Method and apparatus for protecting sensitive user plane traffic
By configuring DNS credentials at the application layer of the 5G communication system and utilizing security mechanisms such as DTLS, TLS, and HTTPS, the integrity protection problem of DNS traffic in user plane traffic is solved, achieving effective protection and resource optimization of DNS traffic.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SAMSUNG ELECTRONICS CO LTD
- Filing Date
- 2021-04-30
- Publication Date
- 2026-07-03
AI Technical Summary
Existing 5G communication systems lack effective integrity protection for DNS traffic in user plane traffic, leading to the risk of redirection attacks, and existing methods waste resources on global protection at the PDCP layer.
By using NAS messages carrying new information elements/containers at the application layer, DNS credentials are configured between the UE and the network system to achieve DNS message protection based on a secure channel, including security mechanisms such as DTLS, TLS, and HTTPS, thereby reducing the protection of all data traffic in the PDU session.
It effectively protects DNS traffic, prevents redirection attacks, reduces resource waste, and improves network security and efficiency.
Smart Images

Figure CN115699831B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to wireless communication protection, and more specifically, to methods and apparatus for protecting user plane traffic. Background Technology
[0002] To address the pain points in wireless data traffic since the introduction of 4G communication systems, efforts have been made to develop enhanced 5G or near-5G communication systems. For these reasons, 5G or near-5G communication systems are referred to as super-4G network communication systems or post-LTE systems.
[0003] For higher data transmission rates, 5G communication systems are considered to be implemented on ultra-high frequency bands (mmWave), such as 60 GHz. To mitigate path loss in ultra-high frequency bands and increase radio wave coverage, 5G communication systems consider the following technologies: beamforming, massive MIMO, full-dimensional MIMO (FD-MIMO), array antennas, analog beamforming, and massive MIMO.
[0004] Various technologies are also being developed for 5G communication systems to enhance networks, such as evolved or advanced small cells, cloud radio access networks (cloud RAN), ultra-dense networks, device-to-device (D2D) communication, wireless backhaul, mobile networks, cooperative communication, cooperative multipoint (CoMP), and interference cancellation. Other various other schemes under development for 5G systems include advanced coding and modulation (ACM) schemes such as hybrid FSK (frequency shift keying) and QAM (orthogonal amplitude modulation) modulation (FQAM) and sliding window superposition coding (SWSC), as well as advanced access schemes such as filter bank multicarrier (FBMC), non-orthogonal multiple access (NOMA), and sparse code multiple access (SCMA).
[0005] The internet is evolving from a human-centric network of connections where humans create and consume information to an Internet of Things (IoT) network that transmits and processes information between things or other distributed components. Another emerging technology is the Internet of Everything (IoE), which combines big data processing technology with IoT technology, such as those connected to cloud servers. Realizing the IoT requires technological elements such as sensing technology, wired / wireless communication and network infrastructure, service interface technology, and security technology. Recent research is focused on inter-object connectivity technologies such as sensor networks, machine-to-machine (M2M), or machine-type communication (MTC).
[0006] In the IoT environment, intelligent internet technology (IT) services can be provided to collect and analyze data generated by interconnected things to create new value for human life. Through the transformation or integration of existing information technology (IT) technologies and various industries, IoT can have a variety of applications, such as smart homes, smart buildings, smart cities, smart cars or connected cars, smart grids, healthcare or smart appliance industries, or state-of-the-art medical services.
[0007] Therefore, 5G communication systems are being applied to IoT networks. For example, sensor networks, machine-to-machine (M2M), machine-type communication (MTC), or other 5G technologies are being implemented through solutions such as beamforming, multiple-input multiple-output (MIMO), and array antenna schemes. The aforementioned applications of cloud radio access networks (RAN), as big data processing technologies, can be seen as examples of the convergence of 5G and IoT technologies.
[0008] Generally, in wireless communication networks, for Long Term Evolution Data Radio Portability (LTE DRB) (User Plane) (UP) and / or considering User Equipment (UE) capabilities or applications / services requested on the UE, encryption is enabled but integrity protection is not, thus reducing computational power. The lack of integrity protection can lead to security attacks, such as man-in-the-middle (MitM) manipulation of encrypted text between the UE and the Evolved Node B / Next Generation Radio Access Network Node B (eNB / gNB). Manipulation of encrypted text is a serious threat, especially for signaling messages that can lead to redirection attacks. For example, redirection of Domain Name System (DNS) query messages. Furthermore, attacks can be performed by manipulating the Internet Protocol (IP) address of the DNS server in DNS request messages from the UE, thereby redirecting DNS requests to a malicious DNS server instead of the intended destination under the attacker's control. Therefore, integrity protection is necessary for signaling messages on the user plane.
[0009] 3GPP systems support UP IP at the Packet Data Convergence Protocol (PDCP) layer (PDCP resides within the radio protocol stack). However, it is generally accepted that applying UP IP across the entire Packet Data Unit (PDU) session at the PDCP layer solely for protecting DNS traffic is wasteful. 5G systems, for example, allow enabling and disabling user plane integrity and / or confidentiality protection on a per-PDU session basis. Applying protection to all types of data traffic within a PDU session is ineffective, as not all data traffic types require protection. Therefore, to avoid such waste (avoiding the use of UP IP at the PDCP layer), alternative methods for protecting DNS traffic should be considered.
[0010] Therefore, it is necessary to provide integrity protection for DNS packets through different channels to avoid redirection attacks. Summary of the Invention
[0011] Technical issues
[0012] The main objective of this embodiment is to provide a method for configuring DNS credentials in a UE via a network system during the registration process using a Non-Access Stratum (NAS) message carrying a New Information Element (IE) / container.
[0013] Another objective of this embodiment is to provide a method for configuring DNS credentials in a UE via a network system during a service request process using NAS messages carrying new information elements (IEs) / containers.
