Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks

US11825310B2 · US · B2

Patent metadata
Field: Value

Publication number: US-11825310-B2
Application number: US-202017095420-A
Country: US
Kind code: B2
Filing date: Nov 11, 2020
Priority date: Sep 25, 2020
Publication date: Nov 21, 2023
Grant date: Nov 21, 2023

Abstract

Official abstract text for this publication.

Roaming spoofing attacks can be initiated during the N32-c handshake procedure used for inter-PLMN communication in a 5G network. One example solution described herein uses the SEPP to mitigate N32-c roaming spoofing attacks by cross-validating the sender attribute present in the N32-c handshake security capability exchange messages against the endpoint identity in the X.509v3 certificate shared during the TLS handshake and against the remote SEPP identity configured in the SEPP's local database.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for mitigating 5G roaming spoofing attacks, the method comprising: obtaining, by a security edge protection proxy (SEPP) and from a transport layer security (TLS) message from a first node, a first identifier for the first node, wherein the first identifier for the first node is a fully qualified domain name (FQDN) of the first node located in a subject alternative name field of an X.509 certificate in the TLS message; obtaining, by the SEPP and from an N32-c security capability negotiation message from the first node, a second identifier for the first node, wherein the second identifier is an FQDN located in a sender attribute of a SecNegotiateReqData or SecNegotiateRspData information element of the N32-c security capability negotiation message; comparing the first and second identifiers for the first node; when the SEPP determines that first and second identifiers do not match: determining that second identifier for the first node is invalid; and in response to determining that the second identifier for the first node is invalid, blocking inter-public land mobile network (PLMN) communications with the first node; and when the SEPP determines that the first and second identifiers match: performing a lookup for either the first identifier or the second identifier for the first node in a peer SEPP database; and if either of the first identifier or the second identifier is present in the peer SEPP database, allowing inter-public land mobile network (PLMN) communications with the first node.

2. The method of claim 1 wherein the TLS message comprises a TLS certificate message.

3. The method of claim 1 wherein the SEPP is a responding SEPP in an N32-c security capability negotiation procedure and wherein obtaining the second identifier for the first node includes extracting the second identifier for the first node from a sender attribute of the SecNegotiateReqData information element of the N32-c security capability negotiation message.

4. The method of claim 1 wherein the SEPP is an initiating SEPP in an N32-c security capability negotiation procedure and wherein obtaining the second identifier for the first node includes extracting the second identifier for the first node from a sender attribute of the SecNegotiateRspData information element of the N32-c security capability negotiation message.

5. The method of claim 1 comprising, in response to determining that the first and second identifiers for the first node match and that a matching identifier is not present in the peer SEPP database, blocking inter-PLMN communications from the first node.

6. A system for mitigating 5G roaming spoofing attacks, the system comprising: a security edge protection proxy (SEPP) including at least one processor and a memory; and a 5G roaming spoofing attack mitigation module implemented by the at least one processor and configured to: obtain, from a transport layer security (TLS) message from a first node, a first identifier for the first node, wherein the first identifier for the first node is a fully qualified domain name (FQDN) of the first node located in a subject alternative name field of an X.509 certificate in the TLS message; obtain, from an N32-c security capability negotiation message from the first node, a second identifier for the first node, wherein the second identifier is an FQDN located in a sender attribute of a SecNegotiateReqData or SecNegotiateRspData information element of the N32-c security capability negotiation message; compare the first and second identifiers for the first node; when the 5G roaming spoofing attack mitigation module determines that first and second identifiers do not match, the 5G roaming spoofing attack mitigation module is configured to: determine that second identifier for the first node is invalid; and in response to determining that the second identifier for the first node is invalid, block inter-public land mobile network (PLMN) communications with the first node; and when the 5G roaming spoofing attack mitigation module determines that first and second identifiers match, the 5G roaming spoofing attack mitigation module is configured to: perform a lookup for either the first identifier or the second identifier for the first node in a peer SEPP database; and if either of the first identifier or the second identifier is present in the peer SEPP database, allow inter-public land mobile network (PLMN) communications with the first node.

7. The system of claim 6 wherein the TLS message comprises a TLS certificate message.

8. The system of claim 6 wherein the SEPP is a responding SEPP in an N32-c security capability negotiation procedure and wherein the 5G roaming spoofing attack mitigation module is configured to obtain the second identifier for the first node by extracting the second identifier for the first node from a sender attribute of the SecNegotiateReqData information element of the N32-c security capability negotiation message.

9. The system of claim 6 wherein the SEPP is an initiating SEPP in an N32-c security capability negotiation procedure and wherein the 5G roaming spoofing attack mitigation module is configured to obtain the second identifier for the first node by extracting the second identifier for the first node from a sender information element attribute of the SecNegotiateRspData information element of the N32-c security capability negotiation message.

10. The system of claim 6 wherein the 5G roaming spoofing attack mitigation module is configured to, in response to determining that the first and second identifiers for the first node match and that a matching identifier is not present in the peer SEPP database, block inter-PLMN communications from the first node.

11. A non-transitory computer readable medium having stored thereon executable instructions that when executed by a processor of a computer control the computer to perform steps comprising: obtaining, by a security edge protection proxy (SEPP) and from a transport layer security (TLS) message from a first node, a first identifier for the first node, wherein the first identifier for the first node is a fully qualified domain name (FQDN) of the first node located in a subject alternative name field of an X.509 certificate in the TLS message; obtaining, by the SEPP and from an N32-c security capability negotiation message from the first node, a second identifier for the first node, wherein the second identifier is an FQDN located in a sender attribute of a SecNegotiateReqData or SecNegotiateRspData information element of the N32-c security capability negotiation message; comparing the first and second identifiers for the first node; when the SEPP determines that first and second identifiers do not match: determining that second identifier for the first node is invalid; and in response to determining that the second identifier for the first node is invalid, blocking inter-public land mobile network (PLMN) communications with the first node; and when the SEPP determines that the first and second identifiers match: performing a lookup for either the first identifier or the second identifier for the first node in a peer SEPP database; and if either of the first identifier or the second identifier is present in the peer SEPP database, allowing inter-public land mobile network (PLMN) communications with the first node.

12. The non-transitory computer readable medium of claim 11 wherein the TLS message comprises a TLS certificate message.
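The decision procedure of claims 1, 3 to 5 and 8 to 10, written out as an added illustration (not Oracle's implementation): the local SEPP takes the FQDN from the SAN of the peer's TLS certificate, takes the sender attribute from the role-appropriate N32-c information element, requires the two to match, and then requires the matching FQDN to be a configured peer. It generalises slightly by accepting several SAN entries and by normalising DNS case and trailing dots; the message layout, the FQDN values and the peer database are constructed for the example.

```python
from __future__ import annotations

# Which N32-c information element carries the peer's sender attribute
# depends on the local SEPP's role (claims 3/4 and 8/9).
SENDER_IE_BY_ROLE = {
    "responding": "SecNegotiateReqData",  # peer initiated; we answer
    "initiating": "SecNegotiateRspData",  # we initiated; peer answered
}


def normalize_fqdn(fqdn: str) -> str:
    """DNS names are case-insensitive; a trailing root dot is not significant."""
    return fqdn.strip().rstrip(".").lower()


def validate_peer_sepp(role: str, tls_san_fqdns: list[str],
                       n32c_message: dict, peer_sepp_db: set[str]) -> tuple[str, str]:
    """Return ('allow' | 'block', reason).

    tls_san_fqdns: dNSName entries from the SAN of the X.509 certificate in the
                   TLS Certificate message (the first identifier).
    n32c_message:  parsed N32-c security capability negotiation body; the
                   'sender' attribute of the role's IE is the second identifier.
    peer_sepp_db:  remote SEPP FQDNs configured in the local peer SEPP database.
    """
    ie_name = SENDER_IE_BY_ROLE[role]
    ie = n32c_message.get(ie_name)
    if not isinstance(ie, dict) or "sender" not in ie:
        return "block", f"no sender attribute in {ie_name}"
    second_id = normalize_fqdn(ie["sender"])
    first_ids = {normalize_fqdn(f) for f in tls_san_fqdns}
    # Claim 1: an N32-c sender that is not a certified identity is invalid.
    if second_id not in first_ids:
        return "block", f"sender {second_id!r} does not match TLS SAN {sorted(first_ids)}"
    # Identifiers match: the peer must also be a configured roaming partner
    # (claim 5: a matching but unknown peer is still blocked).
    if second_id in {normalize_fqdn(p) for p in peer_sepp_db}:
        return "allow", f"sender {second_id!r} matches TLS SAN and peer SEPP database"
    return "block", f"sender {second_id!r} matches TLS SAN but is not a configured peer SEPP"


if __name__ == "__main__":
    # Constructed sample: peer presents a certificate for one FQDN but claims
    # another in the N32-c sender attribute.
    san = ["sepp.5gc.mnc001.mcc208.3gppnetwork.org"]
    msg = {"SecNegotiateReqData": {"sender": "sepp.5gc.mnc999.mcc999.3gppnetwork.org"}}
    print(validate_peer_sepp("responding", san, msg, set(san)))
```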

Assignees

Oracle Int Corp

Inventors

Classifications

  • Public Land Mobile systems, e.g. cellular systems (CPC title)

  • H04W12/10 (primary): Integrity (CPC title)

  • Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks (CPC title)

  • Reselecting a network or an air interface (CPC title)

  • of security context information (CPC title)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification: H04W12/10. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Nov 21, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).