安全--終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)_第1頁(yè)
安全--終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)_第2頁(yè)
安全--終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)_第3頁(yè)
安全--終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)_第4頁(yè)
安全--終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)_第5頁(yè)
已閱讀5頁(yè),還剩3頁(yè)未讀 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說(shuō)明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡(jiǎn)介

1、文檔名稱文檔密級(jí)終端錯(cuò)報(bào)其支持祖沖之算法導(dǎo)致無(wú)法駐留LTE網(wǎng)絡(luò)1 現(xiàn)象描述1、A型號(hào)手機(jī)在所有站下都無(wú)法駐留4G網(wǎng)絡(luò)。2、其它手機(jī)可以正常駐留。3、Mifi可以正常駐留4G。2 告警信息不涉及3 原因分析附著過(guò)程中的信令發(fā)現(xiàn)“Security mode reject”,原因?yàn)椤皊ecurity mode rejected unspecified”。 eNodeB下發(fā)給終端的NASSecurityModeCommand消息中下發(fā)的加密和完整性保護(hù)算法分別為EEA3和EIA3。 但Mifi網(wǎng)絡(luò)下發(fā)的RRC SecuritymodeCommand消息中下發(fā)的SecurityAlgorithmConf

2、ig下發(fā)的加密和完整性保護(hù)算法分別為EEA2和EIA2。經(jīng)核查,X運(yùn)營(yíng)商要求打開(kāi)祖沖之算法,核心網(wǎng)側(cè)改成了“優(yōu)選祖沖之算法”,當(dāng)終端支持祖沖之算法時(shí),優(yōu)先使用祖沖之算法。當(dāng)終端不支持祖沖之算法時(shí),選用其他算法。基站側(cè)的加密算法配置: 終端probe信令,收到核心網(wǎng)下發(fā)的NAS安全祖沖之算法后,返回安全模式失敗。 協(xié)議33.401對(duì)NAS安全過(guò)程的一個(gè)描述:7.2.4.4            NAS security mode command procedureThe NAS SMC

3、procedure consists of a roundtrip of messages between MME and UE. The MME sends the NAS security mode command to the UE and the UE replies with the NAS security mode complete message. The NAS security mode command message from MME to UE shall contain the replayed UE security capabilities, the select

4、ed NAS algorithms, the eKSI for identifying KASME, and both NONEUE and NONCEMME in the case of creating a mapped context in idle mobility (see clause 9.1.2). This message shall be integrity protected (but not ciphered) with NAS integrity key based on KASME indicated by the eKSI in the message (see f

5、igure 7.2.4.4-1). The UE shall verify the integrity of the NAS security mode command message. This includes ensuring that the UE security capabilities sent by the MME match the ones stored in the UE to ensure that these were not modified by an attacker and checking the integrity protection using the

6、 indicated NAS integrity algorithm and the NAS integrity key based on KASME indicated by the eKSI. In addition, when creating a mapped context for the case described in clause 9.1.2, the UE shall ensure the received NONCEUE is the same as the NONCEUE sent in the TAU Request and also calculate K'

7、ASME from CK, IK and the two nonces (see Annex A.11). If the MME receives no response to a NAS Security Mode Command that included nonces to create a mapped context and it wishes to try again to create the mapped context, the MME shall use the same values of NONCEUE and NONCEMME. If the UE receives

8、a re-transmitted NAS Security Mode Command, i.e one containing the nonces, after it has successfully received a previous one (and hence created a mapped EPS NAS security context), the UE shall process the message as above, except that it is not required to re-generate the K'ASME or check the NON

9、CE UE if it does not re-generate the K'ASME. If the checks of the NAS Security Mode Command pass the UE shall respond with a NAS Security Mode Complete. The UE shall delete NONCE_UE once the TAU procedure is complete.If successfully verified, the UE shall start NAS integrity protection and ciphe

10、ring/deciphering with this security context and sends the NAS security mode complete message to MME ciphered and integrity protected The NAS security mode complete message shall include IMEISV in case MME requested it in the NAS SMC Command message.The MME shall de-cipher and check the integrity pro

11、tection on the NAS Security Mode Complete using the keys and algorithms indicated in the NAS Security Mode Command. NAS downlink ciphering at the MME with this security context shall start after receiving the NAS security mode complete message. NAS uplink deciphering at the MME with this context sta

12、rts after sending the NAS security mode command message. If any verification of the NAS security mode command is not successful in the ME, the ME shall reply with a NAS security mode reject message (see TS 24.301 9). The NAS security mode reject message and all following NAS messages shall be protec

13、ted with the EPS NAS security context, i.e., the EPS NAS security context used prior to the NAS security mode command that failed (until a new EPS NAS security context is established, e.g., via a new NAS security mode command procedure). If no EPS NAS security context existed prior to the NAS securi

14、ty mode command, the NAS security mode reject message cannot be protected. 由協(xié)議可知, 1、如果NAS層加密成功,終端需要給MME發(fā)送security mode complete消息。2、如果NAS security mode command消息認(rèn)證不成功,終端應(yīng)該回復(fù)reject消息。 從這一點(diǎn)看,因終端沒(méi)有發(fā)security mode complete消息,所以推斷A型號(hào)終端要么不支持祖沖之算法,要么因?yàn)閯e的原因安全模式失敗。 需聯(lián)系終端公司分析A型號(hào)在NAS安全的時(shí)候失敗的原因。查看信令:終端發(fā)的附著請(qǐng)求中攜帶了所支持的加密算法: 附著請(qǐng)求解碼后:可見(jiàn)終端上報(bào)的能力是支持祖沖之算法的。 再找終端確認(rèn)發(fā)現(xiàn)當(dāng)前版本并不支持祖沖之算法。由于終端版本誤報(bào)的終端能支持的加密算法導(dǎo)致。需要升級(jí)版本解決。 升級(jí)后終端版本,從attach request消息中看終端上報(bào)的加密算法已經(jīng)不支持祖沖之(EEA3&EIA3算法)。升級(jí)后驗(yàn)證發(fā)現(xiàn),終端上報(bào)的加密算法去掉了祖沖之算法,這樣即使網(wǎng)絡(luò)支持祖沖之算法,因?yàn)榻K端不支持,最終協(xié)商結(jié)果也不會(huì)下發(fā)祖沖之算法給終端。所以,終端升級(jí)后,解決了之前版本誤

溫馨提示

  • 1. 本站所有資源如無(wú)特殊說(shuō)明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁(yè)內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒(méi)有圖紙預(yù)覽就沒(méi)有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫(kù)網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。

最新文檔

評(píng)論

0/150

提交評(píng)論