[go: up one dir, main page]

CN1780468A - Method for preventing message from repeating and attacking under idle mode - Google Patents

Method for preventing message from repeating and attacking under idle mode Download PDF

Info

Publication number
CN1780468A
CN1780468A CN200410091346.3A CN200410091346A CN1780468A CN 1780468 A CN1780468 A CN 1780468A CN 200410091346 A CN200410091346 A CN 200410091346A CN 1780468 A CN1780468 A CN 1780468A
Authority
CN
China
Prior art keywords
location update
paging controller
message
terminal
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200410091346.3A
Other languages
Chinese (zh)
Other versions
CN100397945C (en
Inventor
肖正飞
李永茂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNB2004100913463A priority Critical patent/CN100397945C/en
Publication of CN1780468A publication Critical patent/CN1780468A/en
Application granted granted Critical
Publication of CN100397945C publication Critical patent/CN100397945C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

本发明提供了一种防止重放攻击的方法,用于终端在空闲模式下发起位置更新的过程,第一寻呼控制器保存有终端的注册信息,包括以下步骤:A)终端发送位置更新请求消息,该消息至少包含一个认证信息;B)第一寻呼控制器接收位置更新请求消息,判断所述认证信息是否使用过,若是,则丢弃该消息,结束;否则接受所述位置更新请求消息。其中,当还包括第二寻呼控制器、且终端处于第二寻呼控制器区域内时;终端和第一寻呼控制器之间的消息通过所述第二寻呼控制器进行中转;且步骤B还包括:第一寻呼控制器将保存的终端的注册信息发送给第二寻呼控制器。使用该方法,可以有效抵御空闲模式下的消息重放攻击。

Figure 200410091346

The present invention provides a method for preventing replay attacks, which is used for the terminal to initiate a location update process in idle mode. The first paging controller stores the registration information of the terminal, including the following steps: A) The terminal sends a location update request message, the message contains at least one authentication information; B) the first paging controller receives the location update request message, judges whether the authentication information has been used, if so, discards the message, and ends; otherwise accepts the location update request message . Wherein, when the second paging controller is also included, and the terminal is in the area of the second paging controller; the message between the terminal and the first paging controller is transferred through the second paging controller; and Step B further includes: the first paging controller sends the saved registration information of the terminal to the second paging controller. Using this method, the message replay attack in idle mode can be effectively resisted.

Figure 200410091346

Description

空闲模式下防止消息重放攻击的方法Method of Preventing Message Replay Attack in Idle Mode

技术领域technical field

本发明涉及无线接入系统领域,特别是指一种空闲模式下防止消息重放攻击的方法。The invention relates to the field of wireless access systems, in particular to a method for preventing message replay attacks in idle mode.

背景技术Background technique

802.16e标准定义了移动宽带无线接入系统的空中接口标准,802.16e网络至少由移动用户台(MSS)、基站(BS)组成。多个BS可以组成一个组,称为寻呼组(Paging Group)。寻呼组的目的是构成一个连续的区域,在这个区域内处于空闲模式的MSS没有必要发送上行业务,但是可以通过下行寻呼信道来判断是否有发送给它的下行业务。The 802.16e standard defines the air interface standard of the mobile broadband wireless access system. The 802.16e network is at least composed of a mobile subscriber station (MSS) and a base station (BS). Multiple BSs can form a group, called a paging group (Paging Group). The purpose of the paging group is to form a continuous area. In this area, the MSS in idle mode does not need to send uplink traffic, but can judge whether there is downlink traffic sent to it through the downlink paging channel.

空闲模式是IEEE 802.16e标准定义的一种终端工作模式,其特点是:MSS可以在寻呼组的区域内移动,每隔一定的周期接收下行广播业务消息,以得知是否有下行业务发送;并且,MSS在这个区域内漫游过程中不必在小区内向小区的BS进行注册;当MSS漫游到该区域内不同小区时,也不必进行切换等正常操作流程,以利于MSS节省功率和空口资源。Idle mode is a terminal working mode defined by the IEEE 802.16e standard. Its characteristics are: MSS can move in the area of the paging group, and receive downlink broadcast service messages at regular intervals to know whether there is downlink service to send; Moreover, the MSS does not need to register with the BS of the cell during the roaming process in this area; when the MSS roams to a different cell in the area, it does not need to perform normal operation procedures such as handover, so as to help the MSS save power and air interface resources.

在与某个服务基站(Serving BS)的正常操作过程中,MSS可以通过发送消息请求进入空闲模式。类似的,Serving BS也可以通过发送消息主动要求MSS进入空闲模式。当MSS中断与Serving BS的正常操作过程进入空闲模式后,寻呼控制器(Serving BS或其它控制MSS空闲模式活动的网络实体)需要保存一些MSS业务信息,这里,称寻呼控制器保存的MSS业务信息为MSS注册信息。During normal operation with a serving base station (Serving BS), the MSS can request to enter the idle mode by sending a message. Similarly, the Serving BS can also actively request the MSS to enter the idle mode by sending a message. When the MSS is interrupted and the normal operation process of the Serving BS enters the idle mode, the paging controller (Serving BS or other network entities that control the activities of the MSS idle mode) needs to save some MSS service information. Here, it is called the MSS saved by the paging controller. Service information is MSS registration information.

