KR101759191B1 - Method and apparatus for reducing overhead for integrity check of data in wireless communication system - Google Patents

Abstract

The present invention relates to a method and apparatus for reducing overhead for integrity checking of data in a wireless communication system, and a method for reducing an overhead for a message authentication code of a control message in a wireless communication system, Determining whether the message authentication code included in the control message is valid by comparing the identifier of the first authentication key used in the control message with the identifier of the second authentication key; Counting the number of occurrences of the control message including the invalid message authentication code when the number of times of generation of the control message including the invalid message authentication code is not less than a predetermined threshold value, Quot;

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a method and an apparatus for reducing the overhead for integrity checking of data in a wireless communication system,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and apparatus for reducing the overhead for integrity checking of data in a wireless communication system. More particularly, the present invention relates to a method and apparatus for verifying a message using a Cipher-based Message Authentication Code (CMAC) (MAC) protocol data unit (MPDU) according to the overhead due to the CMAC added to the AES-CCM (Advanced Encryption Standard-CTR mode with CBC-MAC) And an apparatus and method for reducing an overhead due to an integrity check vector (ICV) added to each MPDU.

In a wireless communication system, authorization verification and authentication procedures are performed for a terminal to securely provide a service. The authentication function for the terminal is becoming a basic requirement for the stability of the service and the stability of the network.

For example, in IEEE (Institute of Electrical and Electronics Engineers) 802.16 based wireless communication systems, a new security key management protocol (PKMv2) is recommended to provide a stronger authentication framework have. The PKMv2 supports an RSA (Rivest Shamir Adleman) based authentication method for mutually authenticating a terminal and a base station, and an EAP (Extensible Authentication Protocol) based authentication method for performing terminal authentication through an upper authentication protocol. Through various combinations of these authentication methods, terminal authentication, base station authentication, and user authentication are performed.

In addition, in the IEEE 802.16 based wireless communication system, a message authentication code (hereinafter referred to as MAC) is used for authentication of a control message exchanged with each other after the mutual authentication procedure between the terminal and the base station is completed. After a traffic encryption key (TEK) is generated, the TEK is used to transmit a MAC Protocol Data Unit (MAC Protocol Data Unit) in an AES-Advanced Encryption Standard (CBC) Data Unit (hereinafter referred to as "MPDU"). The message authentication code (MAC) is added at the base station and decrypted at the terminal to prove that the message has not been changed by another base station or the terminal when the message is generated at the base station or the terminal. Or added at the terminal and decoded at the base station.

FIG. 1 illustrates a format in which a message authentication code is added to a control message according to the related art. Cipher based Message Authentication Code (CMAC) and Keyed-Hash Message Authentication Code (HMAC) are used as the message authentication code. A case where a CMAC is generated and added to a control message will be described.

1, when a control message is generated, the BS or the MS creates a CMAC 110 and adds the CMAC 110 to the last part of the control message 100, and transmits the control message 100 with the CMAC 110 added thereto. To the terminal or the base station. Upon receiving the control message 100 including the CMAC 110, the receiving terminal or the base station generates the CMAC in the same manner as the transmitting base station or the terminal and compares the CMAC of the received control message, Or the base station performs the integrity check of the control message. The CMAC is generated based on Equation (1) below.

CMAC_KEY_U | CMAC_KEY_D = Dot16KDF (AK, "CMAC_KEYS ", 256)

AKID = Dot16KDF (AK, 0b0000 | AKSN | MSID * | BS ID | "AK", 64)

STID * = Dot16KDF (MS MAC address, BSID | NONCE_BS, 48)

The CMAC is generated by selecting the lower 64 bits (= 8 bytes) out of the 128 bits of the result value of the AES-CMAC (see IETF RFC 4493) as shown in Equation (1).

Here, CMAC_KEY_ * is a CMAC_KEY for Uplink / Downlink generated from an Authorization Key (AK), and CMAC_PN_ * is a value for incrementing the control message by one for each transmission of a control message, and is a packet number counter value for Uplink / Downlink. SIDD is an identifier allocated to the corresponding terminal, BSID is an identifier of the corresponding base station, FID (Flow ID) is an identifier allocated to a connection of the corresponding terminal, MAC_Management_Message is control message content to be transmitted, Lt; / RTI > generated random number. 1, CMAC generation has been described as an example for message authentication, but HMAC may be used for control messages.

FIG. 2 shows a format in which an integrity check value is added to a MAC Protocol Data Unit (MPDU) according to the prior art.

