CN108924841B - Security protection method and device, mobile terminal, base station and MME (mobility management entity) equipment


Info

Publication number
CN108924841B
Authority
CN
China
Prior art keywords
nas
signaling
mobile terminal
base station
rrc
Legal status
Active
Application number
CN201710164866.XA
Other languages
Chinese (zh)
Other versions
CN108924841A
Inventor
阮航
王小旭
王曦泽
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a security protection method, a device, a mobile terminal, a base station and MME equipment for non-access stratum NAS rejection signaling, wherein the method comprises the following steps: acquiring a first NAS rejection signaling sent by a Mobility Management Entity (MME) device; establishing a Radio Resource Control (RRC) security context with the mobile terminal according to the first NAS rejection signaling; the mobile terminal sends an NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request. The invention can solve the problem that the base station does not analyze the NAS signaling and directly transmits the NAS signaling, so that a user is forcibly connected to pseudo base station equipment and is attacked by the pseudo base station when entering the coverage range of the pseudo base station.

Description

Technical Field
The invention relates to the technical field of wireless communication, in particular to a security protection method and device for non-access stratum (NAS) rejection signaling, a mobile terminal, a base station and MME equipment.
Background
At present, pseudo base stations that attract users by transmitting a high-power signal have been found in the live network. The user's mobile phone is forcibly connected to the pseudo base station device, so the phone cannot normally use the services provided by the operator; typically the phone is disconnected from the network for 8-12 seconds and then recovers, and some phones must be switched off and on again before they can re-access the network. In addition, the presence of a pseudo base station causes mobile phone users to update their location frequently, so that wireless network resources in the area run short and network congestion occurs, which greatly affects the user experience.
The pseudo base stations currently in existence include 4G pseudo base stations and 2G pseudo base stations. The 2G pseudo base station is set to a GSM (Global System for Mobile Communications) frequency point of the operator and transmits a high-power signal. When a user enters the coverage range of the pseudo base station, the high-power 4G pseudo base station attracts the user and triggers the user to initiate a Tracking Area Update (TAU) request; the 4G pseudo base station rejects the TAU and redirects the user to 2G through an RRC (Radio Resource Control) Connection Release that carries the GSM frequency point as high priority, after which the high-power 2G pseudo base station attracts the user.
Therefore, in the prior art, because the base station does not parse NAS signaling and transparently forwards it, when a user enters the coverage area of a pseudo base station, the user is forcibly connected to the pseudo base station device and maliciously attacked, which affects the user experience.
Disclosure of Invention
The technical scheme of the invention aims to provide a security protection method and device for non-access stratum NAS rejection signaling, a mobile terminal, a base station and MME equipment so as to prevent a user from being attacked by a pseudo base station.
The invention provides a security protection method for non-access stratum (NAS) rejection signaling, which is applied to a base station, wherein the method comprises the following steps:
acquiring a first NAS rejection signaling sent by a Mobility Management Entity (MME) device;
establishing a Radio Resource Control (RRC) security context with the mobile terminal according to the first NAS rejection signaling; the mobile terminal sends an NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request.
Preferably, after the step of establishing a radio resource control (RRC) security context with the mobile terminal according to the first NAS reject signaling, the method further includes:
issuing a second NAS reject signaling to the mobile terminal.
Preferably, in the security protection method, the step of acquiring the first NAS reject signaling sent by the mobility management entity (MME) device includes:
receiving an initial context setup request message sent by the MME device, wherein the initial context setup request message carries NAS signaling and a NAS reject indication;
determining, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the first NAS reject signaling.
Preferably, the step of establishing a radio resource control (RRC) security context with the mobile terminal according to the first NAS reject signaling includes:
saving the security capability parameters and the key of the mobile terminal recorded in the first NAS reject signaling;
sending an RRC security mode establishment instruction to the mobile terminal;
receiving the RRC security mode completion message fed back by the mobile terminal, and establishing a radio resource control (RRC) security context with the mobile terminal.
The embodiment of the invention also provides another security protection method for non-access stratum (NAS) reject signaling, which is applied to a mobile terminal, wherein the method comprises the following steps:
after sending a NAS request to an MME device, receiving a NAS reject signaling;
determining whether an established radio resource control (RRC) security context exists;
generating connection exception information when the RRC security context does not exist.
Preferably, after generating the connection exception information, the method further includes:
when receiving an RRC connection release message carrying a GSM frequency point, refusing to redirect to any cell other than the current cell according to the received RRC connection release message.
Preferably, after the step of determining whether an established radio resource control (RRC) security context exists, the method further includes:
when it is determined that the RRC security context exists and an RRC connection release message carrying a GSM frequency point is received, redirecting to another cell other than the current cell according to the received RRC connection release message.
Preferably, before the step of receiving a NAS reject signaling, the method further includes:
sending a NAS request to an MME device, wherein the NAS request comprises an access request message or a tracking area update request message.
The embodiment of the invention also provides another security protection method for non-access stratum (NAS) reject signaling, which is applied to MME equipment, wherein the method comprises the following steps:
receiving a NAS request sent by a mobile terminal;
sending, according to the NAS request, a NAS reject signaling for rejecting the NAS request to the base station corresponding to the mobile terminal.
Preferably, in the security protection method, in the step of sending a NAS reject signaling for rejecting the NAS request to the base station corresponding to the mobile terminal:
sending an initial context setup request message to the base station; wherein the initial context setup request message carries NAS signaling and a NAS reject indication, and the NAS reject indication indicates that the NAS signaling is the NAS reject signaling.
Preferably, in the step of receiving a NAS request sent by a mobile terminal, the NAS request is an access request message or a tracking area update request message.
The embodiment of the invention also provides a security protection device for non-access stratum (NAS) reject signaling, which is applied to a base station, wherein the device comprises:
a signaling obtaining module, configured to obtain a first NAS reject signaling sent by a mobility management entity (MME) device;
a first processing module, configured to establish a radio resource control (RRC) security context with the mobile terminal according to the first NAS reject signaling; the mobile terminal sends a NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request.
Preferably, the security protection device further comprises:
a first signaling sending module, configured to send a second NAS reject signaling to the mobile terminal.
Preferably, in the security protection device, the signaling obtaining module includes:
a first message receiving unit, configured to receive an initial context setup request message sent by the MME device, wherein the initial context setup request message carries NAS signaling and a NAS reject indication;
an indication confirming unit, configured to determine, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the first NAS reject signaling.
Preferably, in the security protection device, the first processing module includes:
a storage unit, configured to store the security capability parameters and the key of the mobile terminal recorded in the first NAS reject signaling;
an indication sending unit, configured to issue an RRC security mode establishment indication to the mobile terminal;
a second message receiving unit, configured to receive the RRC security mode completion message fed back by the mobile terminal and establish a radio resource control (RRC) security context with the mobile terminal.
The invention also provides a base station, which comprises the security protection device.
The embodiment of the invention also provides another security protection device for non-access stratum (NAS) reject signaling, which is applied to a mobile terminal, wherein the device comprises:
a reject signaling receiving module, configured to receive a NAS reject signaling after a NAS request is sent to the MME device;
a judging module, configured to determine whether an established radio resource control (RRC) security context exists;
an information generation module, configured to generate connection exception information when the RRC security context does not exist.
Preferably, the security protection device further comprises:
a second processing module, configured to refuse, when an RRC connection release message carrying a GSM frequency point is received, to redirect to any cell other than the current cell according to the received RRC connection release message.
Preferably, the security protection device further comprises:
a third processing module, configured to redirect to another cell other than the current cell according to the received RRC connection release message when it is determined that the RRC security context exists and an RRC connection release message carrying a GSM frequency point is received.
Preferably, the security protection device further comprises:
a request message sending module, configured to send a NAS request to an MME device, where the NAS request includes an access request message or a tracking area update request message.
The invention also provides a mobile terminal, which comprises the security protection device.
The invention also provides another security protection device for non-access stratum NAS rejection signaling, which is applied to Mobility Management Entity (MME) equipment, wherein the device comprises:
the request receiving module is used for receiving the NAS request sent by the mobile terminal;
and a second signaling sending module, configured to send, according to the NAS request, NAS reject signaling for rejecting the NAS request to a base station corresponding to the mobile terminal.
Preferably, the security protection apparatus, wherein the second signaling sending module is specifically configured to:
sending an initial context setup request message to the base station; wherein the initial context setup request message carries NAS signaling and a NAS reject indication, and the NAS reject indication indicates that the NAS signaling is the NAS reject signaling.
Preferably, the NAS request received by the request receiving module is an access request message or a tracking area update request message.
The invention also provides Mobility Management Entity (MME) equipment, which comprises the security protection device.
At least one of the above technical solutions of the specific embodiment of the present invention has the following beneficial effects:
according to the method and device provided by the embodiment of the invention, when an MME (core network) rejects a NAS request of a mobile terminal, it sends a NAS reject signaling to the base station, and when the base station receives the NAS reject signaling, it establishes an RRC (radio resource control) security context with the mobile terminal. In this way the NAS reject signaling that rejects the NAS request is introduced at the S1 interface between the MME and the base station, and the base station establishes an RRC-layer security context according to the NAS reject signaling, so that the NAS reject signaling is protected and 4G security is enhanced. This solves the problem that, when the base station does not parse NAS signaling and transparently forwards it, a user entering the coverage range of a pseudo base station is forcibly connected to the pseudo base station device and attacked by it.
Drawings
Fig. 1 is a schematic flow chart of a security protection method according to a first embodiment of the present invention;
Fig. 2 is a schematic flow chart of a security protection method according to a second embodiment of the present invention;
Fig. 3 is a schematic flow chart of a security protection method according to a third embodiment of the present invention;
Fig. 4 is a schematic flow chart of a security protection method according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a security protection device according to a fifth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a security protection device according to a sixth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a security protection device according to a seventh embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved by the embodiments of the present invention clearer, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
Example one
The security protection method for non-access stratum (NAS) reject signaling according to the first embodiment of the present invention is applied to a base station, and as shown in Fig. 1, the method includes:
S110, acquiring a first NAS reject signaling sent by a mobility management entity (MME) device;
S120, establishing a radio resource control (RRC) security context with the mobile terminal according to the first NAS reject signaling; the mobile terminal sends a NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request.
In the security protection method according to the first embodiment of the present invention, when the MME device (core network) rejects a NAS request of a mobile terminal, it sends a first NAS reject signaling to the base station, and when the base station receives the first NAS reject signaling, it establishes an RRC security context with the mobile terminal. In this way the NAS reject signaling that rejects the NAS request is introduced at the S1 interface between the MME device and the base station, and the base station establishes an RRC-layer security context according to the NAS reject signaling, so that the NAS reject signaling is protected and 4G security is enhanced. This solves the problem that, when the base station does not parse NAS signaling and transparently forwards it, a user entering the coverage area of a pseudo base station is forcibly connected to the pseudo base station device and attacked by it.
Specifically, in the first embodiment, after the RRC security context is established with the mobile terminal in step S120, the security protection method further includes:
issuing a second NAS reject signaling to the mobile terminal.
After receiving the second NAS reject signaling sent by the base station, the mobile terminal determines whether an established RRC security context exists; if not, it determines that the connection is abnormal and generates connection exception information, and further, when it receives an RRC connection release message carrying a GSM frequency point, it refuses to redirect to any cell other than the current cell according to that message, so as to avoid being connected to a pseudo base station.
In addition, in step S110, the step of acquiring the first NAS reject signaling sent by the mobility management entity (MME) device includes:
receiving an initial context setup request message sent by the MME device, wherein the initial context setup request message carries NAS signaling and a NAS reject indication;
determining, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the first NAS reject signaling.
Specifically, the NAS reject indication carried in the initial context setup request message sent by the MME device may occupy one bit and is visible to the base station, so that the base station can determine, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the NAS reject signaling.
Further, in step S120, the step of establishing the radio resource control (RRC) security context with the mobile terminal according to the first NAS reject signaling includes:
saving the security capability parameters and the key of the mobile terminal recorded in the first NAS reject signaling;
sending an RRC security mode establishment instruction to the mobile terminal;
receiving the RRC security mode completion message fed back by the mobile terminal, and establishing a radio resource control (RRC) security context with the mobile terminal.
Through the above steps, an RRC security context is established between the base station and the mobile terminal.
In another aspect of the embodiments of the present invention, a mobile terminal sends an NAS request to an MME device, and the MME device sends a first NAS reject signaling to a base station when rejecting the NAS request, where the NAS request sent by the mobile terminal to the MME device may be an access (Attach) request message or a Tracking Area Update (TAU) request message.
In the security protection method according to the first embodiment of the present invention, 4G security is enhanced through the above process, and a security protection mechanism for NAS reject signaling in the 4G network is provided: the MME equipment needs to send the NAS reject signaling to the base station, and the base station establishes an RRC security context according to the received NAS reject signaling, so as to prevent a user who has been attracted to a 4G pseudo base station from being redirected to a 2G pseudo base station.
Example two
The security protection method for non-access stratum NAS reject signaling according to the second embodiment of the present invention is applied to a mobile terminal, and as shown in fig. 2, the method includes:
S210, after sending a NAS request to the MME equipment, receiving a NAS reject signaling;
S220, determining whether an established radio resource control (RRC) security context exists;
S230, generating connection exception information when the RRC security context does not exist.
Further, after step S230, the method further includes:
when receiving an RRC connection release message carrying a GSM frequency point, refusing to redirect to any cell other than the current cell according to the received RRC connection release message.
In this way a security protection mechanism for NAS reject signaling in the 4G network is formed: after the mobile terminal receives the NAS reject signaling, it must first determine whether an established RRC security context exists; if not, it generates connection exception information, and when an RRC connection release message carrying a GSM frequency point is received, the mobile terminal refuses to be redirected to any cell other than the current cell, so that a terminal attracted to a 4G pseudo base station is not redirected to a 2G pseudo base station.
In addition, in another aspect of the method according to the embodiment of the present invention, after step S220, the method further includes:
and when the RRC security context exists and an RRC connection release message carrying the GSM frequency point is received, redirecting to another cell except the current cell according to the received RRC connection release message.
After step S220, when it is determined that the RRC security context exists, the connection is determined to be normal, and the mobile terminal can be redirected to another cell other than the current cell according to the received RRC connection release message.
In addition, in step S210, before the step of receiving a NAS reject signaling, the method further includes:
sending a NAS request to an MME device, wherein the NAS request comprises an access (Attach) request message or a Tracking Area Update (TAU) request message.
In step S210, the received NAS reject signaling is sent by the base station or the MME device according to the NAS request.
In the security protection method according to the second embodiment of the present invention, after receiving the NAS reject signaling, the mobile terminal first determines whether an established RRC security context exists, and if not, determines that an exception exists, so that the NAS reject signaling is protected and a user attracted to a 4G pseudo base station is not redirected to a 2G pseudo base station.
Example three
The security protection method for non-access stratum (NAS) reject signaling according to the third embodiment of the present invention is applied to a mobility management entity (MME) device, and as shown in Fig. 3, the method includes:
S310, receiving a NAS request sent by a mobile terminal;
S320, sending, according to the NAS request, a NAS reject signaling for rejecting the NAS request to the base station corresponding to the mobile terminal.
The security protection method in the foregoing embodiment enhances 4G security: when rejecting the NAS request of the mobile terminal, the MME device needs to send a NAS reject signaling to the base station, so that the base station establishes an RRC security context according to the received NAS reject signaling, thereby preventing a user attracted to a 4G pseudo base station from being redirected to a 2G pseudo base station.
Preferably, in step S320, in the step of sending a NAS reject signaling for rejecting the NAS request to the base station corresponding to the mobile terminal:
sending an initial context setup request message to the base station; wherein the initial context setup request message carries NAS signaling and a NAS reject indication, and the NAS reject indication indicates that the NAS signaling is the NAS reject signaling.
Specifically, the NAS reject indication carried in the initial context setup request message sent by the MME device may occupy one bit and is visible to the base station, so that the base station can determine, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the NAS reject signaling.
In addition, in step S310, in the step of receiving the NAS request transmitted by the mobile terminal, the NAS request is an access request message or a tracking area update request message.
In the security protection method according to the third embodiment of the present invention, when rejecting the NAS request of the mobile terminal, the MME device needs to send a NAS reject signaling to the base station, so that the base station establishes an RRC security context according to the received NAS reject signaling. The NAS reject signaling is thereby protected, 4G security is enhanced, and a user attracted to a 4G pseudo base station is prevented from being redirected to a 2G pseudo base station.
Example four
With reference to Fig. 4, when the mobile terminal, the base station and the MME device each adopt the security protection method for non-access stratum (NAS) reject signaling according to the embodiment of the present invention, the method specifically includes the following steps:
S410, the mobile terminal sends a NAS request to the MME equipment through the base station;
S420, the MME device sends an initial context setup request message to the base station corresponding to the mobile terminal, wherein the initial context setup request message carries NAS signaling and a NAS reject indication, and the NAS reject indication indicates that the NAS signaling is a NAS reject signaling (such as an Attach reject or a TAU reject);
S430, the base station determines, according to the received initial context setup request message and the NAS reject indication in it, that the carried NAS signaling is a NAS reject signaling, and saves the security capability parameters and the key of the mobile terminal recorded in the initial context setup request message;
S440, the base station sends an RRC security mode establishment instruction to the mobile terminal;
S450, the base station receives the RRC security mode completion message fed back by the mobile terminal and establishes a radio resource control (RRC) security context with the mobile terminal;
S460, the base station sends the NAS reject signaling to the mobile terminal;
S470, the mobile terminal receives the NAS reject signaling, determines whether an established RRC security context exists, and determines that the connection is abnormal if no established RRC security context exists.
With this process, 4G security can be enhanced and security protection of NAS reject signaling in the 4G network is realized, which solves the problem that, when the base station does not parse NAS signaling and transparently forwards it, a user entering the coverage range of a pseudo base station is forcibly connected to the pseudo base station device and attacked by it.
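As an added example that is not part of the patent, the following Python simulation walks through the flow of Example four (steps S410 to S470) together with the terminal-side check of Example two: the MME flags the NAS reject, the base station establishes RRC security before delivering it, and the terminal refuses a GSM redirect only when no RRC security context exists. All class, message and field names, the placeholder key and the channel number 62 are constructed for illustration and are not 3GPP definitions.

```python
from dataclasses import dataclass
from typing import List, Optional

# All message types below are constructed for this example; they are not the
# 3GPP ASN.1 definitions of the S1AP / RRC messages they stand in for.


@dataclass
class InitialContextSetupRequest:
    """S1 message from the MME to the base station (Examples one and three)."""
    nas_pdu: str                          # e.g. "ATTACH_REJECT" or "TAU_REJECT"
    nas_reject_indication: bool           # the one-bit NAS reject indication
    ue_security_capabilities: List[str]   # security capability parameters
    key: bytes                            # key material the base station stores


@dataclass
class RrcConnectionRelease:
    """RRC connection release, optionally redirecting the terminal elsewhere."""
    redirect_rat: Optional[str] = None    # "GSM" models a carried GSM frequency point
    redirect_arfcn: Optional[int] = None  # constructed placeholder channel number


class MME:
    """Example three: reject a NAS request and flag the reject to the base station."""
    _REJECTS = {"ATTACH_REQUEST": "ATTACH_REJECT", "TAU_REQUEST": "TAU_REJECT"}

    def reject_nas_request(self, request: str) -> InitialContextSetupRequest:
        if request not in self._REJECTS:
            raise ValueError(f"unsupported NAS request {request!r}")
        return InitialContextSetupRequest(
            nas_pdu=self._REJECTS[request],
            nas_reject_indication=True,           # S420: mark the NAS PDU as a reject
            ue_security_capabilities=["EEA2", "EIA2"],
            key=bytes(32),                        # constructed placeholder key
        )


class UE:
    """Example two: a terminal that checks for an RRC security context on NAS reject."""

    def __init__(self) -> None:
        self.rrc_security_context: Optional[dict] = None
        self.connection_exception = False

    def on_security_mode_command(self, caps: List[str], key: bytes) -> str:
        # S440/S450: accept the RRC security mode and confirm completion.
        self.rrc_security_context = {"caps": caps, "key": key}
        return "RRC_SECURITY_MODE_COMPLETE"

    def on_nas_pdu(self, pdu: str) -> None:
        # S470: a NAS reject that arrives with no RRC security context is abnormal.
        if pdu.endswith("_REJECT") and self.rrc_security_context is None:
            self.connection_exception = True

    def on_rrc_connection_release(self, release: RrcConnectionRelease) -> str:
        if release.redirect_rat is None:
            return "IDLE"
        if release.redirect_rat == "GSM" and self.connection_exception:
            return "STAY"                          # refuse to leave the current cell
        return f"REDIRECT:{release.redirect_rat}:{release.redirect_arfcn}"


class BaseStation:
    """Example one: establish RRC security before delivering a flagged NAS reject."""

    def __init__(self) -> None:
        self.stored_caps: Optional[List[str]] = None
        self.stored_key: Optional[bytes] = None

    def on_initial_context_setup(self, msg: InitialContextSetupRequest, ue: UE) -> bool:
        if msg.nas_reject_indication:                      # S430
            self.stored_caps = msg.ue_security_capabilities
            self.stored_key = msg.key
            reply = ue.on_security_mode_command(self.stored_caps, self.stored_key)
            if reply != "RRC_SECURITY_MODE_COMPLETE":      # S450 must succeed first
                return False
        ue.on_nas_pdu(msg.nas_pdu)                         # S460
        return True


def run_protected_flow() -> str:
    """Example four end to end: MME, base station and terminal all apply the method."""
    ue, enb, mme = UE(), BaseStation(), MME()
    icsr = mme.reject_nas_request("TAU_REQUEST")           # S410/S420
    enb.on_initial_context_setup(icsr, ue)                 # S430-S460
    # With a security context in place the terminal treats a GSM redirect as legitimate.
    return ue.on_rrc_connection_release(RrcConnectionRelease("GSM", 62))


def run_unprotected_flow() -> str:
    """Prior-art behaviour: the reject reaches the terminal with no RRC security context."""
    ue = UE()
    ue.on_nas_pdu("TAU_REJECT")                            # transparently forwarded reject
    return ue.on_rrc_connection_release(RrcConnectionRelease("GSM", 62))


if __name__ == "__main__":
    print("protected  :", run_protected_flow())            # REDIRECT:GSM:62
    print("unprotected:", run_unprotected_flow())          # STAY
```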
Example five
An embodiment of the present invention provides a security protection device for non-access stratum NAS reject signaling, which is applied to a base station, and referring to fig. 5, the security protection device includes:
a signaling obtaining module, configured to obtain a first NAS reject signaling sent by a mobility management entity MME device;
the first processing module is used for establishing a Radio Resource Control (RRC) security context with the mobile terminal according to the first NAS rejection signaling; the mobile terminal sends an NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request.
In the security protection device according to the fifth embodiment of the present invention, an NAS reject signaling for rejecting an NAS request is introduced to an S1 interface between an MME device and a base station, and the base station establishes an RRC layer security context according to the NAS reject signaling to protect the NAS reject signaling rejecting the NAS request, so as to enhance 4G security, thereby solving a problem that the NAS signaling is not analyzed and directly transparently transmitted by the base station, so that a user is forcibly connected to a pseudo base station device and is attacked by the pseudo base station when entering a coverage area of the pseudo base station.
Preferably, as shown in fig. 5, the apparatus further includes:
and the first signaling sending module is used for sending the second NAS rejection signaling to the mobile terminal.
After receiving the second NAS reject signaling sent by the base station, the mobile terminal determines whether an established RRC security context exists; if not, it determines that the connection is abnormal and generates connection exception information, and further, when it receives an RRC connection release message carrying a GSM frequency point, it refuses to redirect to any cell other than the current cell according to that message, so as to avoid being connected to a pseudo base station.
Specifically, the signaling obtaining module includes:
a first message receiving unit, configured to receive an initial context setup request message sent by the MME device; wherein the initial context establishment request message carries NAS signaling and an NAS rejection indication;
an indication confirming unit, configured to determine, according to the NAS rejection indication, that the NAS signaling carried in the initial context setup request message is the first NAS rejection signaling.
Specifically, the NAS reject indication carried in the initial context setup request message sent by the MME device may occupy one bit and is visible to the base station, so that the base station can determine, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is the NAS reject signaling.
With further reference to fig. 5, the first processing module comprises:
a storage unit, configured to store the mobile terminal security capability parameter and the key recorded in the first NAS reject signaling;
an indication sending unit, configured to issue an RRC security mode establishment indication to the mobile terminal;
and the second message receiving unit is used for receiving the RRC security mode completion message fed back by the mobile terminal and establishing a Radio Resource Control (RRC) security context with the mobile terminal.
The embodiment of the invention also provides a base station comprising the safety protection device. The specific structure of a base station including the above safety protection device will be understood by those skilled in the art and is not described in detail herein.
EXAMPLE six
An embodiment of the present invention provides a security protection device for rejecting signaling in a non-access stratum NAS, which is applied to a mobile terminal, and as shown in fig. 6, the security protection device includes:
the rejection signaling receiving module is used for receiving an NAS rejection signaling after the NAS request is sent to the MME device;
the judging module is used for judging whether the established radio resource control RRC security context exists or not;
and the information generation module is used for generating abnormal connection information when the RRC security context does not exist.
With the safety protection device of this embodiment of the invention, after the mobile terminal receives the NAS rejection signaling it must judge whether an established RRC security context exists; if not, an anomaly exists. The NAS rejection signaling is thereby protected, and the mobile terminal is prevented from being redirected to a 2G pseudo base station after being lured onto a 4G pseudo base station.
Thus, in connection with fig. 6, the apparatus further comprises:
and the second processing module is used for refusing to redirect to another cell except the current cell according to the received RRC connection release message when the RRC connection release message carrying the GSM frequency point is received.
In addition, the apparatus further comprises:
and the third processing module is used for redirecting to another cell except the current cell according to the received RRC connection release message when the RRC security context is judged to exist and the RRC connection release message carrying the GSM frequency point is received.
Furthermore, the apparatus further comprises:
a request message sending module, configured to send a NAS request to an MME device, where the NAS request includes an access request message or a tracking area update request message.
With the safety protection device of this embodiment of the invention, after the mobile terminal receives the NAS rejection signaling it must judge whether an established RRC security context exists; if none exists, it determines that an anomaly exists, and when it receives an RRC connection release message carrying a GSM frequency point it refuses to redirect to another cell except the current cell, so that the terminal is not redirected to a 2G pseudo base station after being lured onto a 4G pseudo base station.
The embodiment of the invention also provides a mobile terminal comprising the safety protection device. A mobile terminal including the above security protection device will be understood by those skilled in the art and is not described in detail herein.
EXAMPLE seven
A seventh embodiment of the present invention provides a security protection device for non-access stratum NAS reject signaling, which is applied to a mobility management entity MME device, and as shown in fig. 7, the security protection device includes:
the request receiving module is used for receiving the NAS request sent by the mobile terminal;
and a second signaling sending module, configured to send, according to the NAS request, NAS reject signaling for rejecting the NAS request to a base station corresponding to the mobile terminal.
In the security protection apparatus of the foregoing embodiment, when rejecting the NAS request of the mobile terminal, the MME device must send an NAS reject signaling to the base station, so that the base station establishes an RRC security context according to the received NAS reject signaling, thereby preventing the user from being redirected to a 2G pseudo base station after being lured onto a 4G pseudo base station.
Preferably, the second signaling sending module is specifically configured to:
sending an initial context setup request message to the base station; wherein the initial context setup request message carries NAS signaling and a NAS reject indication, and the NAS reject indication indicates that the NAS signaling is the NAS reject signaling.
In addition, the NAS request received by the request receiving module is an access request message or a tracking area update request message.
An embodiment of the present invention further provides a mobility management entity MME apparatus including the security protection device described in any of the above. An MME apparatus including the security protection device described above will be understood by those skilled in the art and is not described in detail here.
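The exchange the fifth, sixth and seventh embodiments describe, modelled end to end as an added example in Python (not code from the patent; the message classes and field names are assumptions, and the sample key, security capability string and GSM frequency point are constructed values):

```python
from dataclasses import dataclass
from typing import Optional

# Constructed message types standing in for the S1 and RRC messages named in
# the embodiments (hypothetical field names, not the 3GPP ASN.1 definitions).
@dataclass
class InitialContextSetupRequest:        # MME -> base station, S1 interface
    nas_pdu: str                         # the NAS reject signaling itself
    nas_reject_indication: bool          # the one-bit indication visible to the base station
    ue_security_capability: str
    key: bytes

@dataclass
class RrcConnectionRelease:              # base station -> mobile terminal
    redirect_gsm_frequency: Optional[int]  # GSM frequency point, if the release carries one

class BaseStation:
    """Legitimate base station: sends the NAS reject only after RRC security is established."""
    def __init__(self):
        self.stored = None               # storage unit: (security capability, key)

    def handle_initial_context_setup(self, req, ue):
        if not req.nas_reject_indication:
            ue.receive_nas_reject(req.nas_pdu)   # other NAS PDUs keep the existing path
            return
        # first processing module: store parameters, then run the RRC security mode procedure
        self.stored = (req.ue_security_capability, req.key)
        if not ue.receive_rrc_security_mode_command(req.key):
            raise RuntimeError("RRC security mode procedure did not complete")
        # first signaling sending module: the second NAS reject signaling
        ue.receive_nas_reject(req.nas_pdu)

class MobileTerminal:
    def __init__(self):
        self.rrc_security_context = None
        self.connection_abnormal = False

    def receive_rrc_security_mode_command(self, key):
        self.rrc_security_context = key  # context established
        return True                      # RRC security mode complete message

    def receive_nas_reject(self, nas_pdu):
        # judging module + information generation module
        if self.rrc_security_context is None:
            self.connection_abnormal = True

    def receive_rrc_connection_release(self, msg):
        """True if the terminal follows the redirection, False if it refuses."""
        if msg.redirect_gsm_frequency is None:
            return True
        if self.rrc_security_context is None:
            return False                 # second processing module: refuse the 2G redirection
        return True                      # third processing module: redirect as instructed

def legitimate_reject_flow():
    """MME rejects the NAS request; base station secures RRC before forwarding the reject."""
    ue, enb = MobileTerminal(), BaseStation()
    req = InitialContextSetupRequest("ATTACH REJECT", True, "EEA1,EIA1", b"\x01" * 32)
    enb.handle_initial_context_setup(req, ue)        # constructed MME-side message
    release = RrcConnectionRelease(redirect_gsm_frequency=950)  # constructed frequency point
    return ue.connection_abnormal, ue.receive_rrc_connection_release(release)

def pseudo_base_station_flow():
    """What the terminal sees from a rogue cell: a NAS reject with no RRC security context."""
    ue = MobileTerminal()
    ue.receive_nas_reject("ATTACH REJECT")
    release = RrcConnectionRelease(redirect_gsm_frequency=950)
    return ue.connection_abnormal, ue.receive_rrc_connection_release(release)
```

In the legitimate flow the terminal records no anomaly and follows the GSM redirection; in the rogue-cell flow it flags the abnormal connection and refuses to leave the current cell.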
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (15)

1. A security protection method of non-access stratum (NAS) rejection signaling is applied to a base station, and is characterized in that the method comprises the following steps:
receiving an initial context establishment request message sent by MME equipment; the initial context establishment request message carries NAS signaling and NAS rejection indication; wherein, the mobile terminal sends NAS request to the MME equipment, and the MME equipment sends the initial context establishment request message to the base station when rejecting the NAS request; the NAS request is an access request message or a tracking area updating request message;
determining that the NAS signaling carried in the initial context establishment request message is a first NAS rejection signaling according to the NAS rejection indication;
establishing a Radio Resource Control (RRC) security context with the mobile terminal according to the first NAS rejection signaling;
and issuing a second NAS rejection signaling to the mobile terminal.
2. The security protection method according to claim 1, wherein the step of establishing a radio resource control, RRC, security context with the mobile terminal according to the first NAS reject signaling comprises:
saving the security capability parameters and the secret key of the mobile terminal recorded in the first NAS rejection signaling;
sending an RRC security mode establishment instruction to the mobile terminal;
and receiving the RRC safety mode completion message fed back by the mobile terminal, and establishing a Radio Resource Control (RRC) safety context with the mobile terminal.
3. A security protection method of non-access stratum (NAS) rejection signaling is applied to a mobile terminal, and is characterized by comprising the following steps:
after the mobile terminal sends an NAS request to MME equipment, and when the MME equipment rejects the NAS request and sends an initial context establishment request message carrying NAS signaling and an NAS rejection indication to the base station corresponding to the mobile terminal, establishing a Radio Resource Control (RRC) security context between the mobile terminal and the corresponding base station; the base station determines, according to the NAS rejection indication, that the NAS signaling carried in the initial context establishment request message is first NAS rejection signaling;
after establishing an RRC security context between the base station and the mobile terminal, the mobile terminal receives a second NAS rejection signaling sent by the base station;
judging whether an established Radio Resource Control (RRC) security context exists or not according to the second NAS rejection signaling;
generating connection exception information when the RRC security context does not exist;
wherein the method further comprises:
sending a NAS request to an MME device, wherein the NAS request comprises an access request message or a tracking area update request message.
4. The security protection method according to claim 3, wherein after the generating of the connection exception information, the method further comprises:
and when receiving the RRC connection release message carrying the GSM frequency point, refusing to redirect to another cell except the current cell according to the received RRC connection release message.
5. The security protection method according to claim 3, wherein after the step of determining whether the established Radio Resource Control (RRC) security context exists, the method further comprises:
and when the RRC safety context is judged to exist and an RRC connection release message carrying the GSM frequency point is received, redirecting to another cell except the current cell according to the received RRC connection release message.
6. A security protection method for non-access stratum (NAS) rejection signaling is applied to a Mobility Management Entity (MME) device, and is characterized by comprising the following steps:
receiving an NAS request sent by a mobile terminal;
sending an initial context establishment request message to a base station corresponding to the mobile terminal according to the NAS request, wherein the initial context establishment request message carries NAS signaling and an NAS reject indication, and the NAS reject indication indicates that the NAS signaling is first NAS reject signaling, so that the base station establishes a Radio Resource Control (RRC) security context with the mobile terminal according to the first NAS reject signaling, and issues a second NAS reject signaling to the mobile terminal;
the NAS request is an access request message or a tracking area update request message.
7. A safety protection device of non-access stratum (NAS) rejection signaling is applied to a base station, and is characterized in that the device comprises a signaling acquisition module, a first processing module and a first signaling sending module, wherein:
the signaling acquisition module comprises a first message receiving unit and an indication confirmation unit; the first message receiving unit is configured to receive an initial context setup request message sent by an MME device; wherein the initial context establishment request message carries NAS signaling and an NAS rejection indication; the indication confirming unit is configured to determine, according to the NAS reject indication, that the NAS signaling carried in the initial context setup request message is a first NAS reject signaling;
the first processing module is configured to establish a radio resource control RRC security context with the mobile terminal according to the first NAS reject signaling; wherein the mobile terminal sends an NAS request to the MME device, and the MME device sends the first NAS reject signaling to the base station when rejecting the NAS request;
the first signaling sending module is used for sending a second NAS rejection signaling to the mobile terminal;
wherein the NAS request is an access request message or a tracking area update request message.
8. The safety protection device according to claim 7, wherein the first processing module comprises:
a storage unit, configured to store the mobile terminal security capability parameter and the key recorded in the first NAS reject signaling;
an indication sending unit, configured to issue an RRC security mode establishment indication to the mobile terminal;
and the second message receiving unit is used for receiving the RRC security mode completion message fed back by the mobile terminal and establishing a Radio Resource Control (RRC) security context with the mobile terminal.
9. A security protection device for non-access stratum (NAS) rejection signaling is applied to a mobile terminal, and is characterized in that the device comprises:
a reject signaling receiving module, configured so that, after the NAS request is sent to an MME device and the MME device rejects the NAS request by sending an initial context setup request message carrying NAS signaling and an NAS reject indication to the base station corresponding to the mobile terminal, a radio resource control RRC security context is established between the mobile terminal and the corresponding base station, and after the RRC security context is established between the base station and the mobile terminal, the module receives second NAS rejection signaling sent by the base station; the base station determines, according to the NAS rejection indication, that the NAS signaling carried in the initial context setup request message is first NAS rejection signaling;
a judging module, configured to judge whether an established RRC security context exists according to the second NAS reject signaling;
an information generating module, configured to generate connection exception information when the RRC security context does not exist;
a request message sending module, configured to send the NAS request to an MME device, where the NAS request includes an access request message or a tracking area update request message.
10. The safety protection device of claim 9, further comprising:
and the second processing module is used for refusing to redirect to another cell except the current cell according to the received RRC connection release message when the RRC connection release message carrying the GSM frequency point is received.
11. The safety protection device of claim 9, further comprising:
and the third processing module is used for redirecting to another cell except the current cell according to the received RRC connection release message when the RRC security context is judged to exist and the RRC connection release message carrying the GSM frequency point is received.
12. A security protection device for non-access stratum (NAS) rejection signaling is applied to a Mobility Management Entity (MME) device, and is characterized by comprising:
the request receiving module is used for receiving the NAS request sent by the mobile terminal;
a second signaling sending module, configured to send an initial context setup request message to a base station corresponding to the mobile terminal according to the NAS request, where the initial context setup request message carries an NAS signaling and an NAS reject indication, and indicates that the NAS signaling is the first NAS reject signaling through the NAS reject indication, so that the base station establishes a radio resource control RRC security context with the mobile terminal according to the first NAS reject signaling, and issues a second NAS reject signaling to the mobile terminal; wherein, the NAS request received by the request receiving module is an access request message or a tracking area update request message.
13. A base station, characterized in that it comprises a safety protection device according to any one of claims 7 to 8.
14. A mobile terminal, characterized in that it comprises a security protection device according to any one of claims 9 to 11.
15. A mobility management entity, MME, apparatus comprising the security protection device of claim 12.
CN201710164866.XA 2017-03-20 2017-03-20 Security protection method and device, mobile terminal, base station and MME (mobility management entity) equipment Active CN108924841B (en)
Publications (2)

Publication Number Publication Date
CN108924841A CN108924841A (en) 2018-11-30
CN108924841B true CN108924841B (en) 2021-11-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant