edX 4G Network Essentials Week 2: Security Procedures 7 - Revisiting Attachment

mac2022-06-30  32

How are the different security procedures executed during the attachment?

In this video, we’ll take another look at how the very first attachment procedure works, but in more detail.

First, the terminal sends an attachment request to the network in which it includes the subscriber’s IMSI and its capacities in terms of security.

After receiving this request, the MME needs an authentication vector to authenticate the terminal.

It sends a request to the HSS indicating the subscriber’s IMSI and the network to which it wants to attach.

The network is identified by the country code MCC and by the operator code MNC.

If the subscriber is in his network, the country and operator codes are the same as those in the IMSI.

If the subscriber is abroad, the MCC and the MNC are those of the visited network.

The HSS generates several authentication vectors and sends them to the MME.

The MME uses one of these vectors.

It begins the authentication procedure of the terminal.

The terminal authenticates the network thanks to the authentication token AUTN and sends the response RES.

The MME verifies that the RES sent corresponds to the XRES that it has in its authentication vector.

Once authentication is finalized, the MME calculates several keys: K_NAS_Enc, K_NAS_Int for ciphering and integrity and K_eNB.

The network and the mobile terminal then exchange several messages to correctly activate ciphering and integrity.

The procedures are designed to avoid ending up in problematic situations where one side is ciphering messages with one algorithm and the other side is receiving them without trying to de-cipher.

The MME activates ciphering of the terminal with Security Mode Command.

It indicates the encryption and integrity algorithms to use for the rest of the communications with the MME.

Note that this message is not ciphered.

Following this command, the terminal activates ciphering and data integrity with the indicated algorithms.

It responds to the MME and this time, the response is ciphered and signed.

I mean it includes a MAC, message authentication code.
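The Security Mode Command exchange described above, as an added sketch that is not part of the course material. HMAC-SHA-256 truncated to 32 bits and a SHAKE-256 keystream are stand-ins for the real EIA/EEA algorithms, and the function names and two-byte message layout are constructed for illustration.

```python
import hashlib
import hmac

UPLINK, DOWNLINK = 0, 1

def mac32(k_int: bytes, count: int, direction: int, msg: bytes) -> bytes:
    """Stand-in for EIA: 32-bit MAC bound to COUNT and direction."""
    data = count.to_bytes(4, "big") + bytes([direction]) + msg
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]

def cipher(k_enc: bytes, count: int, direction: int, data: bytes) -> bytes:
    """Stand-in for EEA: XOR with a keystream bound to key, COUNT and direction."""
    seed = k_enc + count.to_bytes(4, "big") + bytes([direction])
    stream = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def mme_security_mode_command(k_int: bytes, enc_alg: int, int_alg: int) -> bytes:
    """MME -> terminal: algorithm choice in clear (the terminal must be able
    to read it before it can decipher anything), protected by a MAC."""
    body = bytes([enc_alg, int_alg])
    return body + mac32(k_int, 0, DOWNLINK, body)

def ue_handle_command(k_enc: bytes, k_int: bytes, frame: bytes):
    """Terminal: check the MAC, then answer ciphered and signed.
    Returns None when the MAC does not verify."""
    body, tag = frame[:-4], frame[-4:]
    if not hmac.compare_digest(tag, mac32(k_int, 0, DOWNLINK, body)):
        return None  # altered algorithm choice or mismatched keys: reject
    ct = cipher(k_enc, 0, UPLINK, b"SecurityModeComplete")
    return ct + mac32(k_int, 0, UPLINK, ct)

def mme_handle_complete(k_enc: bytes, k_int: bytes, frame: bytes):
    """MME: verify the MAC first, decipher only if it matches."""
    ct, tag = frame[:-4], frame[-4:]
    if not hmac.compare_digest(tag, mac32(k_int, 0, UPLINK, ct)):
        return None
    return cipher(k_enc, 0, UPLINK, ct)

if __name__ == "__main__":
    k_enc, k_int = bytes(16), bytes(range(16))   # constructed sample keys
    cmd = mme_security_mode_command(k_int, enc_alg=2, int_alg=2)
    print("command (clear + MAC):", cmd.hex())
    resp = ue_handle_command(k_enc, k_int, cmd)
    print("complete (ciphered + MAC):", resp.hex())
    print("MME recovers:", mme_handle_complete(k_enc, k_int, resp))
    downgraded = bytes([0]) + cmd[1:]            # algorithm byte changed in transit
    print("terminal accepts altered command:", ue_handle_command(k_enc, k_int, downgraded) is not None)
```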

The MME allocates the necessary resources between the P-Gateway and the S-Gateway so that the SGW can relay the user data.

We’ll see this in week four.

Then, the MME sends a message to the eNodeB to let it know that the user has been authenticated and to give, among other things, the K-eNodeB key.

The eNodeB calculates the integrity key K_RRCint and the encryption key K_RRCenc.

It activates encryption of the radio channel in the same way that the MME activated encryption between itself and the terminal.

The eNodeB sends the Security Mode command with the encryption and integrity algorithms to use on the radio channel which can be different from the algorithms chosen by the MME.

Once again, this first message is signed but not ciphered.

However, the confirmation Security Mode Complete is ciphered and signed.
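The key calculations mentioned above (K_NAS_enc, K_NAS_int and K_eNB at the MME, then K_RRCenc and K_RRCint at the eNodeB), as an added example that is not part of the course material. It follows the HMAC-SHA-256 key derivation function of 3GPP TS 33.401 Annex A; K_ASME, the parent key the MME receives in the authentication vector, is a name from that specification rather than from this page, and the key value and algorithm identifiers are constructed samples.

```python
import hashlib
import hmac

# Algorithm type distinguishers used as P0 in the algorithm-key derivation.
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT = 0x01, 0x02, 0x03, 0x04

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()

def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm key (FC 0x15): keep the 128 least significant bits of the output."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[-16:]

def mme_keys(k_asme: bytes, nas_enc_alg: int, nas_int_alg: int, ul_nas_count: int = 0) -> dict:
    """Keys the MME computes once authentication has succeeded."""
    return {
        "K_NAS_enc": alg_key(k_asme, NAS_ENC, nas_enc_alg),
        "K_NAS_int": alg_key(k_asme, NAS_INT, nas_int_alg),
        # K_eNB (FC 0x11) is bound to the uplink NAS COUNT and handed to the eNodeB.
        "K_eNB": kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big")),
    }

def enb_keys(k_enb: bytes, rrc_enc_alg: int, rrc_int_alg: int) -> dict:
    """Keys the eNodeB computes from K_eNB for the radio channel."""
    return {
        "K_RRCenc": alg_key(k_enb, RRC_ENC, rrc_enc_alg),
        "K_RRCint": alg_key(k_enb, RRC_INT, rrc_int_alg),
    }

if __name__ == "__main__":
    k_asme = bytes(range(32))  # constructed sample key, not a real K_ASME
    core = mme_keys(k_asme, nas_enc_alg=2, nas_int_alg=2)          # MME's choice
    radio = enb_keys(core["K_eNB"], rrc_enc_alg=1, rrc_int_alg=1)  # eNodeB's own choice
    for name, key in {**core, **radio}.items():
        print(f"{name:10s} {key.hex()}")
```

Because the algorithm identifier is an input to the derivation, the eNodeB choosing different algorithms from the MME yields unrelated keys even though both chains start from the same authentication run.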

Finally, the MME sends the connectivity parameters to the mobile terminal in complete security.

These parameters contain, among other things, its GUTI and IP address.

How is the mobile terminal’s IP address allocated?

After the terminal’s response which activates ciphering between it and the MME, the MME takes care of choosing the S-Gateway and the P-Gateway.

The MME asks the HSS to give the subscriber profile.

The HSS answers and also gives the subscriber’s connectivity parameters.

The main parameter is the APN – Access Point Name – which indicates the symbolic name of the P-Gateway.

The MME selects the S-Gateway and sends a message to it.

The S-Gateway contacts the P-Gateway identified.

The PGW allocates an IP address.

The response is transmitted from the S-Gateway to the MME.

The MME then sends this information to the mobile terminal via the eNodeB.

From this moment, the mobile terminal can communicate with the rest of the world.

Reposted from: https://www.cnblogs.com/sec875/articles/9947884.html