在空闲模式下,MSS会周期性的向寻呼控制器发起位置更新请求。寻呼控制器接收到MSS发送的位置更新请求消息以后发送响应消息,指示MSS位置更新请求成功或失败。位置更新的意义在于MSS可以定时通知寻呼控制器,它还在这个寻呼组的控制范围内。如果只是在一个寻呼组内漫游,位置更新请求不会引起MSS和寻呼控制器之间的任何动作。当MSS跨越寻呼组漫游时,新的寻呼组控制器在收到MSS的位置更新请求时,发现位置更新请求消息中的寻呼控制器标识(Paging Controller ID)不是自己的PagingController ID,就会发送响应消息,通知MSS位置更新成功,同时通过骨干网通知原寻呼组该MSS已移动到了新的寻呼组,原寻呼组控制器就会将存储的这个MSS的注册信息发送给新寻呼组的寻呼控制器。In idle mode, the MSS will periodically initiate a location update request to the paging controller. After receiving the location update request message sent by the MSS, the paging controller sends a response message, indicating the success or failure of the MSS location update request. The significance of location update is that MSS can regularly notify the paging controller that it is still within the control range of this paging group. If only roaming within a paging group, the location update request will not cause any action between the MSS and the paging controller. When the MSS roams across paging groups, the new paging group controller finds that the paging controller ID (Paging Controller ID) in the location update request message is not its own PagingController ID when it receives the location update request from the MSS, so it A response message will be sent to inform the MSS that the location update is successful, and at the same time notify the original paging group that the MSS has moved to a new paging group through the backbone network, and the original paging group controller will send the stored registration information of the MSS to the new paging group. The paging controller for the paging group.

802.16系统中通过HMAC-Digest对消息实现认证,HMAC-Digest是通信双方基于共享密钥对消息体进行摘要计算得到的一个消息认证码。发送方在发送消息前利用双方在认证过程中交换的共享密钥和消息体(包括消息头)一起计算,得到一个加密的消息摘要,即HMAC-Digest,接收方在收到消息后进行同样的计算得到一个HMAC-Digest,并与随消息发送的HMAC-Digest进行比较,就能实现对消息发送方的认证。In the 802.16 system, HMAC-Digest is used to authenticate messages. HMAC-Digest is a message authentication code obtained by digesting the message body based on the shared key between the communicating parties. Before sending the message, the sender uses the shared key exchanged by both parties during the authentication process and the message body (including the message header) to calculate together to obtain an encrypted message digest, that is, HMAC-Digest, and the receiver performs the same process after receiving the message. By calculating an HMAC-Digest and comparing it with the HMAC-Digest sent with the message, the sender of the message can be authenticated.

MSS在空闲模式下的位置更新请求中包含了HMAC-Digest,由于MSS在空闲模式下漫游到不同BS时,不需要进行切换过程,也就不会和新的BS进行认证。如何对这些管理消息中的HMAC-Digest进行认证,现有的机制是上述的在寻呼控制器上保存MSS注册信息,其中就包括了MSS与进入空闲模式时所在的BS的密钥信息,每次发起的位置更新请求中都指示了当前这些密钥信息所在的寻呼控制器,这些密钥信息可以用于对空闲模式中的管理消息进行HMAC-Digest认证。现有技术中的位置更新请求包含的内容还包括有:寻呼组的寻呼控制器ID,消息的目标BSID和其它相关信息等。The location update request of MSS in idle mode includes HMAC-Digest. Since MSS roams to different BSs in idle mode, it does not need to perform a handover process, so it will not authenticate with the new BS. How to authenticate the HMAC-Digest in these management messages, the existing mechanism is to store the MSS registration information on the paging controller as described above, which includes the key information of the MSS and the BS where it enters the idle mode. The location update request initiated for the first time indicates the current paging controller where the key information is located, and the key information can be used to perform HMAC-Digest authentication on the management message in the idle mode. The content of the location update request in the prior art also includes: the paging controller ID of the paging group, the target BSID of the message and other related information.

重放攻击是一种常见的网络攻击方法,攻击者在通信双方(A、B)的某次交互过程中截获A(或B)发送的消息,在以后的某个合适的时机,向B(或A)重新发送它截获的消息,如果每次消息交互过程都是一样的,而且消息中没有包含足够的信息使得B(或A)能判断消息是第一次发起的还是重放的信息。攻击者就能冒充通信中的一方去欺骗另一方,从而达到攻击网络的目的。Replay attack is a common network attack method. The attacker intercepts the message sent by A (or B) during a certain interaction between the two parties (A, B), and at a suitable time in the future, sends a message to B ( Or A) resends the message it intercepts, if the message interaction process is the same every time, and the message does not contain enough information to enable B (or A) to determine whether the message was initiated for the first time or replayed. Attackers can pretend to be one party in the communication to deceive the other party, so as to achieve the purpose of attacking the network.

现有技术保证了对消息的认证,但是没有提供抵御重放攻击的机制,结合图1,通过下面的分析过程,来介绍攻击者怎样实施重放攻击:The existing technology guarantees the authentication of messages, but does not provide a mechanism to resist replay attacks. Combining with Figure 1, through the following analysis process, we will introduce how attackers implement replay attacks:

步骤101:MSS在寻呼组A中的某个BS上进入空闲模式,该过程是由MSS请求或BS主动通知MSS完成的,MSS进入空闲模式后,需要在寻呼控制器A(ID=1)上保存MSS的相关注册信息(如密钥信息);Step 101: MSS enters idle mode on a certain BS in paging group A. This process is completed by MSS request or BS proactively notifies MSS. ) to save relevant registration information (such as key information) of MSS;

步骤102:MSS从寻呼组A漫游到寻呼组B;Step 102: MSS roams from paging group A to paging group B;

