
Dr. (TS.) Nguyễn Phạm Anh Dũng

Chapter 9
SECURITY IN 4G LTE/SAE
The topics presented in this chapter include:
- User security in EPS
- Security in handover
- Security procedures when the UE initiates a connection to the EPS
- Security procedures for non-3GPP access networks
- Summary of the security and key generation procedures in EPS
- Network domain security
- Security of the LTE user in IMS

The purpose of the chapter is to give students knowledge of security in the 4G LTE network, covering the radio interface, the core network and IMS. To understand this chapter, students should read the material presented in it carefully and consult references [35] and [42].

4G LTE/SAE was designed to support packet-switched traffic with seamless mobility, quality of service (QoS) and minimal latency. Packet switching lets all services, including voice, be carried over packet connections. The architecture therefore becomes simpler and flatter, with only two node types: the eNodeB (evolved Node B) and the MME/GW (Mobility Management Entity/Gateway). The main architectural change is that the RNC is removed from the data path and its functions are integrated into the eNodeB. Two benefits of having only one node in the access network are lower latency and the distribution of the RNC's processing load over many eNodeBs. The RNC can be removed from the access network partly because LTE does not support macro-diversity or soft handover.
This chapter briefly reviews the 4G LTE/SAE architecture and then presents the network security features of the system in detail.

9.1. LTE/SAE SYSTEM ARCHITECTURE AND IMS

Figure 9.1 shows the architecture and network elements of 4G LTE/SAE when only the E-UTRAN radio access is present. The logical nodes and connections in the figure show the basic system architecture configuration.


[Figure 9.1 (diagram): UE (TE, ME, USIM) -- LTE-Uu -- E-UTRAN (eNodeBs interconnected over X2) -- EPC (MME, S-GW and P-GW forming the SAE GW, HSS, PCRF) -- SGi -- external networks (operator services such as IMS, and the Internet). Interfaces shown: S1-MME (eNodeB-MME), S1-U (eNodeB-S-GW), S5/S8 (S-GW-P-GW), S6a (MME-HSS), S10 (MME-MME), S11 (MME-S-GW), Gx, Gxc and Rx (PCRF), Cu (ME-USIM). The NAS terminates between the UE and the MME; the AS (RRC and UP) terminates between the UE and the eNodeB.
Annotations: the eNodeB takes over the roles of the RNC and the NodeB of 3G UMTS and is the termination point of the AS (RRC and UP); the MME is responsible for mobility within the EPS and between RATs, performs authentication, terminates the NAS and selects the gateways for the UE.]

E-UTRAN: Evolved UMTS Terrestrial Radio Access Network; EPC: Evolved Packet Core; MME: Mobility Management Entity; SAE: System Architecture Evolution; PCRF: Policy and Charging Rules Function; HSS: Home Subscriber Server; S-GW: Serving Gateway; P-GW: Packet Data Network Gateway; SAE-GW: SAE Gateway; IMS: IP Multimedia Subsystem; NAS: Non Access Stratum; AS: Access Stratum; RRC: Radio Resource Control; UP: User Plane.

Figure 9.1. System architecture of the 4G LTE/SAE network with E-UTRAN access only.

Figure 9.1 shows that the architecture consists of four main domains: (1) the user equipment (UE), (2) the evolved UMTS terrestrial radio access network (E-UTRAN), (3) the evolved packet core (EPC) and (4) the services domain.
The high-level architectural domains have the same functions as those already present in 3GPP systems. The new architecture work concentrates on the radio access network and the core network, i.e. E-UTRAN and EPC. The UE and services domains are architecturally unchanged.
Together, the UE, E-UTRAN and EPC form the IP connectivity layer. This part is also called the Evolved Packet System (EPS). The main function of this layer is to provide IP-based connectivity: all services are delivered on top of IP. IP is also the dominant transport technology; here everything is designed to run over IP transport.
The SAE GW consists of two gateways, the Serving Gateway (S-GW) and the Packet Data Network Gateway (P-GW), which are defined to handle the user plane (UP) in the EPC. They can be implemented together as a single SAE-GW, but they can also be deployed separately and connected over a standardised interface.

Figure 9.2 shows the IMS (IP Multimedia Subsystem) architecture used with LTE/SAE, in which the CSCFs (Call Session Control Functions) play the central role. The CSCFs are:
- S-CSCF (Serving CSCF), located in the user's home network, responsible for registering the UE and maintaining session state.
- I-CSCF (Interrogating CSCF), located at the border of the home network, responsible for finding the registration state of the UE and either assigning a new S-CSCF or routing to the existing one.
- P-CSCF (Proxy CSCF), the closest IMS node the UE interacts with, responsible for all functions related to controlling the IP connectivity layer (EPS).



[Figure 9.2 (diagram): UE -- radio access network -- EPC (P-GW, PCRF; Gx, Rx, SGi) forming the EPS IP connectivity layer; IMS session management and routing (P-CSCF, I-CSCF, S-CSCF over Gm, Mw, Mx, Mm, Mi, Mg, Mj, Mk, Ut); databases (HSS, SLF over Cx, Dx, Sh, Dh); service elements (AS, AF, MRFC, MRFP over ISC, Ma, Mr, Mp, Mb); interworking elements (BGCF, IBCF, TrGW, MGCF, IMS-MGW over Mn, Ix, Ici, Izi towards the CS domain and other networks).]

S-CSCF (Serving CSCF), I-CSCF (Interrogating CSCF), P-CSCF (Proxy CSCF), HSS (Home Subscriber Server), MRFC (Media Resource Function Controller), MRFP (Media Resource Function Processor), BGCF (Breakout Gateway Control Function), IBCF (Interconnection Border Control Function), TrGW (Transition Gateway), MGCF (Media Gateway Control Function), IMS-MGW (IMS Media Gateway), AS (Application Server), AF (Application Function), SLF (Subscription Locator Function), EPS (Evolved Packet System).

Figure 9.2. IMS architecture


9.2. USER SECURITY IN EPS

9.2.1. Security requirements for the elements and interfaces of EPS
During EPS session management, security mechanisms must be applied both in the network and in the UE. Broadly there are two security areas:
- Security between the user and the network, protecting the exchanges between the network and the UE over the radio interface
- Network domain security, protecting the interfaces between network nodes in the EPS and the IMS
EPS provides three kinds of security protection for the non-access stratum (NAS) and the access stratum (AS), very similar to the security of 3G UMTS networks:
- Ciphering. This is the basic security feature of most wireless systems. Ciphering provides data confidentiality by protecting information against eavesdropping. In EPS, ciphering is applied not only to user data but also to signalling, because in some cases signalling messages carry the user's identity or other sensitive information that an attacker could use to gain unauthorised access to the network or to break its security protections.
- Integrity. This is the process by which the receiving entity can check whether signalling data was altered without authorisation after the sending entity transmitted it. In EPS, integrity protection applies only to RRC and NAS signalling. Application-layer signalling (such as RTCP, SIP and SDP) is not integrity protected by EPS because it is treated as user data.
- Mutual authentication. Used so that the network can authenticate the subscriber identity and, in the other direction, the UE can authenticate the serving network.
The basic requirements for the LTE security mechanisms are:
- The EPS security procedures are built on the credentials and security algorithms stored in the USIM of the UE
- The USIM continues to be used, i.e. no change to the USIM is required to access the EPS network, and a USIM from a 3G UMTS network can be reused. The EPS security procedures are therefore designed to be backward compatible with the 3G UMTS USIM
- The security level must be at least equal to, or better than, that of 3G UMTS
Figure 9.3 shows the security requirements for the elements and interfaces in EPS.



[Figure 9.3 (diagram) annotations:
- UE - network (LTE-Uu): mutual authentication between UE and network; confidentiality optional; integrity protection mandatory for RRC and NAS, optional for UP (SNOW 3G and AES algorithms); MSIN and IMEI must be kept confidential; the IMEI is sent only after NAS security has been activated.
- Network elements eNodeB, MME and S-GW over X2, S1-MME, S1-U and S11: integrity, confidentiality and replay protection at the operator's discretion; mutual authentication between network elements.
- O&M: confidentiality and integrity protection for software transfer; mutual authentication between the eNodeB and the O&M system.
MSIN: Mobile Subscriber Identification Number; IMEI: International Mobile Equipment Identity]

Figure 9.3. Basic security requirements for the elements and interfaces in EPS
9.2.2. EPS network security functions
9.2.2.1. Security functions and protocol layers
Figure 9.4 shows the security functions at the different protocol layers.



[Figure 9.4 (diagram): protocol stack Application/IP over NAS, RRC, PDCP and RLC/MAC/L1. NAS: performs key handling and NAS integrity and confidentiality protection. RRC: handles the AS keys (RRC and UP) and activates security in PDCP. PDCP: performs RRC integrity protection and RRC and UP ciphering.]

Figure 9.4. Security functions and protocol layers


9.2.2.2. Security functions and EPS network elements
Figure 9.5 shows the security functions of the EPS network elements.

[Figure 9.5 (diagram): UE -- eNodeB -- MME (S1-MME), eNodeB -- S-GW (S1-U), MME -- S-GW (S11), MME -- AUC/HSS (S6a).
- eNodeB: termination point (the UE being the other end) of RRC confidentiality and integrity and of UP confidentiality; manages the AS keys; initiates UE AS security.
- MME: termination point (the UE being the other end) of NAS confidentiality and integrity; manages the NAS keys and takes part in NAS key handling; checks the UE's authorisation to access services and the network; receives the AVs from the HSS; initiates UE NAS security.
- AUC/HSS: performs UE authentication; generates the authentication vectors (AV).]

Figure 9.5. Security functions and EPS network elements.


9.2.3. Security key management

9.2.3.1. Generating the security keys from a shared key

To secure the access stratum (AS), two security functions are needed: (1) ciphering for control-plane data (RRC: Radio Resource Control), i.e. the SRBs (Signalling Radio Bearers), and for user-plane data, i.e. all data radio bearers (DRBs); (2) integrity protection, used only for the control plane (RRC). Ciphering protects the data streams from being read by a third party, while integrity protection lets the receiver detect packets inserted or replaced by a third party. RRC always activates both functions together, either right after connection establishment or as part of a handover. The generation, distribution and derivation of the keys is shown in Figure 9.6. The process starts from a permanent shared secret key K that exists only in the AUC (Authentication Centre) within the HSS (Home Subscriber Server) and in the USIM (Universal Subscriber Identity Module) of the UE; the intermediate key KASME (Access Security Management Entity key) is derived from it. A set of keys and a checksum are generated at the AUC using the shared key and a random number. The derived keys, the checksum and the random number are passed to the MME (Mobility Management Entity); the MME forwards only the checksum and the random number to the UE. In the UE, the USIM computes the same set of keys from the random number and the shared secret key. Mutual authentication is performed by comparing the checksum computed in the USIM with the checksum received from the network, using the NAS (Non Access Stratum) protocol.
At connection establishment, the AS (Access Stratum) derives the AS root key KeNB (the eNodeB-specific key) from KASME. KeNB is used to generate three further security keys, called the AS derived keys: one for integrity protection of RRC signalling (SRB: Signalling Radio Bearer), one for ciphering RRC signalling and one for ciphering user data (DRB: Data Radio Bearer).
For handover within E-UTRAN, a new AS root key and new AS derived keys are computed from the AS root key used in the source cell. For handover into E-UTRAN from UTRAN or GERAN, the AS root key is derived from the UTRAN or GERAN integrity and ciphering keys. A handover within LTE may also lead to a new KASME (after re-authentication by the NAS).
The use of the security keys for integrity protection and ciphering is handled by the PDCP (Packet Data Convergence Protocol) layer.



[Figure 9.6 (diagram): AUC/HSS and UE/USIM run authentication and key agreement (AKA), producing the access security management entity key KASME at the MME and in the UE. From KASME each side derives the NAS keys and the AS root key KeNB; the eNodeB and the UE derive from KeNB the AS derived keys for SRB integrity protection and for SRB and DRB ciphering.]

Figure 9.6. Generation of the security keys

9.2.3.2. EPS key hierarchy

To apply security protection to the different information flows, the standard defines the key hierarchy shown in Figure 9.7.


[Figure 9.7 (diagram): K (USIM/AuC) -> CK, IK (UE/HSS) -> KASME (UE/HSS). NAS (Non Access Stratum), UE/MME: KASME -> KNASenc, KNASint and KeNB. AS (Access Stratum), UE/eNodeB: KeNB -> KUPenc, KRRCenc, KRRCint.
NAS: Non Access Stratum; AS: Access Stratum; KASME: root key of the access security management entity]

Figure 9.7. Key hierarchy in EPS

The keys in the hierarchy of Figure 9.7 are as follows:

- K. The security key stored permanently in the USIM and in the AuC. It is the basis of all key derivation algorithms in 3G UMTS and EPS.
- CK (Ciphering Key) and IK (Integrity Key). Derived at the AuC and in the USIM when a security association is established.
- KASME (Access Security Management Entity Key). An intermediate key derived in the UE and in the HSS from CK and IK during AKA (Authentication and Key Agreement). The ASME is the network entity responsible for establishing and maintaining security associations with the UE, based on the keys received from the HSS. In EPS the MME plays the role of the ASME.
- KeNB. An intermediate key derived by the UE and the MME from KASME. After handovers it is re-derived from the previous KeNB or from NH together with target-cell parameters, so its value is specific to the serving eNodeB. The eNodeB uses it to derive the keys for RRC and UP traffic.

The keys are generated as follows:

- When AKA (Authentication and Key Agreement) is executed to satisfy the mutual authentication requirement, CK and IK are generated at the AUC and in the USIM and passed to the HSS and to the ME (Mobile Equipment) part of the UE respectively.
- The HSS and the UE derive KASME from the pair CK, IK using a key derivation function that takes the identity of the serving network as input. The HSS passes KASME to the MME of the serving network as the base of the key hierarchy.

- From KASME, the keys KNASenc (Non Access Stratum Encryption) and KNASint (Non Access Stratum Integrity) are derived. These keys protect the NAS signalling exchanged between the MME and the UE.
- When the UE connects to the network, the MME derives the key KeNB and passes it to the eNodeB. From KeNB the following keys are derived: (1) KUPenc (User Plane Encryption) for ciphering the user plane, (2) KRRCenc (Radio Resource Control Encryption) for ciphering the control plane and (3) KRRCint (Radio Resource Control Integrity) for integrity protection of the control plane.
In total, five keys are generated to protect the integrity and confidentiality of three kinds of flow: NAS signalling (between UE and MME), AS signalling, i.e. RRC (between UE and eNodeB), and user-plane data (between UE and eNodeB, where PDCP ciphering terminates; the S-GW forwards the data without applying the AS keys).
The security functions in EPS are split into AS and NAS security functions. Because bulk data is transferred only while the UE is connected, the network establishes the AS security association only when the UE and the eNodeB are connected; when the UE is in IDLE mode, no such state needs to be maintained in the eNodeB. Because NAS messages are also exchanged with idle UEs, the NAS security association is established between the UE and the core network node (the MME).
Figure 9.8 shows the use of the keys in the downlink (from the network to the UE).
[Figure 9.8 (diagram): NAS signalling from the MME is integrity protected with KNASint and ciphered with KNASenc. RRC signalling from the eNodeB is integrity protected with KRRCint and ciphered with KRRCenc. UP data arriving from the S-GW is ciphered with KUPenc. All of these operations are performed in PDCP.]

Figure 9.8. Example of key usage for the downlink flows.



The EPS security procedures are built on the security credentials and algorithms stored in the USIM of the UE. The EPS procedures are designed so that the USIM can access the EPS, ensuring backward compatibility for 3G UMTS subscribers. This is made possible by LTE-specific derivation algorithms, which can build the LTE keys from the 3G UMTS CK and IK and vice versa.
A 2G GSM SIM, however, cannot access EPS networks, because 2G security is considered weak (in GSM the ciphering key Kc is 64 bits long, whereas in 3G UMTS the ciphering key CK and the integrity key IK are 128 bits). On handover from GSM into E-UTRAN the security context must be re-established, and the E-UTRAN system decides the new keys. On handover from E-UTRAN into GSM or 3G UMTS, the GSM and 3G UMTS keys are derived from the EPS keys.
For ciphering, LTE uses a stream cipher in which the data to be ciphered is XORed with a keystream, as in 3G. Note that a keystream must never be reused. The algorithms used in 3G and LTE produce a keystream of finite length, so to avoid keystream reuse the keystream is renewed periodically, i.e. at network connection or at handover. In 3G, running AKA is required to refresh the keys from which these keystreams are generated. Running AKA can take several hundred ms for the key computation in the USIM and the exchange with the HSS (Home Subscriber Server), so a key update function that does not require AKA was added to achieve the high data rates of LTE. As in 3G, the AUC and the USIM share the same secret (the key K) in advance. As in 3G UMTS, the security association (corresponding to the keys CK and IK) is identified by a KSI (Key Set Identifier). The KSI is assigned by the network during authentication and stored in the USIM. The network uses it to know which keys are stored in the UE, so that they can be reused for subsequent connection requests. This allows ciphering to be started on a new connection without a new authentication. In EPS the KSI (called eKSI) identifies KASME.
9.2.3.3. Ciphering and integrity algorithms of E-UTRAN
So far two sets of ciphering and integrity algorithms, built on SNOW 3G and on AES, have been specified by 3GPP; in addition a null algorithm is defined for ciphering.
The EEA algorithms (EPS Encryption Algorithm) are specified in 3GPP TS 33.401. Each algorithm is assigned a 4-bit identifier and takes a 128-bit key as input:

Identifier   Algorithm   Basis
0000         128-EEA0    Null ciphering algorithm
0001         128-EEA1    SNOW 3G
0010         128-EEA2    AES

The EIA algorithms (EPS Integrity Algorithm) are specified in 3GPP TS 33.401. Each algorithm is assigned a 4-bit identifier and takes a 128-bit key as input:

Identifier   Algorithm   Basis
0001         128-EIA1    SNOW 3G
0010         128-EIA2    AES

The identifier of the selected algorithm is one of the inputs of the derivation of the NAS and AS algorithm keys, so the keys derived for EEA1 and for EEA2 from the same KASME or KeNB are different.
9.3. SECURITY IN HANDOVER
Installing eNodeBs at outdoor sites exposes them to the risk of physical access by unauthorised parties, so a matching security measure is needed. For this reason the concept of forward security was introduced in LTE. It works as follows: without KASME, and even holding the KeNB currently shared between the UE and the current eNodeB, an attacker cannot, within feasible computation, predict the future KeNB that will be used between the UE and the next eNodeB the UE connects to, so the ciphering is not broken. The model for key handling at handover is shown in Figure 9.9.
[Figure 9.9 (diagram): KASME and the NAS uplink COUNT produce the initial KeNB (NCC=0). From KASME the MME and the UE also derive the NH chain (NCC=1, NCC=2, ...). Horizontal derivation: KeNB -> KeNB* using the PCI and EARFCN-DL of the target cell, NCC unchanged. Vertical derivation: NH -> KeNB* using the PCI and EARFCN-DL of the target cell, NCC incremented.]

Figure 9.9. Model for key handling at handover


Once the AS security context is shared between the UE and the eNodeB, the MME and the UE must generate the key KeNB and a parameter for subsequent handovers, NH (Next Hop). KeNB and NH are generated from KASME; for each value of NCC (NH Chaining Counter) there is one KeNB, NH pair, i.e. a KeNB is generated for every NH value. At initial set-up, KeNB is generated directly from KASME and the NAS uplink COUNT, which corresponds to NCC=0. NCC and NH are in one-to-one correspondence and are generated only in the MME and in the UE, so in handover procedures between eNodeBs fresh {NH, NCC} pairs are always sent from the MME to the serving eNodeB.


KeNB is the basis for secure communication between the UE and the eNodeB. For a direct handover between eNodeBs, the new key KeNB* is generated either from the active KeNB or from NH. In Figure 9.9, horizontal key derivation denotes generating KeNB* from KeNB, and vertical key derivation denotes generating it from NH; both use as additional inputs the EARFCN-DL (E-UTRAN Absolute Radio Frequency Channel Number, Downlink) and the PCI (Physical Cell Identity) of the target cell.
Because only the UE and the MME can compute NH, the use of NH provides a way to achieve forward security over handovers across multiple eNodeBs. Forward security here means that, at the moment of a vertical key change, the future KeNB (the key to be used when the UE connects to another eNodeB after n, with n equal to 1 or 2, or more handovers) cannot be predicted because of the computational cost. This limits the damage even if a key leaks, because in the vertical derivation the future key is generated without using the current KeNB.
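The key chain described in 9.2.3.2 and in this section, worked through as an added example (not code from the book): it implements the generic KDF construction of 3GPP TS 33.401 Annex A with the FC values defined there, derives KASME, the initial KeNB, the NH chain and KeNB* for horizontal and vertical derivation, and shows why an attacker holding the current KeNB can reproduce a horizontal derivation but not a vertical one. CK, IK, SQN xor AK and the target-cell parameters are constructed test values, not the output of a real USIM or AuC.

```python
"""EPS key hierarchy (Figure 9.7) and handover key chaining (Figure 9.9).

Added example, not code from the book. The KDF is the generic 3GPP
construction of TS 33.401 Annex A: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
with the FC values defined there. CK, IK, SQN xor AK and the cell parameters
used below are constructed test values, not the output of a real USIM or AuC.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Pi followed by its 2-byte length Li
    return hmac.new(key, s, hashlib.sha256).digest()


def sn_id(mcc: str, mnc: str) -> bytes:
    """Serving network identity as a 3-byte BCD PLMN id (MCC digit 2|digit 1,
    MNC digit 3|MCC digit 3, MNC digit 2|digit 1). A 2-digit MNC carries 0xF as
    digit 3, so MNC 15 and MNC 150 give different SN ids and different KASMEs."""
    m1, m2, m3 = (int(d) for d in mcc)
    n1, n2 = int(mnc[0]), int(mnc[1])
    n3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([(m2 << 4) | m1, (n3 << 4) | m3, (n2 << 4) | n1])


def derive_kasme(ck: bytes, ik: bytes, snid: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME = KDF(CK || IK, FC=0x10, SN id, SQN xor AK): binds the key to the PLMN."""
    return kdf(ck + ik, 0x10, snid, sqn_xor_ak)


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """Initial KeNB (NCC = 0) = KDF(KASME, FC=0x11, NAS uplink COUNT)."""
    return kdf(kasme, 0x11, nas_uplink_count.to_bytes(4, "big"))


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH = KDF(KASME, FC=0x12, SYNC-input). SYNC-input is the initial KeNB for
    NCC = 1 and the previous NH for every later NCC; only the UE and MME hold KASME."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(parent: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* = KDF(parent, FC=0x13, PCI, EARFCN-DL) of the target cell.
    parent = current KeNB (horizontal derivation) or NH (vertical derivation)."""
    return kdf(parent, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02,
            "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}


def derive_alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """Algorithm key = 128 LSB of KDF(parent, FC=0x15, type distinguisher, EEA/EIA id).
    parent is KASME for the NAS keys and KeNB for the AS keys."""
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]


def nh_chain(kasme: bytes, kenb0: bytes, max_ncc: int) -> list:
    """NH values for NCC = 1 .. max_ncc, as the MME and the UE compute them."""
    chain, sync = [], kenb0
    for _ in range(max_ncc):
        sync = derive_nh(kasme, sync)
        chain.append(sync)
    return chain


def forward_security_demo() -> dict:
    """An attacker holding the current KeNB (but not KASME) can reproduce a
    horizontal KeNB*, but not a vertical one, which starts from NH."""
    ck, ik = bytes(range(16)), bytes(range(16, 32))            # constructed CK, IK
    kasme = derive_kasme(ck, ik, sn_id("234", "15"), bytes(5) + b"\x2a")
    kenb = derive_kenb(kasme, 0)                               # NCC = 0
    nh = nh_chain(kasme, kenb, 2)                              # NH for NCC = 1, 2
    pci, earfcn = 301, 1850                                    # target cell
    horizontal = derive_kenb_star(kenb, pci, earfcn)           # NCC stays 0
    vertical = derive_kenb_star(nh[1], pci, earfcn)            # NCC becomes 2
    attacker_guess = kdf(kenb, 0x13, pci.to_bytes(2, "big"), earfcn.to_bytes(2, "big"))
    return {
        "horizontal_guessable": attacker_guess == horizontal,
        "vertical_guessable": attacker_guess == vertical,
        "k_rrc_int": derive_alg_key(vertical, "RRC-int", 2),   # 128-EIA2 key at target
        "k_nas_enc": derive_alg_key(kasme, "NAS-enc", 2),      # 128-EEA2 key at MME
    }


if __name__ == "__main__":
    result = forward_security_demo()
    print("horizontal KeNB* reproducible from KeNB:", result["horizontal_guessable"])
    print("vertical KeNB* reproducible from KeNB:  ", result["vertical_guessable"])
```

KASME is bound to the serving network through the SN id, which is why an authentication vector obtained for one PLMN is useless in another; the 16-byte algorithm keys are the 128 least significant bits of the 256-bit KDF output, as the standard specifies. Only the key values depend on the constructed inputs; the derivation structure is the standard's.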
9.4. SECURITY PROCEDURES WHEN THE UE INITIATES A CONNECTION TO THE EPS
9.4.1. Overview of the security procedures and signalling when the UE initiates a connection to the EPS
Figure 9.10 shows the security procedures when the UE initiates a connection to the EPS.



[Figure 9.10 (diagram): UE -- eNodeB -- MME (S1-MME), eNodeB -- SGW (S1-U), SGW -- PGW (S5), MME -- HSS (S6). Steps: (1) radio-level access and control-channel set-up: the UE gains access to the eNodeB by random access; the RRC messages are not security protected; the NAS message from the UE is carried inside an RRC message and may or may not be security protected. (2) Attach request: the UE registers with the network; all details about the UE and the radio are sent; the network may check the UE identity; the message may be security protected. (3) AKA and Security Mode Command (SMC): mutual authentication, establishment of the security keys, activation of security. (4) The HSS is told which MME the UE is in. (5) The route to the P-GW is set up and the P-GW assigns an IP address. (6) Attach completes and the session is established; RRC messages may be sent without protection.]

Figure 9.10. Security procedures when the UE initiates a connection to the EPS.


To initiate the first connection to the EPS, the UE first performs network access; the signalling and security procedures in this phase are:

Radio-level access and control-channel set-up:
- By random access, the UE gains access to the eNodeB
- The RRC messages are not security protected
- The NAS message from the UE is carried inside an RRC message
- The NAS message may or may not be security protected

The UE then performs network attach, with the following signalling and security procedures:
- The UE must register with the network
- All details about the UE and the radio are sent
- The UE identity can be checked by the network
- The exchange may be security protected

Next come the AKA protocol and the Security Mode Command (SMC):
- Mutual authentication
- Establishment of the security keys
- Activation of security

After the SMC, the ciphering and integrity keys for NAS and AS are computed. The HSS is informed which MME the UE is in, the route to the P-GW can be set up, and the P-GW assigns an IP address to the UE.

9.4.2. The AKA (Authentication and Key Agreement) procedure

All operations needed to protect the user's security (derivation of the security keys and mutual authentication) are performed in the AKA process. AKA in EPS follows the same pattern as AKA in 3G UMTS. The process is shown in Figure 9.11.
[Figure 9.11 (diagram): UE (USIM) -- MME -- HSS over Gr (S6). MME -> UE: identity request; UE -> MME: identity response (IMSI); MME -> HSS: authentication data request (IMSI); HSS -> MME: authentication data response (authentication vectors); MME selects an authentication vector AV (RAND, XRES, AUTN_HSS, KASME); MME -> UE: user authentication request (RAND, AUTN); the USIM checks AUTN, computes RES, then CK and IK; UE -> MME: authentication response (RES); the MME compares RES with XRES. The network and the UE have now authenticated each other and the top-level key KASME is established.]

Figure 9.11. The AKA process


The AKA process is triggered by a connection or service request from the UE, i.e. by the first NAS (Non Access Stratum) message in Figure 9.11. This message may be an Attach Request or a Service Request. In most cases the connection request is made when the UE registers after power-on, but AKA can also run in many other cases, such as the transition from IDLE to ACTIVE state. This initial connection message carries the user identity that is used in the rest of the procedure.
On the user's connection request, the MME requests authentication information from the HSS over the Gr (S6) interface. The HSS answers with a set of one to n authentication vectors (AV). Each AV contains:
- RAND. The random challenge, one of the input parameters used to generate the other elements of the vector
- XRES. The Expected Response, used by the network to authenticate the USIM
- AUTN. The Authentication Token, used by the USIM to authenticate the network
- KASME. The top-level key from which the other keys are generated
Using one of the vectors in the list, the MME binds the AKA procedure to the USIM: it sends the UE an authentication request containing RAND and AUTN.
In detail, the EPS AKA protocol runs as follows:
- When the UE registers for the first time with the serving network, the MME of the serving network sends a user identity request in order to authenticate the USIM
- In reply the UE sends its IMSI to the MME. The MME sends an authentication data request to the HSS with the IMSI, the SNID (Serving Network Identity, i.e. MCC+MNC) and the serving network type
- On receiving the authentication data request from the MME, the HSS may have EPS authentication vectors (EPS AV) precomputed by the AUC, or the AUC computes them on demand and sends them to the HSS
- The HSS sends the authentication data response to the MME, containing an ordered array of n EPS AVs (1..n). If n>1 the EPS AVs are ordered by sequence number. The standard recommends n=1, so normally only one AV is sent at a time. Each AV has four parts: the random number RAND, the expected response XRES, the local master key KASME and the authentication token AUTN_HSS
- The UE checks AUTN to authenticate the network, computes RES, CK and IK, and sends the authentication response with RES to the MME
- The MME compares RES with XRES to authenticate the UE: if they match, the authentication succeeds; otherwise the MME rejects the access request.
The computation of the EPS AKA parameters is shown in Figure 9.12. Once the MME knows the IMSI, it requests an authentication vector from the HSS/AUC. Based on the IMSI, the HSS/AUC looks up the key K and a sequence number (SQN) associated with that IMSI. The AUC increments SQN and generates a random challenge RAND (Random Number). Taking these parameters together with the key K, the cryptographic functions produce the EPS AV; before the KASME step it consists of five parameters: XRES (expected response), the network authentication token AUTN, the two keys CK (Ciphering Key) and IK (Integrity Key), and RAND.
For E-UTRAN, however, CK and IK are not sent to the MME. Instead, the HSS/AUC derives a new key KASME from CK, IK and further parameters, in particular the SNID (Serving Network Identity). The SNID consists of the MCC (Mobile Country Code) and the MNC (Mobile Network Code). Using the SNID ensures that a key derived for one serving network cannot be used in another network. Mutual authentication is performed with the parameters RAND, AUTN and XRES, but only RAND and AUTN are sent to the UE (Figure 9.13a).
[Figure 9.12 (diagram): HSS/AUC: IMSI -> K (LTE K) and SQN; RAND is generated; the cryptographic functions produce XRES, AUTN_HSS, CK and IK from K, SQN and RAND; KDF(CK, IK, SQN, SNID) -> KASME; (AUTN, RAND, XRES, KASME) is sent to the MME.
IMSI: International Mobile Subscriber Identity; SNID (= MCC+MNC): Serving Network Identity; MCC: Mobile Country Code; MNC: Mobile Network Code; KDF: Key Derivation Function]

Figure 9.12. Computation of the EPS AV parameters in the AKA process.



[Figure 9.13 (diagram)
a) EPS AKA between UE and MME: the MME receives the EPS AV (AUTN_HSS, RAND, XRES, KASME) from the HSS and sends AUTN_HSS and RAND to the UE. The USIM (holding LTE K) returns RES, CK and IK to the ME; the UE sends RES to the MME, which checks RES = XRES. Both the UE and the MME then use KASME to compute the further keys.
b) Computation of the AKA parameters in the UE: from K, SQN and RAND the cryptographic functions produce RES, AUTN_UE, CK and IK; the UE compares AUTN_UE with AUTN_HSS and the network compares RES with XRES; KDF(CK, IK, SQN, SNID) -> KASME.]

Figure 9.13. EPS AKA between UE and MME

The two parameters RAND and AUTN_HSS are sent to the USIM; AUTN_HSS was computed by the HSS/AUC from the secret key and SQN. The USIM, using its secret key K and SQN, computes AUTN_UE and compares it with the AUTN_HSS received from the MME. If they match, the USIM has authenticated the network. (In practice the USIM recovers SQN from AUTN, verifies the MAC carried in AUTN and also checks that SQN is fresh, which is what stops a captured RAND/AUTN pair from being replayed to the USIM.) The USIM then computes RES using the cryptographic functions with the key K and RAND as inputs. The USIM also computes CK and IK in the same way as in UTRAN (Figure 9.13b). When the UE receives RES, CK and IK from the USIM, it sends RES to the MME. The MME authenticates the UE by comparing RES with XRES; if they are equal, mutual authentication is complete.
Finally the UE uses CK and IK to compute KASME exactly as KASME was computed in the HSS/AUC. (Note that the important keys LTE K, CK, IK and KASME are never sent over the radio path.)
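The AKA exchange above as an added example (not code from the book), with the HSS/AuC, USIM and MME sides written out. The MILENAGE functions f1 to f5 of a real AuC and USIM are AES-based; here each is stood in for by HMAC-SHA-256 with a distinct label so the protocol logic runs without a crypto library. K, AMF, SQN and RAND are constructed values. Besides the normal run it shows the two failure modes the USIM must handle: a MAC failure (network not authenticated, e.g. RAND altered in transit or a USIM with a different K) and a synchronisation failure when a captured authentication vector is replayed.

```python
"""EPS AKA exchange (Figures 9.11 to 9.13): AV generation at the HSS/AuC,
AUTN verification and RES computation in the USIM, RES/XRES check in the MME.

Added example, not code from the book. The MILENAGE functions f1..f5 of a real
AuC/USIM are AES based; here each is stood in for by HMAC-SHA-256 with a
distinct label so the protocol logic can run without a crypto library.
K, AMF, SQN and RAND are constructed test values. The KASME step that follows
(KDF over CK || IK and the serving network id) is not repeated here.
"""
import hashlib
import hmac
import os


def f(label: bytes, k: bytes, *parts: bytes) -> bytes:
    """Stand-in for MILENAGE f1..f5: HMAC-SHA-256(K, label || parts)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


AMF = b"\x80\x00"   # Authentication Management Field (constructed value)


class AuC:
    """Holds the permanent key K and the per-subscriber SQN counter."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def generate_av(self, rand: bytes = None) -> dict:
        self.sqn += 1                                  # fresh SQN for every AV
        sqn = self.sqn.to_bytes(6, "big")
        rand = rand or os.urandom(16)
        mac = f(b"f1", self.k, sqn, rand, AMF)[:8]      # proves the AuC knows K
        xres = f(b"f2", self.k, rand)[:8]
        ck = f(b"f3", self.k, rand)[:16]
        ik = f(b"f4", self.k, rand)[:16]
        ak = f(b"f5", self.k, rand)[:6]                # anonymity key conceals SQN
        autn = xor(sqn, ak) + AMF + mac                # AUTN = SQN^AK || AMF || MAC
        return {"RAND": rand, "XRES": xres, "AUTN": autn, "CK": ck, "IK": ik}


class USIM:
    """Verifies AUTN (MAC and SQN freshness) and computes RES, CK and IK."""

    def __init__(self, k: bytes, sqn_highest: int = 0):
        self.k, self.sqn_highest = k, sqn_highest

    def challenge(self, rand: bytes, autn: bytes) -> dict:
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = f(b"f5", self.k, rand)[:6]
        sqn = xor(sqn_xor_ak, ak)
        xmac = f(b"f1", self.k, sqn, rand, amf)[:8]
        if not hmac.compare_digest(xmac, mac):
            return {"status": "MAC failure"}            # network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_highest:
            return {"status": "synch failure"}          # replayed or stale AV
        self.sqn_highest = int.from_bytes(sqn, "big")  # accept and advance window
        return {"status": "ok",
                "RES": f(b"f2", self.k, rand)[:8],
                "CK": f(b"f3", self.k, rand)[:16],
                "IK": f(b"f4", self.k, rand)[:16]}


def mme_authenticate(av: dict, usim: USIM) -> str:
    """MME side: forward RAND and AUTN, then compare RES with the XRES of the AV."""
    reply = usim.challenge(av["RAND"], av["AUTN"])
    if reply["status"] != "ok":
        return reply["status"]
    if hmac.compare_digest(reply["RES"], av["XRES"]):
        return "authenticated"
    return "RES mismatch"


def run_aka_scenarios() -> dict:
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")     # constructed K
    auc, usim = AuC(k), USIM(k)
    av = auc.generate_av()
    first = mme_authenticate(av, usim)                       # normal run
    replay = mme_authenticate(av, usim)                      # same AV replayed
    tampered = dict(av, RAND=xor(av["RAND"], b"\x01" + bytes(15)))
    bad_rand = mme_authenticate(tampered, usim)              # RAND altered in transit
    wrong_key = mme_authenticate(auc.generate_av(), USIM(bytes(16)))  # USIM with other K
    return {"first": first, "replay": replay,
            "tampered_rand": bad_rand, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, outcome in run_aka_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

In a real USIM the freshness check is a window around the highest accepted SQN rather than a strict "greater than", and a synchronisation failure triggers a resynchronisation with the AuC (the AUTS parameter) instead of a plain rejection; the simplified comparison here keeps the replay outcome visible.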

9.4.3. NAS SMC (NAS Security Mode Command)

After AKA, the MME holds KASME, the top-level key of the hierarchy in the network. The NAS SMC (Security Mode Command) negotiates the integrity and ciphering algorithms for the NAS. The procedure for negotiating the NAS integrity and ciphering algorithms and computing the NAS integrity and ciphering keys is shown in Figure 9.14.
[Figure 9.14 (diagram): UE (USIM) -- eNodeB -- MME. The MME is configured with an ordered list of allowed ciphering and integrity algorithms. MME: selects the highest-priority algorithms; computes the NAS ciphering and integrity keys; starts NAS integrity protection. MME -> UE: NAS Security Mode Command (eKSI, UE security capabilities, NAS EEA, NAS EIA, [IMEI request], [NONCE_UE, NONCE_MME], NAS-MAC). UE: checks the integrity of the NAS SMC; if successful, computes the NAS ciphering and integrity keys, starts ciphering/deciphering and integrity protection, and sends NAS Security Mode Complete ([IMEI], NAS-MAC). MME: the selected NAS algorithms and the NAS keys are now in use; NAS security is started and, if the algorithm changed, integrity protection continues with the new algorithm.
NAS EEA: NAS E-UTRAN Encryption Algorithm; NAS EIA: NAS E-UTRAN Integrity Algorithm; IMEI: International Mobile Equipment Identity; NONCE_UE and NONCE_MME: random values exchanged between the UE and the MME; NAS-MAC: NAS Message Authentication Code; eKSI identifies the current KASME.]

Figure 9.14. NAS SMC (Non Access Stratum Security Mode Command): selection of the integrity algorithm and computation of the NAS keys.

Based on the UE security capabilities, the MME selects the integrity and ciphering algorithms with the highest priority. Using the identities of the selected NAS algorithms and the key KASME, the MME computes the NAS ciphering and integrity keys KNASenc and KNASint. From this point on, NAS signalling from the MME to the UE is integrity protected by appending a NAS-MAC (NAS Message Authentication Code).
The SMC (Security Mode Command) carries the selected NAS integrity and ciphering algorithms, the UE security capabilities and, when present, the NONCE values exchanged between the UE and the MME. The SMC is integrity protected by the appended NAS-MAC. The UE checks the integrity of the NAS SMC and, if the check succeeds, uses the selected ciphering and integrity algorithms and KASME to compute the same NAS ciphering and integrity keys as the MME. It then starts ciphering/deciphering and integrity protection and sends NAS Security Mode Complete. Because the UE security capabilities were first sent in the unprotected Attach Request, their integrity-protected echo in the SMC lets the UE verify that nobody on the path weakened them to force the selection of a weaker (or the null) algorithm.

9.4.4. AS SMC (AS Security Mode Command)

The procedure for negotiating the algorithms and computing the ciphering and integrity keys for the AS is shown in Figure 9.15.
[Figure 9.15 (diagram): UE -- eNodeB -- MME. The eNodeB is configured with an ordered list of allowed ciphering and integrity algorithms. The UE capabilities are sent to the MME during connection set-up together with the START value; this value is reported back to the UE integrity protected and the UE answers with the same value, integrity protected, all within NAS. MME -> eNodeB: establish UE AS security context (UE capabilities, eKSI). eNodeB: selects the highest-priority algorithms; computes the ciphering keys for RRC and UP and the integrity key for RRC; starts RRC integrity protection. eNodeB -> UE: AS Security Mode Command, integrity protected (integrity and ciphering algorithms, MAC-I). UE: checks the integrity of the AS SMC; if successful, computes the RRC and UP ciphering keys and the RRC integrity key, starts RRC integrity protection and downlink deciphering, and sends AS Security Mode Complete (MAC-I). eNodeB: starts RRC/UP ciphering and deciphering; the AS algorithms are selected, the AS keys generated and AS security started.]

Figure 9.15. AS SMC (Access Stratum Security Mode Command): selection of the integrity algorithm and computation of the AS keys.

The sequence of the negotiation and key computation procedures for the AS is the same as for the NAS. The only difference is the keys that are computed: (1) the ciphering and integrity keys for AS signalling, KRRCenc and KRRCint, and (2) the ciphering key for data (UP: user plane), KUPenc. The AS SMC is integrity protected by the MAC-I (Message Authentication Code for Integrity).
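The algorithm negotiation of the NAS and AS SMCs as an added example (not code from the book). It selects the highest-priority algorithm from the operator's list that the UE supports, builds an integrity-protected SMC that echoes the UE security capabilities, and shows the UE-side check that detects a bidding-down attempt on the unprotected Attach Request as well as a forged SMC. NAS-MAC is stood in for by a 32-bit truncation of HMAC-SHA-256 rather than the selected EIA; the key, the priority lists and the capability sets are constructed.

```python
"""Security Mode Command negotiation (Figures 9.14 and 9.15) with the
bidding-down check on the echoed UE security capabilities.

Added example, not code from the book. NAS-MAC is stood in for by a 32-bit
truncation of HMAC-SHA-256 instead of the selected EIA. The key, the
operator priority lists and the UE capability sets are constructed.
"""
import hashlib
import hmac

EEA = {0: "EEA0 (null)", 1: "128-EEA1 (SNOW 3G)", 2: "128-EEA2 (AES)"}
EIA = {1: "128-EIA1 (SNOW 3G)", 2: "128-EIA2 (AES)"}


def select_algorithm(operator_priority: list, ue_supported: set):
    """First algorithm in the operator's priority list that the UE supports."""
    for alg in operator_priority:
        if alg in ue_supported:
            return alg
    return None                                   # no common algorithm: reject the UE


def nas_mac(k_nas_int: bytes, msg: bytes) -> bytes:
    return hmac.new(k_nas_int, msg, hashlib.sha256).digest()[:4]


def encode_caps(caps: dict) -> bytes:
    """Fixed encoding of the capability sets so both sides compare the same bytes."""
    return bytes(sorted(caps["EEA"])) + b"|" + bytes(sorted(caps["EIA"]))


def build_smc(k_nas_int: bytes, caps_seen: dict, eea_id: int, eia_id: int, eksi: int) -> bytes:
    """SMC = eKSI || EEA id || EIA id || echoed UE capabilities || NAS-MAC."""
    body = bytes([eksi, eea_id, eia_id]) + encode_caps(caps_seen)
    return body + nas_mac(k_nas_int, body)


def ue_check_smc(k_nas_int: bytes, smc: bytes, own_caps: dict) -> str:
    """UE side: integrity first, then the echoed capabilities, then the choice."""
    body, tag = smc[:-4], smc[-4:]
    if not hmac.compare_digest(nas_mac(k_nas_int, body), tag):
        return "integrity check failed"
    if body[3:] != encode_caps(own_caps):
        return "capabilities mismatch (bidding down)"
    eea_id, eia_id = body[1], body[2]
    if eea_id not in own_caps["EEA"] or eia_id not in own_caps["EIA"]:
        return "unsupported algorithm"
    return "accept"


def run_scenarios() -> dict:
    k_nas_int = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed KNASint
    ue_caps = {"EEA": {0, 1, 2}, "EIA": {1, 2}}
    eea_priority, eia_priority = [2, 1, 0], [2, 1]                  # operator preference
    eksi = 1

    # 1. Honest run: the MME saw the real capabilities in the Attach Request.
    eea = select_algorithm(eea_priority, ue_caps["EEA"])
    eia = select_algorithm(eia_priority, ue_caps["EIA"])
    smc = build_smc(k_nas_int, ue_caps, eea, eia, eksi)
    honest = (ue_check_smc(k_nas_int, smc, ue_caps), eea, eia)

    # 2. Bidding down: an attacker rewrote the unprotected Attach Request so the
    #    MME believes the UE supports only EEA0/EIA1. The MME picks those and
    #    echoes what it saw; the UE notices the echo differs from what it sent.
    seen = {"EEA": {0}, "EIA": {1}}
    eea = select_algorithm(eea_priority, seen["EEA"])
    eia = select_algorithm(eia_priority, seen["EIA"])
    smc = build_smc(k_nas_int, seen, eea, eia, eksi)
    stripped = ue_check_smc(k_nas_int, smc, ue_caps)

    # 3. The attacker edits the SMC itself to switch ciphering to EEA0: without
    #    KNASint the NAS-MAC no longer verifies.
    smc = build_smc(k_nas_int, ue_caps, 2, 2, eksi)
    forged = smc[:1] + b"\x00" + smc[2:]
    tampered = ue_check_smc(k_nas_int, forged, ue_caps)
    return {"honest": honest, "stripped": stripped, "tampered": tampered}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} -> {outcome}")
```

The same check applies to the AS SMC with MAC-I under KRRCint. The capability comparison is only meaningful because the echo is integrity protected: an attacker who can rewrite the Attach Request cannot also produce a valid NAS-MAC for the SMC that echoes the rewritten capabilities.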
9.4.5. Computation of the integrity and ciphering keys
EPS AKA provides authentication, confidentiality and integrity for the LTE network. Figure 9.16 shows the identities and security parameters and the keys involved in authentication and in confidentiality and integrity protection of the NAS and AS in LTE.
[Figure 9.16 (diagram): HSS holds IMSI and LTE K and produces the EPS authentication vectors AV (RAND, AUTN, XRES, KASME). MME holds KNASint/KNASenc; NAS signalling is integrity protected (mandatory) and ciphered (optional). eNodeB holds KRRCint/KRRCenc and KUPenc; RRC signalling is integrity protected (mandatory) and ciphered (optional); user-plane ciphering is optional. UE holds IMSI, LTE K, KNASint/KNASenc, KRRCint/KRRCenc and KUPenc. Mutual authentication takes place between the UE and the network.]

Figure 9.16. Security parameters and keys generated during the UE's initial connection to the network.
The computation of the keystreams for ciphering and of the message authentication codes (MAC) for integrity protection is shown in Figure 9.17. For ciphering, KEY is KNASenc, KRRCenc or KUPenc; for integrity protection, KEY is KNASint or KRRCint.



[Figure 9.17 (diagram)
a) Ciphering: the sender feeds COUNT, BEARER, DIRECTION, LENGTH and KEY into the EEA, which outputs a KEYSTREAM BLOCK; the PLAINTEXT BLOCK is XORed with it to give the CIPHERTEXT BLOCK. The receiver generates the same KEYSTREAM BLOCK from the same inputs and XORs it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK.
b) Integrity: the sender feeds COUNT, DIRECTION, BEARER, KEY, LENGTH and the message into the EIA to produce MAC-I/NAS-MAC; the receiver computes XMAC-I/XNAS-MAC from the same inputs and compares the two.
COUNT: packet count; BEARER: bearer identity; DIRECTION: uplink/downlink; LENGTH: keystream length; KEY: key; Sender/Receiver; KEYSTREAM BLOCK; PLAINTEXT BLOCK; CIPHERTEXT BLOCK; MAC: Message Authentication Code; XMAC: Expected MAC; I: Integrity; NAS: Non Access Stratum; EEA: EPS Encryption Algorithm; EIA: EPS Integrity Algorithm.]

Figure 9.17. Computation of the keystreams for ciphering (Enc) and of the message authentication codes (MAC) for integrity protection
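The per-packet inputs of Figure 9.17 as an added example (not code from the book), which also illustrates the warning in 9.2.3.2 that a keystream must never be reused. The input layout COUNT (32 bits) | BEARER (5) | DIRECTION (1) | 26 zero bits follows TS 33.401; the keystream generator and the MAC are stood in for by HMAC-SHA-256 (the real 128-EEA2 and 128-EIA2 are AES in CTR mode and AES-CMAC), so the values are illustrative. The key and the messages are constructed.

```python
"""Per-packet inputs of the EPS ciphering and integrity functions (Figure 9.17)
and the consequence of reusing a keystream under one key.

Added example, not code from the book. The real 128-EEA2/128-EIA2 are AES in
CTR mode and AES-CMAC; here the keystream generator and the MAC are stood in
for by HMAC-SHA-256 so the block runs with the standard library only. The
input layout COUNT(32) | BEARER(5) | DIRECTION(1) | 26 zero bits follows
TS 33.401. The key and the messages are constructed.
"""
import hashlib
import hmac


def cipher_iv(count: int, bearer: int, direction: int) -> bytes:
    """COUNT(32 bits) || BEARER(5) || DIRECTION(1) || 26 zero bits, as 8 bytes."""
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("bad COUNT/BEARER/DIRECTION")
    return ((count << 32) | (bearer << 27) | (direction << 26)).to_bytes(8, "big")


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream of LENGTH bytes: block i = PRF(key, IV || i). Stand-in for the EEA."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def eea(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Ciphering and deciphering are the same XOR with the keystream block."""
    ks = keystream(key, cipher_iv(count, bearer, direction), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def eia(key: bytes, count: int, bearer: int, direction: int, msg: bytes) -> bytes:
    """32-bit MAC-I / NAS-MAC over the same per-packet inputs plus the message."""
    return hmac.new(key, cipher_iv(count, bearer, direction) + msg, hashlib.sha256).digest()[:4]


def verify(key: bytes, count: int, bearer: int, direction: int, msg: bytes, mac: bytes) -> bool:
    """Receiver computes XMAC-I / XNAS-MAC and compares in constant time."""
    return hmac.compare_digest(eia(key, count, bearer, direction, msg), mac)


def keystream_reuse_leak(key: bytes, count: int, bearer: int, direction: int,
                         p1: bytes, p2: bytes) -> bytes:
    """Two packets ciphered with the same (key, COUNT, BEARER, DIRECTION): the XOR
    of the two ciphertexts equals the XOR of the plaintexts, the keystream cancels."""
    c1 = eea(key, count, bearer, direction, p1)
    c2 = eea(key, count, bearer, direction, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed KRRCenc
    p1, p2 = b"RRCConnectionReconfig", b"RRCConnectionRelease!"
    leak = keystream_reuse_leak(key, 5, 1, 0, p1, p2)
    print("c1 xor c2 == p1 xor p2:", leak == bytes(a ^ b for a, b in zip(p1, p2)))
    print("next COUNT removes it:", eea(key, 6, 1, 0, p2) != eea(key, 5, 1, 0, p2))
```

COUNT is the PDCP COUNT (hyper frame number and sequence number) or the NAS COUNT, so the renewal of the key at connection set-up or handover described in 9.2.3.2 is what keeps the tuple (key, COUNT, BEARER, DIRECTION) from ever repeating; the last function shows what an eavesdropper learns if it does.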

9.5. SECURITY PROCEDURES FOR NON-3GPP ACCESS NETWORKS

When a terminal accesses the network through a non-3GPP access (a WLAN access point, for instance), the AKA process above cannot be used as is. In this case the terminal (with its USIM) authenticates to the network through an AAA server, using protocols that the MME does not support. For this purpose the EAP-AKA protocol was defined (EAP: Extensible Authentication Protocol). EAP is an authentication and session key distribution framework defined by the IETF that supports many authentication methods. EAP-AKA itself is functionally very similar to UMTS AKA.

Figure 9.18 shows the steps of the EAP-AKA procedure.


Figure 9.18. The EAP-AKA procedure.
(Message sequence recovered from the figure; entities: UE (USIM), WLAN access point, 3GPP AAA server and HSS; reference point Wa between WLAN and AAA server, Wx between AAA server and HSS.)
1. WLAN -> UE: EAP Request (Identity).
2. UE -> WLAN -> AAA server: EAP Response (NAI).
3. AAA server <-> HSS: exchange of authentication vectors and subscriber data; the AAA server selects one authentication vector.
4. AAA server -> UE: EAP Request/AKA-Challenge (RAND, AUTN, MAC).
5. UE: checks AUTN, computes RES.
6. UE -> AAA server: EAP Response/AKA-Challenge (RES, MAC); both sides compute the keys.
7. AAA server: compares RES with XRES.
8. AAA server -> WLAN: EAP Success (with the keys); the WLAN stores the keys.
9. WLAN -> UE: EAP Success.

After the request from the WLAN access point, the terminal sends its identity in the form of an NAI (Network Access Identifier). This identity is built in the IETF username@realm format from the user's IMSI and the MCC and MNC parts it contains. Figure 9.19 gives an example of an NAI. The leading digit, which is not part of the IMSI, indicates whether the NAI belongs to EAP-AKA (0) or to EAP-SIM (1); EAP-SIM is used for 2G GSM authentication with a SIM.

Figure 9.19. Example of NAI encoding. For the IMSI 234 150 999999999 (MCC 234, MNC 150) the NAI is:
0234150999999999@wlan.mnc150.mcc234.3gppnetwork.org


The WLAN uses the MCC/MNC in the realm to locate the 3GPP AAA server responsible for the user. On receiving the EAP identity, the AAA server obtains a set of authentication vectors, as in UMTS AKA, and selects one of them.

The 3GPP AAA server then sends an EAP Request/AKA-Challenge message to the terminal containing RAND, AUTN and a MAC (Message Authentication Code). As in UMTS AKA, the USIM uses AUTN to authenticate the network; if the check succeeds, the terminal produces RES (so that the network can authenticate the terminal) and the keys CK and IK. After the network has authenticated the terminal, the session-specific keys are sent by the AAA server to the WLAN to protect subsequent transmission between the terminal and the access point.
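The following Python example is added here and is not part of the chapter. It builds the root NAI of Figure 9.19 from an IMSI and parses it back on the WLAN/AAA side, recovering the EAP method from the leading digit and the realm used to route to the home 3GPP AAA server, and cross-checks the realm against the IMSI. The function names are this example's own; the IMSIs are constructed. Note that the root NAI carries the permanent IMSI in clear, which is why EAP-AKA also defines pseudonym and fast re-authentication identities for later exchanges.

```python
import re

# Root-NAI layout as in Fig. 9.19:
#   <prefix><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
# prefix "0" = EAP-AKA, "1" = EAP-SIM. The realm always carries a 3-digit MNC.
REALM_SUFFIX = "3gppnetwork.org"
METHOD_TO_PREFIX = {"EAP-AKA": "0", "EAP-SIM": "1"}
PREFIX_TO_METHOD = {v: k for k, v in METHOD_TO_PREFIX.items()}


def build_root_nai(imsi: str, mnc_length: int, method: str = "EAP-AKA") -> str:
    """Build the permanent (root) NAI the UE sends in the EAP-Response/Identity."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI is 6..15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_length]
    # a 2-digit MNC is zero-padded to 3 digits in the realm
    return f"{METHOD_TO_PREFIX[method]}{imsi}@wlan.mnc{mnc.zfill(3)}.mcc{mcc}.{REALM_SUFFIX}"


_ROOT_NAI = re.compile(
    r"^(?P<prefix>[01])(?P<imsi>\d{6,15})@wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\."
    + re.escape(REALM_SUFFIX) + r"$"
)


def parse_root_nai(nai: str) -> dict:
    """WLAN/AAA side: recover the EAP method, the IMSI and the realm that selects
    the home 3GPP AAA server, and reject a realm that does not match the IMSI."""
    m = _ROOT_NAI.match(nai)
    if m is None:
        raise ValueError("not a 3GPP WLAN root NAI")
    prefix, imsi, mnc, mcc = m.group("prefix", "imsi", "mnc", "mcc")
    if imsi[:3] != mcc:
        raise ValueError("MCC in realm does not match the IMSI")
    # 3-digit MNC must equal imsi[3:6]; a zero-padded 2-digit MNC must equal imsi[3:5]
    if not (imsi[3:6] == mnc or (mnc[0] == "0" and imsi[3:5] == mnc[1:])):
        raise ValueError("MNC in realm does not match the IMSI")
    return {
        "method": PREFIX_TO_METHOD[prefix],
        "imsi": imsi,
        "mcc": mcc,
        "mnc": mnc,
        "realm": nai.split("@", 1)[1],
    }


if __name__ == "__main__":
    nai = build_root_nai("234150999999999", mnc_length=3)  # constructed IMSI from Fig. 9.19
    print(nai)
    print(parse_root_nai(nai))
```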
9.6. SUMMARY OF SECURITY PROCEDURES AND KEY GENERATION IN EPS

Figure 9.20 summarises the security procedures and key generation in EPS.

Figure 9.20. Summary of the security procedures and key generation in EPS.
(Message sequence and key derivations recovered from the figure; entities: UE (USIM), eNodeB, MME, HSS.)

1 Authentication
- UE -> MME: Attach Request (IMSI/GUTI, UE security capabilities, KSI_ASME = 1).
- MME -> HSS: Authentication Data Request (IMSI, SN ID, network type).
- HSS: EPS AKA algorithm with inputs LTE K, RAND, SQN and SN ID; output authentication vector AV = (RAND, XRES, AUTN, K_ASME).
- HSS -> MME: Authentication Data Response (AV(1..n)).
- MME -> UE: Authentication Request (RAND, AUTN, KSI_ASME = 1) [no ciphering, no integrity protection].
- UE: EPS AKA algorithm with inputs LTE K, RAND, SQN and SN ID; computes AUTN_UE, RES and K_ASME; the network (HSS) is authenticated if AUTN_UE = AUTN_HSS.
- UE -> MME: Authentication Response (RES) [no ciphering, no integrity protection].
- MME: the UE is authenticated if RES = XRES.

2 NAS security setup
- MME: selects the NAS ciphering and integrity algorithms; KDF(K_ASME, Alg-ID, algorithm distinguisher) -> K_NASenc, K_NASint.
- MME -> UE: NAS Security Mode Command, SMC (KSI_ASME = 1, replayed UE security capabilities, NAS ciphering algorithm = EEA1, NAS integrity algorithm = EIA1, NAS-MAC) [NAS integrity protected].
- UE: KDF(K_ASME, Alg-ID, algorithm distinguisher) -> K_NASenc, K_NASint.
- UE -> MME: NAS Security Mode Complete (NAS-MAC) [NAS integrity protected].
- From here on NAS signalling is ciphered and integrity protected.

3 AS security setup
- MME: KDF(K_ASME, NAS uplink COUNT) -> K_eNB.
- MME -> eNodeB: Initial Context Setup Request (UE security capabilities, K_eNB).
- eNodeB: selects the AS ciphering and integrity algorithms; KDF(K_eNB, Alg-ID, algorithm distinguisher) -> K_RRCenc, K_RRCint, K_UPenc.
- eNodeB -> UE: AS Security Mode Command, SMC (ciphering algorithm = EEA1, integrity algorithm = EIA1, MAC-I) [AS integrity protected].
- UE: KDF(K_ASME, NAS uplink COUNT) -> K_eNB; KDF(K_eNB, Alg-ID, algorithm distinguisher) -> K_RRCenc, K_RRCint, K_UPenc.
- UE -> eNodeB: AS Security Mode Complete (MAC-I) [AS integrity protected].
- From here on RRC signalling is integrity protected and ciphered (K_RRCint, K_RRCenc) and the user plane is ciphered (K_UPenc).
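The following Python example is added here and is not part of the chapter. It carries the key derivations of Figure 9.20 through in code: the KDF of TS 33.401 Annex A (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), K_ASME from CK || IK, K_eNB from K_ASME and the NAS uplink COUNT, and the NAS and AS algorithm keys truncated to 128 bits. The FC values and algorithm-type distinguishers are the Annex A ones; all key material, the SN id, SQN xor AK and the COUNT values are constructed test data, and the function names are this example's own.

```python
import hashlib
import hmac

# KDF of TS 33.401 Annex A: HMAC-SHA-256(Key, S), S = FC || P0 || L0 || P1 || L1 ...
FC_KASME, FC_KENB, FC_ALG_KEY = 0x10, 0x11, 0x15
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}
EEA1 = EIA1 = 0x01  # SNOW 3G based; EEA2/EIA2 = 0x02 (AES), EEA3/EIA3 = 0x03 (ZUC)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: S = FC || P0 || L0 || P1 || L1 ..., each Li the 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """HSS and USIM side of Fig. 9.20: K_ASME from CK || IK, the serving network id
    (3-byte PLMN id) and SQN xor AK (6 bytes, taken from AUTN)."""
    return kdf(ck + ik, FC_KASME, sn_id, sqn_xor_ak)


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """MME and UE: K_eNB from K_ASME and the 32-bit NAS uplink COUNT."""
    return kdf(kasme, FC_KENB, nas_uplink_count.to_bytes(4, "big"))


def derive_alg_key(key: bytes, alg_type: str, alg_id: int, length_bits: int = 128) -> bytes:
    """Algorithm key from K_ASME (NAS) or K_eNB (AS): the n least significant
    bits of the 256-bit KDF output."""
    out = kdf(key, FC_ALG_KEY, bytes([AL_TYPE]) if False else bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return out[-(length_bits // 8):]


def nas_keys(kasme: bytes, enc_alg: int, int_alg: int) -> dict:
    """Step 2 of Fig. 9.20 (NAS SMC): K_NASenc and K_NASint."""
    return {"K_NASenc": derive_alg_key(kasme, "NAS-enc", enc_alg),
            "K_NASint": derive_alg_key(kasme, "NAS-int", int_alg)}


def as_keys(kenb: bytes, enc_alg: int, int_alg: int) -> dict:
    """Step 3 of Fig. 9.20 (AS SMC): K_RRCenc, K_RRCint and K_UPenc from K_eNB."""
    return {"K_RRCenc": derive_alg_key(kenb, "RRC-enc", enc_alg),
            "K_RRCint": derive_alg_key(kenb, "RRC-int", int_alg),
            "K_UPenc": derive_alg_key(kenb, "UP-enc", enc_alg)}


def full_hierarchy(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes,
                   nas_uplink_count: int, enc_alg: int = EEA1, int_alg: int = EIA1) -> dict:
    """Everything below K (the LTE root key stays in the USIM and the HSS)."""
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, nas_uplink_count)
    return {"K_ASME": kasme, "K_eNB": kenb,
            **nas_keys(kasme, enc_alg, int_alg), **as_keys(kenb, enc_alg, int_alg)}


if __name__ == "__main__":
    # constructed CK, IK, PLMN id and SQN xor AK; a real run takes them from AKA
    keys = full_hierarchy(bytes(16), bytes(range(16)), bytes.fromhex("32f410"), bytes(6), nas_uplink_count=0)
    for name, value in keys.items():
        print(f"{name:9s} {value.hex()}")
```

Two points worth checking in the output: the UE and the MME compute identical keys from the same inputs without any key ever being sent over the air, and a different NAS uplink COUNT (or a different serving network id) produces a different K_eNB (or K_ASME), which is what ties the AS keys to the current connection and network.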

9.7. NETWORK DOMAIN SECURITY

9.7.1. Overview

Network domain security for IP (NDS/IP: Network Domain Security/IP) protects user data and signalling on the interfaces between network nodes within the EPC or within E-UTRAN. From the NDS/IP point of view the network looks as shown in Figure 9.21.

A SEG (Security Gateway) is placed at the border of a security domain and concentrates all traffic entering and leaving that domain. An NE (Network Entity) can be any node of E-UTRAN, EPC or IMS, such as an eNodeB, MME or S-CSCF. The SEGs implement IKEv1 and IKEv2 (IKE: Internet Key Exchange) and also provide long-term key storage. The Zb interface is defined to provide secure access within a network (intra-domain security).
Figure 9.21. NDS architecture for IP-based networks.
(Recovered from the figure: security domain A contains NE A-1, NE A-2 and SEG A; security domain B contains NE B-1, NE B-2 and SEG B. Zb links NE to NE and NE to SEG inside each domain; Za links SEG A to SEG B across the domain border. Each link carries an IKE session and an ESP security association.)


Some key features of the NDS Za and Zb interfaces are summarised in Table 9.1.

Table 9.1. Key functions of the NDS Za and Zb interfaces

NDS interface            | Za              | Zb
-------------------------|-----------------|----------------------
Implementation           | Mandatory       | Optional
Authentication/integrity | Mandatory       | Mandatory
Encryption               | Optional        | Optional
Security protocol        | ESP             | ESP
Security mode            | Tunnel          | Tunnel or transport
Security scope           | Inter-domain    | Intra-domain
Endpoints                | SEG-SEG         | SEG-NE or NE-NE
IKE support              | IKEv1 and IKEv2 | IKEv1 and/or IKEv2

Zb applies between NEs, or between an NE and a SEG, within one domain under the control of a single operator. Za, in contrast, connects two SEGs of different security domains and is governed by the roaming agreements between operators. For example, E-UTRAN and EPC may be run by different operators and therefore belong to different security domains, in which case the S1 interface is classified as a Za interface. Za can also be used between the EPC and IMS domains.

The purpose of NDS/IP is to protect sensitive information exchanged between network nodes: user data, subscriber registration information, authentication vectors and network data such as the MM context, policy and charging information, as well as IMS-related information exchanged between CSCF nodes.

The NDS/IP framework provides three kinds of protection:
- Data origin authentication: prevents a spoofed entity from sending packets to the receiving entity.
- Data integrity: protects transmitted data against modification.
- Data confidentiality: protects against eavesdropping.

Because security requirements must be balanced against processing cost, not every kind of protection is needed in every case. Integrity and confidentiality protection are both required for signalling on the S1 interface between eNodeB and MME, since sensitive information (security keys) and user identities are exchanged there. Integrity protection of user data, on the other hand, is considered less critical, so the user plane on this interface is only ciphered against eavesdropping.

The NDS/IP mechanisms applied to the EPS interfaces are summarised in Table 9.2.
Table 9.2. Summary of network domain security protection

Interface         | Integrity/authentication | Encryption
------------------|--------------------------|-----------
S1 user plane     | No                       | Yes
X2 user plane     | No                       | Yes
S1 control plane  | Yes                      | Yes
X2 control plane  | Yes                      | Yes
EPC interfaces    | Yes                      | Optional

From the NDS/IP point of view the network nodes are treated as plain IP nodes, whatever their actual role in the network. NDS/IP in 3GPP networks therefore uses the classic set of security procedures and mechanisms defined by the IETF:
- Security between network elements is provided by IPsec tunnels (or by TCAPsec, defined by 3GPP).
- Data authentication, integrity and confidentiality are provided by ESP (Encapsulating Security Payload) in tunnel mode.
- Security keys are negotiated with the IKE (Internet Key Exchange) protocol.
9.7.2. ESP (Encapsulating Security Payload)

The 3GPP specifications recommend protecting the control, user and management planes at the transport layer of EPS. Protection is provided through the framework set out in TS 33.210; the recommended security services are integrity, confidentiality and anti-replay protection.

ESP is a complete security mechanism that provides all three kinds of protection, each with its own set of algorithms. Figure 9.22 shows the effect of ESP protection in tunnel mode on a packet with a TCP/IP header. Besides TCP, ESP can encapsulate any transport layer, including UDP. In tunnel mode the whole original packet is protected inside a new IP header, whereas ESP in transport mode does not protect the original IP header.
Original TCP/IP packet:
  [IP header][TCP header][Data]

ESP in tunnel mode:
  [New IP header][ESP header][IP header][TCP header][Data][ESP trailer][ESP auth]
  encrypted:     from the original IP header through the ESP trailer
  authenticated: from the ESP header through the ESP trailer (the ESP auth field carries the integrity check value)

Figure 9.22. Effect of ESP in tunnel mode.

In 3GPP networks the mandatory confidentiality algorithm is AES (Advanced Encryption Standard); 3DES (Triple-DES) may also be used. Authentication and integrity protection use SHA-1 (HMAC-SHA-1, mandatory for 3GPP networks) or MD5. Both 3DES and MD5 should be regarded as legacy options that later releases of the NDS/IP profile phase out.
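The following Python example is added here and is not part of the chapter. It builds and verifies the ESP framing of Figure 9.22 (SPI, sequence number, payload, padding, pad length, next header, integrity check value) for the integrity-only configuration Tables 9.1 and 9.2 allow, i.e. the NULL cipher (RFC 2410) with HMAC-SHA-1-96 (RFC 2404), and implements the RFC 4303 anti-replay window on the receiving side. There is no real IP stack: the inner packet is plain bytes, the outer IP header is left to the caller, and the key, SPI and packets are constructed; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA-1-96 truncates the 160-bit tag to 96 bits
NEXT_HEADER_IPIP = 4  # tunnel mode: the protected payload is a whole IPv4 packet


def esp_encapsulate(spi: int, seq: int, inner_packet: bytes, auth_key: bytes) -> bytes:
    """ESP-NULL: SPI || Seq || payload || padding || pad-len || next-header || ICV."""
    if not 1 <= seq < 2 ** 32:
        raise ValueError("ESP sequence numbers start at 1 and must not wrap")
    pad_len = (-(len(inner_packet) + 2)) % 4      # 4-byte alignment of the trailer
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default pad bytes 1, 2, ...
    body = inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPIP])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


class InboundSA:
    """Receiver state for one SA: key, SPI and the RFC 4303 anti-replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.top = 0      # highest sequence number authenticated so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) already received

    def _replay_check(self, seq: int) -> None:
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > self.top:
            return                                  # new right edge of the window
        if self.top - seq >= self.window:
            raise ValueError(f"seq {seq} is too old for a window of {self.window}")
        if self.bitmap & (1 << (self.top - seq)):
            raise ValueError(f"seq {seq} replayed")

    def _window_update(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet: bytes) -> bytes:
        """Replay pre-check, then ICV verification, then window update. The order
        matters: a forged packet must not be able to move the window."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._replay_check(seq)
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, packet[:8] + body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV verification failed")
        self._window_update(seq)
        pad_len = body[-2]
        return body[:len(body) - pad_len - 2]


if __name__ == "__main__":
    key = b"k" * 20                       # constructed 160-bit HMAC-SHA-1 key
    sa = InboundSA(0x1001, key)
    pkt = esp_encapsulate(0x1001, 1, b"\x45\x00constructed inner IPv4 packet", key)
    print(sa.receive(pkt))
```

With ESP-NULL every byte of the inner packet is visible on the wire, which is exactly the trade-off Table 9.2 records for interfaces where only integrity and authentication are required; switching the cipher on changes the payload encoding but not the header, trailer, ICV and replay handling shown here.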
9.7.3. eNodeB backhaul security

The backhaul link to the eNodeB requires stronger security because:
- The eNodeB plays a bigger role in LTE than the NodeB in 3G UMTS: the LTE eNodeB combines the functions of NodeB and RNC.
- Coverage is extended continuously.
- Infrastructure is shared.
The physical security of the eNodeB therefore cannot always be trusted, and the backhaul link must be better protected. The following requirements also apply to the eNodeB:
- Security protocol: ESP [RFC 4303].
- Security mode: tunnel (mandatory), transport (optional).
- IKE version: IKEv2.
Figure 9.23 shows how a security certificate is issued to an eNodeB.
Figure 9.23. Issuing a security certificate to an eNodeB.
(Recovered from the figure; entities: base station (eNodeB), the operator's RA/CA, SEG.)
- The base station is shipped with a vendor-signed certificate for its own public key and with the operator's root certificate pre-installed.
- The operator's RA/CA has the vendor's root certificate pre-installed, so it can verify the base station's vendor certificate.
- Using CMPv2, authenticated with the vendor-signed certificate, the base station obtains an operator-signed certificate for its public key from the RA/CA.
- The issued base-station certificate is then used in IKE/IPsec towards the SEG.
RA: Registration Authority; CA: Certificate Authority; CMPv2: Certificate Management Protocol version 2.


9.7.4. Relay node security

The following measures apply to relay node security (Figure 9.24):
- Mutual authentication:
  - AKA is used (the relay node attaches to the network like a UE).
  - The security credentials are stored in a UICC.
  - A binding is established between the relay node and the USIM, based either on symmetric pre-shared keys or on certificates.

Figure 9.24. Relay node security.
(Recovered from the figure: UE --radio-- relay node --radio-- eNodeB --backhaul-- core network.)

9.8. SECURITY OF LTE USERS IN IMS

9.8.1. IMS (SIP) security model

IMS (IP Multimedia Subsystem) is expected to be an element of LTE/SAE. The general IMS (SIP) security model is shown in Figure 9.25. The IMS domain applies two kinds of security procedure:
- IMS AKA (Authentication and Key Agreement): mutual authentication between the user and the S-CSCF.
- IMS SA (Security Association): protection of the SIP signalling between the UE and the P-CSCF.

Figure 9.25. General IMS (SIP) security model.
(Recovered from the figure: the home IMS runs AKA (RFC 3310) with the UE; the visited IMS is reached through network domain security; the UE and the visited IMS agree on the security mechanism with RFC 3329; integrity protection (plus confidentiality) of the SIP signalling uses IPsec as specified in TS 33.203; the underlying transport is the packet domain.)


The IMS security architecture is shown in Figure 9.26.

Figure 9.26. IMS security architecture.
(Recovered from the figure; entities: the UE containing the ISIM and the SIP UA (User Agent); the P-CSCF in the visited or home network; the I-CSCF, S-CSCF and HSS in the home network; the IP multimedia network; and the PS domain providing access and transport. Numbered security associations: 1 between ISIM and HSS; 2 between UE and P-CSCF (Gm); 3 between HSS and I-CSCF/S-CSCF (Cx); 4 and 5 between SIP-capable nodes (Mw).)
The architecture defines five security associations:
1. Mutual authentication between the ISIM (IM Services Identity Module) and the HSS, carried out through the S-CSCF. The HSS delegates the authentication to the S-CSCF, but the S-CSCF is not responsible for generating the keys and challenges.
2. Network access (Gm): establishes a secure link and security associations between the UE and a P-CSCF at the Gm reference point. Data origin authentication is guaranteed.
3. Network domain (Cx): provides security within the network domain, (1) between HSS and I-CSCF and (2) between HSS and S-CSCF, protecting the Cx interface. This association also plays an important role in protecting the keys and challenges during UE registration.
4. Network domain (Mw): provides security between SIP-capable nodes (SIP: Session Initiation Protocol). This association applies between the P-CSCF and the other SIP core services when the UE roams in a visited network (VN).
5. Network domain (Mw): provides intra-network security between SIP-capable nodes. This association applies between the P-CSCF and the other SIP core services when the UE operates in its home network (HN).

Except for the Gm interface, all other interfaces and reference points in IMS, whether inside one security domain or across different ones, are protected under the NDS/IP framework.
9.8.2. Security procedure when the UE accesses IMS

The IMS domain applies two kinds of security procedure:
- IMS AKA (Authentication and Key Agreement): mutual authentication between the UE and the S-CSCF.
- IMS SA (Security Association): protection of the SIP signalling between the UE and the P-CSCF.
The overall security model between the UE, the network and IMS, in which AKA is performed between the UE and IMS, is shown in Figure 9.27.
Figure 9.27. Overall security model between the user, the network and IMS.
(Recovered from the figure: in IMS, the S-CSCF performs authentication and key agreement with the UE, the HSS supplies the authentication vectors, and the P-CSCF applies ciphering/integrity to the SIP signalling; in EPS, the MME performs NAS ciphering/integrity and supplies keys to the eNodeB, which applies ciphering/integrity on the radio interface.)
In EPS, data exchanged between the UE and the eNodeB is protected by ciphering and integrity mechanisms (for user data as well as RRC signalling). The MME supplies the eNodeB with the security keys used as input to these mechanisms, after the USIM (in the UE) has been authenticated by the MME and the MME by the UE. In addition, NAS (Non-Access Stratum) signalling between the UE and the MME is ciphered and integrity protected with separate keys (this does not exist in 3G UMTS, which protects only the radio segment between UE and RNC).

Similarly, at the IMS level, SIP signalling is protected by ciphering and integrity mechanisms based on keys supplied by the S-CSCF after mutual authentication between the UE and the S-CSCF. This applies when SIP signalling is exchanged between the UE and the S-CSCF or an application server. If ciphering is applied at the P-CSCF, the already ciphered SIP message is ciphered again at the eNodeB before transmission over the radio interface.

The EPS and IMS security mechanisms are both built on a user-specific secret shared between the network and the USIM (or ISIM), and both use symmetric cryptography, in which the same key serves for encryption and decryption.

9.8.3. IMS AKA procedure

IMS AKA performs mutual authentication between the UE and the home network (HN). It uses the same basic principle as the UMTS/EPS AKA procedures. Its task is two-way authentication between the ISIM (the IMS application residing on the UICC of the UE) and the IMS domain. IMS AKA is normally run when the UE registers with the IMS core network (IMS CN), and it establishes the IMS security context. It also supplies the session keys, on the network side and in the UE, that are used to set up the IMS security association between the UE and the P-CSCF and to protect SIP signalling with confidentiality and integrity. IMS AKA is mandatory and must be completed before the subscriber can receive IMS services.

Figure 9.28 shows the IMS AKA procedure. It is very similar to UMTS AKA: it is built on the same key-derivation algorithms, the same AUTN check and the same XRES generation for mutual authentication. The main differences are that IMS AKA uses SIP signalling (instead of 3GPP-specific messages) and different input parameters, namely the IMS-specific long-term key (the counterpart of K) together with the user's IMS private identity.

For simplicity the figure omits the I-CSCF; its role in IMS AKA, like that of the P-CSCF, is limited to routing the SIP signalling and identifying the S-CSCF.

Figure 9.28. IMS AKA procedure.
(Message sequence recovered from the figure; entities: UE (ISIM), P-CSCF, S-CSCF, HSS.)
1. UE -> P-CSCF -> S-CSCF: REGISTER (user identity); the S-CSCF starts the registration.
2. S-CSCF -> HSS: authentication request (IMPI).
3. HSS -> S-CSCF: authentication response (authentication vectors); the S-CSCF selects one vector (RAND, XRES, CK, IK, AUTN).
4. S-CSCF -> P-CSCF -> UE: 401 Unauthorized (RAND, AUTN).
5. UE: checks AUTN, computes RES, then computes CK and IK.
6. UE -> P-CSCF -> S-CSCF: REGISTER (RES); the S-CSCF compares RES with XRES.
7. S-CSCF -> P-CSCF: 200 OK (CK, IK); the P-CSCF stores CK and IK.
8. P-CSCF -> UE: 200 OK.


IMS AKA consists of the following steps:
1. Acquisition of authentication data.
2. Authentication of the UE.
3. Ciphering and integrity protection.

Acquisition of authentication data

Authentication information is obtained from the HSS in the home network at the request of the S-CSCF in the IMS CN. The request is sent over the Cx interface and contains the IMPI (IP Multimedia Private Identity), the IMPU (IP Multimedia Public Identity), the S-CSCF identity and the number of AVs (Authentication Vectors) the S-CSCF is prepared to receive.

After receiving the request, the HSS returns one or more IMS AVs to the S-CSCF (each AV contains RAND, XRES, AUTN, CK and IK, arranged in order in an AV array). Each AV is valid for exactly one IMS AKA transaction between the UE and the S-CSCF.

Mutual authentication

Authentication is initiated by the S-CSCF. If the S-CSCF holds no IMS AV, it requests some from the HSS before authenticating the UE. The S-CSCF then selects one AV from the list received from the HSS and sends the authentication challenge to the P-CSCF with the parameters RAND, AUTN, IK and CK. The P-CSCF stores the AV received from the S-CSCF and forwards the challenge to the UE after removing CK and IK (these two keys are never sent over the radio path).

After successfully processing the challenge data (in particular, verifying AUTN), the UE answers with an authentication response containing RES; at this point CK and IK are also computed in the UE. The P-CSCF receives the response from the UE and forwards it to the S-CSCF. Once the S-CSCF has checked that the received RES matches XRES, IMS AKA is complete.
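The following Python example is added here and is not part of the chapter. It runs the challenge/response exchange described above and in Figures 9.20 and 9.28 end to end: the home network builds an authentication vector with AUTN = (SQN xor AK) || AMF || MAC, the P-CSCF strips CK and IK before the 401 goes to the UE, the ISIM verifies the MAC and the freshness of SQN before answering with RES, and the S-CSCF compares RES with XRES. The functions f1..f5 are HMAC-SHA-256 stand-ins for the real MILENAGE functions, the AUTN layout is the real one, and K, the SQN handling and the class names (HomeNetwork, Usim) are this example's own.

```python
import hashlib
import hmac
import os

# f1..f5 are HMAC-SHA-256 stand-ins for the MILENAGE functions (which are AES based).
AMF = bytes.fromhex("8000")


def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]  # MAC-A (network -> USIM)
def f2(k, rand):           return _f(k, b"f2", rand)[:8]            # RES / XRES
def f3(k, rand):           return _f(k, b"f3", rand)[:16]           # CK
def f4(k, rand):           return _f(k, b"f4", rand)[:16]           # IK
def f5(k, rand):           return _f(k, b"f5", rand)[:6]            # AK (hides SQN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HSS: holds K and SQN_HE and produces authentication vectors for the S-CSCF."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self, rand: bytes = b"") -> dict:
        self.sqn += 1                                   # fresh SQN for every vector
        sqn = self.sqn.to_bytes(6, "big")
        rand = rand or os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return {"RAND": rand, "XRES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand), "AUTN": autn}


class Usim:
    """ISIM/USIM: holds K and SQN_MS; authenticates the network before answering."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def challenge(self, rand: bytes, autn: bytes) -> dict:
        sqn, amf, mac = xor(autn[:6], f5(self.k, rand)), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn:
            raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
        self.sqn = int.from_bytes(sqn, "big")
        return {"RES": f2(self.k, rand), "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


def p_cscf_forward(av: dict) -> dict:
    """P-CSCF: only RAND and AUTN go to the UE in the 401; CK and IK stay in the network."""
    return {"RAND": av["RAND"], "AUTN": av["AUTN"]}


def s_cscf_verify(av: dict, res: bytes) -> bool:
    return hmac.compare_digest(av["XRES"], res)


def run_ims_aka(hn: HomeNetwork, usim: Usim) -> dict:
    av = hn.auth_vector()                              # HSS -> S-CSCF over Cx
    chal = p_cscf_forward(av)                          # S-CSCF -> P-CSCF -> UE: 401 (RAND, AUTN)
    ans = usim.challenge(chal["RAND"], chal["AUTN"])   # ISIM checks AUTN, computes RES, CK, IK
    ok = s_cscf_verify(av, ans["RES"])                 # REGISTER (RES) -> S-CSCF compares with XRES
    return {"authenticated": ok,
            "keys_match": ans["CK"] == av["CK"] and ans["IK"] == av["IK"],
            "over_the_air": sorted(chal)}


if __name__ == "__main__":
    k = bytes(range(16))                               # constructed long-term key
    print(run_ims_aka(HomeNetwork(k), Usim(k)))
```

The two checks in Usim.challenge are performed in the order the real procedure prescribes: the MAC first (a forged challenge from a party without K fails here), then SQN freshness (a replayed genuine challenge fails here), so that a replay cannot trigger a key refresh on the terminal.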
Confidentiality and integrity protection

A ciphering mechanism can be used to provide confidentiality for the SIP signalling between the UE and the P-CSCF at the Gm reference point. Similarly, integrity and anti-replay protection can be used to guarantee the integrity of the SIP signalling between the UE and the P-CSCF at Gm.

IPsec is used to provide confidentiality and integrity for the SIP messages exchanged over the Gm interface. Table 9.3 shows the IPsec features used.

Table 9.3. IPsec features for confidentiality and integrity of SIP messages

Feature                                | Value
---------------------------------------|------------------------------------------------------------------
Security protocol                      | ESP: Encapsulating Security Payload (RFC 2406)
Security mode                          | Transport; UDP-encapsulated tunnel (RFC 3948)
Encryption algorithm (confidentiality) | NULL (RFC 2410); 3DES-CBC (RFC 2451) with a 3 x 64-bit key and 64-bit block; AES-CBC (RFC 3602) with a 128-bit key and 128-bit block
Authentication algorithm (integrity)   | HMAC-SHA-1-96 (RFC 2404) with a 160-bit key and 512-bit block
Security associations                  | Two pairs of unidirectional SAs, shared by TCP and UDP
9.8.4. IMS SA (Security Association)

The IMS SA is established during SIP registration, as part of the authenticated registration procedure. Two pairs of unidirectional SAs are set up between the UE and the P-CSCF after successful registration. Agreement on the ciphering and integrity algorithms to be used is part of the SA parameter negotiation.

At the receiving end a security association is identified by the following parameters:
- SPI (Security Parameter Index);
- destination IP address (the SA endpoint);
- security protocol (ESP, as in NDS/IP).

The ciphering key CK_ESP and the integrity key IK_ESP apply to both SA pairs, which are set up at the same time. These keys are derived from CK_IM and IK_IM.

A security-mode setup procedure is used to negotiate the SA parameters used for integrity and confidentiality protection in IMS. These parameters are listed in Table 9.4.
Table 9.4. SA parameters used for IMS integrity and confidentiality protection

Parameter                              | Value                                                     | Negotiated
---------------------------------------|-----------------------------------------------------------|-----------
Security mode                          | Transport; UDP-encapsulated tunnel (RFC 3948)             | Yes
Encryption algorithm (confidentiality) | NULL (RFC 2410); 3DES-CBC (RFC 2451); AES-CBC (RFC 3602)  | Yes
Confidentiality key length             | According to the encryption algorithm chosen              | No
Authentication (integrity)             | HMAC-SHA-1-96 (RFC 2404); HMAC-MD5-96 (RFC 2403)          | Yes
Integrity key length                   | According to the integrity algorithm chosen               | No
Security parameter index               | Assigned to the SAs in the network, one per SA            | No
Lifetime type                          | Seconds                                                   | No
Lifetime                               | 2^32 - 1                                                  | No
All SIP messages exchanged over an SA must be ESP protected; unprotected messages are only exchanged over the unprotected ports (see TS 33.203).

Figure 9.29 shows the message sequence for establishing the SAs.

SM1: REGISTER(Security-setup = SPI_U, Port_U, UE integrity and encryption algorithms list). The REGISTER message carries the UE-side parameters: the SPIs (SPI_U) and the port numbers (Port_U) the UE will use for its client and server ports in the SAs, and the integrity and ciphering algorithms the UE supports.

SM6: 4xx Auth_Challenge(Security-setup = SPI_P, Port_P, P-CSCF integrity and encryption algorithms list). The P-CSCF chooses the SPIs (SPI_P) and port numbers (Port_P) it will use for its client and server ports in the SAs. It also selects one ciphering algorithm and one integrity algorithm by matching the list of algorithms it supports against the list sent by the UE. It returns these choices to the UE in SM6: SPI_P, Port_P and its list of integrity and ciphering algorithms.

SM7: REGISTER(Security-setup = SPI_U, Port_U, SPI_P, Port_P, P-CSCF integrity and encryption algorithms list). The UE replies with SPI_U, Port_U, SPI_P, Port_P and the P-CSCF list of integrity and ciphering algorithms that will be used.

SM8: REGISTER(Integrity-Protection = Successful, IMPI). This message reports the successful SA setup to the S-CSCF and carries the IMPI (IP Multimedia Private Identity).

SM10: 2xx success message from the S-CSCF to the P-CSCF, forwarded to the UE as SM12.

Figure 9.29. Message sequence for SA establishment.
(Recovered from the figure; entities: UE, P-CSCF, S-CSCF.)
SM1  UE -> P-CSCF: REGISTER
SM2  P-CSCF -> S-CSCF: REGISTER
SM4  S-CSCF -> P-CSCF: 4xx authentication challenge
SM6  P-CSCF -> UE: 4xx authentication challenge
SM7  UE -> P-CSCF: REGISTER
SM8  P-CSCF -> S-CSCF: REGISTER
SM10 S-CSCF -> P-CSCF: 2xx authentication OK
SM12 P-CSCF -> UE: 2xx authentication OK


An example of the use of the two pairs of unidirectional SAs is shown in Figure 9.30.

Figure 9.30. Example of the use of the two pairs of unidirectional SAs.
(Recovered from the figure; entities: the UE with ports Port_Uc (client) and Port_Us (server), the P-CSCF with ports Port_Pc (client) and Port_Ps (server).)
- REGISTER (SM1) and the 401 Unauthorized carrying RAND||AUTN (SM6): unprotected.
- REGISTER (SM7) from Port_Uc to Port_Ps and its response 2xx OK (SM12): protected by SA pair 1.
- INVITE from Port_Pc to Port_Us, 180 Ringing and 200 OK: protected by SA pair 2.
Port: port; U: UE; P: P-CSCF; c: client; s: server.


9.8.5. IMS key hierarchy

Table 9.5 summarises the hierarchy of, and the relations between, the security keys used by IMS AKA on the Gm interface.

Table 9.5. Security keys for IMS AKA on the Gm interface

Key    | Purpose                             | Length (bits) | Derived from | Description
-------|-------------------------------------|---------------|--------------|---------------------------------------------------------------------
IK_IM  | Root integrity key for IMS          | 128           | IMS AKA      | Integrity key derived as part of IMS AKA
IK_ESP | Integrity key for Gm, HMAC-MD5-96   | 128           | IK_IM        | IK_ESP = IK_IM
IK_ESP | Integrity key for Gm, HMAC-SHA-1-96 | 160           | IK_IM        | IK_ESP = IK_IM || 32 zero bits
       |                                     |               |              | The same IK_ESP applies to both SA pairs, which are set up at the same time
CK_IM  | Root ciphering key for IMS          | 128           | IMS AKA      | Ciphering key derived as part of IMS AKA; CK_IM = CK_IM1 || CK_IM2, each 64 bits
CK_ESP | Ciphering key for Gm, DES-EDE3-CBC  | 192           | CK_IM        | CK_ESP = CK_IM1 || CK_IM2 || CK_IM1
CK_ESP | Ciphering key for Gm, AES-CBC       | 128           | CK_IM        | CK_ESP = CK_IM
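The following Python example is added here and is not part of the chapter; it serves both the SA setup of Section 9.8.4 and the key hierarchy of Table 9.5. It models the Security-setup negotiation of Figure 9.29 with the RFC 3329 header syntax for the ipsec-3gpp mechanism (Security-Client in SM1, Security-Server in SM6, Security-Verify in SM7): the P-CSCF intersects the UE's list with its own, and on SM7 it checks that the UE echoed the server list unchanged inside the now integrity-protected REGISTER, which is what defeats an attacker who rewrites SM6 to force weaker algorithms. It then expands CK_IM and IK_IM into CK_ESP and IK_ESP for the chosen algorithms as Table 9.5 specifies. The header values, SPIs, ports, preference order and keys are constructed; the function and class names are this example's own.

```python
from dataclasses import dataclass

# P-CSCF preference order (constructed for this example); the strongest pair the UE
# also offers wins, so a UE that offers only weak algorithms gets only weak ones.
P_CSCF_INTEGRITY = ("hmac-sha-1-96", "hmac-md5-96")
P_CSCF_ENCRYPTION = ("aes-cbc", "des-ede3-cbc", "null")


@dataclass(frozen=True)
class Offer:
    """One ipsec-3gpp entry of a Security-Client/Server/Verify header."""
    alg: str
    ealg: str
    spi_c: int
    spi_s: int
    port_c: int
    port_s: int
    q: float = 0.0


def parse_security_header(value: str) -> tuple:
    """Parse 'ipsec-3gpp; alg=...; ealg=...; spi-c=...; spi-s=...; port-c=...; port-s=...' entries."""
    offers = []
    for entry in value.split(","):
        mech, *params = [p.strip() for p in entry.split(";")]
        if mech != "ipsec-3gpp":
            continue  # other RFC 3329 mechanisms (tls, digest, ...) are not used on Gm
        kv = dict(p.split("=", 1) for p in params)
        offers.append(Offer(kv["alg"], kv.get("ealg", "null"), int(kv["spi-c"]), int(kv["spi-s"]),
                            int(kv["port-c"]), int(kv["port-s"]), float(kv.get("q", 0))))
    return tuple(offers)


def format_security_header(offers) -> str:
    return ", ".join(f"ipsec-3gpp; alg={o.alg}; ealg={o.ealg}; spi-c={o.spi_c}; spi-s={o.spi_s}; "
                     f"port-c={o.port_c}; port-s={o.port_s}; q={o.q}" for o in offers)


def p_cscf_select(security_client: str, spi_p_c: int, spi_p_s: int, port_p_c: int, port_p_s: int) -> Offer:
    """SM6: pick the first P-CSCF-preferred (alg, ealg) pair that the UE also offered."""
    ue_offers = parse_security_header(security_client)
    for alg in P_CSCF_INTEGRITY:
        for ealg in P_CSCF_ENCRYPTION:
            if any(o.alg == alg and o.ealg == ealg for o in ue_offers):
                return Offer(alg, ealg, spi_p_c, spi_p_s, port_p_c, port_p_s, 0.1)
    raise ValueError("no common algorithms; the registration must be rejected")


def p_cscf_check_verify(security_server_sent: str, security_verify_received: str) -> bool:
    """SM7: the Security-Verify the UE sends over the protected SA must equal the
    Security-Server sent in SM6; any difference means SM6 was altered in transit."""
    return parse_security_header(security_server_sent) == parse_security_header(security_verify_received)


def esp_keys(ck_im: bytes, ik_im: bytes, alg: str, ealg: str) -> dict:
    """Table 9.5: expand the 128-bit IMS AKA keys to the lengths the chosen ESP algorithms need."""
    if len(ck_im) != 16 or len(ik_im) != 16:
        raise ValueError("CK_IM and IK_IM are 128-bit keys")
    if alg == "hmac-sha-1-96":
        ik_esp = ik_im + bytes(4)                       # IK_IM || 32 zero bits = 160 bits
    elif alg == "hmac-md5-96":
        ik_esp = ik_im                                  # 128 bits
    else:
        raise ValueError(f"unknown integrity algorithm {alg}")
    if ealg == "des-ede3-cbc":
        ck_esp = ck_im[:8] + ck_im[8:] + ck_im[:8]      # CK_IM1 || CK_IM2 || CK_IM1 = 192 bits
    elif ealg == "aes-cbc":
        ck_esp = ck_im                                  # 128 bits
    elif ealg == "null":
        ck_esp = b""                                    # NULL cipher: no key
    else:
        raise ValueError(f"unknown encryption algorithm {ealg}")
    return {"IK_ESP": ik_esp, "CK_ESP": ck_esp}


if __name__ == "__main__":
    client = ("ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; spi-c=23456789; spi-s=12345678; "
              "port-c=2468; port-s=1357")            # constructed Security-Client (SM1)
    chosen = p_cscf_select(client, 98765432, 87654321, 3210, 4321)
    print(format_security_header([chosen]))
    print(esp_keys(bytes(range(16)), bytes(range(16, 32)), chosen.alg, chosen.ealg))
```

The bidding-down check only works because SM7 is already protected by SA pair 1 with the keys from IMS AKA: an attacker who edits the unprotected SM6 cannot produce a matching Security-Verify under the integrity key, so the P-CSCF sees the mismatch and rejects the registration.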
9.8.6. IMS core network (IMS CN) security

TS 33.203 recommends protecting all IMS CN interfaces at the network transport layer. This protection is built on the NDS/IP security framework outlined in TS 33.210 and must include integrity, confidentiality and anti-replay services.

The following requirements, the same as those for the eNodeB backhaul in 9.7.3, apply:
- Security protocol: ESP [RFC 4303].
- Security mode: tunnel (mandatory), transport (optional).
- IKE version: IKEv2.

A SEG at the EPC end is optional as the SA endpoint. If the interfaces are already protected (a trusted environment), the NDS/IP security framework may not be needed.

9.9. SUMMARY

The fourth-generation LTE/SAE mobile system builds on the success of the GSM/GPRS and 3G UMTS networks and introduces new and enhanced security features to protect new services that earlier mobile systems could not offer.

The main characteristics of LTE/SAE security are:
- User-plane security terminates at the eNodeB.
- The key hierarchy is extended.
- Interworking with non-3GPP networks is covered.
- The ciphering algorithms are based on AES and SNOW 3G.
In addition, 3GPP is specifying further standards with stronger ciphering algorithms.

EPS access security is divided into NAS (Non-Access Stratum) and AS (Access Stratum) security. EPS offers three kinds of protection for NAS and AS, very similar to security in 3G UMTS networks:
- Ciphering.
- Integrity.
- Mutual authentication.
The LTE security mechanisms are built on the following requirements:
- The EPS security procedures are based on the information and algorithms stored in the USIM module of the UE.
- The USIM continues to be used, i.e. no change to the USIM is needed to access the EPS network, and a USIM from 3G UMTS can be reused. The EPS security procedures are therefore designed to be backward compatible with the 3G UMTS USIM.
- The security level must be at least equal to, or better than, that of 3G UMTS.

IMS (IP Multimedia Subsystem) is expected to be an element of LTE/SAE, so IMS domain security is also specified in the 3GPP recommendations:
- IMS AKA (Authentication and Key Agreement): mutual authentication between the user and the S-CSCF.
- IMS SA (Security Association): protection of the SIP signalling between the UE and the P-CSCF.
The IMS AKA procedure is similar to the 3G UMTS AKA procedure.

9.10. QUESTIONS
1. Describe the basic security requirements for the elements and interfaces of EPS.
2. Describe the security functions at the protocol levels.
3. Describe the security functions in the EPS network elements.
4. Describe the model for generating the security keys.
5. Describe the key hierarchy in EPS.
6. Describe the use of keys for the downlink flows.
7. Describe the E-UTRAN ciphering and integrity algorithms.
8. Describe the model for key transfer at handover.
9. Describe the security procedures when the UE initiates a connection to EPS.
10. Describe the AKA procedure.
11. Describe the computation of the EPS AV parameters during AKA.
12. Describe the process leading to the selection of the integrity algorithm and the computation of the NAS keys.
13. Describe the process leading to the selection of the integrity algorithm and the computation of the AS keys.
14. Describe the generation of security parameters and keys while the UE initiates a connection to the network.
15. Describe the computation of keystreams for ciphering (Enc) and of message authentication codes (MAC) for integrity protection.
16. Describe the EAP-AKA procedure for non-LTE access networks.
17. Describe the summary diagram of security procedures and key generation in EPS.
18. Describe the network domain security (NDS) architecture for IP-based networks.
19. Describe ESP.
20. Describe the process of issuing a security certificate to an eNodeB.
21. Describe relay node security.
22. Describe the IMS security architecture.
23. Describe the security procedure when the UE accesses IMS.
24. Describe the IMS AKA procedure.
25. Describe the acquisition of authentication data and mutual authentication in IMS.
26. Describe confidentiality and integrity protection in IMS.
27. Describe the security association and the message sequence for SA establishment in IMS.
28. Describe the IMS key hierarchy.
