The Research and Design of 3G terminal data confidentiality services

Transcription

1

2 2010 International Conference on E-Business and E-Government The Research and Design of 3G terminal data confidentiality services Fangzhou, Zhang, Xiaoge,Dong Dan, Wang, Xibao,Ma, Chen,Chen School of Computer and Information Technology, Daqing Petroleum Institute, Daqing, China Abstract 3GPP does not supply any active security service interface or available security algorithm model for the terminals, which restricts the initiative ability and configuration ability of security communication on the application layer in a great deal. Focusing on this problem, we firstly brought forward three-layer architecture which guarantees application layer s communication security of 3G terminals, researched secure confidentiality service model which is convenient for developers, the algorithm consultation mechanism used in the application layer and the security algorithm model F8* which guarantees the confidentiality of terminal data transmission are included. It is indicated that models and functions raised in this article are able to be used to supply active, visible and selectable confidentiality service for terminals. 1 Introduction internet, service information and the use of internet source has turned into an urgent issue that needs to be solved [1]. Current available 3G system only provides cell-phones, switching-in security communication service of USIM, but it does not supply any reliable security service mechanism for terminals. The application layer is short of specific security service model and realization which directly faces the application developer. The initiative ability and configurability of the system have been confined badly. The infrastructure of 3G application layer is continuously being completed. However, there are few researches concerning on terminal security service. With respect to this, three-layer architecture in application layer insuring 3G terminals security is brought forward in the first place in this article, based on it, the algorithm consultation mechanism that is acceptable for the application layer is designed according to the needs of terminal security. So as to ensure the security algorithm model F8* of terminal data transmission confidentiality can work well. The design of this terminal security service model supplied users with active and effective channels to protect the individual information security. With the rapid development of communications technology, the third generation mobile communication system (3G) is becoming important communication method in people s daily life. How to insure the security of the 2 Analysis of 3G Security Mechanism /10 $ IEEE DOI /ICEE

3 The most marked security characteristic of 3G is the whole security process is exoteric and transparent [3]. 3G provides exoteric algorithm and standard to its security field. 3G security mechanism can basically guarantee the safety of individual communication, but as to the terminals, 3GPP is not able to provide effective security confidential service interface and available confidential algorithm model. Security characteristic of application domain is depended on application programming developers largely. Users lack self-protected security mechanism. Security system defined in 3G is shown as figure 1. the information exchange between the applications of user domain and ISP (Internet Service Providers) to be safe. 5) The visibility and configurable capacity of the security features ( ): To make sure that whether the security features obtained by the users are in use, and whether the applications from the ISP are safe. As the figure 1 showing, the 3G communication security architecture provides safeguards including network access security, air transport security and HE (hub network) security. But it does not supply any secure confidentiality service in a proactive way, which restricts the security of the users, secure communication and configurability are badly restricted. when the security needs changed. The update process is very complicated, and it hampers the expansion of the 3G open businesses and personalized services business. 3 The three-layer architecture in 3G terminal security communication Figure 1: The security architecture of 3G 1) Access network security ( ): To offer the security mechanism to 3G SN (Service Network) accessing, and to resist the attacks on the wireless link. 2) Network domain security ( ): To guarantee the transmission safe when the network signals, and to withstand the attack on the cable network. 3) User domain security ( ): To guarantee the security of MS (mobile station), including the authentication from user to the USIM, the authentication from USIM to terminals, and the protection of the link between USIM and terminals. 4) Application domain Security ( ) Enable In order to defend the security of the terminals and make it easy for the clients to use, the three-layer architecture was designed in the first place in this article, the system includes infrastructure layer, security service layer and application layer. At the same time, 3G terminal security interface was designed. This interface was built in the protection layer which lies between the user and the application layer, whose aim is to supply active and selectable security service for the users. Terminal security communication architecture of 3G is shown as figure