步骤103:MSS在新的寻呼组B中发起第一次位置更新请求,当前BS的BSID=2,所以该位置更新请求包含的信息有:Paging Controller ID=1,Target BSID=2,CID=0等。对该消息进行认证后(这时消息的认证应该送到寻呼控制器A上完成),原来保存在寻呼控制器A(ID=1)上的MSS保留信息通过骨干网转移到寻呼控制器B(ID=2)上;Step 103: MSS initiates the first location update request in the new paging group B, the current BS BSID=2, so the information contained in the location update request is: Paging Controller ID=1, Target BSID=2, CID= 0 etc. After the message is authenticated (at this moment, the authentication of the message should be sent to the paging controller A to complete), the original MSS reservation information stored on the paging controller A (ID=1) is transferred to the paging controller through the backbone network. on device B (ID=2);

步骤104:攻击者(Attacker)在该位置截获MSS发起的这次位置更新请求消息,并保存起来;Step 104: The attacker (Attacker) intercepts the location update request message initiated by the MSS at the location, and saves it;

步骤105:MSS在寻呼组内漫游,最后漫游到BSID=3的小区,中间可能会发起多次位置更新请求,请求消息包含的信息有:Paging ControllerID=2,Target BSID(根据发起位置更新请求时所在的BS而定),CID=0等;Step 105: The MSS roams in the paging group, and finally roams to the cell with BSID=3, and may initiate multiple location update requests in the middle, and the information contained in the request message includes: Paging ControllerID=2, Target BSID (according to the location update request initiated It depends on the BS at the time), CID=0, etc.;

步骤106:MSS从寻呼组B漫游回到寻呼组A;Step 106: MSS roams from paging group B back to paging group A;

步骤107:MSS在寻呼组A内发起位置更新请求,该请求消息包含的信息有:Paging Controller ID=2,Target BSID=4,CID=0等。对消息经过认证后,原来保存在寻呼控制器B(ID=2)上的MSS保留信息通过骨干网转移到寻呼控制器A(ID=1)上;Step 107: The MSS initiates a location update request in the paging group A, and the information contained in the request message includes: Paging Controller ID=2, Target BSID=4, CID=0, etc. After the message is authenticated, the MSS reservation information originally stored on the paging controller B (ID=2) is transferred to the paging controller A (ID=1) through the backbone network;

步骤108:攻击者在MSS漫游到寻呼组B并发起第一次位置更新请求的位置重放它截获的位置更新请求,该重放的请求消息包含的信息有:Paging Controller ID=1,Taget BSID=2,CID=0等。由于这时MSS已经漫游回到寻呼组A,MSS的保留信息也正好存储在寻呼组A的寻呼控制器上,所以重放攻击得以成功,消息经过认证后,保存在寻呼控制器A(ID=1)上的MSS保留信息通过骨干网转移到寻呼控制器B(ID=2)上,而这时MSS的实际位置在寻呼组A中,但系统会认为MSS已经漫游到寻呼组B中,所以会出现寻呼不到MSS的情况。Step 108: The attacker replays the intercepted location update request at the location where the MSS roams to paging group B and initiates the first location update request. The information contained in the replayed request message is: Paging Controller ID=1, Taget BSID=2, CID=0, etc. Since the MSS has roamed back to the paging group A at this time, the reserved information of the MSS is just stored in the paging controller of the paging group A, so the replay attack succeeds, and the message is saved in the paging controller after being authenticated. The MSS reserved information on A (ID=1) is transferred to the paging controller B (ID=2) through the backbone network, and at this time the actual location of the MSS is in the paging group A, but the system will consider that the MSS has roamed to In paging group B, the MSS may not be paged.

从上面的分析可以知道,在空闲模式下,MSS发起位置更新消息时,可以被攻击者截获用于重放攻击,进而会导致终端无法被寻呼到。From the above analysis, we can know that in the idle mode, when the MSS initiates a location update message, it can be intercepted by the attacker for replay attacks, which will cause the terminal to be unable to be paged.

发明内容Contents of the invention

有鉴于此,本发明的主要目的在于提供一种在802.16e系统空闲模式下防止消息重放攻击的方法。In view of this, the main purpose of the present invention is to provide a method for preventing message replay attacks in the idle mode of the 802.16e system.

本发明提供了一种防止重放攻击的方法,用于终端在空闲模式下发起位置更新的过程,第一寻呼控制器保存有终端的注册信息,该方法包括以下步骤:The present invention provides a method for preventing replay attacks, which is used for the terminal to initiate a location update process in idle mode. The first paging controller stores the registration information of the terminal. The method includes the following steps:

A、终端发送位置更新请求消息,该消息至少包含一个认证信息;A. The terminal sends a location update request message, which contains at least one piece of authentication information;

B、第一寻呼控制器接收位置更新请求消息,判断所述认证信息是否使用过,若是,则丢弃该消息,结束;否则响应位置更新操作。B. The first paging controller receives the location update request message, and judges whether the authentication information has been used, and if so, discards the message and ends; otherwise, responds to the location update operation.

其中,所述终端处于第一寻呼控制器区域内,步骤B所述响应位置更新操作为:接受所述位置更新请求消息。Wherein, the terminal is in the area of the first paging controller, and the operation of responding to the location update in step B is: accepting the location update request message.

其中,进一步包括第二寻呼控制器,终端处于第二寻呼控制器区域内;终端和第一寻呼控制器之间的消息通过所述第二寻呼控制器进行中转;步骤B所述响应位置更新操作为:接受所述位置更新请求消息,第一寻呼控制器将保存的终端的注册信息发送给第二寻呼控制器。Wherein, it further includes a second paging controller, the terminal is in the area of the second paging controller; the message between the terminal and the first paging controller is transferred through the second paging controller; described in step B The location update operation in response is: accepting the location update request message, and the first paging controller sends the saved registration information of the terminal to the second paging controller.

