SE519471C2 - Method for establishing a secure connection between access points and a mobile terminal in a packet switched network - Google Patents

Abstract

In a method for establishing a secure communication in a packet based network comprising an access network (13) having access points (10) for two or more mobile terminals (11) belonging to the access network, a first access point is contacted by one mobile terminal in the intention of initiating a session from the mobile terminal. A secret key is generated using a function f stored in the access points acting on the information from the mobile terminal at the first access point by a converter known by two or more access points. The secret key is sent from the first access point to the mobile terminal using encryption, which is decrypted at the mobile terminal. The secret key is then used as a shared security key in communication between the mobile terminal and any access point knowing the converter.

Description

519 471i 2. represents a potential security risk which enables malicious users to eavesdrop on or falsify control information. Counterfeit packages can interfere with route selection, charging, site manager or other features of the attacked user.

In addition to consistent security functions, wireless access networks therefore have their own mechanisms for verifying and encrypting packets exchanged between mobile devices and wireless access points.

By relaxing local verification and encryption mechanisms from consistent security support, it is ensured that charging and verification information related to a certain mobile user remains protected even when the user is engaged in a "regular", ie. unprotected session. In addition, disconnection allows mobile users to run secure data sessions over a secure wireless network without sharing consistent security keys with the access network. It is further advantageous if the end point of this local security relationship at any time is the access point of mobile origin to which the mobile terminal is actually connected.

This allows packets of mobile origin to be verified as soon as they enter the access network. This is important because mobile outgoing packets can initiate actions related to charging and routing information associated with the sending mobile device.

Various solutions exist to realize secure connections. Acid metric solutions rely on a secure key that is shared between two or your devices. This key must be exchanged between communicating parties before communication and the same key is used for both encryption and decryption. Before sending a package, the sender uses the security key to generate a verification field or to encrypt the load. The recipient uses the same key to verify your verification field or to decrypt the packet. An example of a method for exchanging security keys is presented in the RFC 2409 standard regarding the exchange of Internet keys "Intemet Key Exchange". A security key based on packet verification mechanism is presented in P. Metzger, W: Simpson, "IP Authentication using Keyed MD5", Intemet RFC 1828, August 1995.

Asymmetric security solutions built on pairs of public or private keys. Someone who wants to send verified packages uses their own private, for example secret, key to form the verification field. In addition, the transmitter harmonizes the public key associated with its private key. Verification data generated by a given private key can only be decrypted by using the associated public key. This allows the recipients who have the public key to determine whether the packet was actually sent by the alleged sender.

PGP digital signatures are an example of asymmetric verification. Using PGP software, two binary numbers are formed, the public and the private key. These are saved in a separate file, but the public key is converted to ASCIl format so that it can be distributed to anyone who intends to send messages to the user. The private key must be kept secret and it will also be encrypted before it is saved.

In summary, both symmetrical and asymmetrical security techniques require that the receiver have some form of security information associated with the transmitter. In symmetrical solutions this information is the common secret key while in asymmetric solutions it is the public key of the transmitter. Security information must either be available from the sender or receiver before communication or must be obtained when the communication session is established.

A mobile terminal is allowed to move (roarn) over large areas while maintaining a connection to a fixed network. The terminals can be moved from one access point to another during active communication sessions using handover methods. In an overlearning process, the access point through which the communication is performed changes. Security considerations require that the mobile terminal has a secure connection with the access point to which it is actually connected.

Due to the large number of access points and mobile devices, there are advantages to not having a pre-established secure connection with all access points in an access network. Instead, a secure connection is established when the mobile terminal is moved to an access point.

Conventional solutions require the access point to obtain security information from a central server upon handover. These solutions do not provide soft over-learning due to the time they take and they are therefore in conflict with the quality requirements of the access networks. In addition, such solutions face scalability problems because the load on the central server represents a single fault location. Finally, such server base solutions rely on explicit signaling between access points and servers, giving rise to problems in low-end packet data environments built without the use of signaling, as described in A. Valkó, "Cellular IP - A 10 15 20 25 30 519 4719 4 new approach to Internet Host Mobility "ACM Computer Communication Review, Volume 29, no. 1, January 1999, p. 50-65.

Another solution for the access point is to obtain safety information from an adjacent access point with which the mobile tenninal has been dry-bound before over-learning. While this solution eliminates the scalability problems that occur when using a server, it has similar disadvantages in terms of reliability and the requirement for explicit signaling messages. Furthermore, some access networks may not support direct communication between access points.