[0014] Another objective of this embodiment is to provide a method for configuring DNS credentials in a UE via a network system during the Protocol Data Unit (PDU) session establishment process using NAS messages carrying New Information Elements (IEs) / containers.
[0015] Another objective of this embodiment is to notify the network system that the UE supports secure exchange of DNS messages using the DNS configuration parameters provided by the network system.
[0016] Another objective of this embodiment is to provide a method and apparatus for configuring a UE routing policy (URSP) based on a network security policy over UP IP to carry a special DNN for user plane Internet Protocol (UP IP) for special traffic.
[0017] Solution
[0018] Accordingly, this embodiment provides a method for protecting sensitive user plane traffic in a UE. The method includes the UE transmitting a first NAS message to the network, the first NAS message including an indicator indicating that the UE supports a secure channel for a data network system (DNS); in response to transmitting the first NAS message, the UE receiving a second NAS message including DNS server security information from a network entity; and transmitting DNS based on the secure channel to the network based on the DNS server security information.
[0019] In one embodiment, the first NAS message includes one of a Protocol Data Unit (PDU) session establishment request message, a registration request message, and a service request message.
[0020] In one embodiment, the second NAS message includes one of the following: a PDU session establishment acceptance message, a registration acceptance message, and a service acceptance message.
[0021] In one embodiment, the secure channel includes one of DNS based on Datagram Transport Layer Security (DTLS), DNS based on Transport Layer Security (TLS), and DNS based on Hypertext Transfer Protocol Security (HTTPS).
[0022] In another embodiment, the indicator is included in the protocol configuration options of the first NAS message.
[0023] In yet another embodiment, DNS server security information is included in the protocol configuration options of the second NAS message.
[0024] In one embodiment, the DNS server security information includes at least one of the following: security mechanism information, service port information, authenticated domain name information, user public key information (SPKI), root certificate information, original public key and root certificate information.
[0025] Accordingly, this embodiment provides a network method. The method includes receiving a first NAS message from a UE by the network, the first NAS message including an indicator indicating that the UE supports a secure channel for Domain Name System (DNS); in response to transmitting the first NAS message, transmitting a second NAS message including DNS server security information from the network to the UE; and receiving DNS based on the secure channel from the UE by the network based on the DNS server security information.
[0026] Accordingly, embodiments of this document provide a network. The network includes a memory, a processor, and a transceiver, wherein the processor is configured to receive a first NAS message from a UE by the network, the first NAS message including an indicator indicating that the UE supports a secure channel for Domain Name System (DNS); in response to transmitting the first NAS message, transmit a second NAS message from the network to the UE including DNS server security information; and, based on the DNS server security information, receive DNS based on the secure channel from the UE by the network.
[0027] Accordingly, embodiments of this document provide a UE. The UE includes a memory, a processor, and a transceiver, wherein the processor is configured to transmit a first NAS message from the UE to the network, the first NAS message including an indicator indicating that the UE supports a secure channel for Domain Name System (DNS); in response to transmitting the first NAS message, the UE receives a second NAS message from the network including DNS server security information; and based on the DNS server security information, the UE transmits DNS based on the secure channel to the network.
[0028] These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and accompanying drawings. However, it should be understood that while the following description indicates preferred embodiments and their numerous specific details, it is given in an illustrative rather than limiting manner. Many variations and modifications can be made within the scope of the embodiments herein without departing from the spirit of these embodiments, and all such modifications are included in the embodiments herein. Attached Figure Description
[0029] The method and apparatus are illustrated in the accompanying drawings, in which reference numerals denote corresponding parts in the various figures. The embodiments described herein will be better understood through the following description with reference to the accompanying drawings, in which:
[0030] Figure 1A A block diagram of a UE for protecting user plane (UP) traffic according to embodiments disclosed herein is shown;
[0031] Figure 1B A block diagram of a user plane security entity according to embodiments disclosed herein is shown;
[0032] Figure 2 A block diagram of a network system for protecting user plane (UP) traffic according to embodiments disclosed herein is shown;
[0033] Figure 3A This is a flowchart illustrating a method for protecting user plane traffic from a UE perspective according to embodiments disclosed herein;
[0034] Figure 3B This is a flowchart illustrating a method for protecting user plane traffic from a network system perspective according to embodiments disclosed herein;
[0035] Figure 4 This is a schematic diagram illustrating an example of a container for storing DNS configuration parameters according to embodiments disclosed herein;
[0036] Figure 5 This is a schematic diagram illustrating an example of the establishment and routing of data packets from an application to a properly established PDU session using an IP packet filter set according to embodiments disclosed herein;
[0037] Figure 6 This is a sequence diagram illustrating a UE configuration update process according to embodiments disclosed herein. Detailed Implementation
[0038] The embodiments described herein, along with their various features and advantageous details, will be more fully explained with reference to the non-limiting embodiments illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques have been omitted to avoid unnecessarily obscuring the embodiments herein. Furthermore, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments may be combined with one or more other embodiments to form new embodiments. As used herein, the term "or" means non-exclusive or unless otherwise stated. The examples used herein are intended only to facilitate understanding of how the embodiments herein can be implemented and to further enable those skilled in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0039] As is customary in the art, embodiments may be described and illustrated as blocks that perform one or more described functions. These blocks, referred to herein as managers, units, modules, hardware components, etc., are physically implemented by analog and / or digital circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and may optionally be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips or on a substrate support such as a printed circuit board. The circuitry constituting a block may be implemented by dedicated hardware or by a processor (e.g., one or more programmed microprocessors and associated circuitry) or by a combination of dedicated hardware performing some functions of the block and a processor performing other functions of the block. Each block of an embodiment may be physically separated into two or more interacting and discrete blocks without departing from the scope of this disclosure. Similarly, blocks of an embodiment may be physically combined into more complex blocks without departing from the scope of this disclosure.
[0040] The accompanying drawings are provided to aid in the easy understanding of the various technical features, and it should be understood that the embodiments presented herein are not limited to the drawings. Accordingly, this disclosure should be construed as extending to any changes, equivalents, and substitutions other than those specifically listed in the drawings. Although the terms first, second, etc., may be used herein to describe various elements, these elements should not be limited by these terms. These terms are generally used only to distinguish one element from another.
[0041] Accordingly, this embodiment provides a method and apparatus for configuring a DNS server, DNS service information, or DNS credentials in a UE by a network system. This method provides protection for UP traffic (DNS messages) at the application layer. By applying protection to DNS message exchange at the application layer instead of at the PDCP layer, resource consumption is reduced by not protecting all data traffic of the PDU session.
[0042] In one embodiment, if the UE receives DNS configuration parameters from the network system, it determines that it supports the secure exchange of DNS messages. The UE then informs the network system of its secure DNS message exchange capability via a Non-Access Stratum (NAS) message that includes a DNS server security information indicator. If the network system wants to enforce the use of secure channel-based DNS, it responds to the NAS message by sending the DNS server security information (DNS configuration parameters) to the UE. The UE is then configured with the DNS configuration parameters. The DNS messages are now protected and exchanged with the network system.
[0043] Unlike existing methods and systems, the proposed method provides DNS message protection at the application layer.
[0044] Now refer to the attached diagram, for more specific details. Figures 1A to 6 The preferred embodiments are shown, wherein similar reference numerals consistently denote corresponding features throughout all the figures.
[0045] Figure 1A A block diagram of a UE (100) for protecting sensitive user plane traffic according to embodiments disclosed herein is shown. For example, the UE (100) may be, but is not limited to, a social robot, smartwatch, cellular phone, smartphone, personal digital assistant (PDA), tablet computer, laptop computer, music player, video player, Internet of Things (IoT) device, smart speaker, artificial intelligence (AI) device, etc.
[0046] In one embodiment, the UE (100) includes a memory (110), a processor (120), a communicator (130), an UP security entity (140), and a transceiver (150).
[0047] The memory (110) stores instructions to be executed by the processor (120). The memory (110) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard disks, optical disks, floppy disks, flash memory, or electrically programmable memory (EPROM) or electrically erasable programmable memory (EEPROM). Furthermore, in some examples, the memory 110 may be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or propagating signal. However, the term "non-transitory" should not be interpreted as the memory (110) being immovable. In some examples, the memory (110) may be configured to store a larger amount of information than a memory. In some examples, a non-transitory storage medium may store data that can change over time (e.g., in random access memory (RAM) or cache). The memory (110) may be an internal storage unit or it may be an external storage unit of the UE (100), cloud storage, or any other type of external storage.
[0048] In one embodiment, the processor (120) communicates with the memory (110), the communicator (130), and the UP security entity (140). The processor (120) is configured to execute instructions stored in the memory (110) and perform various processes. The processor may include one or more processors, which may be general-purpose processors such as central processing units (CPUs), application processors (APs), graphics-only units such as graphics processing units (GPUs), vision processing units (VPUs), and / or artificial intelligence (AI) dedicated processors such as neural processing units (NPUs).
[0049] In one embodiment, the communicator (130) is configured to communicate internally between internal hardware components and with external devices via one or more networks. The communicator (130) includes electronic circuitry specific to standards for implementing wired or wireless communication.
[0050] The UP security entity (140) is responsible for protecting over-the-air DNS packets from redirection attacks by providing integrity protection to Domain Name System (DNS) packets. The UP security entity (140) uses DNS security credentials received from network entities to protect DNS packets.
[0051] The UP security entity (140) is configured to determine, upon receiving DNS configuration parameters, that the UE (100) supports secure exchange of DNS messages with a DNS server. Furthermore, the UE (100) notifies the network system in a NAS message, including a DNS server security information indicator, that the UE (100) supports secure exchange of DNS messages. If the network wants to enforce the use of secure channel-based DNS (e.g., if the SMF wants to disable integrity protection in the PDCP layer and enable DNS security (DTLS / TLS / HTTPS) at the application layer), the UE (100) receives the DNS configuration parameters in response to the NAS message. The UE (100) is then configured to protect the DNS messages using the DNS configuration parameters received from the network. Finally, the protected DNS packets are exchanged with the network system.
[0052] The UP security entity (140) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and may optionally be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0053] although Figure 1AVarious hardware components of the UE (100) are illustrated, but it should be understood that other embodiments are not limited thereto. In other embodiments, the UE (100) may include fewer or more components. Furthermore, the labels or names of components are for illustrative purposes only and do not limit the scope of the invention. One or more components may be combined to perform the same or substantially similar functions to protect user plane traffic.
[0054] Figure 1B A block diagram of a UP security entity (140) for protecting user plane traffic according to an embodiment of the present disclosure is shown.
[0055] In one embodiment, the UP security entity (140) includes a Protocol Data Unit (PDU) session management entity (144), a UE capability determiner (142), and a DNS security credential engine (146).
[0056] In one embodiment, the UE capability determiner (142) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and may optionally be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0057] In one embodiment, the UE capability determiner (142) determines in a NAS message during the NAS procedure that the UE (100) supports securely exchanged DNS messages, wherein the DNS messages are exchanged using DNS configuration parameters provided by the network. In one embodiment, the NAS procedure may be a registration procedure for the UE (100). In another embodiment, the NAS procedure may be a Packet Data Network (PDN) connection procedure. In another embodiment, the NAS procedure may be an attach procedure. In yet another embodiment, the NAS procedure may be a service request procedure. In yet another embodiment, the NAS procedure may be a Protocol Data Unit (PDU) establishment procedure. In yet another embodiment, the UE (100) may notify the network system during a UE configuration update procedure.
[0058] In addition, the UE capability determiner (142) informs the PDU session management entity (144) that the UE (100) supports secure exchange of DNS messages (e.g., supports DNS based on Datagram Transport Layer Security (DTLS) and / or DNS based on Transport Layer Security (TLS) and / or DNS based on Hypertext Transfer Protocol Security (HTTPS).
[0059] In one embodiment, the PDU session management entity (144) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and may optionally be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0060] In one embodiment, during the PDU establishment process, the UE (100) sends a PDU session establishment request to connect to the network system. The PDU session establishment request includes a "Secure DNS Configuration Parameter Request (DNS Server Security Information Indicator)" as part of an extended Protocol Configuration Option (PCO) information element (IE). The Secure DNS Configuration Parameter Request indicates to the network system that the UE (100) is capable of implementing secure DNS exchange functionality and is willing to accept the corresponding DNS server configuration parameters.
[0061] Furthermore, the PDU session establishment request also informs the network system about the secure channel supported by the UE (100). In one embodiment, the secure channel may be DNS based on Datagram Transport Layer Security (DTLS). In another embodiment, the secure channel may be DNS based on Transport Layer Security (TLS). In yet another embodiment, the secure channel may be DNS based on Hypertext Transfer Protocol Security (HTTPS).
[0062] In one embodiment, if the network system accepts a PDU session establishment request, the network system sends a PDU session establishment acceptance message to the UE (100). The PDU session establishment acceptance message contains an extended PCO information element, which includes a container called "Secure DNS Configuration Parameters" containing information mentioned in the DNS server security information.
[0063] Send the container's "Secure DNS Configuration Parameters" to the DNS Security Credentials Engine (146).
[0064] In another embodiment, the UE (100) informs the network system of its ability to exchange secure DNS messages in an attach request message to the network system during the attach procedure. The UE (100) includes a "Secure DNS Configuration Parameter Request" as part of the PCO (Protocol Configuration Option). The Secure DNS Configuration Parameter Request indicates to the network that the UE is capable of exchanging secure channel DNS based on a protocol such as Transport Layer Security (TLS) and is willing to accept the corresponding DNS server configuration parameters.
[0065] The UE (100) receives an "Attach Complete" message from the network system in response to the attach request. The Attach Complete message contains a PCO (Protocol Configuration Options), which includes a container "Secure DNS Configuration Parameters" that contains information mentioned in the DNS server security information.
[0066] In another embodiment, the UE (100) informs the network system of its ability to exchange secure DNS messages in a PDN connection request to the network system during the PDN connection process. The UE (100) includes a "Secure DNS Configuration Parameter Request" as part of the PCO (Protocol Configuration Option) in the PDN connection request. The Secure DNS Configuration Parameter Request indicates to the network that the UE is capable of exchanging DNS over a secure channel based on a security such as Transport Layer Security (TLS) and is willing to accept the corresponding DNS server configuration parameters.
[0067] The UE (100) receives a "PDN Connection Accept" message from the network system in response to the attach request. The PDN Connection Accept message includes a PCO (Protocol Configuration Options) which contains a container "Secure DNS Configuration Parameters" that includes information mentioned in the DNS server security information.
[0068] In another embodiment, the UE (100) informs the network system of its ability to exchange secure DNS messages in a UE registration request to the network system during the registration process. The UE (100) includes a "Secure DNS Configuration Parameter Request" as part of the PCO (Protocol Configuration Option) in the registration request message. The Secure DNS Configuration Parameter Request indicates to the network system that the UE is capable of exchanging DNS over a secure channel based on a security such as Transport Layer Security (TLS) and is willing to accept the corresponding DNS server configuration parameters.
[0069] In response to a registration request from the network (200), the UE (100) receives DNS configuration parameters from the container.
[0070] In the above embodiment, the UE (100) receives from the network (200) an additional parameter indicating whether a specific DNS configuration is valid only on 5GS, only on Evolved Packet System (EPS), or both on EPS and 5GS. If the UE (100) receives an indication that the default DNS configuration is valid only on 5GS, then the UE (100) uses the default DNS configuration only when the UE (100) accesses 5GS. In this case, the network (200) or the UE (100) implicitly (without sending any session management messages) or explicitly (by initiating a PDU session release procedure) releases the associated PDU session during movement from 5GS to EPS.
[0071] In another embodiment, if the UE (100) receives an indication that the default DNS configuration is only valid on the EPS, then the UE (100) uses the default DNS configuration only when the UE (100) accesses the EPS. In this case, the network (200) or the UE (100) releases the associated PDN connection implicitly (without sending any session management messages) or explicitly (initiating a Protocol Data Unit (PDU) session release procedure) during the move from the EPS to the 5GS.
[0072] In another embodiment, if the UE receives an indication that the default DNS configuration is valid for both 5GS and EPS, then the UE (100) uses the default DNS configuration when accessing both 5GS and EPS. During movement between 5GS or EPS, the associated PDU session continues in both EPS and 5GS.
[0073] In one embodiment, the DNS security credential engine (146) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and may optionally be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0074] The DNS security credential engine (146) determines information about DNS server security information and secure DNS configuration parameters based on the container. The container includes at least one of the following: DNS security mechanism information, DNS security credentials, DNS service port information, security profile, and supported server certificate types. The DNS security mechanism information determines whether it is an HTTPS-based DNS, a TLS-based DNS, or a DTLS-based DNS. The DNS security credentials include the root certificate of the certificate authority or the server's public key used for server certificate verification to establish a TLS session without authentication, user public key information (SPKI), and the authenticated domain name. The DNS service port information indicates that the service port can be 53, 853, or <administrator-defined port>. The security profile information can indicate a strict privacy profile or an opportunistic privacy profile. Supported server certificate types can be RawPublicKey and / or X.509 and / or OpenPGP.
[0075] In one embodiment, by default, a TLS-based DNS-supported server listens for and accepts Transmission Control Protocol (TCP) connections on port 853 unless it communicates with the UE (100) over the network to use a port other than 853 for TLS-based DNS.
[0076] Once the DNS security credential engine (146) determines the DNS configuration parameters, the UE (100) is configured with the DNS configuration parameters and secures DNS messages and exchanges them with the DNS server through the PDU session.
[0077] Figure 2 This is a block diagram of a network (200) communicating with a UE (100) to provide UP traffic protection according to an embodiment of this disclosure. The network (200) may be, for example, but not limited to, an evolved Node B (eNB), a next-generation radio access technology network Node B (gNB), an access and mobility management function (AMF), a session management function (SMF), a mobility management entity (MME), a user plane function (UPF), a domain name system (DNS) server, and an application server, a data network, or a fifth-generation network.
[0078] like Figure 2 As shown, the network (200) includes a memory (210), a processor (220), a communicator (230), a PDU session management entity (240), a DNS security credential unit (250), and a transceiver (260).
[0079] The memory (210) stores instructions to be executed by the processor (220). The memory (210) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard disks, optical disks, floppy disks, flash memory, or electrically programmable memory (EPROM) or electrically erasable programmable memory (EEPROM). Furthermore, in some examples, the memory (210) may be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or propagating signal. However, the term "non-transitory" should not be interpreted as the memory (210) being immovable. In some examples, the memory (210) may be configured to store a larger amount of information than a memory. In some examples, a non-transitory storage medium may store data that can change over time (e.g., in random access memory (RAM) or a cache). The memory (210) may be an internal storage unit or it may be an external storage unit of a network (200), cloud storage, or any other type of external storage.
[0080] In one embodiment, the processor (220) communicates with memory (210), a communicator (230), a DNS security credential unit (250), and a PDU session management entity (240). The processor (220) is configured to execute instructions stored in memory (210) and perform various processes. The processor may include one or more processors, which may be general-purpose processors such as central processing unit (CPU), application processor (AP), graphics-only units such as graphics processing unit (GPU), vision processing unit (VPU), and / or artificial intelligence (AI) dedicated processors such as neural processing unit (NPU).
[0081] In one embodiment, the communicator (230) is configured to communicate internally between internal hardware components and with external devices via one or more networks. The communicator (230) includes electronic circuitry specific to standards for implementing wired or wireless communication.
[0082] The PDU session management entity (240) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and optionally may be driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0083] In one embodiment, the PDU session management entity (240) receives a "PDU session establishment request" from the UE (100) to connect to the network (200). The PDU session establishment request includes a "secure DNS configuration parameter request" as part of an extended protocol configuration option (PCO). This instructs the UE (100) to implement secure DNS functionality and to accept appropriate DNS server configuration parameters to protect DNS messages exchanged between the network (200) and the UE (100).
[0084] The PDU session management entity (240) accepts the PDU session establishment request received from the UE (100) and sends a "PDU session establishment accept" message to the UE (100). This message includes a PCO (Protocol Configuration Options), which contains a container named "Secure DNS Configuration Parameters". This container contains information mentioned in the DNS server security information and is managed by the DNS security credential unit (250). As an illustrative example, the container... Figure 4 The text provides a detailed explanation.
[0085] In one embodiment, the network (200) sends an "attach complete" message to the UE (100) in response to an attach request from the UE (100). The attach complete message contains a PCO (Protocol Configuration Options) which includes a container "Secure DNS Configuration Parameters" that contains information mentioned in the DNS server security information.
[0086] In one embodiment, the network (200) sends a "PDN Connection Accept" message to the UE (100) in response to a PDN connection request. The PDN Connection Accept message contains a PCO (Protocol Configuration Options) which includes a container "Secure DNS Configuration Parameters" that includes information mentioned in the DNS server security information.
[0087] In another embodiment, the network (200) sends DNS configuration parameters in a container format in response to a registration request from the UE (100).
[0088] In one embodiment, during a UE (100) configuration update process, a network (200) may use the UE (100) configuration update process to update the DNS configuration in the UE (100). When the network (200) system determines that the UE (100) needs to configure "Secure DNS Configuration Parameters", it includes the container "Secure DNS Configuration Parameters" in the UE (100) configuration update command message given to the UE (100).
[0089] In another embodiment, the network (200) notifies the UE (100) of a new DNS configuration. The network (200) decides to change the default DNS configuration and then initiates mobility management (e.g., a network-initiated service request procedure or a Globally Unique Temporary ID (GUTI) relocation procedure) or a network-initiated session management procedure, sending the new DNS configuration during these procedures in a NAS message (e.g., during a network-initiated service request procedure, in a PDU session modification command, or in a PDU session release command or in a 5GSM state service acceptance). When the UE (100) receives the new configuration, the UE (100) acknowledges receipt of the new default DNS configuration by sending a NAS message. The UE (100) then begins using the new DNS configuration.
[0090] In the above embodiments, the network (200) may send additional parameters to the UE (100) to indicate whether the default DNS configuration is valid only on 5GS, only on Evolved Packet System (EPS), or both on EPS and 5GS.
[0091] The DNS security credential unit (250) is implemented by processing circuitry, such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuitry, etc., and optionally driven by firmware. For example, the circuitry may be embodied in one or more semiconductor chips, or on a substrate support such as a printed circuit board.
[0092] The DNS security credential unit (204) sends the DNS configuration parameters to the UE (100) in the form of a container.
[0093] At least one of the aforementioned modules / components can be implemented using an artificial intelligence (AI) model. AI-related functions can be executed via memory 110 and processor 120. One or more processors control the processing of input data based on predefined operating rules or AI models stored in non-volatile memory and volatile memory. Predefined operating rules or AI models are provided through training or learning.
[0094] Here, "learning-provided" means developing predefined operating rules or AI models with desired characteristics by applying a learning process to multiple learning datasets. Learning can be performed within the device itself that executes the AI according to the embodiment, and / or can be implemented via a separate server / system.
[0095] AI models can consist of multiple neural network layers. Each layer has multiple weight values and performs layer operations by computing the previous layer and operating on the weights. Examples of neural networks include, but are not limited to, Convolutional Neural Networks (CNNs), Deep Neural Networks (DNNs), Recurrent Neural Networks (RNNs), Restricted Boltzmann Machines (RBMs), Deep Belief Networks (DBNs), Bidirectional Recurrent Deep Neural Networks (BRDNNs), Generative Adversarial Networks (GANs), and Deep Q-Networks.
[0096] A learning algorithm is a method that uses multiple training datasets to train a predetermined target device (such as a robot) to enable, allow, or control the target device to make determinations or predictions. Examples of learning algorithms include, but are not limited to, supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning.
[0097] Although Figure 2 Various hardware components of the network (200) are illustrated, and it should be understood that other embodiments are not limited thereto. In other embodiments, the network (200) may include fewer or more components. Furthermore, the labels or names of the components are for illustrative purposes only and do not limit the scope of the invention. One or more components may be combined together to perform the same or substantially similar functions to manage application startup.
[0098] Figure 3AThis is a flowchart illustrating a method for protecting UP traffic from the perspective of a UE (100) according to embodiments disclosed herein.
[0099] In 302a, if DNS configuration parameters are received from the network (200), the UE (100) determines that the UE (100) is capable of securely exchanging DNS messages / packets.
[0100] In 304a, the UE (100) notifies the network (200) of its ability to securely exchange DNS packets / messages during the NAS process. In one embodiment, the UE (100) notifies the network (200) by sending a first Non-Access Stratum (NAS) message. Additionally, the UE (100) initiates a PDU session establishment request. The UE (100) sends the PDU session establishment request to the network (200). The PDU session establishment request includes a "Secure DNS Configuration Parameter Request (DNS Server Security Information Indicator)" as part of the Protocol Configuration Option (PCO) IE. The Secure DNS Configuration Parameter Request indicates to the network system that the UE (100) is capable of implementing secure DNS exchange and is willing to accept the corresponding DNS server configuration parameters. In one embodiment, the PDU session management entity (144) in the UE (100) initiates a PDU session.
[0101] In 306a, if the PDU session establishment request is accepted by the network (200), the UE (100) receives a PDU session establishment acceptance message from the network (200). In one embodiment, the acceptance message is a second NAS message in response to a first NAS message. The PDU session establishment acceptance message contains a PCO, which includes a container called "Secure DNS Configuration Parameters," which includes information mentioned in the DNS server security information.
[0102] In 308a, the UE (100) is configured with DNS configuration parameters for protecting DNS messages and establishes a secure channel with the DNS server in the network.
[0103] In 310a, protected DNS packets / messages are shared with DNS servers in the network (200) via an established secure channel.
[0104] The various actions, behaviors, blocks, and steps in the flowchart can be executed in the order they are presented, in different orders, or simultaneously. Furthermore, in some embodiments, without departing from the scope of the invention, some actions, behaviors, blocks, and steps can be omitted, added, modified, or skipped.
[0105] Figure 3B This is a flowchart illustrating a method for protecting UP traffic from a network system perspective according to embodiments disclosed herein.
[0106] In 302b, the network (200) receives a dedicated PDU session establishment request from the UE (100). The PDU session establishment request includes a "Secure DNS Configuration Parameter Request" as part of the Protocol Configuration Options (PCO). The network (200) determines that the UE (100) is capable of securely exchanging DNS messages / packets and is willing to accept the corresponding DNS server configuration parameters.
[0107] In 304b, the network (200) sends a PDU session establishment accept message to the UE (100) in response to the PDU session establishment request. The PDU session establishment accept message contains a PCO, which includes a container called "Secure DNS Configuration Parameters", which contains information mentioned in the DNS server security information.
[0108] In 306b, if initiated by the UE, the DNS server in the network establishes a secure channel. In 308b, a dedicated PDU session is established and DNS packets are protected.
[0109] In 308b, protected DNS packets / messages are exchanged with the UE (100).
[0110] The various actions, behaviors, blocks, and steps in the flowchart can be executed in the order they are presented, in different orders, or simultaneously. Furthermore, in some embodiments, without departing from the scope of the invention, some actions, behaviors, blocks, and steps can be omitted, added, modified, or skipped.
[0111] Figure 4 This is a schematic diagram illustrating an example of container secure DNS configuration parameters including DNS security credentials according to embodiments disclosed herein.
[0112] As you can see, the containers include information about different security mechanisms. 402 indicates DNS over an HTTP tunnel. 404 indicates DNS over a TLS tunnel. 406 indicates DNS over a DTLS tunnel. 408 indicates a DNS security port, etc. The container identifier content field includes one of the following parameters: security protocol type, port number, authentication domain name, SPKI pin set, root certificate, or raw public key. When more than one parameter needs to be sent, multiple containers with container identifiers indicating DNS server security information are used, each container containing one parameter. The first octet of the container identifier content field for DNS server security information of two octets in length includes the type, and all octets other than the first octet of the container identifier content field for DNS server security information of two octets in length include the value portion. If the DNS server security information of two octets in length includes a security protocol type, the type is set to 0x00; if the security protocol type is TLS, the value portion is set to 0x00; and if the security protocol type is DTLS, it is set to 0x01. If the DNS server security information, which is two octets long, includes a port number, then the type is set to 0x01, and the value part of the content is set to the ephemeral port. If the DNS server security information, which is two octets long, includes an authentication domain name, then the type is set to 0x02, and the value part is set to the authentication domain name. If the DNS server security information, which is two octets long, includes an SPKI pin set, then the type is set to 0x03, and the value part is set to the SPKI pin set (the SPKI pin set should be DER encoded as specified in X 690.3). If the DNS server security information, which is two octets long, includes a root certificate, then the type is set to 0x04, and the value part is set to the root certificate (the root certificate should be DER encoded as specified in X 690). If the DNS server security information, which is two octets long, includes the raw public key, then the type is set to 0x05, and the value part is set to the raw public key (the raw public key should be DER encoded as specified in X 690.3).
[0113] In addition, the container includes DNS security credentials, DNS service port information, security profiles, and supported server certificate types. The DNS security mechanism information determines whether it is HTTP-based, TLS-based, or DTLS-based DNS. DNS security credentials include the root certificate of the certificate authority used for server certificate verification, the server's public key for establishing unauthenticated TLS sessions, user public key information (SPKI), and the authenticated domain name. The DNS service port information indicates that the service port can be 53, 853, or <an administrator-defined port>. The security profile information can indicate a strict privacy profile or an opportunistic privacy profile. Supported server certificate types can be RawPublicKey and / or X.509 and / or OpenPGP.
[0114] Figure 5 This is a schematic diagram illustrating an example of the establishment and routing of data packets from an application to a properly established PDU session using an IP packet filter set according to embodiments disclosed herein.
[0115] Reference Figure 5 For example, a UE (500) connects to a serving network. The serving network can be an AMF, SMF, or URSP. The serving network knows that, for certain DNNs or applications, network policies do not activate encryption and / or integrity protection for PDU sessions. Such network policies may be based on subscription-based UP security policies and / or user plane security policies configured locally by the DNN, Single Network Slice Selection Assistance (S-NSSAI) in the SMF, and / or the maximum supported data rate per UE for DRB integrity protection, and / or the DNS server not supporting secure channels.
[0116] Here, the serving network configures UE routing policy (URSP) rules for the UE (500) so that two PDU sessions (DNN1 and DNN2) need to be established. In one PDU session, security is activated or deactivated based on the user plane security policy from the serving network, and other PDU sessions (such as DNN2) have integrity protection and encryption / unencryption (the user plane security policy from the SMF indicates that UP integrity protection is "required" and UP integrity protection should be applied to all traffic on the PDU session), along with filter information about which application data should pass through the PDU session established for the DNN (DNN2, a special DNN).
[0117] The PCF (H-PCF and / or V-PCF) triggers the UE (500) configuration update process as specified in specification 23.502, sending a UE (500) policy container to the UE (500), including policy information related to UE access selection and PDU session selection. The policy container includes URSP rules indicating that for a specific application or a specific DNN or S-NSSAI, a dedicated PDU session (attached / special DNN) needs to be established, in addition to the normal PDU session (whose security (encryption and / or integrity protection) may not be activated (based on user plane security policies)). The dedicated PDU session should activate PDU session protection to protect (encryption and / or integrity protection) sensitive user plane traffic (e.g., DNS, ICMP, SIP, etc.), i.e., the user plane security policy from the SMF, indicating that UP integrity protection is "required" and should be applied to all traffic on the PDU session. The application in UE (500) (may not know DNN) whenever it requests a PDU session, UE (500) uses URSP and identifies that for the request (DNN type IPv4 in eMBB slice), it matches two DNNs and UE (500) initiates two requests to the network to establish a PDU session by including DNN1 and DNN2 (in turn).
[0118] Once a PDU session is established (based on user plane security enforcement information, NG-RAN provides user plane security policies for the PDU session, and NG-RAN configures the DRB security of the PDU session based on the received policies), the IP packet filter set is responsible for identifying the appropriate PDU session and routing application packets to apply the appropriately configured security mechanisms. The IP packet filter set uses at least 10 combinations to identify the appropriate PDU session. For IP PDU session types, the packet filter set supports packet filtering based on: — source / destination IP address or IPv6 prefix; source / destination port number; protocol ID of the protocol above the IP / next header type; Type of Service (TOS) (IPv4) / Traffic Class (IPv6) and mask; flow label (IPv6); security parameter index; packet filter direction. For illustrative purposes, in Figure 5 In the above, PDU sessions #1, #2, and #3 belong to S-NSSAI-1, PDU session #4 belongs to S-NSSAI-2, and PDU sessions #5 and #6 belong to S-NSSAI-3.
[0119] In one embodiment, a method is provided to avoid man-in-the-middle attacks on DNS server queries. Since consistent and repeated man-in-the-middle attacks are difficult, an alternative to ensuring the UE does not ultimately act on modified DNS messages is to trigger back-to-back repeated DNS queries. The number of such repetitions can be implementation-based. Each response is saved, and after the attempts are complete, the application can select the response with the most repetitions. For example, the UE / application can be configured to trigger 5 DNS query attempts the first time after connecting to 10 PDNs / DNNs. The server addresses received in the responses from all 5 attempts can be saved. The server address with the most repetitions can be considered the correct address received from the DNS server. This ensures that even if several DNS responses are compromised, the UE can ignore them and use the content of the unmodified response 15 from the actual DNS server.
[0120] Retrying can be limited to the first DNS query issued after the PDN / PDU session is established. The interval between consecutive DNS queries and the number of attempts can be determined by the implementation.
[0121] In one embodiment, the network (e.g., gNB / eNB / PGW / UPF) can identify inappropriate TTL values from the UE on user plane traffic (which can be used for specific protocols such as DNS, ICMP, SIP) (e.g., in the case of network tethering, except for 64 / 128 / 255 and 63 / 127 / 254) and discard packets suspected of being manipulated (because EPS / 5GS is the first hop from which packets are received by the UE).
[0122] In one embodiment, the UE (500) (which may be configuration-based) always sends two DNS requests for the same query to both the primary and secondary DNS servers. This allows an attacker to guess that an error might occur.
[0123] In one embodiment, the UE (500) does not use the standard configured TTL value, but instead uses a random value within a range (e.g., between 64 and 255). This makes it impossible to perform any operation on the target IP address and compensate using the TTL.
[0124] In one embodiment, a gateway function in a carrier network (e.g., a PGW or UPF) can rewrite and randomize the IP-Identification field in downlink IP packets if they are not fragmented. This makes it impossible to perform any operations on the target IP address and use the IP-Identification field for compensation.
[0125] In one embodiment, the gateway function in the carrier network (e.g., PGW or UPF) can calculate and rewrite the UDP checksum of the downlink DNS packets. Thus, any operation on the target IP address will invalidate the UDP checksum, and the receiving UE (500) will discard the packet, rendering the attack ineffective.
[0126] Figure 6 This is a sequence diagram illustrating a sequence of update procedures for UE configuration according to embodiments disclosed herein.
[0127] like Figure 6 As shown, the UE (600) communicates with the Policy Control Function (PCF) (606) and the Access and Mobility Management Function (AMF) (604) via the Radio Access Network (RAN) (602), and the PCF decides to update the UE policy.
[0128] At point 0, PCF (608) decides to change the UE (600) policy. At point 1, PCF (608) sends "Namfcommunication_N1N2 message transfer" to AMF (604). At point 2, the network triggers a service request. At point 3, the UE policy is passed to UE (600), AMF (604), and RAN (602). At point 4, the result of the UE policy transmission is shared with AMF (604) and RAN (602). At point 5, "Namf communication_N1 message notify" is shared with PCF (608).
[0129] The above description of the specific embodiments so fully reveals the general nature of the embodiments herein that others, by applying present knowledge, can readily modify and / or adapt these specific embodiments to various applications without departing from the general concept, and therefore such adaptations and modifications should and are intended to be understood within the equivalent meaning and scope of the disclosed embodiments. It should be understood that the wording or terminology used herein is for descriptive purposes and not for limitation. Therefore, although the embodiments herein have been described according to preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modifications within the spirit and scope of the embodiments described herein.
Claims
1. A method for a user equipment (UE), the method comprising: Transmit a first non-access stratum (NAS) message to the network, the first NAS message including an indicator indicating that the UE supports Domain Name System (DNS) based on Transport Layer Security (TLS) or DNS based on Datagram TLS (DTLS); In response to transmitting the first NAS message, a second NAS message including DNS server security information is received from the network; as well as Based on the DNS server security information, messages are transmitted to the network. The DNS server security information includes security mechanism information, service port information, and authenticated domain name information.
2. The method according to claim 1, wherein, The first NAS message includes one of the following: Protocol Data Unit (PDU) session establishment request message, registration request message, and service request message.
3. The method of claim 1, wherein, The second NAS message includes one of the following: PDU session establishment acceptance message, registration acceptance message, and service acceptance message.
4. The method of claim 2, wherein, The indicator is included in the protocol configuration options in the first NAS message.
5. The method of claim 3, wherein, The DNS server security information is included in the protocol configuration options in the second NAS message.
6. The method of claim 1, wherein, The DNS server security information includes at least one of the following: user public key information (SPKI), root certificate information, and original public key information.
7. A method for a network, the method comprising: Receive a first non-access stratum (NAS) message from a user equipment (UE), the first NAS message including an indicator indicating that the UE supports Domain Name System (DNS) based on Transport Layer Security (TLS) or DNS based on Datagram TLS (DTLS); In response to transmitting the first NAS message, a second NAS message including DNS server security information is transmitted to the UE; as well as Messages are received from the UE based on the DNS server security information. The DNS server security information includes security mechanism information, service port information, and authenticated domain name information.
8. The method of claim 7, wherein, The first NAS message includes one of the following: a Protocol Data Unit (PDU) session establishment request message, a registration request message, and a service request message. The second NAS message includes one of the following: PDU session establishment acceptance message, registration acceptance message, and service acceptance message.
9. The method according to claim 8, wherein, The indicator is included in the protocol configuration options in the first NAS message.
10. The method of claim 8, wherein, The DNS server security information is included in the protocol configuration options in the second NAS message.
11. The method of claim 7, wherein, The DNS server security information includes at least one of the following: user public key information (SPKI), root certificate information, and original public key information.
12. A user equipment (UE), the UE comprising: transceiver; as well as The processor is configured as follows: Transmit a first non-access stratum (NAS) message to the network, the first NAS message including an indicator indicating that the UE supports Domain Name System (DNS) based on Transport Layer Security (TLS) or DNS based on Datagram TLS (DTLS); In response to transmitting the first NAS message, a second NAS message including DNS server security information is received from the network; as well as Based on the DNS server security information, messages are transmitted to the network. The DNS server security information includes security mechanism information, service port information, and authenticated domain name information.
13. A network, the network comprising: transceiver; as well as The processor is configured as follows: Receive a first non-access stratum (NAS) message from a user equipment (UE), the first NAS message including an indicator indicating that the UE supports Domain Name System (DNS) based on Transport Layer Security (TLS) or DNS based on Datagram TLS (DTLS); In response to transmitting the first NAS message, a second NAS message including DNS server security information is transmitted to the UE; as well as Messages are received from the UE based on the DNS server security information. The DNS server security information includes security mechanism information, service port information, and authenticated domain name information.