integrity protection, data confidentiality and intrusion detection. Security and mobility management are considered together, and some new ideas and solutions are put forward for the security problems seen in practice.

1 Preface

The third generation mobile communication system is a broadband mobile communication system working in the 2 GHz band. It differs from the second generation mainly in global roaming and in support for multimedia services at up to 2 Mbit/s, with notably better and broader Internet service. It also brings many security risks, so a discussion of 3G security is necessary. The mobile-originated call process of the mobile station is an important procedure, and discussing its security is significant for the security of the whole system.

When a mobile station initiates a call to another mobile or fixed-network user on a random access channel, the PLMN network begins a series of operations. First, when the MS initiates a call, the radio resource management unit in the mobile station establishes the signalling link through the random access procedure: it sends a channel request message and a security capability message to the base station on the random access channel. If the base station receives it successfully, the request is passed to the radio resource management unit in the base station, which assigns a dedicated channel and sends an immediate assignment message on the access grant channel. The MS also starts a timer at the beginning of the mobile-originated call process and repeats the request at fixed intervals; if the request has been repeated a predetermined number of times and still no response has been received, the call is abandoned. When the MS receives the immediate assignment message and switches to the assigned dedicated channel, it establishes the main signalling link with the BS. From then on, all signalling up to the allocation of the radio traffic channel takes place on this dedicated channel, and signalling during the call after the traffic channel is connected is carried on the control channel. The connection management unit in the MS then continues by sending a service request message to the data link layer to initiate data link establishment. The service request carries a complete layer 3 message, which the BS forwards to the MSC.

2 Mutual authentication and key agreement (AKA)

The MS sends an access request message to the associated visitor location register (VLR) so that the VLR can obtain the mobile station's parameters. The network issues an authentication request containing a random number; the MS processes this random number with a defined algorithm and sends an authentication response to the network, which then determines whether the user is legitimate.

A brief description of the process:

(1) The MS sends its IMSI and the identity of its home location register (HLR) to the visited VLR.

(2) The VLR sends an authentication request to the HLR.

(3) On receiving the VLR's authentication request, the HLR generates a sequence number and a random number, computes the authentication vector AV, and sends it to the VLR.

(4) The VLR receives the AV and sends the random number and the authentication token AUTN to the MS, requesting that the user produce authentication data.

(5) When the MS receives the authentication request, it first computes XMAC and compares it with the MAC contained in AUTN; if they differ, it sends an authentication reject message to the VLR and abandons the process. It also verifies that the received sequence number SQN is within the valid range; if not, the MS sends a synchronisation failure message to the VLR and abandons the process. Once both checks pass, the MS computes RES with F2, CK with F3 and IK with the F4 algorithm, and sends RES to the VLR.

(6) The VLR receives RES from the MS and compares it with XRES from the AV; if they match, authentication succeeds, otherwise it fails.
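The six-step AKA exchange above, as an added simulation that is not part of the original article. It assumes HMAC-SHA256 with a domain tag as a stand-in for the operator-specific functions F1 to F5 (real USIMs use MILENAGE or similar with the exact 3GPP bit layouts), a constructed shared key K, and an SQN acceptance window of 32.

```python
import hmac, hashlib, os

K = b"constructed-shared-secret-K-0123"   # long-term key shared by USIM and HLR/AuC (constructed)
AMF = b"\x80\x00"                          # authentication management field

def f(tag: bytes, *parts: bytes) -> bytes:
    """Keyed stand-in for F1..F5 (assumption): HMAC-SHA256(K, tag || parts); callers truncate."""
    return hmac.new(K, tag + b"".join(parts), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_generate_av(sqn: int) -> dict:
    """Step (3): HLR/AuC builds AV = (RAND, XRES, CK, IK, AUTN) for sequence number SQN."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(b"f1", sqn_b, rand, AMF)[:8]       # F1: network authentication code MAC
    ak = f(b"f5", rand)[:6]                    # F5: anonymity key that conceals SQN on the air
    return {"RAND": rand,
            "XRES": f(b"f2", rand)[:8],        # F2: expected user response
            "CK": f(b"f3", rand)[:16],         # F3: cipher key
            "IK": f(b"f4", rand)[:16],         # F4: integrity key
            "AUTN": xor(sqn_b, ak) + AMF + mac}  # AUTN = (SQN xor AK) || AMF || MAC

def ms_respond(rand: bytes, autn: bytes, sqn_ms: int, window: int = 32):
    """Step (5): USIM verifies MAC, checks SQN freshness, then derives RES, CK, IK."""
    sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn_b = xor(sqn_ak, f(b"f5", rand)[:6])    # recover SQN with the anonymity key
    xmac = f(b"f1", sqn_b, rand, amf)[:8]
    if not hmac.compare_digest(xmac, mac):
        return "REJECT", None                  # MAC mismatch: authentication reject
    sqn = int.from_bytes(sqn_b, "big")
    if not sqn_ms < sqn <= sqn_ms + window:
        return "SYNC_FAILURE", None            # replayed or out-of-range SQN
    return "OK", {"RES": f(b"f2", rand)[:8], "CK": f(b"f3", rand)[:16],
                  "IK": f(b"f4", rand)[:16], "SQN": sqn}

def vlr_check(av: dict, res: bytes) -> bool:
    """Step (6): VLR compares RES from the MS with XRES from the AV."""
    return hmac.compare_digest(av["XRES"], res)

def run_aka(sqn_hlr: int, sqn_ms: int):
    """Run steps (3)-(6); returns (MS status, VLR verdict, whether CK/IK agree on both sides)."""
    av = hlr_generate_av(sqn_hlr)
    status, out = ms_respond(av["RAND"], av["AUTN"], sqn_ms)
    ok = status == "OK" and vlr_check(av, out["RES"])
    keys_agree = ok and out["CK"] == av["CK"] and out["IK"] == av["IK"]
    return status, ok, keys_agree
```

Calling `run_aka(10, 9)` walks the happy path; passing an HLR sequence number at or below the USIM's current value reproduces the synchronisation failure branch of step (5).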

Because the MS and the HLR compute CK with the same algorithm F3, the CK values must be identical. After mutual authentication and key agreement between the MS and the VLR, the resulting CK and IK are used for subsequent confidential communication between the MS and the RNC.

3 Signalling integrity protection and encryption

If authentication succeeds, the network sends a cipher mode command to the MS, passing the information needed to encrypt user data through the BS to the mobile station. The MS returns a cipher mode complete message in response, via the BS and the VLR to the MSC.

The specific process is as follows:

The core network (MSC/VLR or SGSN) decides which integrity and encryption algorithms to use and sends a security mode command to the SRNC carrying parameters such as F8, F9, IK, CK and channel parameters, together with the MSC's instruction to the base station to assign a radio channel. The SRNC compares the security algorithm capabilities supported by the MS with the encryption algorithms it is licensed to use, chooses which F8 and F9 algorithms will be used in security mode, and sends the corresponding message to the MS to start integrity protection.

The MS checks the integrity of the received message and sends a security mode setup complete message to the SRNC (signalling later carried on the SACCH and FACCH during the process is handled in the same way).

If the check passes, a security mode setup message is sent to the core network to report the security algorithms adopted. All subsequent signalling must be integrity protected, and the MS's mobility management also monitors the start of integrity protection.

When the core network receives the security mode setup message from the base station, the security control procedure has started successfully. If encryption is required, after a certain activation time the MS and the SRNC can begin encrypting traffic data, channel identifiers, signalling and so on.

After the VLR sends the cipher mode message to the MSC, the user's service type and other data are passed to the MSC. At this point the mobile station's registration in the VLR is complete. If necessary, the VLR temporarily allocates a TMSI to the MS, which is used within that location area; if the MS later updates its location area again, a new TMSI is allocated.

After responding to the cipher mode command, the MS and the MSC carry out a series of signalling exchanges in which the MSC allocates the terrestrial channel and the BS assigns the radio traffic channel TCH. The process is:

The MS sends a setup message to the MSC to continue call establishment. When the MSC receives the message, it sends a message to the VLR to obtain the call parameters. If successful, the VLR returns a call completion message to the MSC, which sends a call proceeding message to the MS. The MSC also allocates the terrestrial channel for this call and requires the BS to allocate the radio traffic channel TCH; the terrestrial channel identifier is included in the assignment request command.

During signalling integrity protection and encryption, messages are passed to the BS, which first verifies signalling integrity and then decrypts the traffic and signalling information; the decrypted traffic and signalling are passed through the core network to the other BS.

In addition, if the mobile station's location changes during the call, the AKA and registration process, steps (1) to (6), must be carried out again, except that the TMSI rather than the IMSI is used. Because each random number is different, each newly generated IK and CK differ from the previous IK and CK, which prevents replay attacks.

Similarly, the mobile-terminated call process is analogous: after the random access procedure, the same security procedures are applied on the reverse link.

4 Intrusion Detection

During authentication and the call process, a stolen MS may exploit its earlier legitimate status to make frequent calls; an intrusion detection system can effectively prevent such behaviour. By designing an IDS for the mobile communication network that monitors and reports the state of user activity, potential intrusions can be detected as close to real time as possible, avoiding frequent attacks on the system by dishonest legitimate users and by illegitimate users.

The system can verify the user's movement speed and equipment, allowing rapid intrusion detection. This requires the IDS to gather statistics on the normal behaviour of the MS and build a profile of the user's normal behaviour. Against this background, when an intruder requests a network service it inevitably deviates significantly from the legitimate user's behaviour profile (for example, frequent handovers and calls in a low user-density area may trigger an intrusion warning), so the IDS can detect intruders from their unusual activity.

The CPD (Calling Profile Database) is the core of the whole IDS; it records the normal communication behaviour characteristics of the system's legitimate users. The MSC is responsible for transmitting user communication behaviour to the CPD in real time for centralised processing. When the CPD judges that an unlawful intrusion has occurred, it issues a warning message. The CPD is also reachable from the PSTN: users can telephone the CPD centre directly to confirm that their mobile phone has been stolen, and can modify their communication behaviour description in the CPD at any time.
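The behaviour-profile idea of the two paragraphs above (a CPD profile built from normal activity, and a warning when new activity such as frequent handovers and calls in a low-density cell deviates from it), as an added example that is not the article's or any operator's code. The history records, the cell density table and the 3-sigma rule are constructed assumptions for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one subscriber as the MSC would report it to the CPD:
# per observation hour, (calls placed, handovers, serving cell).
HISTORY = [(2, 1, "C1"), (3, 0, "C1"), (1, 1, "C2"), (2, 2, "C1"), (0, 0, "C2"),
           (3, 1, "C1"), (2, 1, "C2"), (1, 0, "C1"), (2, 1, "C1"), (1, 1, "C2")]

# Constructed user-density class per cell (assumption: known to the CPD).
CELL_DENSITY = {"C1": "high", "C2": "high", "C7": "low"}

def build_profile(history):
    """CPD entry: mean/std of hourly calls and handovers, plus the cells usually used."""
    calls = [c for c, _, _ in history]
    handovers = [h for _, h, _ in history]
    return {"calls": (mean(calls), pstdev(calls)),
            "handovers": (mean(handovers), pstdev(handovers)),
            "cells": Counter(cell for _, _, cell in history)}

def deviations(profile, calls, handovers, cell, k=3.0):
    """List the ways one hour of activity departs from the profile (k-sigma rule)."""
    reasons = []
    m, s = profile["calls"]
    if calls > m + k * max(s, 0.5):            # floor on sigma avoids flat profiles firing on noise
        reasons.append("call rate")
    m, s = profile["handovers"]
    if handovers > m + k * max(s, 0.5):
        reasons.append("handover rate")
    if cell not in profile["cells"] and CELL_DENSITY.get(cell) == "low":
        reasons.append("unfamiliar low-density cell")
    return reasons

def cpd_check(profile, calls, handovers, cell):
    """Warning decision the CPD would return to the MSC: (alert?, reasons)."""
    reasons = deviations(profile, calls, handovers, cell)
    return len(reasons) > 0, reasons
```

With the constructed history the call threshold works out to about 4.4 calls per hour and the handover threshold to about 2.6, so an hour with a dozen calls and several handovers from an unknown low-density cell trips all three checks.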

In practice, wireless location services may also be involved. This service also needs authorisation from the authentication centre before positioning operations start; after the MS's positioning request is received, data measured by the base station, or jointly by the base station and the mobile station, is sent to the core network for position calculation, and the result is returned to the MS. The data encryption process between the MS and the BS is the same as described above.

5 Concluding remarks

The above discusses the security issues of the mobile station's mobile-originated call process only from the aspects of mutual authentication and key agreement, signalling integrity protection and encryption, and intrusion detection. It should be recognised that security in mobile communications also requires further technologies for its protection.