An example of a prior art over-learning solution is presented in WO 96/36191 by Motorola of Inc. It describes a system in which the over-learning involves the exchange of control message between access points and (semi) centralizing control points. This system also provides an opportunity security information related to the mobile device is exchanged in the same way. According to this patent application, there is a need for control and transmission of control message upon handover. Another example of a solution that includes control messages between the access points at handover is found in EP 0 85l 633 by Lucent Technologies Inc.

In GSM technology, (Global System for Mobile Telecommunications), a conventional verification is used in which the mobile does not have a secure connection with the access point (base station). Instead, it is certainly related to the MSC. (See M. Mouly, M-B. Pautet, "The GSM System for Mobile Communication", ISBN 2-9507190-0-7). A description of GSM verification details can also be found in WO 97/01943, p. ll, lines 1-25, which is presented as the state of the art.

Thus, existing solutions for establishing a secure connection between mobile terminals and access points have serious limitations. While the server-based application is applicable to cellular telephone networks, it is inefficient in packet data systems, where cell sizes are normally smaller and transmissions are more frequent.

WO 97/01943 instead presents a solution to a problem similar to the invention, ie. avoidance of verification-related messages between the base station and the central server for financial reasons. This known solution uses an idea where messages are instead exchanged via the terminal between the old and the new base stations. The object of the present invention is, however, to find a solution in which the mobile unit must not act as a dependency station in order to avoid using the strained radio resource and the power available to the mobile unit. Furthermore, retransmission through the unit only works if the mobile uses enough time in the area where both access points can be reached via radio. Furthermore, the solution according to this document can only bring about verification once and that is when over-learning is done. An object of the present invention is to find a more general solution, where any message sent between the mobile unit and an access point can use the common secret as security.

The general aim of the invention is to develop a solution which allows mobile terminals to establish secure connections in a very short time at handover.

In addition, due to the recent emergence of (low-end) low-end access network solutions which have no signal support, the purpose of the invention is to develop a solution which does not accept any signal messages for over-learning.

SUMMARY OF THE INVENTION The invention relates to a method in a communication network for establishing secure communication between an access point and a device in packet-based networks comprising an access network with access points for two or your devices belonging to the access network. A first access point is contacted in an access network with the intention of initiating a session from a device in the network. A secret key is created using the information from the device at the first access point by using a converter known by two or fl your access points in the network. The secret key is sent from the first access point to the device using encryption, which is decrypted at the device. The secret key is then used as a common security key in communication between the mobile terminal and any access point in the network that knows the converter.

In the network according to the invention, a function is saved in the access points related to creating a secret key from the units' identification information in the access network. 10 15 20 25 30 519 471 6pcs Initial verification can be performed by the device in which case the initial verification can be performed by communicating device identification information to a first access point in the network to prove the identity of the device.

The identification information is non-encrypted or encrypted using a key shared by all devices in the access network.

The creation of the secret key can be performed by means of a function, f, or by means of a secret number shared by the access points that use it as a parameter for a distributed, well-known function that creates the secret key. The function f can be saved by the access point in a mathematical form or as a look-up table. The value of the function f can be the identification information of the first device and the value can be an arbitrary password.

An important advantage of the invention is that a secure communication between an access point in the access network and the mobile terminal can be achieved without any prior signaling regarding the identity of the mobile terminal. Although according to the invention not every access point knows the password for each mobile unit, this is a solution in which verification and / or encryption can be achieved between a mobile unit and any access point (base station). This is achieved with the function f which is used to create a password for each mobile terminal. For the mobile device, the password is perceived as random, but from the access point's point of view, it is not random as it is created from the same function.

The invention can support any secret-based verification or encryption algorithm, such as CAST or IDEA. CAST is described in Internet RFC 2144.

IDEA is the "Intemational Data Encryption Algorithm" described at http: /wWw.ascom.ch/infosee/ideahtml. No signaling messages are required in the access network, except for the initial distribution of the created secret key.

The avoidance of signaling messages during handover makes handover softer because the only handover delay that is caused is the one it takes to derive the secret key and the actual security calculation in connection with this.

Furthermore, the invention can be combined with other safety techniques, e.g. mobile terminals can use created secret keys for verifying packets and at the same time use the public key of the access network to encrypt these packets. Thanks to the low cost, it can be used to verify each data packet if necessary. In this case, it is advantageous for the access point to temporarily store created secret keys associated with devices that are currently connected to it. Finally, the invention can comprise almost any number of access points and mobile terminals.

In systems where over-learning does not require control information exchange between the old and the new access points or between access points and central control units, it becomes a burden if the security key must be explicitly exchanged between these units. The invention is particularly important in these sisters.