4 algorithm, to provide proactive data confidential protection service. The proactive and selectable confidential service provided undoubtedly is a self-protection for individual communication, which ensures the application safety in 3G terminals. 4.1 Algorithm and key-length Figure 2: 3G terminal security communication architecture We can see 1 Infrastructure layer supplies different specific function realization, which is consisted of f0 f9 defined in 3GPP function f1 * f5 * redefined algorithm f8* f9*and corresponding functions. 2 Security service layer assembles and encapsulate functions according to functional requirement and service flow to realize different kinds of security service based on terminal application. 3 Application layer locating above the security service layer, the application layer directly faces the end users, supplies all kinds of security application service interface. consultation As the network consultation, the figure 3 shows algorithm consultation of 3G terminals in security service layer. A sends a requirement to B, B sends back a response, add 1 to SYN, when A receives response from B, parameters M,N,P are generated according to regulation algorithm. Then it sends B a response contains M, N, P. When received the message, B deals with M, N, P, returns the response with Mi, Ni, Pi, if there are relevant M, N, P, the value of Mi Ni Pi are the same as M, N, P, else set its value to 0. After A receives the values of Mi Ni Pi, A encrypts the data that is going to be sent according to F8* algorithm, then the data is sent to B. B can decrypt the data using the same method. 4 Design and realization of terminal confidentiality Based upon terminal communication system mentioned above, terminal confidentiality service was designed. For the first time, algorithm consultation mechanism fit for the application layer was designed. Both sides fix security algorithm through consultation. The mechanism offers many algorithm selections and key-length selection scheme in order to satisfy the security configuration needs. Then we designed F8* confidentiality algorithm model which meets the challenge of application Figure 3: Algorithm and key-length consultation 1365

5 4.2 F8 * confidential algorithm model F8* algorithm model is improved in key distributed method, terminal data confidential model F8* is designed by simulation. The algorithm model is as figure 4. taking KASUMI for instance here A though algorithm KASUMI calling function KASUMI put the result into register A. A = KASUMI[A] MODKEY MODKEY= ck^ 0x (random, 32bits ) 4 Calculate the first 64-bits password flow XOR A and BLKCNT, generate a password block using algorithm KASUMI. 5 Receive the ciphertext block get the password block by XOR 64-bits ciphertext block and plaintext block. 6 Add 1 to the value of BLKCNT. 7 XOR password block and context in A, then XOR it with BLKCNT send the result to cryptographic algorithm KASUMI 8 Repeat step 5 until BLKCNT=blocks-1. 5 Conclusion Figure 4: f8* algorithm flow diagram The realization of security algorithm(taking KASUM as an instance AN=0 1 Composing over-all situation amending variable: define *key receive keys, *data receive datas, initialize MODKEY, length indicates the length of the data that is going to be encrypted, grouping the clear text,each 64 byte as a group, suppose Blkcnt as the serial number blocks are total number of the blocks. 2 Initialize the registers in correct way. Send AAK AN DL and to register A For example A=AAK[0]...AAK[31] AN[0]...AN[4] KL[0]... KL[8] eighteen 0 at most in the right AAK is the serial number after the consultation,which is 32bits AN algorithm number 8bits indicates which algorithm should be adopted in the 16 kinds of algorithm and received Mi Ni parameters in the consultation KL key length 9bits to receive Pi in the algorithm consultation. 3 Construct the amended key, alter variable This text analyzed the security mechanism in 3G mobile communication, concerning on the drawback that the application terminals is short of proactive security service interface and available security algorithm models, we brought forward the three-layer architecture which ensures the terminal communication safety in the first place, designed data confidential service model based on terminal application. This model can provide proactive, visible and selectable data confidential service, which is already used in simulated environment and has reached the goal we expected. We will expand the functions of terminal security service, research how to provide proactive and convenient all-around security service for the terminals. References [1]Lin YB,Chen YK. Reducing authentication signaling traffic in third-generation mobile network[j]. IEEE Transactions on Wireless Communications, 2003,2(5): [2]3rd Generation Partnership Program[S/OL].( ) 1366

6 [3]3GPP TS rd Generation Partnership Project(3GPP).Technical Specification Group(TSG)SA 3G Security. Security architecture (Release 6) [4]3GPP TS V GPP system to Wireless Local Area Network (WLAN) interworking: system description(release 6)[S] [5]3GPP G Security Security Threats and Requirements 1367