Abstract: LTE is the mobile access network that will play an important role in the overall infrastructure for delivering future services. Inheriting the characteristics of the mobile domain, together with the all-IP nature of the network, leads to many security requirements and solutions in the LTE network domain. This article gives an overview of security in the LTE network so that mobile service providers in Vietnam have the information they need when deploying LTE networks in the near future. The first part of the article sets out the security requirements of the LTE network, the second introduces the security architecture specified by 3GPP, and the last part introduces some specific security mechanisms that can be applied on LTE to meet the stated requirements.
The 3GPP TS 33.401 standard sets out the following requirements for the security features needed in an LTE network:

- Ensuring security between the user and the network, comprising:
  user identity and device confidentiality,
  authentication of entities,
  confidentiality of user data and signalling data,
  integrity of user data and signalling data.
- The ability to configure and display security.
- Meeting the security requirements on the eNodeB.

Figure 1. General security architecture of LTE (diagram not reproduced; it shows the USIM, ME, AN, SN and HE across the Home stratum/Serving stratum and the Transport stratum, with the security feature groups (I), (II) and (III) marked between them).

- Network access security (I): the set of security features that protect user access to services and also protect against attacks on the radio access link. Example: using the USIM to give the user secured access to the EPC, including mutual authentication and other particular features.
- Network domain security (II): the set of security features that allow nodes to exchange signalling data and user data securely (between the AN and the SN, and within the AN) and also protect against attacks on the wireline network. Examples: AS Security, NAS Security, IPsec EPS.
- User domain security (III): the set of security features that protect access to the MS (Mobile Station). Examples: screen lock, PIN code for using the SIM.
- Application domain security (IV): the set of security features that protect the messages exchanged by applications in the user domain and the provider domain. Example: https.
- Visibility and configurability of security (V): the set of security features that let the user be informed whether a security feature is in operation, and whether the use and provision of services should depend on that security feature.

Below we consider some security features applied to the LTE network that belong to security feature groups (I) and (II), which are the characteristic groups and relate directly to the entities in the LTE network.

4. SOME SECURITY FUNCTIONS AND MECHANISMS APPLIED TO THE LTE NETWORK

4.1. The EPS AKA mechanism

It is a mechanism belonging to the security feature group …

… is selected. The MME also sends a KSIASME to the ME, used to identify the KASME key created by the EPS AKA procedure.

3) After receiving the parameters from the MME, the USIM checks whether the AV is fresh by checking that AUTN is acceptable. If so, the USIM computes RES as the response and also computes CK and IK, which it sends to the ME. The ME also checks whether bit 0 of AUTN is set to 1.

4) If the check succeeds, the ME replies to the MME with a message carrying the RES parameter. The ME then computes KASME from CK, IK and the SN ID using the KDF algorithm. The SN ID implicitly identifies the serving network whenever the KASME key is used.

5) The MME compares RES and XRES; if they are identical, authentication succeeds.

Executing AKA can take several hundred ms for the key computation on the USIM and for the connection to the HSS, so a function that lets keys be refreshed without running AKA can be applied to achieve higher speed in LTE.
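The exchange in steps 3 to 5 above, as an added example that is not code from the paper: the home network builds an authentication vector, the USIM checks that AUTN is genuine and fresh, the ME checks the separation bit and derives KASME from CK, IK and the SN ID, and the MME compares RES with XRES. The f1 to f5 functions are constructed stand-ins built from HMAC-SHA256 (not Milenage), AUTN is laid out as (SQN xor AK) || AMF || MAC, the "bit 0 of AUTN" check is modelled as the AMF separation bit of TS 33.401, and the key and serving-network id are constructed values.

```python
"""
Toy model of the EPS AKA exchange of Section 4.1 (added example, not the
paper's code). f1..f5 are HMAC-SHA256 stand-ins, not Milenage; AUTN is
(SQN xor AK) || AMF || MAC; "bit 0 of AUTN" is modelled as the AMF separation
bit; KASME = KDF(CK || IK, SN id, SQN xor AK). All key material is constructed.
"""
import hashlib
import hmac
import os


def f(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the f1..f5 functions: HMAC-SHA256 over a domain tag and inputs."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def xor6(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_ak: bytes) -> bytes:
    """Step 4: KASME bound to the serving network through the SN id."""
    return hmac.new(ck + ik, sn_id + sqn_ak, hashlib.sha256).digest()


AMF_SEPARATION_BIT = 0x80   # first bit of AMF set: the AV is meant for EPS


class HSS:
    """Home network side (HSS/AuC): holds K and the sequence number SQN."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def generate_av(self, sn_id: bytes):
        """Returns the authentication vector (RAND, AUTN, XRES, KASME) for sn_id."""
        self.sqn += 1
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        amf = bytes([AMF_SEPARATION_BIT, 0x00])
        mac = f(self.k, b"f1", rand, sqn, amf)[:8]
        xres = f(self.k, b"f2", rand)[:8]
        ck, ik = f(self.k, b"f3", rand)[:16], f(self.k, b"f4", rand)[:16]
        ak = f(self.k, b"f5", rand)[:6]
        autn = xor6(sqn, ak) + amf + mac
        return rand, autn, xres, derive_kasme(ck, ik, sn_id, autn[:6])


class USIM:
    """Holds K and the highest SQN accepted so far (freshness check of step 3)."""

    def __init__(self, k: bytes):
        self.k, self.sqn_max = k, 0

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor6(sqn_ak, f(self.k, b"f5", rand)[:6])
        if not hmac.compare_digest(f(self.k, b"f1", rand, sqn, amf)[:8], mac):
            raise ValueError("MAC failure: AUTN was not produced with our K")
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("synchronisation failure: AV is not fresh")
        self.sqn_max = int.from_bytes(sqn, "big")
        res = f(self.k, b"f2", rand)[:8]
        return res, f(self.k, b"f3", rand)[:16], f(self.k, b"f4", rand)[:16]


def me_process(usim: USIM, rand: bytes, autn: bytes, sn_id: bytes):
    """ME: let the USIM verify AUTN, check the separation bit, derive KASME."""
    res, ck, ik = usim.authenticate(rand, autn)
    if not autn[6] & AMF_SEPARATION_BIT:
        raise ValueError("separation bit not set: AV not intended for EPS")
    return res, derive_kasme(ck, ik, sn_id, autn[:6])


def run_eps_aka(hss: HSS, usim: USIM, sn_id: bytes, ue_sn_id: bytes = None):
    """MME side: fetch an AV, challenge the UE, compare RES with XRES (step 5).
    Returns (status, whether MME and UE ended up with the same KASME).
    ue_sn_id lets the UE see a different serving-network id than the MME reported."""
    rand, autn, xres, kasme_mme = hss.generate_av(sn_id)
    try:
        res, kasme_ue = me_process(usim, rand, autn, ue_sn_id or sn_id)
    except ValueError as err:
        return "rejected by UE: " + str(err), False
    if not hmac.compare_digest(res, xres):
        return "rejected by MME: RES != XRES", False
    return "authenticated", kasme_mme == kasme_ue


if __name__ == "__main__":
    K = bytes(range(16))          # constructed long-term key shared by USIM and AuC
    SN = b"\x00\x01\x10"          # constructed serving-network id
    print(run_eps_aka(HSS(K), USIM(K), SN))
```

The last return value shows the serving-network binding the text mentions: with a mismatched SN ID the RES check still passes, but the two sides derive different KASME values, which surfaces as soon as the NAS integrity check is run.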
4.2. The key hierarchy

Key hierarchy diagram (not reproduced): K is held by the USIM and the AuC; CK and IK by the UE and the HSS; KASME by the UE and the MME, with KNASenc and KNASint derived below it.
… minimising the damage when one of the ciphering and integrity-protection keys is compromised. To address this problem on LTE, the key hierarchy works as follows:

1) As in the 3G network, the USIM and the AuC pre-share secret information (the key K).

2) When AKA is executed for mutual authentication between the network and the user, the key CK for ciphering and the key IK for integrity protection are generated and passed correspondingly from the USIM to the ME and from the AuC to the HSS.

3) The ME and the HSS generate the corresponding key KASME from the key pair CK and IK. KASME is transferred from the HSS to the MME of the serving network as the basic material of the key hierarchy.

4) The key KNASenc for ciphering the NAS protocol between the UE and the MME, and the key KNASint for integrity protection, are derived from KASME.

5) When the UE connects to the network, the UE and the MME generate the key KeNB, which the MME then passes to the eNodeB. From this KeNB, the keys KUPenc for U-Plane ciphering, KRRCenc for RRC ciphering and KRRCint for RRC integrity protection …

… ciphering and integrity protection for NAS communication using the keys KNASenc and KNASint.

Figure 3. NAS Security mode procedure (diagram not reproduced: the ME verifies the integrity of the NAS Security Mode Command; if successful it starts uplink ciphering/deciphering and integrity protection and sends NAS Security Mode Complete ([IMEISV,] NAS-MAC) to the MME).

The MME sends a NAS Security Mode Command message to the UE, containing the eKSI parameter that identifies the KASME key, a parameter carrying the UE security capabilities, the ciphering and integrity algorithms, and the NONCEUE and NONCEMME parameters used in handover. This message is integrity-protected with the NAS integrity key derived from the KASME key indicated by the eKSI parameter in the message. The UE checks the integrity of this message and, if the check succeeds, starts ciphering/deciphering and integrity protection. The UE then sends a NAS Security Mode Complete response message to the MME.

Note that AS Security is performed as soon as the UE enters the connected state and applies to all connections between the UE and the eNB, using the keys KRRCenc, KRRCint and KUPenc.

AS security mode diagram (not reproduced: the eNB starts RRC integrity protection and sends AS Security Mode Command (integrity algorithm, ciphering algorithm, MAC-I) to the ME).
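The key hierarchy of 4.2 and the NAS Security Mode Command check of Figure 3, as an added example that is not code from the paper: every key from CK/IK down to KUPenc is derived with one KDF, the MME integrity-protects the Security Mode Command with KNASint, and the UE only answers with Security Mode Complete when the NAS-MAC verifies and the echoed capabilities match its own. The KDF input layout (FC || P0 || L0 || P1 || L1) and the FC and algorithm-type values are modelled on the 3GPP KDF of TS 33.220 and TS 33.401 Annex A as recalled by this example's author and should be treated as assumptions; NAS-MAC is HMAC-SHA256 truncated to 32 bits as a stand-in for the EIA algorithms; keys, counts and capability bytes are constructed.

```python
"""
Added example, not the paper's code: LTE key hierarchy (Section 4.2) and the
NAS Security Mode Command check (Section 4.3). KDF layout and FC/algorithm-type
values are assumptions modelled on TS 33.220 / TS 33.401 Annex A; NAS-MAC is a
32-bit HMAC-SHA256 stand-in for EIA. All key and count values are constructed.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


FC_KASME, FC_KENB, FC_ALG = 0x10, 0x11, 0x15                # assumed FC values
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5  # algorithm type distinguishers
DOWNLINK, UPLINK = 1, 0


def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Steps 4 and 5: a 128-bit algorithm key (the 128 LSB of the KDF output)."""
    return kdf(parent, FC_ALG, bytes([alg_type]), bytes([alg_id]))[16:]


def key_hierarchy(ck, ik, sn_id, sqn_ak, ul_nas_count, enc_alg, int_alg):
    """Derives every key below CK/IK; UE and network run the same derivations."""
    kasme = kdf(ck + ik, FC_KASME, sn_id, sqn_ak)                # step 3: ME and HSS
    kenb = kdf(kasme, FC_KENB, ul_nas_count.to_bytes(4, "big"))  # step 5: UE and MME
    return {
        "KASME": kasme,
        "KNASenc": alg_key(kasme, NAS_ENC, enc_alg),   # step 4
        "KNASint": alg_key(kasme, NAS_INT, int_alg),   # step 4
        "KeNB": kenb,                                  # passed by the MME to the eNodeB
        "KRRCenc": alg_key(kenb, RRC_ENC, enc_alg),    # step 5
        "KRRCint": alg_key(kenb, RRC_INT, int_alg),
        "KUPenc": alg_key(kenb, UP_ENC, enc_alg),
    }


def nas_mac(k_int: bytes, count: int, direction: int, body: bytes) -> bytes:
    data = count.to_bytes(4, "big") + bytes([direction]) + body
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]


def mme_build_smc(kasme, eksi, ue_caps, enc_alg, int_alg, dl_count):
    """NAS Security Mode Command: eKSI, chosen algorithms, echoed UE capabilities, NAS-MAC."""
    body = bytes([eksi, enc_alg, int_alg, len(ue_caps)]) + ue_caps
    return body + nas_mac(alg_key(kasme, NAS_INT, int_alg), dl_count, DOWNLINK, body)


def ue_handle_smc(kasme, own_caps, smc, dl_count, ul_count):
    """UE side of Figure 3: verify the command, then answer with NAS Security
    Mode Complete. Returns None when the command is rejected."""
    body, mac = smc[:-4], smc[-4:]
    int_alg, n = body[2], body[3]
    k_int = alg_key(kasme, NAS_INT, int_alg)          # KASME is the one eKSI (body[0]) selects
    if not hmac.compare_digest(nas_mac(k_int, dl_count, DOWNLINK, body), mac):
        return None                                    # tampered command or wrong KASME
    if body[4:4 + n] != own_caps:
        return None                                    # echoed capabilities were altered
    complete = b"NAS-SMC-COMPLETE"
    return complete + nas_mac(k_int, ul_count, UPLINK, complete)


def mme_verify_complete(kasme, int_alg, msg, ul_count):
    body, mac = msg[:-4], msg[-4:]
    k_int = alg_key(kasme, NAS_INT, int_alg)
    return hmac.compare_digest(nas_mac(k_int, ul_count, UPLINK, body), mac)


def run_nas_smc(kasme, ue_caps, enc_alg=1, int_alg=2, in_transit=lambda m: m):
    """Whole procedure; in_transit models what reaches the UE (identity = untouched)."""
    smc = in_transit(mme_build_smc(kasme, 0, ue_caps, enc_alg, int_alg, dl_count=0))
    complete = ue_handle_smc(kasme, ue_caps, smc, dl_count=0, ul_count=0)
    return complete is not None and mme_verify_complete(kasme, int_alg, complete, 0)


if __name__ == "__main__":
    keys = key_hierarchy(bytes(16), bytes(range(16)), b"\x00\x01\x10", bytes(6), 0, 1, 2)
    for name, value in keys.items():
        print(f"{name:8s} {value.hex()}")
    print("SMC accepted:", run_nas_smc(keys["KASME"], b"\xf0\xe0"))
```

Because the NAS-MAC covers the algorithm identifiers and the echoed capabilities, any change to them on the path between MME and UE is caught by the UE's integrity check before it enables the negotiated protection.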
… eNodeB. After receiving the response message, the eNodeB starts ciphering uplink RRC and UP. Where ciphering is not permitted, AS security can negotiate a mode that provides security without ciphering.

The ciphering and integrity-protection algorithms used on LTE are based on the standardised Snow 3G and AES (Advanced Encryption Standard), and the algorithms used for AS are negotiated independently of those used for NAS. These two algorithms provide full security functionality and differ in the basic structure used within 3GPP, so if one algorithm is broken the other continues to secure the LTE system.

4.4. Identity Protection

Security feature group (I) also provides a security feature through the use of the two permanent UE identifiers:

- IMEI: identifies the hardware device. The IMEI is sent to the MME only over NAS, after NAS Security has been established successfully (both ciphering and integrity protection).
- IMSI: identifies the subscriber. Sending the IMSI over the radio environment is restricted; the temporary parameter GUTI is used instead.

4.5. NDS (Network Domain Security)

To protect IP-based traffic at the interfaces of the access/transport network (E-UTRAN), of the core network (EPC), or between core networks, 3GPP specifies the NDS/IP function (except for the S1-U interface, as this is the interface protected by 3GPP). NDS is defined in the 3GPP standard TS 33.210 and is a function belonging to security feature group (II).

For the LTE network, the NDS architecture is deployed as follows:

Figure 5. NDS deployment architecture on the LTE network (diagram not reproduced).

- The LTE network is divided into two kinds of security domain, the E-UTRAN domain and the EPC domain, where:
  EPC domain: SEGs (Security Gateways) are placed at the border, and inside the domain the NEs are the deployed network nodes, for example the MME, …
  E-UTRAN domain: because the number of E-UTRAN domains is large and they are interconnected through a complex mesh, since both the S1 and X2 interfaces exist, placing an SEG at the border of each E-UTRAN domain is not a reasonable solution. Therefore the E-UTRAN domains contain only NEs, which are the network nodes (eNodeBs).
- The Za interface (between SEGs) runs alongside the S8 interface between the Home-PLMN and the Visited-PLMN, or between the Home-PGW and the Visited-PGW.
- The Zb interface (between NEs, or between an NE and an SEG) runs alongside the S1 and X2 interfaces within one provider's LTE network. This interface must be deployed like the Za interface, but does not need the full functionality of the SEG.
- The Zb interface between the SEG and the NEs of the EPC is optional, since these nodes may be physically protected (on the same LAN).
- NDS/IP does not secure the connection between the EPC and the Internet (the SGi interface).

NDS/IP provides the following security services:

- Data origin authentication: protects a node from data of unknown origin.
- Data integrity: protects transmitted data from being altered (man-in-the-middle).
- Protection against replay.
- Data confidentiality: protection against data theft (eavesdropping).
- Limited protection against traffic-flow analysis.

The protection mechanisms are realised through IPsec, in particular IPsec ESP (Encapsulating Security Payload) in tunnel mode, with IKE (Internet Key Exchange) used to establish the IPsec security associations between SEGs or between an SEG and an NE. IPsec EPS provides the security protection features, each of which is a combination of several security algorithms:

- Authentication: provided initially through mutual authentication and secret key exchange between SEGs, or between an SEG and an NE, using the IKE protocol, and through the AH (Authentication Header) of the IPsec packets, which ensures per-packet authentication, e.g. using SHA-1.
- Integrity: provided through the hashing mechanism of the IPsec encrypted packet, e.g. SHA-1.
- Confidentiality: provided through IPsec encryption of the encapsulated packet, e.g. AES.
- Anti-replay.
- Limited traffic-flow confidentiality.
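The per-packet services listed above (data origin authentication, integrity and anti-replay), as an added example that is not code from the paper or from 3GPP: one inbound IPsec security association that checks an HMAC-SHA1-96 ICV over SPI, sequence number and payload, and enforces the sliding anti-replay window of RFC 4303 section 3.4.3, in that order, so that a forged packet can never advance the window. ESP encryption is left out because the Python standard library has no AES, so the payload rides in clear; the packet layout, key, SPI and traffic are constructed for the example.

```python
"""
Added example, not the paper's or 3GPP's code: ESP-style integrity and
anti-replay processing for one inbound SA (Section 4.5). ICV = HMAC-SHA1-96
over SPI || SEQ || payload; anti-replay = RFC 4303 sliding window. Encryption
omitted (no AES in the standard library). All values are constructed.
"""
import hashlib
import hmac

ICV_LEN = 12   # HMAC-SHA1-96 keeps 12 of the 20 SHA-1 bytes


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender (SE G or NE): SPI || SEQ || payload || ICV."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver state for one SA: key, SPI and the anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set: sequence number (top - i) already accepted

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi = int.from_bytes(packet[:4], "big")
        seq = int.from_bytes(packet[4:8], "big")
        if spi != self.spi:
            return "no such SA"
        # 1. Replay check first: cheap, needs no crypto.
        if seq == 0:
            return "replay"                      # 0 is never a valid ESP sequence number
        if seq <= self.top:
            behind = self.top - seq
            if behind >= self.window or (self.bitmap >> behind) & 1:
                return "replay"                  # too old, or already seen inside the window
        # 2. Origin/integrity check: ICV over everything but the ICV itself.
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "integrity failure"           # forged or corrupted; window is NOT updated
        # 3. Only an authenticated packet may move the window.
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1                  # everything previously seen is now outside
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accepted"


def process(sa: InboundSA, packets) -> list:
    """Feeds a captured packet sequence to the SA; one verdict per packet."""
    return [sa.receive(p) for p in packets]


if __name__ == "__main__":
    KEY, SPI = b"constructed-sa-key", 0x1000

    def pkt(seq, data=b"S1-AP"):
        return build_esp(KEY, SPI, seq, data)

    stream = [pkt(1), pkt(2), pkt(2), pkt(5), pkt(3),
              pkt(6)[:-ICV_LEN] + bytes(ICV_LEN),      # ICV zeroed in transit
              build_esp(b"other-key", SPI, 7, b"x")]   # sent without the SA's key
    for seq, verdict in zip([1, 2, 2, 5, 3, 6, 7], process(InboundSA(KEY, SPI), stream)):
        print(seq, verdict)
```

Checking the sequence number before the ICV and updating the window only after a successful ICV check is the order RFC 4303 prescribes; it keeps unauthenticated traffic from either consuming HMAC computations needlessly or pushing legitimate late packets out of the window.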
4.6. Forward Security

This mechanism belongs to security feature group (I) and was introduced to prevent the disclosure of the KeNB keys. It ensures that an eNodeB holding the KeNB key shared between it and a UE cannot compute the future KeNB keys used between that UE and other eNodeBs. More specifically, N-hop Forward Security ensures that an eNodeB cannot compute the keys that will be used between a UE and the other eNodeBs the UE connects to after N or more than N handovers (N = 1 or 2). The mechanism is realised through the NH (Next-Hop) key stored on the MME.

The operating principle of Forward Security is as follows:

Figure 6. Key-chaining model for handover (diagram not reproduced).

When AS Security needs to be established between the UE and the eNodeB, the MME and the UE must generate the keys KeNB and NH from the KASME key. In the initial setup, KeNB is generated directly from KASME and the NAS uplink COUNT, corresponding to key chain NCC = 0. The KeNB key is used as the base key for protecting communication between the UE and the eNodeB. Next, the NH key is generated from KASME and the KeNB above, and this key is used for key chains with NCC = 1 or higher. When a direct handover between eNodeBs occurs, a new key KeNB* is generated either from the active KeNB or from NH. Deriving KeNB* from the existing KeNB is described as horizontal key derivation: KeNB* is generated from KeNB with the EARFCN-DL (E-UTRAN Absolute Radio Frequency Channel Number Downlink) of the connection and the PCI (Physical Cell Identity) of the target. Deriving KeNB* from NH is described as vertical key derivation: KeNB* is generated from NH with the EARFCN-DL and PCI parameters.

Because NH can only be computed by the UE and the MME, using derivation from NH guarantees Forward Security for handovers across multiple eNodeBs. This function limits the extent of the damage even if a key is leaked, because in the vertical-derivation case future keys are generated without using the current KeNB key.
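The key-chaining model of Figure 6, as an added example that is not code from the paper: the MME, the UE and a chain of eNodeBs run successive X2 handovers, the source eNodeB derives KeNB* horizontally when it has no unused {NH, NCC} pair and vertically otherwise, the UE follows the NCC in the handover command, and each hop records whether the first eNodeB's KeNB alone (chained horizontally, the only derivation an eNodeB can do by itself) would reproduce the new key. The KDF layout and the FC values are modelled on TS 33.401 Annex A as recalled by this example's author and are assumptions; KASME, the NAS uplink COUNT and the target-cell PCI/EARFCN-DL values are constructed.

```python
"""
Added example, not the paper's code: handover key chaining of Section 4.6
(Figure 6). Horizontal derivation (KeNB* from KeNB) versus vertical derivation
(KeNB* from NH), and the forward-security consequence. KDF layout and FC values
are assumptions modelled on TS 33.401 Annex A; all inputs are constructed.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


FC_KENB, FC_NH, FC_KENB_STAR = 0x11, 0x12, 0x13   # assumed FC values


def initial_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """Initial KeNB from KASME and the NAS uplink COUNT (key chain NCC = 0)."""
    return kdf(kasme, FC_KENB, ul_nas_count.to_bytes(4, "big"))


def next_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH from KASME and the previous link (KeNB for NCC = 1, then the previous NH)."""
    return kdf(kasme, FC_NH, sync_input)


def kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* from KeNB (horizontal) or NH (vertical) with the target PCI and EARFCN-DL."""
    return kdf(base, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


class MME:
    def __init__(self, kasme, ul_nas_count):
        self.kasme = kasme
        self.nh, self.ncc = initial_kenb(kasme, ul_nas_count), 0

    def path_switch_ack(self):
        """After each handover the MME advances the chain and hands the target a fresh {NH, NCC}."""
        self.nh, self.ncc = next_nh(self.kasme, self.nh), self.ncc + 1
        return self.nh, self.ncc


class ENB:
    def __init__(self, kenb, ncc, nh_pair=None):
        self.kenb, self.ncc, self.nh_pair = kenb, ncc, nh_pair

    def handover_key(self, pci, earfcn_dl):
        """Source eNodeB: vertical when it holds an unused {NH, NCC}, otherwise horizontal."""
        if self.nh_pair and self.nh_pair[1] > self.ncc:
            nh, ncc = self.nh_pair
            return kenb_star(nh, pci, earfcn_dl), ncc, "vertical"
        return kenb_star(self.kenb, pci, earfcn_dl), self.ncc, "horizontal"


class UE:
    def __init__(self, kasme, ul_nas_count):
        self.kasme = kasme
        self.kenb = initial_kenb(kasme, ul_nas_count)
        self.nh, self.ncc = self.kenb, 0

    def handover(self, ncc, pci, earfcn_dl):
        """Same NCC as ours: horizontal from KeNB. Higher NCC: walk the NH chain, then vertical."""
        if ncc == self.ncc:
            base = self.kenb
        else:
            while self.ncc < ncc:                 # only the UE and the MME can compute NH
                self.nh, self.ncc = next_nh(self.kasme, self.nh), self.ncc + 1
            base = self.nh
        self.kenb = kenb_star(base, pci, earfcn_dl)
        return self.kenb


def simulate(kasme, ul_nas_count, target_cells):
    """Successive X2 handovers to target_cells [(pci, earfcn_dl), ...]. Per hop:
    derivation mode, NCC, whether UE and target agree on KeNB*, and whether the
    first eNodeB's KeNB, chained horizontally, reproduces the new key."""
    mme, ue = MME(kasme, ul_nas_count), UE(kasme, ul_nas_count)
    enb = ENB(ue.kenb, 0)              # serving eNodeB after attach: KeNB, NCC = 0
    from_first_kenb = enb.kenb         # what a later compromise of that eNodeB would expose
    hops = []
    for pci, earfcn_dl in target_cells:
        kstar, ncc, mode = enb.handover_key(pci, earfcn_dl)
        ue_key = ue.handover(ncc, pci, earfcn_dl)
        from_first_kenb = kenb_star(from_first_kenb, pci, earfcn_dl)
        hops.append({"mode": mode, "ncc": ncc, "ue_enb_agree": ue_key == kstar,
                     "derivable_from_first_kenb": from_first_kenb == kstar})
        enb = ENB(kstar, ncc, mme.path_switch_ack())   # target becomes the serving eNodeB
    return hops


if __name__ == "__main__":
    for hop in simulate(bytes(32), 0, [(1, 100), (2, 100), (3, 200)]):
        print(hop)
```

The first handover after attach is horizontal, because the source eNodeB has not yet received an {NH, NCC} pair, which is why the text speaks of N = 1 or 2 hops: from the second handover on, the key chain passes through NH and the earlier eNodeB's KeNB no longer determines the keys in use.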
5. CONCLUSION

The structure of the LTE network differs from that of earlier mobile networks, so the LTE network applies many different mechanisms to meet the security requirements set for it. Some of these mechanisms are inherited from the 3G network, such as EPS AKA, Identity Protection and NDS. Others are new developments dedicated to the LTE network, such as the key hierarchy, AS Security, NAS Security and Forward Security. These mechanisms can be deployed easily in practice because they are either inherited from the 3G network (the inherited mechanisms) or tied to the operation of the LTE network (the new mechanisms). Beyond these, other mechanisms in security feature groups (I) and (II) are provided for LTE but not discussed in detail in this article, such as Home eNodeB Security, M2M (Machine-to-Machine) Security and Security for VoLTE. And to form a complete security architecture for the LTE network, the security mechanisms of feature groups (III), (IV) and (V) must also be used.

6. REFERENCES

1. Dan Forsberg, Günther Horn, Wolf-Dietrich Moeller, Valtteri Niemi (2010), LTE Security, Wiley;
2. Alf Zugenmaier, Hiroshi Aono, Technology Reports: Security Technology for SAE/LTE, NTT DOCOMO Technical Journal Vol. 11 No. 3;
3. Stoke, Inc., White Paper: LTE Security Concepts and Design Considerations;
4. 3GPP TS 33.401 v12.9.0, 3GPP System Architecture Evolution (SAE); Security architecture (Release 12);
5. 3GPP TS 33.210 v12.2.0, 3G security; Network Domain Security (NDS); IP network layer security (Release 12);
6. 3GPP TS 33.310 v12.0.0, Network Domain Security (NDS); Authentication Framework (AF) (Release 12).