Referring to FIG. 2, when an MPDU including a MAC header 200 and a plaintext payload 210 is generated, an L-byte plaintext payload 210 is divided into Advanced Encryption Standard CTR mode (AES-CCM) (PN) 202 is added to the front of the encrypted plaintext payload 211, and the encrypted plaintext payload 211 is added to the back of the encrypted plaintext payload 211 An 8-byte integrity check value (hereinafter referred to as "ICV") is added to form an encrypted MPDU. Finally, the encrypted MPDU is composed of the MAC header 200, the PN 202, the encrypted plaintext payload 211, and the integrity check value 220. Accordingly, upon receiving the encrypted MPDU at the receiving end, it decides whether the ICV 220 is valid after decoding the encrypted MPDU, and checks the integrity of the MPDU.

The ICV 220 having a size of 8 bytes is generated by the AES-CCM method with a traffic encryption key (TEK), a MAC header, a PN, and a plaintext payload as inputs.

As described above, overhead of 8 bytes (i.e., 64 bits) is added for the integrity check of the control message and the MPDU, respectively. The overhead increases in proportion to the number of control messages or the number of MPDUs, which may cause a deterioration in system performance.

Accordingly, there is a need for a scheme for reducing the size of the authentication message and the authentication overhead for the MPDU in the wireless communication system.

It is an object of the present invention to provide a method and apparatus for reducing the size of a message authentication code for checking the integrity of a control message in a wireless communication system.

It is another object of the present invention to provide a method and apparatus for reducing the size of an integrity check value for checking the integrity of an MPDU in a wireless communication system.

It is still another object of the present invention to provide a method and apparatus for deciding whether a failure or an integrity check value (ICV) due to a TEK mismatch error is invalid and failed when decrypting an MPDU encrypted with the AES-CCM scheme in a wireless communication system, A method and an apparatus.

According to a first aspect of the present invention, there is provided a method for reducing overhead for a message authentication code of a control message in a wireless communication system, the method comprising the steps of: Comparing the identifier of the authentication key with the identifier of the second authentication key to determine whether the message authentication code is valid; checking if the message authentication code included in the control message is valid; Counting the number of occurrences of the control message including the message authentication code that is not valid; and updating the authentication key when the number of times of generating the control message including the invalid message authentication code is equal to or greater than a predetermined threshold value .

According to a second aspect of the present invention, there is provided a method for reducing an overhead for integrity checking of a MAC Protocol Data Unit (MPDU) in a wireless communication system, the method comprising the steps of: Comparing the EKS of the first cryptographic key with the EKS of the second cryptographic key to determine whether the integrity check value included in the MPDU is valid; checking whether the integrity check value included in the MPDU is valid; The method comprising the steps of: counting the number of occurrences of a control message including an invalid integrity check value; and updating the cryptographic key if the number of occurrences of the MPDU including the invalid integrity check value is greater than or equal to a predetermined threshold value .

According to a third aspect of the present invention, there is provided an apparatus for reducing an overhead for a message authentication code of a control message in a wireless communication system, the apparatus comprising: A message authentication unit comparing the identifier of the authentication key with the identifier of the second authentication key to determine whether the message authentication code is valid and checking whether the message authentication code included in the control message is valid; And counting the number of occurrences of the control message including the message authentication code that has not been validated and updating the authentication key if the number of times of generation of the control message including the invalid message authentication code is greater than or equal to a predetermined threshold value do.

According to a fourth aspect of the present invention, there is provided an apparatus for reducing an overhead for integrity checking of a MAC Protocol Data Unit (MPDU) in a wireless communication system, the apparatus comprising: A message authentication unit for comparing the EKS of the first cryptographic key and the EKS of the second cryptographic key to determine whether the integrity check value contained in the MPDU is valid; And counting the number of occurrences of the control message including the invalid integrity check value and updating the cryptographic key if the number of occurrences of the MPDU including the invalid integrity check value is greater than or equal to a predetermined threshold value .

As described above, after performing the integrity check on the control message and the MPDU in the wireless communication system, by counting the number of incomplete occurrences and changing the authentication key or encryption key before reaching a predetermined security risk level, You can maintain a predefined level of security using a small CMAC (or ICV).

