鉴权加密流程.docx

1、鉴权加密流程33102分组域和电路域的鉴权加密流程是互相独立的。目前SGSN实现的时候，可以实现两种处理：1、是否鉴权；2、隔多少次鉴权一次。可以配置间隔的次数。对于加密来说，每次搭建Iu连接，就需要进行加密的重新协商。哪怕是由于进行业务引起的Iu连接建立。但是此时只是重新协商一致性校验的相关参数和加密算法，密钥CK和IK是不会变的（因为密钥的产生是在鉴权流程中根据RAND产生的，所以只有鉴权之后，才会产生新的密钥）。3G是不能重用鉴权参数（5元组）的。因为AUTN中有跟时间同步相关的参数，所以无法重用。a. 鉴权流程Figure 5: Authentication and key agree

2、mentUpon receipt of a request from the VLR/SGSN, the HE/AuC sends an ordered array of n authentication vectors (the equivalent of a GSM triplet) to the VLR/SGSN. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a random

3、 number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM.When the VLR/SGSN initiates an authentication and key agreement, it selects th

4、e next authentication vector from the ordered array and sends the parameters RAND and AUTN to the user. Authentication vectors in a particular node are used on a first-in / first-out basis. The USIM checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to the VLR

5、/SGSN. The USIM also computes CK and IK. The VLR/SGSN compares the received RES with XRES. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the USIM and the VLR/SGSN to the enti

6、ties which perform ciphering and integrity functions.VLR/SGSNs can offer secure service even when HE/AuC links are unavailable by allowing them to use previously derived cipher and integrity keys for a user so that a secure connection can still be set up without the need for an authentication and ke

7、y agreement. Authentication is in that case based on a shared integrity key, by means of data integrity protection of signalling messages (see 6.4).The authenticating parties shall be the AuC of the users HE (HE/AuC) and the USIM in the users mobile station. The mechanism consists of the following p

8、rocedures:A procedure to distribute authentication information from the HE/AuC to the VLR/SGSN. This procedure is described in 6.3.2. The VLR/SGSN is assumed to be trusted by the users HE to handle authentication information securely. It is also assumed that the intrasystem links between the VLR/SGS

9、N to the HE/AuC are adequately secure. It is further assumed that the user trusts the HE.A procedure to mutually authenticate and establish new cipher and integrity keys between the VLR/SGSN and the MS. This procedure is described in 6.3.3.A procedure to distribute authentication data from a previou

10、sly visited VLR to the newly visited VLR. This procedure is described in 6.3.4. It is also assumed that the links between VLR/SGSNs are adequately secure.总的来说，CK和IK当作鉴权五元组中的一部分，存在SGSN/VLR中。但是SGSN/VLR并不把它们下发给UE，而是只下发AUTN和RAND。UE通过对AUTN的鉴权，达到对网络鉴权的目的。然后，如果通过了AUTN的鉴权的话，UE利用RAND，根据USIM中已经写好的算法，算出RES，然后发

11、给SGSN/VLR。SGSN/VLR收到后，将其与鉴权五元组中的XRES相比，如果相同，就代表该UE是合法的。这样就完成了网络对UE的鉴权。然后，UE在USIM中算出CK和IK，同时，SGSN/VLR也采用相同的CK和IK。（这两个CK和IK之所以相同，是由于他们都是通过同一个RAND算出来的。所以这样的话，UE和SGSN/VLR就能采用相同的CK和IK来进行数据加密了。）KSI:UMTS中使用KSI，GSM中使用CKSN。The key set identifier (KSI) is a number which is associated with the cipher and integ

12、rity keys derived during authentication. The key set identifier is allocated by the network and sent with the authentication request message to the mobile station where it is stored together with the calculated cipher key CK and integrity key IK. KSI in UMTS corresponds to CKSN in GSM. The USIM stor

13、es one KSI/CKSN for the PS domain key set and one KSI/CKSN for the CS domain key set.KSI用于网络鉴别保存在UE中的CK和IK。The purpose of the key set identifier is to make it possible for the network to identify the cipher key CK and integrity key IK which are stored in the mobile station without invoking the authe

14、ntication procedure. This is used to allow re-use of the cipher key CK and integrity key IK during subsequent connection set-ups.IK:IK有128bit。在CS和PS与UE之间都可以存在各自的IK。如IKcs，IKps。IK用于在UE和RNC之间的RRC层的完整性保护。一致性校验是在RRC层进行的。The UIA（UMTS完整性算法） shall be implemented in the ME and in the RNC.Integrity protection

15、 shall be applied at the RRC layer.由于在UE和网络之间传送的大多数的信令信息是相当敏感的，所以必须保证它们的完整性。Most control signalling information elements that are sent between the MS and the network are considered sensitive and must be integrity protected. A message authentication function shall be applied on these signalling infor

16、mation elements transmitted between the ME and the RNC.After the RRC connection establishment and execution of the security mode set-up procedure, all dedicated MS network control signalling messages (e.g. RRC, MM, CC, GMM, and SM messages) shall be integrity protected. The Mobility Management layer

17、 in the MS supervises that the integrity protection is started (see section 6.4.5).CK:CK有128bit。在CS和PS与UE之间都可以存在各自的CK。如CKcs ，CKps加密是在RLC或者MAC层进行的。是在UE和RNC之间进行的。The ciphering function is performed either in the RLC sub-layer or in the MAC sub-layer, according to the following rules:- If a radio beare

18、r is using a non-transparent RLC mode (AM or UM), ciphering is performed in the RLC sub-layer.- If a radio bearer is using the transparent RLC mode, ciphering is performed in the MAC sub-layer (MAC-d entity).Ciphering when applied is performed in the S-RNC and the ME and the context needed for ciphe