其中,终端上保存有序列号,第一寻呼控制器保存的终端注册信息中包含有相同的序列号;步骤A所述认证信息是:将终端所保存的序列号进行一次递增运算所得到的新的序列号;步骤B判断所述认证信息是否使用过的步骤为:判断所述新的序列号是否不大于该寻呼控制器所保存的终端注册信息中包含的序列号;步骤B所述响应位置更新操作的步骤进一步包括:将所保存的终端注册信息中包含的序列号更新为接收到的位置更新请求消息中新的序列号。Wherein, the serial number is saved on the terminal, and the terminal registration information saved by the first paging controller contains the same serial number; the authentication information in step A is obtained by performing an increment operation on the serial number saved by the terminal new serial number; the step of step B judging whether the authentication information has been used is: judging whether the new serial number is not greater than the serial number contained in the terminal registration information saved by the paging controller; The step of responding to the location update operation further includes: updating the serial number contained in the saved terminal registration information to the new serial number in the received location update request message.

其中,步骤A所述认证信息是:终端发送位置更新请求消息时的时间戳;步骤B判断所述认证信息是否使用过的步骤为:判断所述时间戳是否在该寻呼控制器当前时间的允许误差值外。Wherein, the authentication information in step A is: the time stamp when the terminal sends the location update request message; the step of judging whether the authentication information has been used in step B is: judging whether the time stamp is within the current time of the paging controller The allowable error value is outside.

其中,步骤A所述终端发送位置更新请求消息前,进一步包括:使用某算法对所述包含认证信息的位置更新请求消息生成认证码,并携带在所述位置更新请求消息中;步骤B所述接收位置更新请求消息后,进一步包括:使用相同算法对接收到的该位置更新请求消息生成认证码,与该位置更新请求消息中的认证码进行比较认证;若认证失败,则结束,否则继续后续步骤。所述的某算法可为HMAC-Digest算法。Wherein, before the terminal in step A sends the location update request message, it further includes: using an algorithm to generate an authentication code for the location update request message containing authentication information, and carrying it in the location update request message; After receiving the location update request message, it further includes: using the same algorithm to generate an authentication code for the received location update request message, and comparing and authenticating with the authentication code in the location update request message; if the authentication fails, then end, otherwise continue to follow step. Said certain algorithm may be HMAC-Digest algorithm.

其中,步骤B所述响应位置更新操作后进一步包括:D、所述第一寻呼控制器向终端发送响应消息,该响应消息包含其接收到的认证信息;E、终端接收响应消息,判断该消息中的认证信息是否与其发送的位置更新请求消息中的认证信息相同,是,则接收该响应消息,否则丢弃该消息。Wherein, after the operation of responding to the location update in step B, it further includes: D. the first paging controller sends a response message to the terminal, and the response message contains the received authentication information; E. the terminal receives the response message and judges the Whether the authentication information in the message is the same as the authentication information in the location update request message sent, if yes, then receive the response message, otherwise discard the message.

由上述方法可以看出,本发明在位置更新请求消息中加入按一定规则变化的参数,如递增的序列号、时间戳,由寻呼控制器判断该参数是否出现过,来识别出重放消息,并在判断为重放消息时将其丢弃,以进行对重放攻击的抵御。As can be seen from the above method, the present invention adds parameters that change according to certain rules in the location update request message, such as increasing serial numbers and time stamps, and the paging controller judges whether the parameters have occurred to identify the replay message , and discard it when it is judged to be a replay message, so as to resist the replay attack.

附图说明Description of drawings

图1为终端发生位置更新的示意图。FIG. 1 is a schematic diagram of location updating of a terminal.

图2是序列号的位置更新流程图。Fig. 2 is a flow chart of updating the location of the serial number.

图3是使用时间戳的位置更新流程图。Figure 3 is a flowchart of location update using timestamps.

具体实施方式Detailed ways

重放攻击是将先前截获的消息在以后的某个合适的时机不加修改的进行重放,以达到攻击的目的。为了有效的阻止消息的重放攻击,保证发送的消息在足够长的时间里不出现重复是一个有效的方法。The replay attack is to replay the previously intercepted message without modification at a suitable time in the future, so as to achieve the purpose of the attack. In order to effectively prevent message replay attacks, it is an effective method to ensure that the sent messages are not repeated for a long enough time.

实际上,空闲模式下的MSS连续保持空闲模式的时间是有限的,所以只要在消息中加入连续变化并在足够长的一段时间内保持唯一的认证信息,就能有效地阻止攻击者对消息进行重放。因为攻击者在某次交互中截获了MSS发出的位置更新请求消息,它在一定时间里进行重放的话,都会被识别出是个重放的消息,而无法利用这个消息进行重放攻击。而当MSS结束空闲模式进入正常操作模式后,MSS会与网络进行重接入和认证,这时,由于密钥信息的改变,攻击者截获的消息则会彻底失去重放的价值。In fact, the time for an MSS in idle mode to remain in idle mode is limited, so as long as a continuous change is added to the message and the unique authentication information is kept for a long enough period of time, the attacker can effectively prevent the message from being processed. replay. Because the attacker intercepts the location update request message sent by the MSS in a certain interaction, if it is replayed within a certain period of time, it will be recognized as a replayed message, and this message cannot be used to carry out a replay attack. When the MSS ends the idle mode and enters the normal operation mode, the MSS will re-connect and authenticate with the network. At this time, due to the change of the key information, the messages intercepted by the attacker will completely lose the replay value.

下面以一个递增的数值作为连续变化的认证信息为例,并参见图2,对本发明的阻止重放攻击的方法进行详细说明。Taking an increasing numerical value as continuously changing authentication information as an example, and referring to FIG. 2 , the method for preventing replay attacks of the present invention will be described in detail.