1 is a diagram illustrating a message format in which a message authentication code is added to a control message according to the related art,
2 is a diagram illustrating a format in which an integrity check value is added to a MAC Protocol Data Unit (MPDU) according to the prior art,
3 is a flowchart illustrating a BS operation for reducing an overhead for integrity checking of a control message in a wireless communication system according to an exemplary embodiment of the present invention.
FIG. 3 is a flowchart illustrating a procedure for processing a control message when a UE receives a control message in a wireless access system according to the present invention.
4 is a flowchart illustrating an operation of a base station for reducing an overhead for integrity checking of an MPDU encrypted based on AES-CCM in a wireless communication system according to an embodiment of the present invention.
5 is a signal flow diagram for updating an encryption key (PKM and AK) when a base station according to the present invention receives a control message from the corresponding terminal,
6 is a signal flow diagram for updating an encryption key (PKM and AK) when a terminal receives a control message from a base station,
7 is a signal flow diagram for updating an encryption key (TEK or EKS) when a base station according to the present invention receives an MPDU from a corresponding terminal,
8 is a flowchart for updating an encryption key (TEK, EKS) when a base station according to the present invention receives an MPDU from a corresponding terminal,
9 is an apparatus for reducing the overhead for checking the integrity of data in a wireless communication system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and these may be changed according to the intention of the user, the operator, or the like. Therefore, the definition should be based on the contents throughout this specification.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a method and apparatus for reducing overhead for data integrity protection in a wireless communication system will be described. In particular, when an invalid control message and the number of occurrences of MPDUs are counted and an exceeded number of occurrences is exceeded, an Authorization Key (AK) or a Traffic Encryption Key (TEK) is newly generated, An apparatus and method for reducing the overhead for integrity check will be described.

FIG. 3 is a flowchart of a base station operation for reducing the overhead for integrity checking of a control message in a wireless communication system according to an embodiment of the present invention.

Referring to FIG. 3, in step 300, the BS initializes an Invalid_CMAC COUNTER for counting the integrity of a control message received from a corresponding MS to zero.

In step 302, the BS receives a control message including the CMAC for checking the integrity of the control message from the corresponding MS. The CMAC is generated by the corresponding terminal using at least one of CMAC_KEY, AKID, CMAC_PN, STID, FID, and MAC_Management_Message information as in Equation (1). Conventionally, the CMAC is 64 bits (8 bytes) in size, but 32 bits (4 bytes) are used in the present invention.

Then, the BS extracts an AK identifier (AKID) and the CMAC used by the corresponding terminal to generate the CMAC from the control message including the CMAC received in step 304. [ The AK is derived by PMK (Pair-wise Master).

Then, in step 306, the BS compares the AK identifier (AKID) used by the corresponding terminal with the AKID negotiated in the mutual authentication procedure to check the validity of the received control message or AK .

If the control message received in step 306 is not valid, the BS proceeds to step 308 to discard the received control message and wait for a next control message or a retransmitted control message. According to another embodiment, the PMK for deriving the AK may be used to check the validity of the control message received from the corresponding terminal.

On the other hand, if the control message received in step 306 is valid, that is, if the identifier of the AK used to generate the CMAC included in the received control message is valid, the base station transmits the CMAC included in the control message received from the terminal Check the validity. In other words, the BS checks whether the CMAC included in the control message received from the corresponding terminal and the CMAC generated by the BS are identical to each other, and checks the integrity of the control message received from the corresponding terminal.

If the CMAC included in the control message received from the MS is valid in step 310, the BS proceeds to step 312 and normally processes the received control message and waits for the next control message.

On the other hand, if the CMAC included in the control message received from the MS is not valid in step 310, the BS proceeds to step 314 to increment the Invalid_CMAC COUNTER by 1, counts the number of invalid CMACs generated, Discard the message.

Thereafter, if the Invalid_CMAC COUNTER increased in step 316 is smaller than the predetermined threshold, the BS maintains the currently used AK and waits for a next control message or a control message to be retransmitted.

If the Invalid_CMAC COUNTER increased in step 316 is greater than or equal to the predetermined threshold, the BS proceeds to step 318 and updates the AK used when generating the CMAC. This will be described in detail with reference to FIGS. 5 and 6 below. Depending on the implementation, the PMK that derives AK instead of AK may be updated.

Thereafter, the BS resets Invalid_CMAC COUNTER to 0 every time the AK is updated in step 320.

As described above, in the present invention, the 4-byte CMAC value having a smaller overhead than that of the prior art is used. However, the number of occurrences in which an invalid message passes the integrity check is counted and the number of occurrences is 2 ¹² ). By updating the key to generate the CMAC, the probability that an invalid message passes the integrity check satisfies 2 ^-20 . That is, according to the National Institute of Standards and Technology (NIST) standard, when the required risk is 2 - ²⁰ , and the number of incidents when an invalid message passes the integrity test is 2 ^{12 or} more, (Threshold / risk). Therefore, it is possible to maintain the security level even with a 32-bit or 4-byte CMAC.

On the other hand, conventionally, the number of occurrences in which an invalid message passes an integrity check is not counted.

FIG. 3 illustrates a case where the BS receives a control message from the corresponding BS. However, the present invention can also be applied to a case where the BS receives a control message from the BS.

