Resolved question
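Best answer
My understanding is that one reason is that the earliest versions did not yet support any effective algorithm and supported only the null algorithm. That is, a security framework was put in place first, and effective security algorithms were added in later versions. In actual testing today the null algorithm is no longer used. As for why the null algorithm is still kept, perhaps there is some other purpose.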
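Answered: 2011-12-16 08:33
Other answers (6)
In some countries, the government requires operators not to encrypt, to make it easier for the security agencies to carry out interception and monitoring.
By the way, GSM here in China is not encrypted.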
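NAS security is optional, but security at the AS layer is mandatory, so there is no problem.
The null ciphering algorithm seems to be used only in the attach for emergency service case. When the null ciphering algorithm is used, the message is still considered ciphered; null ciphering != no ciphering. I'm not sure whether I've understood this correctly.
That's an interesting idea. But I have always thought that null ciphering simply means no ciphering. Can anyone confirm?
Correct!
NAS-layer ciphering is indeed rarely seen in live 2/3G networks. I have seen NAS-layer ciphering under LTE, but trial sites generally turn it off so that troubleshooting doesn't get harder.
Data on the air interface is relatively easy to obtain, so RRC ciphering is mandatory; the NAS layer transported over S1 is carried on IP, which is generally controlled by the operator and is relatively secure, so not ciphering NAS is defensible. This is not necessarily limited to emergency calls; not ciphering NAS for ordinary calls is normal too.
Under LTE the ciphering/integrity architecture is fixed; I agree with the view that null ciphering = no ciphering. Put plainly, it is just a field that has not been set.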
Security header type (octet 1)
8 7 6 5
0 0 0 0 Plain NAS message, not security protected
Security protected NAS message:
0 0 0 1 Integrity protected
0 0 1 0 Integrity protected and ciphered
0 0 1 1 Integrity protected with new EPS security context (NOTE 1)
0 1 0 0 Integrity protected and ciphered with new EPS security context (NOTE 2)
Non-standard L3 message:
1 1 0 0 Security header for the SERVICE REQUEST message
1 1 0 1 These values are not used in this version of the protocol.
to If received they shall be interpreted as ‘1100’. (NOTE 3)
1 1 1 1
All other values are reserved.
NOTE 1: This codepoint may be used only for a SECURITY MODE COMMAND message.
NOTE 2: This codepoint may be used only for a SECURITY MODE COMPLETE message.
NOTE 3: When bits 7 and 8 are set to '11', bits 5 and 6 can be used for future extensions of the SERVICE REQUEST message.
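The table quoted in the answer above, turned into a decoder for octet 1 of a NAS message (an added example, not part of the original thread). It applies NOTE 3 and checks NOTE 1. The SECURITY MODE COMMAND message type value 0x5D and the octet layout after octet 1 are assumptions taken from outside this page, and the sample messages are constructed.

```python
# Added example: decode the security header type (bits 8-5 of octet 1)
# using the codepoints from the table quoted above.
NAMES = {
    0b0000: "plain NAS message, not security protected",
    0b0001: "integrity protected",
    0b0010: "integrity protected and ciphered",
    0b0011: "integrity protected with new EPS security context",
    0b0100: "integrity protected and ciphered with new EPS security context",
    0b1100: "security header for the SERVICE REQUEST message",
}
INTEGRITY = {0b0001, 0b0010, 0b0011, 0b0100}
CIPHERED = {0b0010, 0b0100}
# Assumptions (not on the page): SECURITY MODE COMMAND has message type 0x5D,
# and octet 1 is followed by a 4-octet MAC, a 1-octet sequence number and the
# inner message, whose message type is therefore at byte index 7.
SMC_MESSAGE_TYPE = 0x5D
INNER_TYPE_OFFSET = 7

def decode_security_header(nas: bytes) -> dict:
    if not nas:
        raise ValueError("empty NAS message")
    sht = nas[0] >> 4                      # bits 8..5 of octet 1
    if 0b1101 <= sht <= 0b1111:            # NOTE 3: interpret as '1100'
        sht = 0b1100
    issues = []
    if sht not in NAMES:                   # "All other values are reserved."
        issues.append("reserved security header type")
    # NOTE 1: 0011 may be used only for SECURITY MODE COMMAND. The message is
    # integrity protected but not ciphered, so its type octet is readable.
    if sht == 0b0011 and (len(nas) <= INNER_TYPE_OFFSET
                          or nas[INNER_TYPE_OFFSET] != SMC_MESSAGE_TYPE):
        issues.append("codepoint 0011 on a message other than SECURITY MODE COMMAND")
    return {"type": sht, "name": NAMES.get(sht, "reserved"),
            "integrity": sht in INTEGRITY, "ciphered": sht in CIPHERED,
            "issues": issues}

def plain_message_indexes(messages):
    """Indexes of messages sent with header type 0000 (no NAS protection)."""
    return [i for i, m in enumerate(messages)
            if decode_security_header(m)["type"] == 0b0000]

# Constructed sample messages (MAC and payload bytes are made up).
SAMPLES = [bytes.fromhex(h) for h in (
    "0741", "27aabbccdd05deadbeef", "371122334400075d",
    "3711223344010742", "d7000000", "57")]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.hex(), decode_security_header(m))
    print("plain messages at:", plain_message_indexes(SAMPLES))
```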