预先需要在MSS上设置一个n位(要求n足够大,以保证在足够长的时间内不重复,初始值为0)的数值作为位置更新序列号。MSS请求进入空闲模式时,在当前寻呼组的寻呼控制上将该序列号初始化为0。在MSS空闲状态发起位置更新时,包括以下步骤:It is necessary to set a value of n bits on the MSS in advance (n is required to be large enough to ensure that it does not repeat within a long enough time, and the initial value is 0) as the location update sequence number. When the MSS requests to enter the idle mode, the sequence number is initialized to 0 on the paging control of the current paging group. When the MSS initiates a location update in the idle state, the following steps are included:

步骤201:MSS将自身维护的序列号加1更新,将新的序列号置于位置更新请求消息(RNG-REQ)中,并对该RNG-REQ计算出HMAC-Digest,将HMAC-Digest置于RNG-REQ消息中,一并发送给寻呼控制器B。Step 201: MSS adds 1 to the sequence number maintained by itself, puts the new sequence number in the location update request message (RNG-REQ), calculates the HMAC-Digest for the RNG-REQ, and puts the HMAC-Digest in the location update request message (RNG-REQ). In the RNG-REQ message, it is also sent to paging controller B.

步骤202:寻呼控制器B收到RNG-REQ消息,读取RNG-REQ中记录的寻呼控制器ID(Paging Controller ID),并判断与自身的寻呼控制器ID是否相同,若是,则表示MSS处于本寻呼组内,直接转步骤205;否则,将请求消息转发给RNG-REQ中记录的寻呼控制器ID对应的原寻呼控制器A,执行下一步。Step 202: Paging controller B receives the RNG-REQ message, reads the paging controller ID (Paging Controller ID) recorded in the RNG-REQ, and judges whether it is the same as its own paging controller ID, if so, then Indicates that the MSS is in the paging group, go directly to step 205; otherwise, forward the request message to the original paging controller A corresponding to the paging controller ID recorded in the RNG-REQ, and execute the next step.

步骤203:原寻呼控制器A接收到RNG-REQ,读取出该消息中的位置更新序列号,与自己所保存的该MSS的注册信息中的位置更新序列号进行比较,若读取的RNG-REQ中的序列号小于或等于所保存的序列号,则认为该RNG-REQ是一个重放消息而将其丢弃,并结束当前位置更新过程;Step 203: The original paging controller A receives the RNG-REQ, reads the location update sequence number in the message, compares it with the location update sequence number in the registration information of the MSS saved by itself, if the read If the sequence number in the RNG-REQ is less than or equal to the saved sequence number, then consider that the RNG-REQ is a replay message and discard it, and end the current location update process;

若读取的RNG-REQ中的序列号大于所保存的序列号,则认为该RNG-REQ是一个新的位置更新请求消息,寻呼控制器A用保存的该MSS的注册信息中的密钥对RNG-REQ消息进行认证,认证通过后,生成位置更新成功的响应消息,并在响应消息中包含所接收的RNG-REQ中的序列号并计算HMAC-Digest。同时,寻呼控制器A并用所接收的RNG-REQ中的序列号替换原保存的序列号。If the sequence number in the read RNG-REQ is greater than the saved sequence number, then it is considered that the RNG-REQ is a new location update request message, and the paging controller A uses the key in the saved registration information of the MSS The RNG-REQ message is authenticated, and after the authentication is passed, a response message of successful location update is generated, and the sequence number in the received RNG-REQ is included in the response message and HMAC-Digest is calculated. At the same time, paging controller A replaces the original saved sequence number with the sequence number in the received RNG-REQ.

步骤204:寻呼控制器A将保存的该MSS的注册信息和该位置更新响应消息传送给寻呼控制器B,寻呼控制器B接收并保存所述MSS的注册信息,以及向MSS转发位置更新响应消息,同时,原寻呼控制器A删除其保存的MSS的注册信息,转步骤206。Step 204: Paging controller A transmits the saved registration information of the MSS and the location update response message to paging controller B, and paging controller B receives and saves the registration information of the MSS, and forwards the location to the MSS The response message is updated, and at the same time, the original paging controller A deletes the MSS registration information saved by it, and then goes to step 206 .

步骤205:寻呼控制器B接收RNG-REQ消息,判断是否是消息重放攻击,若是,则将其丢弃,并结束当前位置更新过程;否则进行认证后生成相应的响应信息,寻呼控制器B并用新的序列号替换更新原保存的序列号。该步骤和步骤203所述过程相同,故未具体描述。Step 205: The paging controller B receives the RNG-REQ message, judges whether it is a message replay attack, if so, discards it, and ends the current location update process; otherwise, generates corresponding response information after authentication, and the paging controller B and replace and update the original saved serial number with the new serial number. This step is the same as the process described in step 203, so it is not described in detail.

步骤206:MSS在收到响应消息后,判断消息中的序列号和发送的请求消息中的序列号是否相同。如果相同,表明是一个正确的响应,否则,将其丢弃。Step 206: After receiving the response message, the MSS judges whether the sequence number in the message is the same as that in the sent request message. If the same, it is a correct response, otherwise, it is discarded.

当MSS结束空闲模式并与某个BS成功进行了重接入后,通知当前寻呼控制器删除保存的序列号。上述是以递增的序列号为例进行说明,不难理解,递增的幅度并不局限于上述的1,并且当递增的幅度为负值时,便相当于递减。When the MSS ends the idle mode and successfully re-connects with a certain BS, it notifies the current paging controller to delete the stored sequence number. The above is an example of an incremented serial number. It is not difficult to understand that the increment range is not limited to the above-mentioned 1, and when the increment range is a negative value, it is equivalent to a decrement.

通过上述过程,由于重放消息的序列号记录必然不大于寻呼控制器上记录的序列号,因此可以识别出重放消息而进行防御这种重放攻击。Through the above process, since the sequence number record of the replayed message must not be greater than the sequence number recorded on the paging controller, the replayed message can be identified to defend against this replay attack.