In the following, the invention is described by way of example. The intention is not to limit the invention to details in the following description, as details may vary according to the requirements. For example, even if the examples are presented in connection with wireless networks, the invention, in addition to wireless access networks, is applicable to all scenarios where a device needs to establish a secure connection with a number of devices, which are in secure connection with each other. The main idea is that a unit can perform some initial security negotiation with one of the other units and after the initial security negotiation, the unit must be able to start a secure communication without further negotiation and without the units having to communicate with each other in advance.

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a schematic view of the net according to the invention, Figure 2 is a general block diagram of the method according to the invention, Figure 3 is a detailed example of an embodiment according to the invention.

DETAILED DESCRIPTION.

In the embodiment according to Figure 1, the method according to the invention is used in a network 14 comprising an access network 13 with access points 10, through which mobile terminals 11 can establish a communication with the access network. The network also includes a server 12 with information about the mobile terminals belonging to the access network.

The access network represents an individual administrative domain and its access points and potentially other entities which have common secrets, such as public encryption keys. In a possible embodiment, an encryption system with public and private keys is used. Thus, all devices share the public encryption keys for encrypting their messages, while each device has its own private encryption key.

All access points are aware of a function f. The function f can in principle be any ktion function as long as each access point knows it. The input value in the function is the identification (identification information) of the mobile terminal and its output value is an arbitrary number.

The f function should not be easy to obtain, but it does not have to be a cryptographically secure function. An example of the function f is to calculate MD5hash, described in R. Rivest, "MD5 Digest Algorithm", RFC 1321, April 1992 from the interconnection of the mobile terminal identifier and the access network secret password which can be any secret common to the access points. Instead of sharing a secret function f, the access points can share a secret number and use this as a parameter for a distributed well-known function. The value of f can be fixed or have variable lengths. Furthermore, it is not necessary to necessarily provide different output values for two different identifier input values. However, it is required that f is known by all access points in the network and is unknown to devices that do not belong to the access network. Access points will normally be stored either as a mathematical form as an algorithm or in the form of a look-up table.

Referring to Figure 2, a mobile terminal III first performs an initial verification when connecting to an access network according to step 1. This step can be excluded in access networks that allow connection to any device. The initial verification process can be identical to the verification solutions commonly used in the Internet, as they are performed only once and the drying delay requirements can be eased. After the initial verification, the access network uses its secret f-function to convert the mobile terminal identifier to an external value which here will be called the created secret key in accordance with step 2.

This value is then sent to the mobile terminal in accordance with step 3 using encryption so that other terminals cannot capture it. After this, communications between the mobile terminal and the access point can take place through the use of the created secret key. The mobile terminal can send messages via the access point and messages from the access point can also be sent by means of the created secret key. 10 15 20 25 30 519 471 9 The created secret key can be used to encrypt packets. Other security aspects are verification, data integrity and non-rejection. In this application, encryption protects the content of a message so that only users who have the correct key can read it. Upon verification, the recipient verifies that the message was sent by the alleged origin and not by anyone else. In non-rejection, the recipient indicates that the sender has sent the message or that the recipient has received the message.

A possible solution for initial verification and transmission of the created secret key is described in Figure 3. Using the same reference numerals as in Figure 1, the access points are indicated by reference numeral 10, the mobile terminals by reference numeral 11 and the server by reference numeral 12.

When a mobile terminal 11 starts a session, it first communicates its global mobile terminal identification to an access point 10 in a network in step 1 '. This allows the access network to find and contact a server 12 in step 2 'which contains security information related to mobile terminal l 1. In step 4' the access network downloads the public encryption key from the mobile terminal ll which was sent from transmitter 12 in step 3 'and uses it for encryption of the secret key formed in step 5 '. Alternatively, the access point can obtain a private encryption key and use it to encrypt the created secret key, since a message can be encrypted using either the public or private encryption key. The access network can receive the mobile terminal's secret private key if the access network has a secure connection with the mobile terminal's "home" or with any server that knows this secret private key. Then it can get the secret private key and use it for encryption.

This does not have to be done by the access point. Instead, the access network can have a central unit that does this. When the mobile terminal first contacts one of the access points, this access point informs the central unit server that the mobile unit has contacted. The central unit then contacts the mobile terminal's home and receives the secret key if there is trust between the access networks. The created secret key is then encrypted using the private key and sent to the terminal.

Then the encrypted created secret key is transmitted over the wireless channel to the mobile terminal 11 as shown in step 6 '. If the mobile terminal 11 is exactly the unit it claims to be, it can decrypt the created secret key in accordance with reference numeral 7 'using its private encryption key. The transmitted message is unusable for any other mobile terminal. The mobile terminal ll can now use the created secret key for verification or encryption of its packets in accordance with reference numeral 8 'and send them to any access point in the access network.

After initial verification, the mobile terminal shares a secret with all access points in the access network. This is achieved without the mobile terminal ever contacting the access points, consequently the method is scalable to very large networks. The mobile terminal and access points can now use available common secret-based security technology.

