Can someone beside me hear my communications and,
especially, can he understand them?
That is the question we will answer in this video.
我旁边的人可以听到我的通讯,尤其是他能理解他们吗?这是我们将在本视频中回答的问题。
Of course, the answer is NO.
当然,答案是否定的。
We’re going to see the security mechanism
put in place to guarantee the confidentiality of exchanges.
我们将看到实施安全机制以保证交易所的机密性。
Especially ciphering, which is
also called encryption.
特别是加密,也称为加密。
In networks, ciphering is based on a very simple
mathematical operation which is XOR,
in other words the exclusive OR between the clear text
and a sequence generated by the sender.
在网络中,加密基于非常简单的数学运算,即XOR,换句话说,明文与发送者生成的序列之间的异或。
This operation works bit by bit so it takes one bit from
every sequence and produces a bit as output.
此操作逐位工作,因此每个序列需要一位,并产生一个位作为输出。
If the two bits are the same, the result is zero.
如果两个位相同,则结果为零。
For example as shown in the slide, 1 XOR 1 equals 0.
例如,如幻灯片所示,1 XOR 1等于0。
The operation is very simple to implement in hardware.
该操作在硬件中实现非常简单。
In this example, the clear text is in blue
and the ciphering sequence is in red.
在此示例中,明文为蓝色,加密序列为红色。
It should be noted that
the sequence must have the same length in bits as the input data.
应注意,序列必须具有与输入数据相同的位长度。
To get the clear text from the ciphered data in green,
you just need to repeat the operation with the ciphering sequence.
要从加密数据中获取绿色的明文,您只需要使用加密序列重复操作。
There is one big constraint: the ciphering sequence must
be different every time.
有一个很大的限制:加密序列每次都必须不同。
If we use the same sequence several times,
we completely lose all security properties.
如果我们多次使用相同的序列,我们将完全失去所有安全属性。
When we have a very large volume
of data to transmit, we’ll cut it into various
packets and we’ll try to cipher the packets
with different sequences.
当我们要传输大量数据时,我们会将其切割成各种数据包,我们将尝试使用不同的序列加密数据包。
The receiver must possess the same ciphering sequence in
order to be able to get the clear text.
接收器必须具有相同的加密序列才能获得明文。
But how can we obtain a ciphering sequence of an
almost unlimited size?
We use an algorithm that, based on a few input parameters,
generates sequences adapted to the data ciphering.
但是我们怎样才能获得几乎无限大小的加密序列?我们使用一种算法,该算法基于一些输入参数,生成适合于数据加密的序列。
We start with a basic ciphering key that is relatively stable.
我们从一个相对稳定的基本加密密钥开始。
It is conserved, for example, throughout a Web session or
during an entire communication.
例如,它在整个Web会话期间或整个通信期间都是保守的。
This shared key Kenc
is the basis for creating an almost unlimited number
of ciphering sequences.
这个共享密钥Kenc是创建几乎无限数量的加密序列的基础。
The ciphering key is calculated from the number
RAND used for authentication and from the secret K.
加密密钥是根据用于认证的RAND和秘密K计算的。
It is essential to use specialized functions that ensure
that the string of sequences produced is the closest
possible to random values.
必须使用专门的函数来确保生成的序列字符串最接近随机值。
Because these are deterministic algorithms, if all input
parameters are the same, the function will produce the
same ciphering sequence as output.
因为这些是确定性算法,如果所有输入参数相同,则该函数将产生与输出相同的加密序列。
Therefore, we’ll try to add elements known only by the
sender and the receiver which change with all new data sent.
因此,我们将尝试添加仅由发送方和接收方知道的元素,这些元素随发送的所有新数据而变化。
For example, we’ll number each
transmitted packet and integrate
the packet number and the amount of data to cipher in the
input parameter of the algorithm used to calculate the ciphering sequence.
例如,我们将对每个传输的数据包进行编号,并将数据包数量和数据量整合到用于计算加密序列的算法的输入参数中。
We’ll also place a direction indicator
(uplink or downlink) and a bearer number.