4 is a flowchart of a base station operation for reducing an overhead for integrity checking of an MPDU encrypted based on AES-CCM in a wireless communication system according to an embodiment of the present invention. AES is an open, symmetric key cryptosystem that NIST replaces with the next generation international standard encryption of data encryption standard (DES).

Referring to FIG. 4, in step 400, the base station initializes an Invalid_TEK COUNTER value for counting the integrity of the MPDU encrypted with the AES-CCM received in the corresponding terminal.

In step 402, the BS receives an MPDU including a value (ICV) for the integrity check of the MPDU from the corresponding MS. The integrity check value (ICV) is generated in a CCM (Counter with Cipher Block Chaining Message) mode using at least one of a Traffic Encryption Key (TEK), a MAC header, a PN (Packet Number)

In step 404, the BS extracts the TEK and the ICV used for generating the ICV from the MPDU including the ICV received from the corresponding terminal.

In step 406, the base station checks the EKS for the TEK used for encryption. If the EKS is not valid, the base station proceeds to step 408 to allow the mobile station to synchronize with the TEK and discard the received MPDU. The base station transmits an Invalid_TEK message to the corresponding terminal to synchronize with the TEK and performs key negotiation with the base station such that the corresponding terminal that received the Invalid_TEK message matches the TEK of the base station. The synchronization procedure for the TEK will be described below with reference to FIGS. 7 and 8. FIG.

On the other hand, if the EKS is valid in step 406, the base station proceeds to step 410 and decodes the MPDU received from the corresponding terminal to inspect the ICV.

If the ICV is valid, the MPDU is normally processed in step 412. On the other hand, if the ICV is not valid, the process proceeds to step 414 to increment the Invalid_TEK COUNTER by 1, counts the number of invalid ICV occurrences, and discards the received MPDU.

Thereafter, if the Invalid_TEK_COUNTER increased in step 416 is smaller than the predetermined threshold, the BS maintains the currently used TEK and waits for the next MPDU or the MPDU to be retransmitted.

Thereafter, if the Invalid_TEK_COUNTER increased in step 416 is greater than or equal to the predetermined threshold, the BS proceeds to step 418 and updates the new TEK. Here, the TEK is firstly updated by the base station.

If the Invalid_TEK_COUNTER is equal to or greater than the predetermined threshold value, the base station discards the existing TEK_D and replaces the existing TEK_U with the TEK_D (TEK_D: = TEK_U: ). Then, COUNTER_TEK is incremented by one and a new TEK is generated according to Equation (2) (TEK_U: = new TEK).

At this time, since the TEK_U having a high risk of the existing exposure continues to use the TEK_D, the base station recognizes that the terminal has completed the TEK update in the TEK update process in order to reduce the risk of exposure, By performing the TEK update procedure, TEK_D that is at risk of exposure can be discarded and a new TEK can be created so that both TEK_D and TEK_U are free from exposure risk.

The base station may perform the TEK update procedure based on a key agreement process or a reauthentication process.

In the key agreement process, a key agreement process is performed by the base station transmitting a key agreement MSG # 1 message to the UE, and the upper cryptographic keys such as PMK and AK are updated through the key agreement process to induce the TEK update. At this time, since the TEK_U and TEK_D are keys generated from the previous upper encryption key (for example, AK), the base station uses TEK_U as TEK_D, generates a new TEK and uses it as TEK_U, The BS may discard the TEK_D again, use the TEK_U as the TEK_D, generate a new TEK, and use the new TEK as the TEK_U so as to discard the TEK with the risk of exposure through the two TEK update processes.

In other words, the first TEK update process replaces the first TEK_U with the first TEK_D, discards the previous TEK_D, creates a new TEK and sets it to the second TEK_U. Thereafter, the second TEK update process replaces the second TEK_U with the second TEK_D, discards the first TEK_D, creates a new TEK, and sets it to the third TEK_U

In the re-authentication process, the base station sends an EAP-Transfer message to the mobile station to allow the mobile station to perform a network re-authentication process. After the re-authentication process, the base station performs the key agreement process, The TEK renewal process can be used to discard TEKs that are exposed to risk.

On the other hand, if the Invalid_TEK COUNTER is equal to or larger than the predetermined threshold value, the terminal transmits an Invalid_TEK message and notifies the base station of the result of the TEK update procedure in the environment where the terminal receives the MPDU from the base station. Upon receiving the Invalid_TEK message from the UE, the BS discards the existing TEK_D and replaces the existing TEK_U with the TEK_D (TEK_D: = TEK_U). Then, COUNTER_TEK is incremented by one and a new TEK is generated according to Equation (2) (TEK_U: = new TEK).

