TD-LTE中數(shù)據(jù)完整性保護(hù)0算法導(dǎo)致UE無法鑒權(quán)

TD-LTE中數(shù)據(jù)完整性保護(hù)0算法導(dǎo)致UE無法鑒權(quán)TD-LTE中數(shù)據(jù)完整性保護(hù)0算法導(dǎo)致UE無法鑒權(quán)TOC\o"1-5"\h\z一、概述3\o"CurrentDocument"二、現(xiàn)場測試問題如下：3\o"CurrentDocument"三、原因分析：4\o"CurrentDocument"四、解決方案：9\o"CurrentDocument"五、驗(yàn)證結(jié)果：10、概述新購買的TD-LTE測試終端型號E5776S,軟件版本號為B161、B211為目前最新版本測試終端，在上?，F(xiàn)場進(jìn)行LTE測試時發(fā)現(xiàn)無法正常鑒權(quán)附著失敗，導(dǎo)致無法進(jìn)行正常測試。二、現(xiàn)場測試問題如下：SecuritymoderejectTimeI2-20：^D34BTimekandornI2-20：39日昵12:20:40.943I34BI2:20:3970S12.20:39.090Cellsearchfor孫蝕恤ceilCell■:-amponITimeI2-20：^D34BTimekandornI2-20：39日昵12:20:40.943I34BI2:20:3970S12.20:39.090Cellsearchfor孫蝕恤ceilCell■:-amponI220:^03龔*urfienTjcaTioriRe&panseI2:20:40.926ULInformfitinnTransferIW衛(wèi)DHQMSULlnfcitmaTianTransrerI2.20:40.3-434rDLIntormBitinnTr-insferI2.20:40.3-43■RRCCanntctionPjekueI2.20:39.921鼻DLlnfarrrirtinnTrinsferIZZO:B9921AurhfrrncmQriRtquc-si:I2；0:-40MSiDLinrornndTiDnTrinsrer12:旬地.3為#SwuritfNcickCammand|Z-2D：4D343tVkLatVaIuaKI20^CEERSRP-102.0EfiRFtN37SOOCRGkSRQN#硼9'illSV:與I2:2D:4D953■MasurlnForrrI2:20^095345V5lnroTvpelI2.20:50.HO，M-isterInfcrmatiDrfllockIZ:Z0:5EI4D■朝Mbiy心!EPSPINDiredtion;Lt-knkCorrpX^tTiriestatp：12!20!40.343UET楙MW：混2035?(H￥)rtOtO：dj^5i：rinfinabDt;EPSMobityNAsEPSKldsItYManagementMessageType;(UkSf)Senjiymodereiert郵頊*WEcaDaDdcocoI22O：^035912.20:^0.953EMMcause顯示為24Securitymoderejected,unspecifiedAttachreject

Time*日加叫1222-5^046JRRCCarintrtiDnRjecC'fTriguratiDriDORP.CCannectiDnkecc-nl'inuratiDnCampletEDC'122254』花JDLlnforniaJthnTransferTime*日加叫1222-5^046JRRCCarintrtiDnRjecC'fTriguratiDriDORP.CCannectiDnkecc-nl'inuratiDnCampletEDC'122254』花JDLlnforniaJthnTransferDCTZ-22-5^*ALnhe-ndcafnonR±qu±rrEK122￡.5^I.4S4AutticnticationPjes-ponseEK1/.54花4ULlMij仇MiMiTr的5竹DC?4S4，DLlnrorniatinnTraHsfiirDC1222如434#StcuntvMadeCommandEP5]222：54.50D'而?.1??]■■旺1Z2Z：5^.5ODiJLInfomatinnTrsnsrirDC12:22-5^1500JDLlrifornntinnTra-'isfeKDCi1222.5d.50DIEP.CCannectiDnP.elea5tDC-122?5^500IIK強(qiáng)71B?MasuerlHfDrtmdorfilockBCCrjJ1222:547103S^sInfoTypelKiv<>■■KI■I■Time/EvenrsA1222.43.609[_上11TBS■匚lEOtSU■:匚C$53?9D0-20!1222：53.B2BfrdCh：M5Q1RA)1ZZZ530^3Prarh:MsqZ1222:53fl-43Pandomacre-s-s^ucce-s-s1222.53.B-43*PKCWTUD乾0.D75S122^5^50012:225^1GuflPRCr±ha?r1222.5d.50DCellM-irdifarsurtibltcdl|"禁由TIE|camponpnt*y,“1Strearr2SlrsarTDaraSINDataSIFJ3odeQE二口如E：郵CQIOftECQI1Dar^SINR.ENumiR.ENumiT.00.&EMMcause:Protocolerror,unspecified三、原因分析:根據(jù)上面的測試截圖我們發(fā)現(xiàn)，EPS已經(jīng)下發(fā)Securitymodecommand，而且UE側(cè)發(fā)起Securitymodereject，此行為為UE側(cè)拒絕導(dǎo)致attachreject.securitymodecommand一個是NAS層的，一個是PDCP的，我們需要對比的是authentication完成后的securitymodecommand，也就是NAS層的。1、對比正常的測試流程Securitymodecommand（B120版本）與B211、B161版本的UE側(cè)拒絕的Securitymodecommand：正常B120版本的NAS層SecuritymodecommandB211版本的NAS層Securitymodecommand發(fā)現(xiàn)B120與B211版本的Securitymodecommand無任何差異，故懷疑此B211版本UE存在故障。2、為了確定UE故障，我們將此款UE在南京現(xiàn)場進(jìn)行業(yè)務(wù)測試發(fā)現(xiàn)同款UE在南京現(xiàn)場測試正常，測試如下：

