Providing services with different Quality of Service (QoS) requirements to users at high rates is an active study area for a future-generation wireless mobile communication system. A major future-generation wireless mobile communication system is Institute of Electrical and Electronics Engineers (IEEE) 802.16. Mobile stations operate in three modes in the future-generation wireless mobile communication system, which will be described with reference to FIG. 1.
FIG. 1 is a mode transition diagram in a conventional wireless mobile communication system.
Referring to FIG. 1, a mobile station (MS) communicates with a base station (BS) normally in awake mode 100, thus consuming more power than in sleep mode 110 or idle mode 120. Since the MS is always awake in the awake mode 100, it can respond quickly to any request from the BS.
The sleep mode 110 is a mode that minimizes the power consumption of the MS. Thus, the MS cannot transmit and receive traffic in the sleep mode 110.
In the idle mode 120, the MS wakes up periodically to receive signals. The MS can move without being registered to a particular BS in the idle mode 120. Since the MS can move from one BS to another in the idle mode 120, it does not need to perform a handover procedure and only has to wake up periodically to receive signals broadcast by a BS. As resources are allocated to the idle-mode MS only upon request of downlink or uplink traffic from the MS, resource consumption is minimized on the part of the BS. Either the MS or the BS can initiate the MS's transition to the idle mode 120.
FIG. 2 is a diagram illustrating a signal flow for a conventional procedure for an MS-initiated transition to idle mode.
Referring to FIG. 2, an MS 200 transmits a De-REGistration-REQuest (DREG-REQ) message to a BS 210, indicating that it wants to transition to the idle mode in step 201. The DREG-REQ message has De-Registration Request Code set to 0x01, which implies that the MS 200 requests the idle mode transition.
In step 203, the BS 210 transmits an MS-info REQ message requesting information about the MS 200 to a Paging Controller (PC) 220. The BS 210 then receives an MS-info RSP message including the MS information from the PC 220 in step 205. The MS information may include information about a context, connection, and operation of the MS 200.
The BS 210 replies to the MS 200 with a De-REGistration CoMmanD (DREG-CMD) message in response to the DREG-REQ message in step 207.
Upon receipt of the DREG-CMD message, the MS 200 transitions to the idle mode.
FIG. 3 is a diagram illustrating a signal flow for a conventional procedure for a BS-initiated transition to idle mode.
Referring to FIG. 3, a BS 310 transmits an MS-info REQ message requesting information about an MS 300 to a PC 320 in step 301. The BS 310 then receives an MS-info RSP message including the MS information from the PC 320 in step 303. The MS information may include information about a context, connection, and operation of the MS 300.
The BS 310 transmits a DREG-CMD message to the MS 300 to request transition to the idle mode in step 305. The DREG-CMD message has Action Code set to 0x05, which implies that the BS 310 requests the MS 300 to transition to the idle mode.
Upon receipt of the DREG-CMD message from the BS 310, the MS 300 transmits a DREG-REQ message with De-Registration Request Code set to 0x02 to the BS 310 in step 307. Then the MS 300 transitions to the idle mode.
After transitioning to the idle mode in the procedure of FIG. 2 or FIG. 3, the MS should update its location periodically or according to any other condition. The location update takes place in the following four cases:
1. when a paging group is changed;
2. when a predetermined time has elapsed;
3. when the MS is powered off; and
4. when the MS has not been paged by the BS for more than a Medium Access Control (MAC) layer-set number of times.
The location update can be considered in two ways, secure location update and unsecure location update.
FIG. 4 is a diagram illustrating a signal flow of a conventional secure location update procedure for an idle-mode MS.
Referring to FIG. 4, an MS 400 transmits a RaNGing-REQuest (RNG-REQ) message to a BS 420 in step 402. The RNG-REQ message has a ranging purpose indication Type/Length/Value (TLV) bit (bit #1) set to 1, including an IDentifier (ID) of a PC 440 and a Cipher-based Message Authentication Code (CMAC) tuple.
The BS 420 transmits a Location Update-REQuest (LU-REQ) message to the PC 440 in step 404. The PC 440 generates an Authentication Key (AK) context associated with authentication of the MS 400 in step 405 and transmits a Location Update-ReSPonse (LU-RSP) message including the AK context and the PC ID to the BS 420 in step 406.
The BS 420 verifies a CMAC value set in the CMAC tuple using the AK context included in the LU-RSP message in step 407 and transmits a RaNGing-ReSPonse (RNG-RSP) message to the MS 400 in step 408. If the verification is successful, the RNG-RSP message includes the CMAC value and an update response TLV. The BS 420 transmits a Location Update-confirm (LU-confirm) message to the PC 440 in step 410.
FIG. 5 is a diagram illustrating a signal flow for a network re-entry procedure of an idle-mode MS.
Referring to FIG. 5, an MS 500 transmits an RNG-REQ message to a BS 520 in step 502. The RNG-REQ message has a ranging purpose indication TLV bit (bit #0) set to 1, including an ID of a PC 540 and a CMAC tuple.
The BS 520 transmits an MS-info REQ message to the PC 540, requesting information about the MS 500 in step 504. The PC 540 generates an AK context in step 505 and transmits an MS-info RSP message including the AK context to the BS 520 in step 506. The MS information is useful to expedite the network re-entry procedure by skipping or simplifying some parts of the call flows which are the same as the initial network entry procedure.
The BS 520 verifies a CMAC value set in the CMAC tuple using the AK context in step 507, transmits a data path establishment request message to the PC 540 in step 508, and receives a data path establishment response message from the PC 540 in step 510. In step 512, the BS 520 transmits an RNG-RSP message to the MS 500. The RNG-RSP message includes information indicating whether the location update has been successful. The BS 520 transmits a data path establishment Acknowledgment (Ack) message to the PC 540 in step 514.
FIG. 6 is a diagram illustrating a signal flow when the secure location update fails. This case could be abused as a Denial of Service (DoS) attack by malicious users.
Referring to FIG. 6, an MS 600 transmits an RNG-REQ message with a CMAC tuple, requesting location update, to a BS 620 in step 602. The BS 620 transmits an LU-REQ message to a PC 640 in step 604.
The PC 640 generates an AK context in response to the location update request in step 606 and transmits an LU-RSP message including the AK context to the BS 620 in step 608.
In step 610, the BS 620 verifies the CMAC value set in the CMAC tuple received from the MS 600. If the CMAC value turns out to be invalid, the BS 620 transmits an RNG-RSP message indicating failure of the location update to the MS 600 in step 612 and transmits an LU-confirm message indicating the failed location update to the PC 640 in step 614.
As described above, the MS can protect the RNG-REQ message against forgery or tampering by including a CMAC tuple TLV in the RNG-REQ message during location updates. The BS verifies the CMAC value of the RNG-REQ message by comparing it with a locally calculated one using the AK context received from the PC. As a result, the BS can determine whether the RNG-REQ message maintains its integrity.
The CMAC verification should be carried out whenever the BS receives a CMAC-protected RNG-REQ message from an MS. If the message is corrupted and proves to be invalid, all the resources spent on the location update call flows are wasted. In a DoS attack, a large number of malicious mobile stations do the same thing, which may result in a severe waste of resources.
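As an added illustration (not code from the patent), the following Python model plays the BS side of the FIG. 4 secure location update and the FIG. 6 failure case: the BS must obtain an AK context from the PC before it can verify the CMAC, so every RNG-REQ with a bogus CMAC still costs one LU-REQ/LU-RSP round trip, and the model counts both those round trips and the failed verifications per claimed MS identity. Assumptions: HMAC-SHA256 stands in for AES-CMAC so only the standard library is needed, and the 8-byte digest, MS identifiers and RNG-REQ body are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed model of the FIG. 4 / FIG. 6 location update flow at the BS.
# Assumption: HMAC-SHA256 stands in for AES-CMAC; the 8-byte truncation,
# the MS identifiers and the RNG-REQ body are constructed, not from the page.


def cmac_value(ak: bytes, rng_req: bytes) -> bytes:
    """CMAC value over the RNG-REQ body under the AK (stand-in MAC)."""
    return hmac.new(ak, rng_req, hashlib.sha256).digest()[:8]


class PagingController:
    """PC: keeps the per-MS AK and answers LU-REQ with an AK context (LU-RSP)."""

    def __init__(self) -> None:
        self._ak: dict[str, bytes] = {}
        self.lu_req_count = 0  # PC round trips spent, whether the CMAC is valid or not

    def register(self, ms_id: str) -> bytes:
        self._ak[ms_id] = os.urandom(16)  # constructed AK for this MS
        return self._ak[ms_id]

    def location_update_request(self, ms_id: str) -> bytes | None:
        self.lu_req_count += 1  # steps 604-608: AK context generated per LU-REQ
        return self._ak.get(ms_id)


@dataclass
class BaseStation:
    pc: PagingController
    failures: dict = field(default_factory=dict)  # claimed ms_id -> failed checks

    def handle_rng_req(self, ms_id: str, rng_req: bytes, cmac: bytes) -> str:
        ak = self.pc.location_update_request(ms_id)  # LU-REQ/LU-RSP before verifying
        if ak is None or not hmac.compare_digest(cmac_value(ak, rng_req), cmac):
            self.failures[ms_id] = self.failures.get(ms_id, 0) + 1
            return "LU_FAILED"  # step 612 RNG-RSP(fail) + step 614 LU-confirm(fail)
        return "LU_OK"          # step 408 RNG-RSP with CMAC and update response TLV

    def suspicious(self, threshold: int = 3) -> list[str]:
        """Detection: claimed MS IDs whose failed CMAC checks exceed the threshold."""
        return sorted(m for m, n in self.failures.items() if n > threshold)


def simulate(forged: int = 5) -> tuple[str, int, int, list[str]]:
    pc = PagingController()
    bs = BaseStation(pc)
    ak = pc.register("ms-legit")
    req = b"RNG-REQ purpose=LU pc_id=0x0001"  # constructed RNG-REQ body
    ok = bs.handle_rng_req("ms-legit", req, cmac_value(ak, req))
    for _ in range(forged):  # FIG. 6 abused: the legit ID is claimed with random CMACs
        bs.handle_rng_req("ms-legit", req, os.urandom(8))
    return ok, pc.lu_req_count, bs.failures.get("ms-legit", 0), bs.suspicious()
```

The failure counter is keyed on the identity the sender claims, so it measures wasted PC round trips per claimed MS rather than attributing the traffic to a particular device.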