Cisco Packet Data Interworking Function (PDIF)
ECS Changes in Release 16
ECS Enhancements for 16.0
Release Change Reference, StarOS Release 16
CSCuh28420 - Enhance URL Redirection Encryption with AES
Applicable Products: GGSN, P-GW
Feature Changes
Implementation of AES Encryption
In the current StarOS implementation, when a URL redirection is provisioned in a charging action, additional dynamic
fields such as MSISDN, IMEI, username and so on can be appended to the redirection URL. StarOS currently supports
encrypting these attributes within the redirection URL using Blowfish (64 and 128 bit keys). However, Blowfish is no
longer considered robust, so the operator now has the option to protect these redirection parameters with more robust
AES-based encryption. AES encryption is available for 128 and 256 bit keys. For AES encryption with CBC mode of
operation, a key phrase is taken from the operator as a configurable field. This key phrase is internally converted to
a 128/256 bit key. An additional field value ("salt") is also allowed as a configurable field. This configurable field
is optional.
Security of subscriber-sensitive attributes is enhanced with a more robust encryption algorithm. This helps protect
subscriber-specific information sent to different servers, thus helping operators adhere to regulatory policies.
Previous Behavior: When a URL redirection occurs, dynamic fields such as MSISDN, IMEI, and so on can be
appended to the redirection URL. These dynamic fields can be encrypted or inserted as plaintext. Earlier, only the 64
and 128 bit Blowfish algorithm was supported in ASR5x00 for such encryption.
New Behavior: The AES-CBC encryption algorithm is also added in ASR5x00. AES-CBC encryption is available for
128 or 256 bit keys.
Command Changes
flow action redirect-url
A new keyword aes128 | aes256 has been introduced in the flow action redirect-url command.
To configure the redirect-URL action on packets and flows for Session Control functionality and use Blowfish or AES
encryption, use this configuration.
configure
active-charging service <ecs_service_name>
flow action redirect-url <redirect_url> [ encryption { blowfish128 | blowfish64 | {
{ aes128 | aes256 } [ salt ] } } [ encrypted ] key <key> ] ]
end
Notes:
aes128: Specifies AES-CBC encryption with a 128 bit key for encrypting the dynamic fields.
aes256: Specifies AES-CBC encryption with a 256 bit key for encrypting the dynamic fields.
salt: Specifies that a salt is used with AES-CBC encryption of the dynamic fields.
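
The following added example (not Cisco or StarOS code) shows the flow described under Implementation of AES Encryption: a key phrase and optional salt are converted to a 128 or 256 bit key, a dynamic field is encrypted with AES-CBC and appended to the redirection URL, and the redirect server decrypts it. The release note does not specify the key-derivation function, IV handling or encoding, so PBKDF2-HMAC-SHA256, a random IV prepended to the ciphertext, hex encoding, and all function names and sample values are assumptions.

```javascript
// Added illustration; not StarOS code. The KDF (PBKDF2-HMAC-SHA256), iteration
// count, random per-message IV and hex encoding are assumptions, because the
// release note does not specify them.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor

// Convert the operator's key phrase into a 128 or 256 bit AES key.
// The salt is optional, as in the CLI; without it the same key phrase
// always yields the same key.
function deriveKey(keyPhrase, bits, salt = '') {
  if (bits !== 128 && bits !== 256) throw new RangeError('bits must be 128 or 256');
  return crypto.pbkdf2Sync(keyPhrase, salt, ITERATIONS, bits / 8, 'sha256');
}

// Encrypt one dynamic field (for example an MSISDN) with AES-CBC.
// Output is hex(IV || ciphertext), which is safe to place in a query string.
function encryptField(value, key) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-cbc`, key, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct]).toString('hex');
}

// Redirect-server side: reverse encryptField with the same derived key.
function decryptField(hex, key) {
  const raw = Buffer.from(hex, 'hex');
  const decipher = crypto.createDecipheriv(`aes-${key.length * 8}-cbc`, key, raw.subarray(0, 16));
  return Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]).toString('utf8');
}

// Append an encrypted dynamic field to the redirection URL.
function buildRedirectUrl(baseUrl, name, value, key) {
  const url = new URL(baseUrl);
  url.searchParams.set(name, encryptField(value, key));
  return url.toString();
}

// Constructed sample values (not real subscriber data or a real portal).
const key = deriveKey('example key phrase', 256, 'example-salt');
const redirect = buildRedirectUrl('http://portal.example/topup', 'msisdn', '15550100123', key);
console.log(redirect);
console.log(decryptField(new URL(redirect).searchParams.get('msisdn'), key));
```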