[5G Series] NAS Layer Security Procedures (3): Key Derivation

Time: 2024-04-05 12:28:09

1 Ciphering algorithm

Inputs to the ciphering algorithm:

a 128-bit cipher key named KEY (KNASenc),
a 32-bit COUNT, where COUNT := 0x00 || NAS COUNT,
a 5-bit bearer identity BEARER,
the 1-bit direction of the transmission, i.e. DIRECTION. The DIRECTION bit shall be 0 for uplink and 1 for downlink.
the length of the keystream required, i.e. LENGTH.

2 Integrity protection algorithm

Inputs to the integrity protection algorithm:

a 128-bit integrity key named KEY (KNASint),
a 32-bit COUNT, where COUNT := 0x00 || NAS COUNT,
a 5-bit bearer identity called BEARER,
the 1-bit direction of the transmission, i.e. DIRECTION. The DIRECTION bit shall be 0 for uplink and 1 for downlink.
the message itself, i.e. MESSAGE.
The bit length of the MESSAGE is LENGTH.

3 Key derivation

CK’, IK’

After successful authentication, the ME and the AUSF generate these keys. The length is 128 bits.

KDF(Key, S), where Key is CK || IK and S is built from:

  • FC = 0x20,

  • P0 = SNN,

  • L0 = length of SNN

  • P1 = SQN ⊕ AK

  • L1 = length of SQN ⊕ AK

The first 128 bits of the output are CK’ and the last 128 bits are IK’.

KAUSF

After primary authentication succeeds, the ME and the AUSF generate this key. The length is 256 bits.

For 5G AKA: KDF(Key, S), where Key is CK || IK and S is built from:

  • FC = 0x10,

  • P0 = SNN,

  • L0 = length of SNN

  • P1 = SQN ⊕ AK

  • L1 = length of SQN ⊕ AK

For EAP-AKA’: KAUSF is the first 256 bits of the EMSK.

KSEAF

The ME and the AUSF derive KSEAF from KAUSF. The AUSF passes this key to the SEAF. The length is 256 bits.

KDF(Key, S), where Key is KAUSF and S is built from:

  • FC = 0x6C,

  • P0 = SNN,

  • L0 = length of SNN.

KAMF

The ME and the SEAF derive KAMF from KSEAF. The length is 256 bits.

KDF(Key, S), where Key is KSEAF and S is built from:

  • FC = 0x6D

  • P0 = SUPI

  • L0 = P0 length - number of octets in P0

  • P1 = ABBA parameter

  • L1 = P1 length - number of octets in P1

KNASint

NAS signalling integrity protection key for 3GPP access. The length is 256 bits or 128 bits.

KDF(Key, S), where Key is KAMF and S is built from:

  • FC = 0x69,

  • P0 = algorithm type distinguisher,

  • L0 = length of algorithm type distinguisher

  • P1 = algorithm identity

  • L1 = length of algorithm identity

KNASenc

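NAS signalling ciphering key for 3GPP access. The length is 256 bits or 128 bits.

Same as KNASint.

KgNB

The ME and the AMF can derive KgNB from KAMF, or it can be derived by the target gNB. The length is 256 bits.

KDF(Key, S), where Key is the 256-bit KAMF and S is built from: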

  • FC = 0x6E

  • P0 = Uplink NAS COUNT

  • L0 = length of uplink NAS COUNT (i.e. 0x00 0x04)

  • P1 = Access type distinguisher

  • L1 = length of Access type distinguisher (i.e. 0x00 0x01)

NH

The ME and the AMF can derive NH from KAMF. The length is 256 bits.

KDF(Key, S), where Key is the 256-bit KAMF and S is built from:

  • FC = 0x6F

  • P0 = SYNC-input

  • L0 = length of SYNC-input (i.e. 0x00 0x20)

KN3IWF

The ME and the AMF can derive KN3IWF from KAMF. The length is 256 bits.

KDF(Key, S), where Key is the 256-bit KAMF and S is built from:

  • FC = 0x6E

  • P0 = Uplink NAS COUNT

  • L0 = length of uplink NAS COUNT (i.e. 0x00 0x04)

  • P1 = Access type distinguisher

  • L1 = length of Access type distinguisher (i.e. 0x00 0x01)

KRRCint

RRC signalling integrity protection key. The length is 256 bits or 128 bits.

KDF(Key, S), where Key is KgNB or KSN and S is built from:

  • FC = 0x69,

  • P0 = algorithm type distinguisher,

  • L0 = length of algorithm type distinguisher

  • P1 = algorithm identity

  • L1 = length of algorithm identity

KRRCenc

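RRC signalling ciphering key. The length is 256 bits or 128 bits.

Same as KRRCint.

KUPenc

User plane ciphering key. The length is 256 bits or 128 bits.

Same as KRRCint.

KUPint

User plane integrity protection key. The length is 256 bits or 128 bits.

Same as KRRCint.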
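
The KDF(Key, S) derivations listed above for KSEAF, KAMF, KNASint/KNASenc and KgNB, as an added example that is not part of the original post. It assumes the KDF is HMAC-SHA-256 over S with 2-octet big-endian length fields (TS 33.220 Annex B.2) and the algorithm type distinguisher, algorithm identity and access type values of TS 33.501; the function names and all key, SNN, SUPI and ABBA inputs are constructed.

```python
import hashlib
import hmac

def build_s(fc, params):
    """S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter does not fit a 2-octet length field")
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf(key, fc, params):
    """Assumption from TS 33.220 Annex B.2 (not stated on this page): HMAC-SHA-256(Key, S)."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()

def derive_kseaf(kausf, snn):
    return kdf(kausf, 0x6C, [snn])

def derive_kamf(kseaf, supi, abba):
    return kdf(kseaf, 0x6D, [supi, abba])

# Algorithm type distinguishers per TS 33.501 (assumed values, not listed on this page).
N_NAS_ENC_ALG, N_NAS_INT_ALG = 0x01, 0x02

def derive_alg_key(parent, alg_type, alg_id, bits=128):
    """FC = 0x69; a key shorter than 256 bits keeps the least significant bits of the output."""
    out = kdf(parent, 0x69, [bytes([alg_type]), bytes([alg_id])])
    return out[-(bits // 8):]

def derive_kgnb(kamf, uplink_nas_count, access_type=0x01):
    """FC = 0x6E; access_type 0x01 is assumed to mean 3GPP access, 0x02 non-3GPP (KN3IWF)."""
    return kdf(kamf, 0x6E, [uplink_nas_count.to_bytes(4, "big"), bytes([access_type])])

def demo_chain():
    # All inputs are constructed sample values; algorithm identity 0x02 is an assumed sample.
    kausf = bytes(range(32))
    snn = b"5G:mnc001.mcc001.3gppnetwork.org"
    kseaf = derive_kseaf(kausf, snn)
    kamf = derive_kamf(kseaf, b"001010000000001", bytes.fromhex("0000"))
    return {
        "KSEAF": kseaf,
        "KAMF": kamf,
        "KNASint": derive_alg_key(kamf, N_NAS_INT_ALG, 0x02),
        "KNASenc": derive_alg_key(kamf, N_NAS_ENC_ALG, 0x02),
        "KgNB": derive_kgnb(kamf, 0),
    }

if __name__ == "__main__":
    print({name: key.hex() for name, key in demo_chain().items()})
```

KNASint and KNASenc come from the same KAMF and differ only in the algorithm type distinguisher placed in S, which is what keeps the integrity and ciphering keys separate.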