下面再以时间戳作为连续变化的认证信息为例,并参见图3,对本发明的阻止重放攻击的方法进一步详细说明。Next, taking the time stamp as the continuously changing authentication information as an example, and referring to FIG. 3 , the method for preventing replay attacks of the present invention is further described in detail.

采用这种方法的前提是:要求802.16e系统中所有的寻呼控制器都在时钟上达到同步,这一点在现实中已经可以实现,例如,MSS在漫游到新的寻呼组时,通过接收该寻呼组的广播消息,并根据该消息中的时钟便可以和新的寻呼控制器获得时钟同步。The premise of adopting this method is that all the paging controllers in the 802.16e system are required to be synchronized on the clock, which can be realized in reality. For example, when the MSS roams to a new paging group, it will receive The broadcast message of the paging group, and the clock synchronization with the new paging controller can be obtained according to the clock in the message.

采用这种方法,需要修改802.16e中位置更新请求(RNG-REQ)和响应(RNG-RSP)消息的格式,在消息中增加时间戳的TLV(Type Length Value)编码。在802.16协议中增加时间戳的TLV编码(Timestamp Encoding),时间戳的格式可以如下表1所示:  类型Type  长度Length   值Value  4   格式为年-月-日时:分:秒,或为从当年第一天0时刻开始计时的秒数等。(The time information such as yy-mm-dd hh:mm:ss or thenumber of seconds from the 00:00:00 of the first day of thisyear etc.) Using this method, it is necessary to modify the format of the location update request (RNG-REQ) and response (RNG-RSP) messages in 802.16e, and add the TLV (Type Length Value) code of the time stamp to the message. The TLV encoding (Timestamp Encoding) of the timestamp is added to the 802.16 protocol, and the format of the timestamp can be shown in Table 1 below: TypeType LengthLength value 4 The format is year-month-day hour:minute:second, or the number of seconds counted from 0:00 on the first day of the year, etc. (The time information such as yy-mm-dd hh:mm:ss or the number of seconds from the 00:00:00 of the first day of this year etc.)

                                表1 Table 1

在MSS空闲状态发起位置更新时,包括以下步骤:When the MSS initiates a location update in the idle state, the following steps are included:

步骤301:MSS发送位置更新请求消息(RNG-REQ)时,MSS在消息中加入时间戳(Timestamp)信息,并对整个消息体进行HMAC-Digest计算,一并发送给寻呼控制器B。Step 301: When MSS sends a location update request message (RNG-REQ), MSS adds Timestamp (Timestamp) information to the message, performs HMAC-Digest calculation on the entire message body, and sends it to paging controller B together.

步骤302:寻呼控制器B判断MSS是否处于本寻呼组内(判断方法参见步骤202),是,则直接转步骤305;否则,将请求消息转发给RNG-REQ中记录的寻呼控制器ID对应的原寻呼控制器A,执行下一步。Step 302: Paging controller B judges whether the MSS is in the paging group (see step 202 for the judging method), if yes, then directly go to step 305; otherwise, forward the request message to the paging controller recorded in the RNG-REQ For the original paging controller A corresponding to the ID, go to the next step.

步骤303:原寻呼控制器A接收到RNG-REQ,读取出该消息中的时间戳,与自己的时钟进行相比,若在限定的时间差额范围外,则认为该RNG-REQ是一个重放消息而将其丢弃,并结束当前位置更新过程;Step 303: The original paging controller A receives the RNG-REQ, reads the time stamp in the message, and compares it with its own clock. If it is outside the limited time difference range, the RNG-REQ is considered to be a Replay the message and discard it, and end the current location update process;

若在限定的时间差额范围内(如在几十秒内),则认为该RNG-REQ是一个新的消息,寻呼控制器A用保存的该MSS的注册信息中的密钥对RNG-REQ消息进行认证,认证通过后,生成位置更新成功的响应消息,并在响应消息中包含所接收的时间戳并计算HMAC-Digest。If it is within the limited time difference range (such as within tens of seconds), then it is considered that the RNG-REQ is a new message, and the paging controller A pairs the RNG-REQ with the key in the registered information of the MSS saved. The message is authenticated, and after the authentication is passed, a response message of successful location update is generated, and the received timestamp is included in the response message and HMAC-Digest is calculated.

步骤304:寻呼控制器A将保存的该MSS的注册信息和该位置更新响应消息传送给寻呼控制器B,寻呼控制器B接收并保存所述MSS的注册信息,以及向MSS转发位置更新响应消息,同时,原寻呼控制器A删除其保存的MSS的注册信息,转步骤306。Step 304: Paging controller A transmits the saved registration information of the MSS and the location update response message to paging controller B, and paging controller B receives and saves the registration information of the MSS, and forwards the location to the MSS The response message is updated, and at the same time, the original paging controller A deletes the MSS registration information saved by it, and goes to step 306 .

步骤305:寻呼控制器B判断是否是重放消息,判断方法与步骤303相同。并且在判断为重放消息时,结束;判断为不是重放消息时,生成响应消息发送给MSS。Step 305: The paging controller B judges whether it is a replay message, and the judging method is the same as step 303. And when it is judged to be a replay message, it ends; when it is judged not to be a replay message, a response message is generated and sent to the MSS.

步骤306:MSS在收到响应消息后,判断消息中的时间戳和发送的请求消息中的时间戳是否相同。如果相同,表明是一个正确的响应,否则,将其丢弃。Step 306: After receiving the response message, the MSS judges whether the time stamp in the message is the same as the time stamp in the sent request message. If the same, it is a correct response, otherwise, it is discarded.

