Issue Description
Hello everyone,
I am using Open5GS as the core network, srsRAN to simulate the user and base station, and ZMQ to simulate RF hardware to connect the user and base station. In the pcap files saved from this simulated network, I would like to perform integrity protection verification on the RRC messages.
I’ve noticed that the integrity protection verification works for unencrypted RRC messages, but fails for encrypted RRC messages. Specifically, the MAC calculated by me does not match the MAC included in the message. Even if I decrypt the RRC messages and then perform integrity protection verification, the result remains the same.
I truly believe that the RRC flow should be similar to the NAS flow, since all NAS messages can pass integrity protection verification. However, I am really puzzled as to why RRC is not working in the same way.
Could anyone help me understand why the integrity protection verification is failing?
I’ve attached the pcap file. In the gnb_f1ap_enc file, I successfully performed integrity protection verification on Message No. 12 (Security Mode Complete), but the verification fails on Message No. 13. The following are the values I’m using:
Kgnb: fd1b305cda7e7eb5008a614db72de59dfb78a657272abe4053ad301eb6f28f38
KRRCint: 1F49916009C45F343B6145C638865994FD70076ACAA27C58F66C076B40E1FD21
KRRCenc: E8A5E6C7F3B2014D27D741C38B061C9CE583B8EAC5BBB1827C4E89B131665344
For Message No. 13, its RRC MAC is 817F8550. I used the following parameters for the calculation:
Algorithm: 128-NIA2
Key: FD70076ACAA27C58F66C076B40E1FD21
COUNT: 00000003
Direction: downlink
BEARER: 0
MESSAGE: 00030d0ee9afbe832c67
The calculated MAC is 72B33E11, which does not match the correct value.
Even after decrypting the message, the resulting MESSAGE is 00033402012001000800, but the calculated MAC, 329010DF, is still incorrect.
Setup Details
The setup consists of four virtual machines, each running Ubuntu 22.04. The details are as follows:
1. Open5GS Control Plane (5GC C-Plane): IP Address: 192.168.83.131
2. Open5GS User Plane (5GC U-Plane): IP Address: 192.168.83.130
3. srsRAN Project ZMQ RAN (gNodeB): IP Address: 192.168.83.136
4. srsRAN 4G ZMQ UE (NR-UE): IP Address: 192.168.83.137
rrc_enc_1.zip
To ensure the messages display properly, you can refer to this tutorial: https://docs.srsran.com/projects/project/en/latest/user_manuals/source/outputs.html#f1ap