PDCP層Securitymodecommand再次對比南京現(xiàn)場測試的NAS層Securitymodecommand與上?，F(xiàn)場的信令Securitymodecommand信息南京現(xiàn)場的Securitymodecommand信息上?，F(xiàn)場的Securitymodecommand信息南京路測的截圖，與上海的差別就是Typeofintegrityprotectionalgorithm不一樣，南京是128-EIA1，上海是EIA0，為數(shù)據(jù)完整性保護(hù)算法不相同，eNODEB側(cè)參數(shù)設(shè)置完全一至均為EIA2。所以可以確定為核心網(wǎng)側(cè)integrityprotectionalgorithm設(shè)置存在差異。但從UE上報(bào)的能力來看EIA0算法是可以支持的如下圖UE信息：EPSMMDire：ction:UplinkCqiiipLiterTlmeatjaiTip:13:2.1:OS.UE■nmMtamp:{m=}—Attd^eJ-iRequest?Wuui_i「i±￥Heacde^rtvP=:Plaint-JASnotsecuritvproprotocol_diBcrlminater;EPSMobilityManas&rnentNASEPSMobililvMsinag>=mentMessageTvpc:￡口*:41)AttacJir^stT^peofsecuritycontieMtfls口CT5d):(O^NstivesecuritycontextNA5ke/ideiitifier:《T5)Nokev5p^reblt<s):□EPSatt^ditypes山EPSattacJ-iI—IEPSmobileide-ntity-OldGL-TTIo-rIM2ILEi~■口th；5口匚LeBodd/evenindie:1T^peofidentity;Cl>IMSIIMSI:460aaZ9A-5QOC030瑚|JEnetworkcapabilityLength;耳ocyLjf=EEAd:<13SupportEEAL;fl)Support11ZS-EEAZ：(1>supportEEA3:<03NotsupportEEA^F:NotGupport-EEA5!<03NotSJUpportEEA^!Notsuippo-rtEEAZsfQ?NotguiDpQrttElA2:[1>Support:E1A3：￡□>NotsupportEIA-4;Not￡uppor±=E1A5:￡□>NotsupportEIA6:CO)NotsupportElA7:3)Notsuppor-tUEAO：<1.)Support3、參照規(guī)范：3GPP33.401關(guān)于完整性保護(hù)算法AH^Igonthmsspeanedinthrssutdausearealgorithrns理i■:haISB-tninputkeyUGTED^laDcnsfromthsabovereqjirernentharvetcbsirdicatedejipliatt；.忤thealgondimtdentriierlistbFmy.EediiEPS[nreedryAlgOBtftm(EIA)willaEEigntdal-bicidjentifSet.CuiiBjiMty,ch?vain的havelwendefied■3QW\ItAO&UItiK^nr-ftowcflcrfl睚utiMiTOC\o"1-5"\h\zT*]012s128-EIA1SHOW3G"cm.12B-E1A2.AE5"COLl；'12S-EP33JCTherernsinin='/alueshsvebeenrest^Edf(Ffutureuse.UEsandeNBsshallinnpleinen^123-E^Aland12￡-EIA2forKRCsignallingintegrityprctecdon.UEsandeNEIsmayimplement128-EIA3RRCsignallingintegrityprotecticn.UPsandMMEsShaltimpleirent12&EIA1and12￡-4lA2farNASsignallingintegritypratettkui.UEsandMMEs.m我rmpleinent12S-EIA2forNA5signallingintegritypnoteciinn.____.址tThittlHTFtl而n:E何norIm迷ntyproienlai尸N45andFl5：rsignalling.￥speci^edinclause5..1.a.lofthis甲知節(jié)瓦Icm.ElWts臉皿itfor[哩明跟well土EIAOsh#llnot哭im鄰/JtyprotflctionbetweenRNandDeNB-_——nplernen^ticnEAOinMMEsandeNBsisoptimal.E：A&!pinplernensed,shalltefli^bledinhAlEsende^IQs叮shedeplG^fnencswheen」叩irtofun^uthenEicatEdEniE\g曰n叫匚々llin￡isnotwregulatury-equrtmen■:.MME應(yīng)該包含3GPP定義了的所有的完整性和加密算法（核心網(wǎng)三種都支持），NAS層建立連接時，終端上報(bào)安全能力，那么MME根據(jù)終端能力選擇算法。我們的問題在于MME上配置的listsofalgorithms和UE上報(bào)的securitycapabilities列表沒交集，所以發(fā)生鑒權(quán)失敗了。同時hisi芯片廠家反映：芯片硬件本身是支持EIA0的，現(xiàn)在用新協(xié)議要求不允許只使用0算法（NullIntegrityProtectionalgorithm），E1AO主要針對緊急呼叫的，安全性無法保障，目前統(tǒng)一用A1算法南京皿￡Algorithmselected如下:

■g偵斗!尖.X次Ad心以/OYimTWAuJi虹Via”▼|gFiLtLrauHr▼^pplicalienCrcdt-rPoi^ieBtTcksCs4.~~wmmn—nnv劃手|園國.A曳扇.sFirnJ|+]田InterfBceProtie田田腳sFirnJ|+]田InterfBceProtie田田腳rre面PreflcEl田Pag>h§PflbcyEffiPrbrityProfileKIECSFBPianoPriorityPretie曲田Atocaiion/Reteiiiiflin<arp)E)田ESMLo-cdlionCentre(EaULC)@ffiEriefgtatyNuiftt*-List國IBFrrerfleicyPncifi^田卜Ezene-;&uedMnbieSwrtchwiflCenlcfServsi0PariPCMD)LtJ田CriicalParfcnrAncHIndiciter(CPI)l-]~EEPSEicryphcn^iQDrlhmiEtA：一CO[0Rrlerly,PrkriyiCO田PriDrt}.PrkKiy2CdfflPriority:Prioriy3—Cd田PriDrih"PtwiyH囹EPSirr:印嘮枷lecmnAiwonirmiXlA：iCd田Prhrll).Prlcrty1。口由Priority：Prioriy2—CdEEIPri&rty*gxiy3l+|E[PSLHMifyusn日oememmsE的1如止柱山?田GhtaPasaniEterE.SECdlTmEEiGIchBl^elljmgl±)-田Ffcrms枷ml±)-田Timer(+1EMess-age：Rctnanstnisscns0田QoStapping；l±l里SG/TOftcSParflinKUriteEP$QCI^^pinj目ElAPriarrty-Ca10.4-CJ35B。即略TWtGeneralCuncntCLChi$0'及?如果UE只是用緊急呼叫的話，應(yīng)該只帶上來EIA0；?如果UE3個都帶了，那對于核心網(wǎng)來說，應(yīng)該選擇非EIA0的完整性保護(hù)算法；四、解決方案：給出3點(diǎn)解決建議，滿足一項(xiàng)即可：對華為新出的終端也是對EIA0做限制，在終端在上報(bào)支持能力時就不上報(bào)了EIA0了MME側(cè)把NASsecurityalgorithm中EIA0改成128-EIA13.如果終端上報(bào)支持EIA0，在核心網(wǎng)做完整性保護(hù)算法選擇時，也不會優(yōu)先選擇EIA0,應(yīng)該是EIA1或者EIA2,同時打開3個完整性保護(hù)算法開關(guān)。五、驗(yàn)證結(jié)果:最終用戶協(xié)調(diào)經(jīng)華為對核心網(wǎng)算法的修正（方案3），經(jīng)測試驗(yàn)證,同款UE（UE前后的能力沒有改變）巳經(jīng)可以接入網(wǎng)絡(luò)了，Time12:11:56.92112-11:57.1251?11:57.14012.11:57.14012:11:57.34312-11:57.2421211：57.34312.11:59.Q1512:11:59.01512:11:59.0151211:59.015令DetactiR.eques1■fr<RCCannectionRequeat4*RRCGannedlonSeriJisirSC:nnsdionSetupComplsteJRRCCannedionReconhguraton。RRCConnectionReleaseRPCConngdlonRoconnguraiionCcimplolc?粗血血防竹材imE.iQG^。Sys)他Type!*EPSMMCCCH_ULgCFLD.DCCH_UL^2DCCH_DLDCCH_DLDCCH_LII.ECCH-BCBCCH_eCBCCH_SCBCCH.SCTypearri-nbty:{b;GUTL12.11:59.2131^-11:59.218L^RCC^nreclionRequestCCCHIL1211：59.2134rRRCCannerH<jnSebJPCCCH_[L12.11:59.213fRRGCarTdflcilonSetupCompleteDCCH_l12.11:59.23.4*RRCCcnnedianReo^nfiguraiionDCCH_[L1Z11:59.234rRRCCcnnertiQnRecflnriguraflcinCDmpleteDCCH_lL1211：59.234iiJECapabilityEnquir?DGCH_[12.11:59.23^VUECapabilifeInformiaiianDCCH_l1罷.11前.弈3IfSecur^lodeCditmandDCCH_C-12:11:59.451L3ArnrJj.-L1ririPi~?nmplAtPrji7?ra-^_L-1211：59.45J4RRGConnedloriReDannQuraiionDGCH_DL12.11:59.^3RRCCannedi'DnReCTnnguraiionCDmpleleDCCH_UL12:11:69.453Arx整度■EPSMI.11Z11:59.452，F(xiàn)￡flvsleDFlaLiltEPSBearerCam&ttRequestEPSSM1211:59.^53lAdkaieDefaultEPSBearerConie.itacdgpiEPSSM12:11:59.453.AJtiachCompleteEPSMH12:11:59