我们还将放置方向指示符(上行链路或下行链路)和承载号。
We’ll take a look at bearers in week 4.
我们将在第4周看看承载者。
At this point of the course, we can see it as a stream.
在课程的这一点上,我们可以将其视为一个流。
The ciphering algorithm is executed on the mobile
terminal and on the eNodeB.
加密算法在移动终端和eNodeB上执行。
The algorithm used must be standardized: an operator cannot define
his own ciphering algorithm.
所使用的算法必须是标准化的:操作员不能定义他自己的加密算法。
All radio transmissions
are ciphered, whether they are user data or signaling…
Moreover, data exchanged between the MME and the mobile
terminal are ciphered by both sides.
所有无线电传输都是加密的,无论它们是用户数据还是信令......此外,MME和移动终端之间交换的数据由双方加密。
As for ciphering algorithms, there are several.
至于加密算法,有几种。
Here, you see the three that are currently standardized
in the LTE network.
在这里,您可以看到当前在LTE网络中标准化的三个。
The first, NULL, which does not cipher data is to be
prohibited and only used during network test periods.
第一个NULL,不加密数据是禁止的,仅在网络测试期间使用。
The second, SNOW 3G, is
an algorithm present in third generation networks and
the AES which gives the strongest security
guarantees at this moment.
第二种是SNOW 3G,它是第三代网络中存在的算法和AES,它在此时提供了最强大的安全保障。
Each of the exchange channels illustrated here
can use a different ciphering algorithm.
这里示出的每个交换信道可以使用不同的加密算法。
The ciphering algorithms and the ciphering keys are
negotiated during the terminal authentication phase.
在终端认证阶段协商加密算法和加密密钥。
Now here is an example to
illustrate the different ciphering stages for an IP
packet which contains user data coming from the Internet.
现在这里是一个例子来说明包含来自因特网的用户数据的IP包的不同加密阶段。
Let’s consider a packet arriving at the P-Gateway which
is then routed across the core network where its
confidentiality is guaranteed by the classic mechanisms
of the Internet world before arriving at the eNodeB.
让我们考虑一个到达P网关的数据包,然后通过核心网络进行路由,在到达eNodeB之前,互联网世界的经典机制保证其机密性。
The eNodeB cyphers this packet before sending it
on the radio link.
eNodeB在将该数据包发送到无线电链路之前对其进行加密。
We can imagine that the following values are used to
generate the key used to encrypt the frame: number of the
packet counter between the eNodeB and the terminal,
reference of the bearer, downlink or uplink packet,
and size of the data to encrypt.
我们可以想象以下值用于生成用于加密帧的密钥:eNodeB与终端之间的分组计数器的数量,承载的参考,下行链路或上行链路分组,以及要加密的数据的大小。
The ciphering key negotiated earlier between the mobile
terminal and the eNodeB during the authentication phase
must also be specified.
还必须指定在认证阶段期间在移动终端和eNodeB之间早先协商的加密密钥。
Upon reception, the mobile terminal uses
the same parameters to decrypt the frame.
在接收时,移动终端使用相同的参数来解密帧。
The next IP packet will follow the
same path, but in this case the
frame counter will increment by 1 and so,
even if it uses the same shared secret,
a completely new ciphering sequence will be used.
下一个IP数据包将遵循相同的路径,但在这种情况下,帧计数器将递增1,因此,即使它使用相同的共享密钥,也将使用全新的加密序列。
In summary, Ciphering also called encryption is based on
a stable encryption key Kenc generated with
secret key K and the random number used during authentication.
总之,加密也称为加密是基于使用密钥K生成的稳定加密密钥Kenc和在认证期间使用的随机数。
The ciphering sequence is specific to each packet.
加密序列特定于每个分组。
It is generated with Kenc and parameters
including a packet counter.
它是用Kenc生成的,参数包括数据包计数器。
Ciphering is based on XOR (exclusive Or).
Ciphering and De-ciphering are the same operation.
加密基于XOR(独家或)。加密和解密是相同的操作。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
