edX 4G Network Essentials Week 2 1- Network Attachment and Security Functions

What happens when I turn my terminal on?
How are the security mechanisms organized?
These are the questions we will answer in this video.

When we subscribe, the operator sometimes provides a
terminal, but it especially provides a communication
service in the form of a SIM card.

For the terminal to function correctly on the network,
the SIM card must be present.

It is obviously necessary to identify
each SIM card, or each subscription, in a unique way.

This is done using an identity called the
International Mobile Subscriber Identity.

To ensure that two random subscribers,
in the entire world, never have the same
IMSI, the structure is hierarchical.

It starts with three digits indicating
the MCC code – Mobile Country Code – the
country where the user has subscribed, which
is generally where he lives.

After that is the MNC – Mobile Network Code
– which is the code of the network in the country,…
then a number allocated by the operator.

Two subscribers of the same operator never have the same number.

The result is an identity of 15
digits maximum which is unique
throughout the world.

The beginning of the IMSI therefore indicates to which
country and operator the subscriber belongs.

For example,
the MCC for France is 208,…
and 10 is the code for SFR.

Here are two examples of IMSIs from
2 subscribers with different French operators.

The IMSI of a subscriber never changes,
unless he changes operators, of course.

It is used when you move through the network.

A 4G network enables the terminal to
connect to the Internet.

All equipment connected to the internet must have an IP address
to be able to send and receive data.

In most cases, the IP address is
not allocated statically.

It is allocated at power-up, during a process called “attachment”.

An operator can provide various types of services.

For example, a public access or a professional access.

During the attachment procedure, the terminal indicates
the type of service it wants,
notably by specifying the APN, the
Access Point Name, which indicates to the network which
P-Gateway to use.

Let’s look at a very simple example of how attachment works.

When I turn on my terminal, it reads the SIM card
to know the country code and the name of my operator.

We’ll assume that I’m in the country where I subscribed.

The terminal searches my operator’s network,
listening to the beacon channels of the surrounding systems.

The operator’s code is transmitted
on each beacon channel.
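
The IMSI structure and the network search described above, as an added example that is not part of the original course material. The `MNC_DIGITS` table, the function names and the sample IMSI and beacons are constructed assumptions; a real terminal learns the MNC length from the SIM.

```python
import re

# Assumption: the MNC is 2 or 3 digits long depending on the country, so the
# split needs a per-MCC table. Only two entries are listed here.
MNC_DIGITS = {"208": 2, "310": 3}   # France, United States

def parse_imsi(imsi):
    """Split an IMSI into (MCC, MNC, number allocated by the operator)."""
    if not re.fullmatch(r"[0-9]{1,15}", imsi):
        raise ValueError("an IMSI is at most 15 decimal digits")
    mcc = imsi[:3]
    if mcc not in MNC_DIGITS:
        raise ValueError("MNC length not known for MCC " + mcc)
    end = 3 + MNC_DIGITS[mcc]
    if len(imsi) <= end:
        raise ValueError("IMSI too short to hold a subscriber number")
    return mcc, imsi[3:end], imsi[end:]

def find_home_network(imsi, beacons):
    """Return the first scanned cell broadcasting the SIM's operator code."""
    mcc, mnc, _ = parse_imsi(imsi)
    for beacon in beacons:
        if (beacon["mcc"], beacon["mnc"]) == (mcc, mnc):
            return beacon["cell"]
    return None   # home operator not heard in this scan

# Constructed sample data: one SIM and three beacon channels heard in a scan.
SAMPLE_IMSI = "208101234567890"
SAMPLE_BEACONS = [
    {"cell": "cell-A", "mcc": "208", "mnc": "01"},
    {"cell": "cell-B", "mcc": "208", "mnc": "10"},
    {"cell": "cell-C", "mcc": "208", "mnc": "10"},
]
```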

As soon as it finds the right network, it sends an
Attach Request message containing its IMSI.

The message is received by the
eNodeB, then transmitted to the MME.

The MME checks if it has the
subscriber’s profile in its database.

That’s not the case here, because we’re assuming
that this is the first time I’ve turned my terminal on.

The MME will then verify with the HSS if the subscriber
is known and
has access to the network.

The HSS searches for
the subscriber and transfers his profile, as we saw during the first week.

The message includes the APN, Access Point Name.

Once the MME has stored the profile, it informs the HSS.

We still haven’t spoken about an IP address.

An IP address is linked to a location.

In this case, the IP address is linked to the P-Gateway.

The choice was made by the designers of 4G networks,
on one hand to allow dynamic address allocation and, on
the other, to leave this allocation up to the P-Gateway.

The MME sends a message to the S-Gateway…
which it resends to the P-Gateway.

The P-Gateway can allocate an IP address.

This IP address is
then sent from the P-Gateway to the S-Gateway,…
then from the S-Gateway to the MME…
to finally arrive at the mobile terminal.

From the moment the terminal has an IP address, it can work.
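
The attachment walkthrough above, modelled as an added example that is not part of the original course material. The class and method names, the address pool and the subscriber entry are constructed assumptions, and the radio leg through the eNodeB is left out.

```python
import ipaddress

class HSS:
    """Home subscriber database: IMSI -> profile (the profile carries the APN)."""
    def __init__(self, profiles):
        self.profiles = profiles
        self.serving_mme = {}            # which MME reported storing the profile
    def get_profile(self, imsi):
        return self.profiles.get(imsi)   # None means unknown subscriber
    def profile_stored(self, imsi, mme_name):
        self.serving_mme[imsi] = mme_name

class PGateway:
    """Owns the address pool; the terminal's IP address is tied to this node."""
    def __init__(self, cidr):
        self.pool = iter(ipaddress.ip_network(cidr).hosts())
        self.leases = {}
    def allocate(self, imsi):
        if imsi not in self.leases:
            self.leases[imsi] = str(next(self.pool))
        return self.leases[imsi]

class SGateway:
    def create_session(self, imsi, pgw):
        return pgw.allocate(imsi)        # relay MME -> P-Gateway and back

class MME:
    def __init__(self, name, hss, sgw, pgw_by_apn):
        self.name, self.hss, self.sgw = name, hss, sgw
        self.pgw_by_apn = pgw_by_apn     # the APN decides which P-Gateway is used
        self.profiles = {}               # profiles already fetched from the HSS
    def attach(self, imsi):
        """Handle an Attach Request; return the allocated IP, or None if refused."""
        profile = self.profiles.get(imsi)
        if profile is None:              # first attach: ask the HSS
            profile = self.hss.get_profile(imsi)
            if profile is None:
                return None
            self.profiles[imsi] = profile
            self.hss.profile_stored(imsi, self.name)
        # Note: nothing above proves the sender really holds this IMSI's SIM.
        return self.sgw.create_session(imsi, self.pgw_by_apn[profile["apn"]])

def build_network():
    """Constructed one-subscriber network used to exercise the flow."""
    hss = HSS({"208100000000001": {"apn": "internet"}})
    mme = MME("mme1", hss, SGateway(), {"internet": PGateway("10.0.0.0/29")})
    return mme, hss
```

In this model the IMSI alone decides whether an attach succeeds, which is the gap the authentication mechanism closes.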

What are the possible problems?
Let’s imagine that I tamper with my terminal so that it
sends the IMSI of my neighbor.

I could use the network at his expense.
The network must verify that, when a terminal accesses a
network, it corresponds to a valid subscription, to a
SIM card actually issued by the operator.

This is the authentication mechanism.

With a receiver set to the frequency of
the base station, it is very easy to listen to what it transmits.

A person with malicious intent could learn the
information transmitted to me.

This must be prevented.

This is enabled by the encryption mechanism.

An attacker with a transceiver can
very easily change the IP address that was allocated to me
during the attachment procedure by superposing a
signal on the one transmitted by the base station.

To prevent this, a mechanism was developed that enables
the recipient of a message to verify the integrity
of this message.

When a terminal activates a service,
it must identify itself.

By default, the identifier used is the IMSI.

If an attacker listens to the exchanges on the
radio band and detects an
IMSI, it knows which subscriber is nearby.

Therefore, we avoid transmitting the IMSI.

Instead, we use
a temporary identity which is regularly renewed.

Authentication, encryption, integrity and allocation of a
temporary identity are the mechanisms which we’ll see in
this week’s videos.

This will lead us to look again at the attachment
procedure, looking at how the security mechanisms are implemented.

Reposted from: https://www.cnblogs.com/sec875/articles/9868046.html