关于步骤206、306,MSS对该响应消息的判断不会对位置更新过程产生任何影响。但是MSS可以根据该消息中的其它信息,决定在空闲模式下的行为(如什么时候醒来接收寻呼消息等)。这些过程和本专利关系不大,故此处不再详述。Regarding steps 206 and 306, the judgment of the MSS on the response message will not have any impact on the location update process. But the MSS can decide the behavior in the idle mode (such as when to wake up to receive the paging message, etc.) according to other information in the message. These processes have little to do with this patent, so they will not be described in detail here.

通过上述过程,由于重放消息的时间戳记录的时刻不会与寻呼控制器上的时间相同(在时间差范围内),因此可以识别出重放消息而进行防御这种攻击。Through the above process, since the time recorded by the time stamp of the replayed message will not be the same as the time on the paging controller (within the range of time difference), the replayed message can be identified to defend against this attack.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the scope of the present invention. within the scope of protection.

Claims (8)

1、一种防止重放攻击的方法,用于终端在空闲模式下发起位置更新的过程,第一寻呼控制器保存有终端的注册信息,其特征在于,该方法包括以下步骤:1. A method for preventing replay attacks, which is used for the terminal to initiate a location update process in idle mode, the first paging controller saves the registration information of the terminal, and it is characterized in that the method includes the following steps: A、终端发送位置更新请求消息,该消息至少包含一个认证信息;A. The terminal sends a location update request message, which contains at least one piece of authentication information; B、第一寻呼控制器接收位置更新请求消息,判断所述认证信息是否使用过,若是,则丢弃该消息,结束;否则响应位置更新操作。B. The first paging controller receives the location update request message, and judges whether the authentication information has been used, and if so, discards the message and ends; otherwise, responds to the location update operation. 2、根据权利要求1所述的方法,其特征在于,所述终端处于第一寻呼控制器区域内,步骤B所述响应位置更新操作为:接受所述位置更新请求消息。2. The method according to claim 1, wherein the terminal is in the area of the first paging controller, and the operation of responding to location updating in step B is: accepting the location updating request message. 3、根据权利要求1所述的方法,其特征在于,进一步包括第二寻呼控制器,终端处于第二寻呼控制器区域内;终端和第一寻呼控制器之间的消息通过所述第二寻呼控制器进行中转;3. The method according to claim 1, further comprising a second paging controller, the terminal is in the area of the second paging controller; messages between the terminal and the first paging controller pass through the The second paging controller performs relay; 步骤B所述响应位置更新操作为:接受所述位置更新请求消息,第一寻呼控制器将保存的终端的注册信息发送给第二寻呼控制器。The operation of responding to location update in step B is: accepting the location update request message, and the first paging controller sends the stored terminal registration information to the second paging controller. 4、根据权利要求1所述的方法,其特征在于,终端上保存有序列号,第一寻呼控制器保存的终端注册信息中包含有相同的序列号;4. The method according to claim 1, wherein the terminal stores a serial number, and the terminal registration information stored by the first paging controller contains the same serial number; 步骤A所述认证信息是:将终端所保存的序列号进行一次递增运算所得到的新的序列号;The authentication information described in step A is: a new serial number obtained by performing an incremental operation on the serial number stored in the terminal; 步骤B判断所述认证信息是否使用过的步骤为:判断所述新的序列号是否不大于该寻呼控制器所保存的终端注册信息中包含的序列号;The step of step B judging whether the authentication information has been used is: judging whether the new serial number is not greater than the serial number contained in the terminal registration information saved by the paging controller; 步骤B所述响应位置更新操作的步骤进一步包括:将所保存的终端注册信息中包含的序列号更新为接收到的位置更新请求消息中新的序列号。The step of responding to the location update operation in step B further includes: updating the serial number contained in the stored terminal registration information to the new serial number in the received location update request message. 5、根据权利要求1所述的方法,其特征在于,5. The method of claim 1, wherein: 步骤A所述认证信息是:终端发送位置更新请求消息时的时间戳;The authentication information described in step A is: the timestamp when the terminal sends the location update request message; 步骤B判断所述认证信息是否使用过的步骤为:判断所述时间戳是否在该寻呼控制器当前时间的允许误差值外。Step B: The step of judging whether the authentication information has been used is: judging whether the time stamp is outside the allowable error value of the current time of the paging controller. 6、根据权利要求1、4或5所述的方法,其特征在于,6. A method according to claim 1, 4 or 5, characterized in that, 步骤A所述终端发送位置更新请求消息前,进一步包括:使用某算法对所述包含认证信息的位置更新请求消息生成认证码,并携带在所述位置更新请求消息中;Before the terminal in step A sends the location update request message, it further includes: using an algorithm to generate an authentication code for the location update request message containing authentication information, and carry it in the location update request message; 步骤B所述接收位置更新请求消息后,进一步包括:使用相同算法对接收到的该位置更新请求消息生成认证码,与该位置更新请求消息中的认证码进行比较认证;若认证失败,则结束,否则继续后续步骤。After receiving the location update request message in step B, it further includes: using the same algorithm to generate an authentication code for the received location update request message, and comparing and authenticating with the authentication code in the location update request message; if the authentication fails, then end , otherwise continue to the next step. 7、根据权利要求6所述的方法,其特征在于,所述的某算法为HMAC-Digest算法。7. The method according to claim 6, characterized in that said certain algorithm is an HMAC-Digest algorithm. 8、根据权利要求1所述的方法,其特征在于,步骤B所述响应位置更新操作后进一步包括:8. The method according to claim 1, further comprising: D、所述第一寻呼控制器向终端发送响应消息,该响应消息包含其接收到的认证信息;D. The first paging controller sends a response message to the terminal, and the response message includes the received authentication information; E、终端接收响应消息,判断该消息中的认证信息是否与其发送的位置更新请求消息中的认证信息相同,是,则接收该响应消息,否则丢弃该消息。E. The terminal receives the response message, and judges whether the authentication information in the message is the same as the authentication information in the location update request message sent, if yes, then receives the response message, otherwise discards the message.
CNB2004100913463A 2004-11-19 2004-11-19 Method of Preventing Message Replay Attack in Idle Mode Expired - Fee Related CN100397945C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100913463A CN100397945C (en) 2004-11-19 2004-11-19 Method of Preventing Message Replay Attack in Idle Mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100913463A CN100397945C (en) 2004-11-19 2004-11-19 Method of Preventing Message Replay Attack in Idle Mode