19、ring (CK, HFN, etc.) is only known in S-RNC and the ME.鉴权流程由网络侧发起，其目的是：由网络来检查是否允许终端接入网络；提供鉴权参数五元组中的随机数数组，供终端计算出加密密钥（CK）；同时，供终端计算出与网络侧进行一致性检查的密钥（IK）；最后一个目的是可以提供终端对网络的鉴权。 与GSM的鉴权流程相比，3G的鉴权流程增加了一致性检查的功能及终端对网络的鉴权功能。这些功能使3G的安全特性有了进一步的增强。网络侧在发起鉴权前，如果VLR内还没有鉴权参数五元组，此时将首先发起到HLR取鉴权集的过程，并等待鉴权参数五元组的返回。鉴权参数五元组的

20、信息包含RAND、XRES、AUTN、CK和IK。在检测到鉴权参数五元组的存在后，网络侧下发鉴权请求消息。此消息中将包含某个五元组的RAND和AUTN。用户终端在接收到此消息后，由其USIM验证AUTN，即终端对网络进行鉴权，如果接受，USIM卡将利用RAND来计算出CK与IK和签名XRES。如果USIM认为鉴权成功，在鉴权响应消息中将返回XRES。网络侧在收到鉴权响应消息之后，比较此鉴权响应消息中的XRES与存储在VLR数据库中的鉴权参数五元组的XRES，确定鉴权是否成功：成功，则继续后面的正常流程；不成功，则会发起异常处理流程，释放网络侧与此终端间的连接，并释放被占用的网络资源、无线资源。

21、（不成功的处理见后面的描述）在成功的鉴权之后，终端将会把CK（加密密钥）与IK（一致性检查密钥）存放到USIM卡中。鉴权失败的话，SGSN会发起一个鉴权失败报告消息给HLR，此时HLR可能会发起一个cancle location （也就是HLR发起的分离流程啦）。（33102。6.3.3）VLR/SGSN可能会发起一次新的鉴权加密流程。Upon receipt of user authentication response the VLR/SGSN compares RES with the expected response XRES from the selected authentica

22、tion vector. If XRES equals RES then the authentication of the user has passed. The VLR/SGSN also selects the appropriate cipher key CK and integrity key IK from the selected authentication vector. If XRES and RES are different, VLR/SGSN shall initiate an Authentication Failure Report procedure towa

23、rds the HLR as specified in section 6.3.6. VLR/SGSN may also decide to initiate a new identification and authentication procedure towards the user.33102. 6.3.6 Reporting authentication failures from the SGSN/VLR to the HLRThe purpose of this procedure is to provide a mechanism for reporting authenti

24、cation failures from the serving environment back to the home environment.The procedure is shown in Figure 13.Figure 13: Reporting authentication failure from VLR/SGSN to HLRThe procedure is invoked by the serving network VLR/SGSN when the authentication procedure fails. The authentication failure r

25、eport shall contain the subscriber identity and a failure cause code. The possible failure causes are either that the network signature was wrong or that the user response was wrong.The HE may decide to cancel the location of the user after receiving an authentication failure report.b. 加密1、在A/Gb模式下，

26、手机在发送了Authentication and Ciphering Response消息后，就开始加密了。2G的加密是在LLC层的。其中在Authentication and Ciphering request消息中带有2G的加密算法。In A/Gb mode, the scope of ciphering is from the ciphering function in the SGSN to the ciphering function in the MS. Ciphering is done in the LLC layer, and from the perspective of

27、the existing GSM MS-BTS radio path, an LLC PDU is transmitted as plain text.SGSN在收到一个正确的Authentication and Ciphering Response消息后，就开始加密。In A/Gb mode, the MS starts ciphering after sending the Authentication and Ciphering Response message. The SGSN starts ciphering when a valid Authentication and Ciph

28、ering Response message is received from the MS.2、在Iu模式下，加密的开始是受 security mode setup 流程控制的。当发送了security mode command 下行消息后，下行的消息（包括该消息）就开始了一致性校验；当UE返回了security mode complete 消息后，上行的消息（包括该消息）就开始了一致性校验。加密的相关信息，包括CK的选择、加密算法的选择，则是在加密模式设定（security mode setup ）的流程中确定的。所以，根据流程图，可以看到在3G里面，是在security mode com

29、plete 消息发送后，UE和UTRAN才开始进行加密的（因为通过前面的消息交互，确定了相关的CK和算法）。这个加密是在RLC层的。加密是在RLC（确认和非确认模式），透明模式的RLC加密在MAC层，都属于空口层二，数据链路层。针对业务数据和信令。一致性检查在RRC，针对信令。Security mode set-up procedureThis section describes one common procedure for both ciphering and integrity protection set-up. It is mandatory to start integrity

30、protection of signalling messages by use of this procedure at each new signalling connection establishment between MS and VLR/SGSN. The four exceptions when it is not mandatory to start integrity protection are:- If the only purpose with the signalling connection establishment and the only result is

31、 periodic location registration, i.e. no change of any registration information.- If there is no MS-VLR/SGSNsignalling after the initial L3 signalling message sent from MS to VLR/SGSN, i.e. in the case of deactivation indication sent from the MS followed by connection release.- If the only MS-VLR/SG

32、SN signalling after the initial L3 signalling message sent from MS to VLR/SGSN, and possible user identity request and authentication (see below), is a reject signalling message followed by a connection release.- If the call is an emergency call teleservice as defined in TS22.003, see section6.4.9.2 below.When the integrity protection shall be started, the only procedures between MS and VLR/SGSN that are allowed after the initial connection request (i.e. the initial Layer 3 message sent to VLR/SGSN) and before the security mode set-up