CN Security Optimization
ISSUE 1.0
www.huawei.com
Concept
Why are authentication and encryption needed in a mobile network?
Definition
Authentication -- Whenever an MS requests access to a network, the network must authenticate the MS. Authentication verifies the identity and validity of the SIM card to the network and ensures that the subscriber is authorized to access the network.
HUAWEI TECHNOLOGIES CO., LTD.
Encryption -- In order to ensure the secrecy of subscriber information (speech service or non-speech service), the GSM/UMTS system adopts an encryption process when exchanging information between the BTS/NodeB and the MS.
[Figure: GSM authentication and ciphering flow between HLR/AuC, MSC/VLR, BTS and MS]
- HLR/AuC: stores the authentication key Ki of all subscribers; the AuC generates the authentication triplet (RAND, SRES, Kc) according to the A3 and A8 algorithms and delivers the triplet to the VLR upon the VLR's request.
- MSC/VLR: temporarily stores the authentication triplets of all accessed subscribers.
- SIM card: holds the same Ki; from RAND it computes SRES (algorithm A3) and Kc (algorithm A8).
- Ciphering: the network sends the Encryption mode command; the MS derives the keystream with algorithm A5 from Kc and the TDMA frame number and returns Encryption mode complete. When the BTS succeeds in decrypting the Encryption mode complete message, encryption mode is finished.
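The GSM flow sketched in the figure above, as an added example that is not part of the Huawei material. HMAC-SHA256 truncations stand in for the operator's A3/A8 algorithms and for A5; those stand-ins, the helper names and the constructed Ki are assumptions for illustration, not the real COMP128/A5 ciphers. The point the code makes explicit is that the SIM answers any RAND it is given and never checks who sent it.

```python
# Added example (not from the Huawei material): the GSM challenge/response
# flow. HMAC-SHA256 stands in for A3/A8 and A5 (assumption for illustration,
# not the real COMP128/A5 algorithms).
import hashlib
import hmac
import secrets

RAND_LEN = 16   # 128-bit challenge
SRES_LEN = 4    # 32-bit signed response
KC_LEN = 8      # 64-bit cipher key


def a3(ki, rand):
    """Stand-in A3: SRES = f(Ki, RAND)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8(ki, rand):
    """Stand-in A8: Kc = f(Ki, RAND)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


def auc_generate_triplet(ki, rand=None):
    """AuC side: the HLR/AuC holds Ki, picks RAND and returns the triplet
    (RAND, SRES, Kc) that the VLR caches for this subscriber."""
    rand = rand if rand is not None else secrets.token_bytes(RAND_LEN)
    return rand, a3(ki, rand), a8(ki, rand)


def sim_respond(ki, rand):
    """SIM side: answer whatever RAND arrives. Nothing here lets the MS check
    who sent RAND; that one-way property is what UMTS AKA later fixes."""
    return a3(ki, rand), a8(ki, rand)


def vlr_verify(triplet, sres_from_ms):
    """MSC/VLR side: compare the MS's SRES with the SRES stored in the triplet."""
    _, expected_sres, _ = triplet
    return hmac.compare_digest(expected_sres, sres_from_ms)


def a5_keystream(kc, frame_number, length):
    """Stand-in A5: keystream from Kc and the 22-bit TDMA frame number."""
    if not 0 <= frame_number < (1 << 22):
        raise ValueError("TDMA frame number is 22 bits")
    out = b""
    counter = 0
    while len(out) < length:
        msg = frame_number.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def a5_cipher(kc, frame_number, data):
    """Encrypt or decrypt one burst: XOR with the per-frame keystream."""
    ks = a5_keystream(kc, frame_number, len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def gsm_authenticate_and_cipher(ki_auc, ki_sim, frame_number, payload):
    """Whole flow: AuC triplet -> VLR challenge -> SIM response -> VLR check
    -> one ciphered burst from MS to BTS. ki_sim differs from ki_auc when the
    SIM in the handset is not the subscriber's."""
    triplet = auc_generate_triplet(ki_auc)
    rand, _, kc_network = triplet
    sres, kc_ms = sim_respond(ki_sim, rand)
    if not vlr_verify(triplet, sres):
        return {"authenticated": False, "decrypted": None}
    ciphertext = a5_cipher(kc_ms, frame_number, payload)        # MS encrypts
    plaintext = a5_cipher(kc_network, frame_number, ciphertext)  # BTS decrypts
    return {"authenticated": True, "decrypted": plaintext}
```

The keystream changes with every TDMA frame even though Kc is fixed for the whole connection, which is why the frame number is an A5 input; a triplet that is reused (see the VLR "reuse times" parameter later on this page) reuses both RAND and Kc.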
[Figure: UMTS authentication and key agreement between home network, serving network and mobile station]
- Home network (HLR/AuC): generates SQN and RAND and computes, with the subscriber key K, MAC = f1(K, SQN, RAND, AMF), XRES = f2(K, RAND), CK = f3(K, RAND), IK = f4(K, RAND) and AK = f5(K, RAND). AUTN = (SQN xor AK) || AMF || MAC. The authentication vector AV = (RAND, XRES, CK, IK, AUTN) is sent to the serving network.
- Serving network (MSC/VLR or SGSN): sends RAND and AUTN to the mobile station and compares the returned RES with XRES.
- Mobile station (USIM): computes AK = f5(K, RAND), recovers SQN = (SQN xor AK) xor AK, computes XMAC = f1(K, SQN, RAND, AMF) and checks XMAC = MAC, checks that SQN is fresh, then computes RES = f2(K, RAND), CK = f3(K, RAND) and IK = f4(K, RAND) and returns RES.
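The AKA exchange in the figure above, as an added example that is not part of the Huawei material. HMAC-SHA256 truncations stand in for f1 to f5 (real USIMs use MILENAGE or TUAK), the SQN freshness rule is a strict increase rather than the full 3GPP acceptance window, and the constructed K and helper names are assumptions for illustration. It shows both rejections the USIM can raise: MAC failure (the network is not authenticated) and synchronisation failure (a replayed or stale vector).

```python
# Added example (not from the Huawei material): UMTS AKA with AUTN checking.
# f1..f5 are HMAC-SHA256 stand-ins (assumption), not MILENAGE/TUAK.
import hashlib
import hmac
import secrets

SQN_LEN = 6   # 48-bit sequence number
AK_LEN = 6    # 48-bit anonymity key
AMF_LEN = 2   # 16-bit authentication management field
MAC_LEN = 8   # 64-bit message authentication code
RES_LEN = 8
KEY_LEN = 16  # CK and IK are 128 bits


def _f(k, tag, data, n):
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _f(k, b"f1", rand + sqn + amf, MAC_LEN)
def f2(k, rand): return _f(k, b"f2", rand, RES_LEN)
def f3(k, rand): return _f(k, b"f3", rand, KEY_LEN)
def f4(k, rand): return _f(k, b"f4", rand, KEY_LEN)
def f5(k, rand): return _f(k, b"f5", rand, AK_LEN)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def home_network_generate_av(k, sqn, amf=b"\x00\x00", rand=None):
    """HLR/AuC: one authentication vector AV = (RAND, XRES, CK, IK, AUTN),
    with AUTN = (SQN xor AK) || AMF || MAC."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


class USIM:
    """Mobile station side. sqn_ms is the highest SQN accepted so far."""

    def __init__(self, k, sqn_ms=0):
        self.k = k
        self.sqn_ms = sqn_ms

    def authenticate(self, rand, autn):
        sqn_ak = autn[:SQN_LEN]
        amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
        mac = autn[SQN_LEN + AMF_LEN:]
        sqn = xor(sqn_ak, f5(self.k, rand))          # recover SQN with AK
        xmac = f1(self.k, rand, sqn, amf)
        if not hmac.compare_digest(xmac, mac):
            return "MAC failure", None               # network not authenticated
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            return "synchronisation failure", None   # replayed or stale vector
        self.sqn_ms = sqn_int
        return "ok", {"RES": f2(self.k, rand), "CK": f3(self.k, rand),
                      "IK": f4(self.k, rand)}


def serving_network_check(av, res):
    """MSC/VLR or SGSN: the MS is authenticated when RES equals XRES."""
    return res is not None and hmac.compare_digest(av["XRES"], res)


def run_aka(k_home, k_usim, sqn, usim=None, rand=None):
    """Full exchange; returns (usim_status, network_accepts, keys_match)."""
    usim = usim if usim is not None else USIM(k_usim)
    av = home_network_generate_av(k_home, sqn.to_bytes(SQN_LEN, "big"), rand=rand)
    status, out = usim.authenticate(av["RAND"], av["AUTN"])
    accepted = serving_network_check(av, out["RES"] if out else None)
    keys_match = bool(out) and out["CK"] == av["CK"] and out["IK"] == av["IK"]
    return status, accepted, keys_match
```

Compared with the GSM flow, the USIM now refuses to answer when the MAC does not verify, so a false base station that does not hold K cannot obtain RES or make the handset derive keys; the SQN check stops a recorded (RAND, AUTN) pair from being replayed.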
[Figure: UMTS ciphering with f8]
- Sender (UE or RNC): f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH) produces the KEYSTREAM BLOCK; CIPHERTEXT BLOCK = PLAINTEXT BLOCK xor KEYSTREAM BLOCK.
- Receiver (RNC or UE): the same f8 inputs produce the same KEYSTREAM BLOCK; PLAINTEXT BLOCK = CIPHERTEXT BLOCK xor KEYSTREAM BLOCK.
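The f8 ciphering in the figure above, as an added example that is not part of the Huawei material. HMAC-SHA256 in counter mode stands in for the KASUMI-based f8 keystream generator and the byte layout of the inputs is an assumption for illustration; the input set (CK, COUNT-C, BEARER, DIRECTION, LENGTH) and the bit widths are those of UMTS. The last function shows why COUNT-C must never repeat for the same bearer and direction.

```python
# Added example (not from the Huawei material): f8-style stream ciphering.
# HMAC-SHA256 counter mode is a stand-in for the real f8 (assumption).
import hashlib
import hmac

UPLINK, DOWNLINK = 0, 1   # DIRECTION: 0 = UE to RNC, 1 = RNC to UE


def f8_keystream(ck, count_c, bearer, direction, length):
    """KEYSTREAM BLOCK of `length` bytes from CK and (COUNT-C, BEARER, DIRECTION, LENGTH)."""
    if not 0 <= count_c < (1 << 32):
        raise ValueError("COUNT-C is 32 bits")
    if not 0 <= bearer < (1 << 5):
        raise ValueError("BEARER is 5 bits")
    if direction not in (UPLINK, DOWNLINK):
        raise ValueError("DIRECTION is 1 bit")
    params = (count_c.to_bytes(4, "big") + bytes([(bearer << 1) | direction])
              + length.to_bytes(4, "big"))
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(ck, params + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def f8_apply(ck, count_c, bearer, direction, data):
    """Sender: CIPHERTEXT = PLAINTEXT xor KEYSTREAM. The receiver makes the
    identical call on the ciphertext and gets the plaintext back."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def keystream_reuse_leak(ct_a, ct_b):
    """Two blocks ciphered under the same (CK, COUNT-C, BEARER, DIRECTION):
    XOR of the ciphertexts equals XOR of the plaintexts, the keystream cancels."""
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))
```

COUNT-C is the per-bearer counter that the RLC/MAC layer advances for every block, so the same CK gives a different keystream for every block, for uplink and downlink, and for each radio bearer; the decryption works on the RNC because it tracks the same counter, which is also why the cipher terminates there rather than at the NodeB.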
UMTS security
Protection against active attacks on the radio interface
New integrity mechanism added to protect critical signaling information
on the radio interface
Enhanced authentication protocol provides mutual authentication and
freshness of cipher/integrity key towards the user
Compared with the 3G network, the 2G network has no authentication of the network by the MS: the MS answers any RAND it receives and cannot tell a genuine network from a false base station
Enhanced encryption
Stronger algorithm, longer key
Encryption terminates in the radio network controller rather than the base
station
Core network security
Some protection of signaling between network nodes
Potential for secure global roaming
Adoption of 3GPP authentication by TIA TR-45 / 3GPP2
SET MAPPARA
TMSI reallocation with cipher
This parameter specifies whether MSOFTX3000 needs to send the cipher mode
command to the BSC or RNC if the MSOFTX3000 reallocates the TMSI to a mobile
subscriber during the authentication of service access or location update
Authset numbers required
The parameter is valid only when the MAP version of the MSOFTX3000 is MAP phase 2+.
During network authentication for service access and location update of a subscriber, if the MSOFTX3000 needs to send a Send Authentication Information message to require the HLR/AuC to allocate authentication sets, the parameter specifies the number of authentication sets that the MSOFTX3000 requires the HLR/AuC to send at once. Value range: 0-5.
MOD VLRCFG
Authentication set reuse times:
It specifies the number of times an authentication set stored in the memory of the VLR is reused. It is valid for 2G networks only. Value range: 0 - 255. Reusing a set means the same RAND and Kc are used again for a later authentication, so a value above 0 trades air-interface security for less HLR signalling.
To query the number of valid authentication sets for a subscriber, run DSP USRINF.
Remained AV when parallel get AV:
It specifies the number of remaining authentication vectors at which the MSOFTX3000 starts obtaining new authentication sets in parallel during location update or service access, so that the subscriber is not left without a usable set. Value range: 1 - 3
MOD AUTHCFG
If a carrier requires the MSOFTX3000 to execute the authentication flow
according to a proportion for the requests of location update and service access
to improve the network security, run MOD AUTHCFG to modify authentication
configuration parameters. Currently, the MSOFTX3000 provides 17 authentication
options for the carrier
SET MAPACCFG
2G Cipher
During the authentication of service access and location update of a mobile
subscriber, it specifies whether the MSOFTX3000 sends the Cipher mode command
to the BSC on the access network side, that is, whether the MSOFTX3000 requires
the access network to cipher radio channel (air interface)
Cipher algorithm
The parameter is valid when the MSOFTX3000 commands the access network to cipher the radio channel. It indicates the cipher algorithm carried in the Cipher mode command that the MSOFTX3000 sends to the BSC or RNC on the access network side
MOD TIMER
MM_MTN_WAIT_INIT_AUTH
The timer determines the duration for the MM module to wait for an
Authentication_Response message in response to an Authentication_Request
message. The authentication procedure has been started by the network. The timer
T3260 is running.
MOD TIMER: MPID=138, TMRIDX=0, TMRSEQ=2, TMRVAL=5;
MM_MTN_WAIT_INIT_CIPH
After sending a security message including ciphering key(s) to a mobile station, MM
module starts this timer to limit the time before completing the procedure from the
mobile station.
MOD TIMER: MPID=138, TMRIDX=0, TMRSEQ=3, TMRVAL=5;
Basic Information
Key performance indexes (KPIs)
The key performance indexes (KPIs) are used to reflect the quality of
service (QoS) of the network and the performance of the equipment on
the network.
The KPI system is formulated to help:
Understand the performance measurement system for communication
equipment.
Establish performance evaluation systems.
Optimize the services and equipment based on the performance
measurement results.
Security service measurement points (all counters belong to the Authentication measurement unit):

Measurement Point   Measurement Entity
P1                  AUTH Requests
P2                  AUTH Failures due to Illegal SRES
P2                  TMSI-based AUTH Failures due to Illegal SRES
P2                  Negative AUTH Responses by Subscribers
P2                  AUTH No Response
KPI formula and what each KPI points to:
- AUTHSET of HLR rate = AUTHSET Receipt from the HLR / AUTHSET Requests to the HLR. When it drops: check interworking between MSC and HLR; impact on LU.
- AUTHSET of PVLR rate = AUTHSET Receipt from the PVLR / AUTHSET Requests to the PVLR. When it drops: check interworking between MSCs; impact on inter-MSC LU.
- AUTH Succ rate = AUTH Success Times / AUTH Request Times. When it drops: check interworking between MSC and BSC/RNC; impact on service access.
- AUTH Failures due to Illegal SRES: an inconsistent XRES or SRES causes the failure (the response from the MS does not match the value in the authentication set).
- AUTH No Response: the MSC waits for an authentication response and the MSC timeout occurs.
- Other authentication failures: the MSC receives a Clear Request or Release from the BSC/RNC during the procedure.
Authentication counters per MSC and date (times):

MSC-Date       AUTHSET    AUTHSET    AUTHSET    AUTHSET    AUTH       AUTH      AUTH       AUTH       Negative AUTH
               Receipt    Receipt    Requests   Requests   Failures   No        Request    Success    Responses by
               from HLR   from PVLR  to HLR     to PVLR    (Illegal   Response  Times      Times      Subscribers
                                                           SRES)
MHAN04H10/06   800543     248545     821607     296181     1773       2         9154832    9060826    4695
MHAN04H11/06   805013     277637     826041     327553     1719       1         9408344    9308414    3630
MHAN04H12/06   801553     272677     823032     321587     2092       30        9225804    9121637    6729
MHAN04H13/06   784826     270703     804699     320443     1541       80        9144115    9044334    6548
MHAN04H14/06   771492     267792     788967     318373     1083       0         9090011    8990861    8994
MHAN04H15/06   768813     277986     786528     329834     1147       2         8953049    8854549    4749
MHAN04H16/06   754944     280504     772026     336440     1211       0         8812575    8713344    3705
Authentication rates per MSC and date:

MSC-Date       AUTHSET of  AUTHSET of  AUTH Succ  AUTH Failures   Negative AUTH      AUTH Failures
               HLR rate    PVLR rate   rate       due to Illegal  Responses by       due to Others
                                                  SRES rate       Subscribers rate   rate
MHAN04H10/06   97.44%      83.92%      98.97%     0.02%           0.05%              0.96%
MHAN04H11/06   97.45%      84.76%      98.94%     0.02%           0.04%              1.01%
MHAN04H12/06   97.39%      84.79%      98.87%     0.02%           0.07%              1.03%
MHAN04H13/06   97.53%      84.48%      98.91%     0.02%           0.07%              1.00%
MHAN04H14/06   97.79%      84.11%      98.91%     0.01%           0.10%              0.98%
MHAN04H15/06   97.75%      84.28%      98.90%     0.01%           0.05%              1.03%
MHAN04H16/06   97.79%      83.37%      98.87%     0.01%           0.04%              1.07%
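The arithmetic behind the two tables above, as an added example that is not part of the Huawei material: it recomputes the rates from the raw MHAN04 counters printed on this page (two of the seven rows are copied in) and flags the ones that cross a limit. The alert thresholds, the counter field names and the flag function are assumptions chosen for illustration, not Huawei or 3GPP recommended values.

```python
# Added example (not from the Huawei material): recompute the authentication
# KPIs from raw counters and flag the ones that need a check.

# Counters copied from the table above (two of the seven rows).
COUNTERS = {
    "MHAN04H10/06": dict(authset_rx_hlr=800543, authset_rx_pvlr=248545,
                         authset_req_hlr=821607, authset_req_pvlr=296181,
                         auth_fail_illegal_sres=1773, auth_no_response=2,
                         auth_requests=9154832, auth_success=9060826,
                         negative_auth_responses=4695),
    "MHAN04H14/06": dict(authset_rx_hlr=771492, authset_rx_pvlr=267792,
                         authset_req_hlr=788967, authset_req_pvlr=318373,
                         auth_fail_illegal_sres=1083, auth_no_response=0,
                         auth_requests=9090011, auth_success=8990861,
                         negative_auth_responses=8994),
}

# Assumed thresholds (illustrative), in percent.
THRESHOLDS = {
    "authset_hlr_rate": 95.0,        # below: check MSC-HLR interworking (LU)
    "authset_pvlr_rate": 90.0,       # below: check MSC-MSC interworking (inter-MSC LU)
    "auth_succ_rate": 98.0,          # below: check MSC-BSC/RNC interworking (service access)
    "illegal_sres_rate": 0.05,       # above: inconsistent XRES/SRES (Ki provisioning, wrong SIMs)
    "negative_response_rate": 0.20,  # above: MS-side rejections during authentication
}
LOWER_IS_BAD = {"authset_hlr_rate", "authset_pvlr_rate", "auth_succ_rate"}


def pct(numerator, denominator):
    """Percentage rounded to two places, as printed in the rate table."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def compute_kpis(c):
    """AUTHSET rates are receipts over requests; the rest are over AUTH
    Request Times. 'others' is whatever the named failure counters leave
    unexplained, which is how the table's last column comes out."""
    others = (c["auth_requests"] - c["auth_success"]
              - c["auth_fail_illegal_sres"] - c["negative_auth_responses"])
    return {
        "authset_hlr_rate": pct(c["authset_rx_hlr"], c["authset_req_hlr"]),
        "authset_pvlr_rate": pct(c["authset_rx_pvlr"], c["authset_req_pvlr"]),
        "auth_succ_rate": pct(c["auth_success"], c["auth_requests"]),
        "illegal_sres_rate": pct(c["auth_fail_illegal_sres"], c["auth_requests"]),
        "negative_response_rate": pct(c["negative_auth_responses"], c["auth_requests"]),
        "others_rate": pct(others, c["auth_requests"]),
    }


def flag(kpis, thresholds=THRESHOLDS):
    """Names of the KPIs that cross their threshold, in threshold order."""
    out = []
    for name, limit in thresholds.items():
        value = kpis[name]
        if name in LOWER_IS_BAD and value < limit:
            out.append(name)
        elif name not in LOWER_IS_BAD and value > limit:
            out.append(name)
    return out


def report(counters=COUNTERS):
    """One line per MSC/date with the KPIs and the checks they trigger."""
    return {key: (compute_kpis(c), flag(compute_kpis(c))) for key, c in counters.items()}
```

With the rows on this page the only KPI that trips is the AUTHSET of PVLR rate (about 84 per cent against a 97 per cent HLR rate), which under the mapping above points at inter-MSC interworking rather than at the HLR link or at subscribers' SIMs.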
Encryption KPIs
1. Based on LAC
Encryption Requested - LU
Encryption Requested - Service
Encryption Successfully - LU
Encryption Succ rate
% Auth or Encryption is failure with SMS
2. Based on call
Authentication Failures
Total Traffic of the Office
% Auth or Encryption is failure with call
Security Analysis
How is the cipher algorithm chosen on the network?
Which network element decides which cipher algorithm is used?
Security optimization
1.
2.
3.
4.
Thank You
www.huawei.com