At the same time, the access network may have different secrets to share with different mobile terminals. Although the mobile terminal can use the created secret key for verification and / or encryption of its packets, the identification of the mobile terminal is never encrypted by means of the created secret key. The identifier is either not encrypted at all or is encrypted using another key shared by all mobile terminals, such as the access network's public encryption keys. This allows the access points to identify the alleged transmitter of received packets. The access point then uses the method to calculate the created secret key for the alleged transmitter.

Using the created secret key, the mobile terminal can then decrypt the authentication information to verify the identity of the transmitter and / or can decrypt the packet. Similarly, access points can use the created secret key for encrypting or verifying a packet sent to a particular mobile terminal which can then decrypt or verify the packet using its own created secret key.

If a sequence of verified / encrypted packets from the same mobile terminal is likely to arrive at the access point, then the access point can temporarily store the mapping of mobile terminal identifiers to create secret keys later to avoid frequent recalculation of created secret keys.

In systems using non-encrypted wireless channels, the transmission of mobile terminal identifiers in the form of plain text is not acceptable if the identity of connected mobile devices is to be kept secret. In these cases, the initial verification process may involve setting a possible temporary identification of the mobile terminal or a temporary identification may be created by encrypting the correct identification using the network's public cryptographic key. The secret key will then be created using the temporary identification, but in other aspects the mechanism remains the same. Some wireless channels have built-in security, while others do not have such functionality. In the latter case, safety information will be provided by the right layers. The solution is applicable in both cases.

Claims (18)

10 15 20 25 30 5 19 4 7 l 12 PATENT REQUIREMENTS A method in a packet-based communication network (14) for establishing a secure connection between an access point (10) and a mobile terminal (1 1), the communication network comprising an access network (13) with a plurality of access points (10), characterized by the following steps : a) receiving identification information from the mobile terminal (10) in a first access point (10), b) generating a secret key, based on the received identification information, by a converter known from at least two access points (10) in the access network (13), c) sending the generated secret key from the first access point (10) to the mobile terminal (1 1) using encryption, d) decrypting the generated secret key in the mobile terminal (1 1), 'e) using the generated secret key as a common security key in the communication between the mobile terminal (1 1) and one of the at least two access points (10) known to the converter. Method according to claim 1, characterized in that step a) is performed by performing initial verification of the mobile terminal (1 1). Method according to claim 1, characterized in that the identification information received in step a) is encrypted by using a key which is shared by the access points (10) in the access network (13). Method according to Claim 1, characterized in that the identification information is unencrypted. Method according to claims 1 ~ 4, characterized in that the generation of the secret key in step b) is performed by using a function f. Method according to claims 1-4, characterized in that the generation of the secret key in step b) is performed by using a secret number divided by the access points (10) which use the secret number as a parameter for a distributed function which generates the secret key. the key. 10 15 20 25 30 519 4712 13 Method according to claim 5, characterized in that the function f is stored, in the at least two access points known to the converter, in the form of a mathematical formula or a look-up table. Method according to claim 5, characterized in that an input value for the friction f is the received identification information and that the output value is a password. Method according to claims 1-8, characterized in that after step a) receiving the identification information, a public encryption key associated with the mobile terminal (11) is received from a server (12), which is downloaded and used for the encryption in step c). Method according to claims 1-8, characterized in that after step a) receiving the identification information, a private encryption key associated with the mobile terminal (1 1) is received from a server (12), which is downloaded and used for the encryption in step c). 11. ll. Method according to claims 1 - 10, characterized in that the encryption in step c) is performed in the first access point (1 1). Method according to claim 9 or 10, characterized in that the encryption in step c) is performed in the server (12). Method according to claims 1 - 12, characterized in that the decryption in step d) is performed by using a private encryption key in the mobile terminal (10). Method according to claims 1 - 13, characterized in that in step e), the generated secret key is used by the mobile terminal (1 1) for verification, data integrity, non-rejection and / or encryption of transmitted data packets. Method according to claim 14, characterized in that the information for the verification or the transmitted data packets is decoded at the access point (11) by using the generated secret key. 10 519 471 14 Method according to claims 1 ~ 15, characterized in that the generated secret key is used by one of the at least two access points (10) known to the converter to send protected messages to the mobile terminal (11). Packet-based communication network comprising an access network (13) with a number of access points (10), which allows a secure connection between any of the access points (10) and a mobile terminal (1 l), characterized by a function f, stored in the access points (10), for generating a secret key based on identification information received from the mobile terminal (11). Packet-based communication network according to claim 17, characterized in that the function f is stored in the access points (10) in the form of a mathematical formula or a look-up table.