Thereafter, when the MS recognizes that the MPDU received from the BS is encrypted with the TEK_U held by the MS, the MS transmits a key request (including SAID) message to the BS, and the BS transmits a key reply message (SAID, AK SN, and COUNTER_TEK) to the terminal. If the COUNTER_TEK is updated, the terminal also updates the TEK. That is, the existing TEK_D is discarded and the existing TEK_U is replaced with TEK_D (TEK_D: = TEK_U). Then, COUNTER_TEK is incremented by one and a new TEK is generated according to Equation (2) (TEK_U: = new TEK).

The TEK is generated based on Equation (2) below.

Here, TEK is generated from AK and the lifetime of TEK is equal to AK. In addition, the COUNTER_TEK is incremented by 1 each time a new TEK is generated, a SAID (Security Association ID) is an identifier of the corresponding SA, and the terminal and the base station each use two TEKs (TEK_U is used when the terminal encrypts , And TEK_D is used by the base station to encrypt). When decrypting, TEK (one of TEK_U and TEK_D) used for encrypting by the sender is used.

Thereafter, the BS resets the Invalid_TEK COUNTER to 0 every time the TEK is updated in step 420.

As described above, in the present invention, a 4-byte ICV having a smaller overhead than the conventional technique is used. However, the number of occurrences in which an invalid MPDU passes the integrity check is counted and the number of occurrences is 2 ¹² , It updates the TEK for generating the ICV so that the ineffective MPDU satisfies the probability 2 ^-20 that passes the integrity check. That is, when the required risk is 2 - ²⁰ , and the number of occurrences of invalid MPDUs passing the integrity test is 2 ^{12 or} more, according to NIST standard, the size of ICV is log (threshold / risk) ICV of the security level can be maintained.

On the other hand, conventionally, the number of occurrences in which an invalid MPDU passes the integrity check is not counted.

FIG. 4 illustrates a case where a base station receives an MPDU from a corresponding terminal, but may also be applied to a case where the terminal receives an MPDU from the base station.

FIG. 5 illustrates a procedure for updating an encryption key (PKM and AK) when a base station according to the present invention receives a control message from the corresponding terminal.

In step 500, when the Invalid_CMAC COUNTER becomes equal to or greater than a predetermined number of times, the BS transmits a Key_agreement MSG # 1 message to the corresponding MS in order to update a new cryptographic key (PKM and AK).

After receiving the Key_agreement MSG # 1 message in step 510, the MS transmits a Key_agreement MSG # 2 message to the BS.

In step 520, the BS transmits a Key_layment MSG # 3 message to the corresponding MS in response to the Key_agreement MSG # 2.

Therefore, the corresponding terminal and the base station share the new cryptographic keys (PKM and AK) by exchanging information necessary for updating the AK or PKM with each other through a Key_agreement message.

FIG. 6 illustrates a procedure for updating the encryption keys (PKM and AK) when a terminal according to the present invention receives a control message from a base station.

In step 600, when the Invalid_CMAC COUNTER becomes equal to or greater than a predetermined number, the MS transmits an Invalid CMAC message to the BS.

Upon receiving the Invalid CMAC message in step 610, the BS transmits a Key_agreement MSG # 1 message to the corresponding MS in order to update the new cipher keys (PKM and AK).

In step 620, upon receiving the Key_agreement MSG # 1 message, the MS transmits a Key_agreement MSG # 2 message to the BS.

In step 630, the BS transmits a Key_agreement MSG # 3 message to the corresponding MS in response to the Key_agreement MSG # 2.

Therefore, the corresponding terminal and the base station share the new cryptographic keys (PKM and AK) by exchanging information necessary for updating the AK or PKM with each other through a Key_agreement message.

7 shows a procedure for updating an encryption key (TEK) when a base station according to the present invention receives an MPDU from a corresponding terminal.

Referring to FIG. 7, if the EKS is not valid in step 700, an invalid TEK message is transmitted to the terminal.

In step 710, the MS receiving the Invalid TEK message transmits a Key-REQ message to the BS.

In step 720, the BS transmits a Key-RSP message to the MS in response to the Key-REQ message.

Therefore, the corresponding terminal and the base station share the information for generating the TEK, so that they use the same TEK.

FIG. 8 shows a procedure for updating an encryption key (TEK) when a terminal according to the present invention receives an MPDU from a corresponding base station.

Referring to FIG. 8, if the EKS is not valid in step 800, the terminal transmits a Key-REQ message to the base station.

In step 810, the BS transmits a Key-RSP message to the MS in response to the Key-REQ message.

Therefore, the corresponding terminal and the base station share the information for generating the TEK, so that they use the same TEK.

FIG. 9 shows an apparatus (base station or terminal) for reducing the overhead for checking the integrity of data in a wireless communication system.

