安全--終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)_第1頁
安全--終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)_第2頁
安全--終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)_第3頁
安全--終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)_第4頁
安全--終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)_第5頁
已閱讀5頁,還剩3頁未讀 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、文檔名稱文檔密級終端錯報其支持祖沖之算法導(dǎo)致無法駐留LTE網(wǎng)絡(luò)1 現(xiàn)象描述1、A型號手機在所有站下都無法駐留4G網(wǎng)絡(luò)。2、其它手機可以正常駐留。3、Mifi可以正常駐留4G。2 告警信息不涉及3 原因分析附著過程中的信令發(fā)現(xiàn)“Security mode reject”,原因為“security mode rejected unspecified”。 eNodeB下發(fā)給終端的NASSecurityModeCommand消息中下發(fā)的加密和完整性保護(hù)算法分別為EEA3和EIA3。 但Mifi網(wǎng)絡(luò)下發(fā)的RRC SecuritymodeCommand消息中下發(fā)的SecurityAlgorithmConf

2、ig下發(fā)的加密和完整性保護(hù)算法分別為EEA2和EIA2。經(jīng)核查,X運營商要求打開祖沖之算法,核心網(wǎng)側(cè)改成了“優(yōu)選祖沖之算法”,當(dāng)終端支持祖沖之算法時,優(yōu)先使用祖沖之算法。當(dāng)終端不支持祖沖之算法時,選用其他算法?;緜?cè)的加密算法配置: 終端probe信令,收到核心網(wǎng)下發(fā)的NAS安全祖沖之算法后,返回安全模式失敗。 協(xié)議33.401對NAS安全過程的一個描述:7.2.4.4            NAS security mode command procedureThe NAS SMC

3、procedure consists of a roundtrip of messages between MME and UE. The MME sends the NAS security mode command to the UE and the UE replies with the NAS security mode complete message. The NAS security mode command message from MME to UE shall contain the replayed UE security capabilities, the select

4、ed NAS algorithms, the eKSI for identifying KASME, and both NONEUE and NONCEMME in the case of creating a mapped context in idle mobility (see clause 9.1.2). This message shall be integrity protected (but not ciphered) with NAS integrity key based on KASME indicated by the eKSI in the message (see f

5、igure 7.2.4.4-1). The UE shall verify the integrity of the NAS security mode command message. This includes ensuring that the UE security capabilities sent by the MME match the ones stored in the UE to ensure that these were not modified by an attacker and checking the integrity protection using the

6、 indicated NAS integrity algorithm and the NAS integrity key based on KASME indicated by the eKSI. In addition, when creating a mapped context for the case described in clause 9.1.2, the UE shall ensure the received NONCEUE is the same as the NONCEUE sent in the TAU Request and also calculate K'

7、ASME from CK, IK and the two nonces (see Annex A.11). If the MME receives no response to a NAS Security Mode Command that included nonces to create a mapped context and it wishes to try again to create the mapped context, the MME shall use the same values of NONCEUE and NONCEMME. If the UE receives

8、a re-transmitted NAS Security Mode Command, i.e one containing the nonces, after it has successfully received a previous one (and hence created a mapped EPS NAS security context), the UE shall process the message as above, except that it is not required to re-generate the K'ASME or check the NON

9、CE UE if it does not re-generate the K'ASME. If the checks of the NAS Security Mode Command pass the UE shall respond with a NAS Security Mode Complete. The UE shall delete NONCE_UE once the TAU procedure is complete.If successfully verified, the UE shall start NAS integrity protection and ciphe

10、ring/deciphering with this security context and sends the NAS security mode complete message to MME ciphered and integrity protected The NAS security mode complete message shall include IMEISV in case MME requested it in the NAS SMC Command message.The MME shall de-cipher and check the integrity pro

11、tection on the NAS Security Mode Complete using the keys and algorithms indicated in the NAS Security Mode Command. NAS downlink ciphering at the MME with this security context shall start after receiving the NAS security mode complete message. NAS uplink deciphering at the MME with this context sta

12、rts after sending the NAS security mode command message. If any verification of the NAS security mode command is not successful in the ME, the ME shall reply with a NAS security mode reject message (see TS 24.301 9). The NAS security mode reject message and all following NAS messages shall be protec

13、ted with the EPS NAS security context, i.e., the EPS NAS security context used prior to the NAS security mode command that failed (until a new EPS NAS security context is established, e.g., via a new NAS security mode command procedure). If no EPS NAS security context existed prior to the NAS securi

14、ty mode command, the NAS security mode reject message cannot be protected. 由協(xié)議可知, 1、如果NAS層加密成功,終端需要給MME發(fā)送security mode complete消息。2、如果NAS security mode command消息認(rèn)證不成功,終端應(yīng)該回復(fù)reject消息。 從這一點看,因終端沒有發(fā)security mode complete消息,所以推斷A型號終端要么不支持祖沖之算法,要么因為別的原因安全模式失敗。 需聯(lián)系終端公司分析A型號在NAS安全的時候失敗的原因。查看信令:終端發(fā)的附著請求中攜帶了所支持的加密算法: 附著請求解碼后:可見終端上報的能力是支持祖沖之算法的。 再找終端確認(rèn)發(fā)現(xiàn)當(dāng)前版本并不支持祖沖之算法。由于終端版本誤報的終端能支持的加密算法導(dǎo)致。需要升級版本解決。 升級后終端版本,從attach request消息中看終端上報的加密算法已經(jīng)不支持祖沖之(EEA3&EIA3算法)。升級后驗證發(fā)現(xiàn),終端上報的加密算法去掉了祖沖之算法,這樣即使網(wǎng)絡(luò)支持祖沖之算法,因為終端不支持,最終協(xié)商結(jié)果也不會下發(fā)祖沖之算法給終端。所以,終端升級后,解決了之前版本

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

最新文檔

評論

0/150

提交評論