Publications (2)

Publication Number Publication Date
CN1780468A true CN1780468A (en) 2006-05-31
CN100397945C CN100397945C (en) 2008-06-25

Family

ID=36770541

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100913463A Expired - Fee Related CN100397945C (en) 2004-11-19 2004-11-19 Method of Preventing Message Replay Attack in Idle Mode

Country Status (1)

Country Link
CN (1) CN100397945C (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102132521A (en) * 2009-06-30 2011-07-20 松下电器产业株式会社 Data exchange processing device and data exchange processing method
CN103259768A (en) * 2012-02-17 2013-08-21 中兴通讯股份有限公司 Method, system and device of message authentication
CN112335213A (en) * 2018-04-16 2021-02-05 瑞典爱立信有限公司 Method for secure handling of early data transmissions
US20210117961A1 (en) * 2019-10-18 2021-04-22 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11481851B2 (en) 2019-10-18 2022-10-25 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11481852B2 (en) 2019-10-18 2022-10-25 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6594253B1 (en) * 1998-09-29 2003-07-15 Ericsson Inc. System and method for mobility management for an internet telephone call to a mobile terminal
US6980658B1 (en) * 1999-09-30 2005-12-27 Qualcomm Incorporated Method and apparatus for encrypting transmissions in a communication system
KR100431700B1 (en) * 2002-08-16 2004-05-17 엘지전자 주식회사 System And Method For Synchronizing Time Between SGSN And GGSN
CN1545295A (en) * 2003-11-17 2004-11-10 中国科学院计算技术研究所 A User-Oriented Remote Access Control Method for Network File System

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102132521A (en) * 2009-06-30 2011-07-20 松下电器产业株式会社 Data exchange processing device and data exchange processing method
CN102132521B (en) * 2009-06-30 2014-09-24 松下电器产业株式会社 Data exchange processing device and data exchange processing method
CN103259768A (en) * 2012-02-17 2013-08-21 中兴通讯股份有限公司 Method, system and device of message authentication
CN103259768B (en) * 2012-02-17 2018-06-19 中兴通讯股份有限公司 A kind of message authentication method, system and device
CN112335213A (en) * 2018-04-16 2021-02-05 瑞典爱立信有限公司 Method for secure handling of early data transmissions
CN112335213B (en) * 2018-04-16 2023-04-04 瑞典爱立信有限公司 Method for the secure processing of early data transmissions
US20210117961A1 (en) * 2019-10-18 2021-04-22 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11481851B2 (en) 2019-10-18 2022-10-25 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11481852B2 (en) 2019-10-18 2022-10-25 Landis+Gyr Innovations, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11790349B2 (en) * 2019-10-18 2023-10-17 Landis+Gyr Technology, Inc. Secure tokens for controlling access to a resource in a resource distribution network
US11915330B2 (en) 2019-10-18 2024-02-27 Landis+Gyr Technology, Inc. Secure tokens for controlling access to a resource in a resource distribution network
AU2020367794B2 (en) * 2019-10-18 2025-08-07 Landis+Gyr Technology, Inc. Secure tokens for controlling access to a resource in a resource distribution network

Also Published As

Publication number Publication date
CN100397945C (en) 2008-06-25

Similar Documents

Publication Publication Date Title
US11546752B2 (en) System and method for user equipment identification and communications
CN101790210B (en) System and method for optimizing handover in mobile communication system
US8248924B2 (en) Uplink access method of mobile communication system
CN101606421A (en) Apparatus, method and computer program product for providing signaling of inter-Node B cell status information
US20100189026A1 (en) Control channel reception method for receiving broadcast or multicast sevice
US8200254B2 (en) Method for improving paging success ratio in broad bandwith wireless communication system
CN1636375A (en) Time stamp-based replay protection and packet data service node synchronization method in packet control function
CN102860078A (en) Related to the failure event report of distributed wireless access ad hoc network
CN102084674A (en) Ways to Provide Location Privacy
CN101610506A (en) Method and device for preventing network security from being out of step
CN1960567A (en) Communication method for terminal to enter to and exit from idle mode
CN1780468A (en) Method for preventing message from repeating and attacking under idle mode
EP1969783A2 (en) Communications methods and apparatus for using a single logical link with multiple physical layer connections
CN100518394C (en) Location update method under the idle mode
CN100562165C (en) Include hashed service identifiers in paging messages for service group calls
CN1771718A (en) Security methods for use in a wireless communications system
CN1599484A (en) Group system group key managing method
CN1802018A (en) Message authentication method
CN100411484C (en) A method for implementing message flow control in communication equipment
CN1794873A (en) Method of controlling position renewing
CN1909716A (en) Method for dynamic update of user information in colony system
CN1780469A (en) Method for preventing message from repeating and attacking under idle mode
CN102316440B (en) A kind of location updating method and device
CN1717102A (en) Method for realizing position updating process
CN100521820C (en) Method for checking distance measurement requirement information and wireless access network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080625

Termination date: 20131119