9, the terminal includes a duplexer 900, a receiving unit 910, a data processing unit 920, a message authentication unit 930, a controller 940, ), A data generation unit 950, and a transmission unit 960.

The duplexer 900 transmits the transmission signal provided from the transmission unit 960 through the antenna according to the duplex scheme and provides the reception signal from the antenna to the reception unit 910. For example, in the case of using a time division duplexing (TDD) scheme, the duplexer 900 transmits a transmission signal provided from the transmission unit 960 through an antenna during a transmission interval, To the receiving unit 910. The receiving unit 910 receives the received signal.

The receiving unit 910 converts the high frequency signal received from the duplexer 900 into a baseband signal, demodulates and decodes the baseband signal, and outputs the baseband signal. For example, the receiving unit 910 includes an RF processing block, a demodulation block, a channel decoding block, and the like. The RF processing block converts a high frequency signal received through an antenna into a baseband signal and outputs the baseband signal. The demodulation block converts a signal received from the RF processing block into a frequency band signal through Fast Fourier Transform (FFT) conversion. The channel decoding block may include a demodulator, a deinterleaver, and a channel decoder.

At this time, the receiver 910 receives a signal using the assigned terminal identifier. The receiving unit 910 provides the control unit 940 with control information obtained through demodulation and decoding and provides the data to the data processing unit 920.

The data processing unit 920 detects a packet from the data received from the receiving unit 910. Thereafter, the data processing unit 920 determines whether the packet is a control message and whether a packet is encrypted through the header information of the detected packet.

If the packet is a control message, the data processing unit 920 extracts a control message from the packet and transmits the control message to the message authentication unit 930.

On the other hand, if the packet is encrypted, the data processing unit 920 transmits the packet to the decryption unit 922. The decryption unit 922 determines the validity of the packet through the EKS and the integrity check value (ICV) of the packet received from the data processing unit 920. If the EKS is not valid, the controller 940 generates a KEY-REQ message and transmits the KEY-REQ message to the base station along with the authentication information through the message authentication unit 930, And receives information on the TEK currently used by the base station.

If the ICV of the packet is not valid, the decoding unit 922 counts the number of Invalid_TEK COUNTERs. When the Invalid_TEK COUNTER reaches the predetermined number, the controller 940 generates an Invalid TEK message and transmits it to the base station along with the authentication information through the message authentication unit 930, and the base station updates the TEK. On the other hand, when the packet is valid, the decoding unit 922 decodes the packet and processes the packet.

The message authentication unit 930 determines whether the control message provided from the data processing unit 920 is valid. At this time, the message authentication unit 930 determines whether the CMAC value is valid if the AK identifier used in generating the CMAC is valid. If it is determined that the message is invalid, the message authentication unit 630 counts the number of Invalid_CMAC COUNTERs. When the Invalid CMAC COUNTER reaches the predetermined number, the controller 940 generates an Invalid CMAC message and transmits the Invalid CMAC message to the BS together with the authentication information through the message authentication unit 630. The control unit 940 sends the Key_agreement MSG # 1 and updates the encryption keys (i.e., PMK and AK) through a key agreement procedure. Meanwhile, the controller 940 transmits the control message determined to be valid to the CMAC.

The message authentication unit 930 adds a message authentication code (CMAC) to the control information when the control unit 940 receives the control information requiring message authentication from the control unit 940 and transmits the control information to the data generation unit 950 do. At this time, the message authentication unit 930 generates the message authentication code (CMAC) using the authentication key AK generated using the information of the target base station obtained through the extended authentication protocol (EAP).

The data generation unit 950 generates and outputs a packet including the control information provided from the message authentication unit 930. For example, the data generation unit 950 generates a packet including an Invalid CMAC message and an Invalid TEK message to which a message authentication code provided from the message authentication unit 930 is added.

The transmitter 960 converts the data provided from the data generator 950 and the control information provided from the controller 940 into a high frequency signal and transmits the high frequency signal to the duplexer 900. For example, the transmitter 960 includes a channel code block, a modulation block, and an RF processing block. The channel coded block includes a channel encoder, an interleaver, and a modulator. The modulation block converts a signal received from the modulator into a time-domain signal through Inverse Fast Fourier Transform (IFFT). The RF processing block converts the baseband signal provided from the modulation block into a high frequency signal and transmits the high frequency signal to the duplexer 900.

In the embodiment described above, the controller 940 and the message authentication unit 930 are configured independently. In another embodiment, the controller 940 and the message authentication unit 930 may be configured as a single module.

9, the base station includes a duplexer 900, a receiving unit 910, a data processing unit 920, a message authentication unit 930, and a controller (not shown) 940, a data generation unit 950, and a transmission unit 960.

The duplexer 900 transmits a transmission signal provided from the transmission unit 960 through an antenna according to a duplexing scheme and provides a reception signal from an antenna to a reception unit 910. For example, in the case of using a time division duplexing (TDD) scheme, the duplexer 900 transmits a transmission signal provided from the transmission unit 960 through an antenna during a transmission interval, To the receiving unit 910. The receiving unit 910 receives the received signal.

The receiving unit 910 converts the high frequency signal received from the duplexer 900 into a baseband signal, demodulates and decodes the baseband signal, and outputs the baseband signal. For example, the receiving unit 910 includes an RF processing block, a demodulation block, a channel decoding block, and the like. The RF processing block converts a high frequency signal received through an antenna into a baseband signal and outputs the baseband signal. The demodulation block converts a signal received from the RF processing block into a frequency band signal through Fast Fourier Transform (FFT) conversion. The channel decoding block may include a demodulator, a deinterleaver, and a channel decoder.

At this time, the receiving unit 910 receives a signal of the mobile station using the mobile station identifier used. The receiving unit 910 provides the control unit 940 with control information obtained through demodulation and decoding and provides the data to the data processing unit 920.

The data processing unit 920 detects a packet from the data received from the receiving unit 910. Thereafter, the data processing unit 920 determines whether the packet is a control message and whether a packet is encrypted through the header information of the detected packet.

If the packet is a control message, the data processing unit 920 extracts a control message from the packet and transmits the control message to the message authentication unit 930.

On the other hand, if the packet is encrypted, the data processing unit 920 transmits the packet to the decryption unit 922. The decryption unit 922 determines the validity of the packet through the EKS value and the integrity check value (ICV) of the packet received from the data processing unit 920. If the EKS value is not valid, the controller 940 generates a KEY-REQ challenge message and transmits it to the terminal along with the authentication information through the message authentication unit 930. In response to the KEY-REQ challenge message, And the base station transmits information on the currently used TEK to the terminal through the KEY-RSP message in response to the KEY-REQ message.

If the ICV of the packet is not valid, the decoding unit 922 counts the number of Invalid_TEK COUNTERs. When the Invalid_TEK COUNTER value reaches the predetermined number, the controller 940 updates the TEK. On the other hand, when the packet is valid, the decoding unit 922 decodes the packet and processes the packet.

The message authentication unit 930 determines whether the control message provided from the data processing unit 920 is valid. At this time, if the identifier of AK used in CMAC generation is valid, the message authentication unit 930 determines whether CMAC is valid. When it is determined that the CMAC is not valid, the message authentication unit 630 counts the number of Invalid_CMAC COUNTERs. When the Invalid_CMAC COUNTER value reaches the predetermined number, the message authentication unit 630 generates a Key_agreement MSG # 1 message through the controller 940, (930), and updates the cryptographic keys (i.e., PMK and AK) through a key agreement procedure. Meanwhile, the controller 940 transmits the control message determined to be valid by the CMAC.

The message authentication unit 930 adds a message authentication code (CMAC) to the control information when the control unit 940 receives the control information requiring message authentication from the control unit 940 and transmits the control information to the data generation unit 950 do. At this time, the message authentication unit 730 generates the message authentication code (CMAC) using the authentication key AK generated using the base station information acquired through the extended authentication protocol (EAP).

The data generation unit 950 generates and outputs a packet including the control information provided from the message authentication unit 930. For example, the data generation unit 950 generates a packet including a key_agreement MSG # 1 message to which a message authentication code provided from the message authentication unit 930 is added.

The transmitter 960 converts the data provided from the data generator 950 and the control information provided from the controller 940 into a high frequency signal and transmits the high frequency signal to the duplexer 900. For example, the transmitter 960 includes a channel code block, a modulation block, and an RF processing block. The channel coded block includes a channel encoder, an interleaver, and a modulator. The modulation block converts a signal received from the modulator into a time-domain signal through Inverse Fast Fourier Transform (IFFT). The RF processing block converts the baseband signal provided from the modulation block into a high frequency signal and transmits the high frequency signal to the duplexer 900.

In the embodiment described above, the controller 940 and the message authentication unit 930 are configured independently. In another embodiment, the controller 940 and the message authentication unit 930 may be configured as a single module.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments, but is capable of various modifications within the scope of the invention. Therefore, the scope of the present invention should not be limited by the illustrated embodiments, but should be determined by the scope of the appended claims and equivalents thereof.

Control unit 940, Message authentication unit 930

Claims (64)

delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete A method of operating a base station in a wireless communication system,
Detecting an integrity check value (ICV) error of the received message;
Performing a key update procedure for a second key used for data encryption by the terminal at a first time point as the integrity check value error is detected;
Performing a key update procedure for a key used for data encryption by the terminal at a second time point,
The step of performing the key update procedure at the first time point may include:
Discarding a first key used for encrypting transmission data from the base station,
Using the second key as the first key used for encrypting the transmission data;
And deriving a first new key for data encryption by the terminal,
Wherein the step of performing the key update procedure at the second time point comprises:
Discarding the second key,
Using the first new key as the second key,
And deriving a second new key for data encryption by the terminal.
40. The method of claim 39,
Further comprising the step of counting the number of times the integrity check value error occurs when there is an integrity check value error in the received message,
Wherein the key update procedure is performed when the number of times the integrity check value error occurs is greater than or equal to a threshold value.
delete 40. The method of claim 39,
Wherein the first key is one of an Authorization Key (AK) and a Traffic Encryption Key (TEK).
40. The method of claim 39,
Wherein the received message is one of a control message and a Medium Access Control Protocol Data Unit (MPDU).
40. The method of claim 39,
The process of detecting an integrity check value error of the received message comprises:
And detecting an integrity check value error of the received message by comparing the first integrity check value and the second integrity check value,
Wherein the first integrity check value and the second integrity check value are generated based on an ICV (Integrity) based on a Cipher-based Message Authentication Code (CMAC) and an Advanced Encryption Standard-Counter (CBC) Check Vector).
40. The method of claim 39,
Discarding the received message when an integrity check value error is detected in the received message.
40. The method of claim 39,
And receiving a next message using the first new key.
45. The method of claim 44,
Wherein the first integrity check value is a value included in the received message,
Wherein the second integrity check value is a value derived from the first key.
40. The method of claim 39,
Further comprising transmitting to the terminal a notification message indicating that the current keys are not valid.
40. The method of claim 39,
Determining whether an Encryption Key Sequence (EKS) for the first key is synchronized;
Transmitting a traffic encryption key invalid (TEK_Invalid) message to the MS when the EKS is not synchronized;
Receiving a traffic encryption key request (TEK_Request) message transmitted from the terminal in response to the TEK_Invalid message;
And transmitting a traffic encryption key response (TEK_reply) message to the terminal in response to the TEK_Request message.
40. The method of claim 39,
Wherein the first key is updated based on a key agreement algorithm.
40. The method of claim 39, further comprising: determining whether the first key is valid;
Discarding the received message if the first key is not valid.
A base station apparatus in a wireless communication system,
A message authentication unit for detecting an integrity check value (ICV) error of the received message;
A key update procedure for a second key used for data encryption by the terminal is performed at a first point in time, and at a second point in time, And a controller for performing a key update procedure for the key,
Wherein the control unit discards a first key used for encrypting transmission data from the base station at the first time point and uses the second key as the first key used for encrypting the transmission data, Deriving a first new key for data encryption by the terminal,
Wherein the control unit discards the second key at the second time point, uses the first new key as the second key, and derives a second new key for data encryption by the terminal.
53. The method of claim 52,
Wherein the control unit counts the number of times the integrity check value error occurs when there is an integrity check value error in the received message and if the number of times the integrity check value error occurs is greater than or equal to a threshold value, A device to perform.
delete 53. The method of claim 52,
Wherein the first key is one of an Authorization Key (AK) and a Traffic Encryption Key (TEK).
53. The method of claim 52,
Wherein the received message is one of a control message and a Medium Access Control Protocol Data Unit (MPDU).
53. The method of claim 52,
The message authenticating unit,
Detecting an integrity check value error of the received message by comparing the first integrity check value and the second integrity check value,
Wherein the first integrity check value and the second integrity check value are generated based on a Cipher-Based Message Authentication Code (CMAC) and an Advanced Encryption Standard-Counter (CBC) Check Vector).
53. The method of claim 52,
And the control unit discards the received message when the integrity check value error is detected.
53. The method of claim 52,
And the control unit receives the next message using the first new key.
58. The method of claim 57,
Wherein the first integrity check value is a value included in the received message,
Wherein the second integrity check value is a value derived from the first key.
53. The method of claim 52,
And the control unit transmits to the terminal a notification message indicating that the current keys are not valid.
53. The method of claim 52,
Wherein,
Determining whether the Encryption Key Sequence (EKS) for the first key is synchronized,
When the EKS is not synchronized, transmits a TEK_Invalid message to the terminal,
In response to the TEK_Invalid message, a traffic encryption key request (TEK_Request) message transmitted from the terminal,
And transmits a traffic encryption key response (TEK_reply) message to the terminal in response to the TEK_Request message.
53. The method of claim 52,
Wherein the first key is updated based on a key agreement algorithm.
53. The method of claim 52,
Wherein the control unit determines whether the first key is valid and discards the received message if the first key is not valid.

Images