WO1998031162A2 - Method and apparatus for limiting authentication directive initiation in a mobile telephone system - Google Patents

Method and apparatus for limiting authentication directive initiation in a mobile telephone system Download PDF

Info

Publication number
WO1998031162A2
WO1998031162A2 PCT/US1998/000471 US9800471W WO9831162A2 WO 1998031162 A2 WO1998031162 A2 WO 1998031162A2 US 9800471 W US9800471 W US 9800471W WO 9831162 A2 WO9831162 A2 WO 9831162A2
Authority
WO
WIPO (PCT)
Prior art keywords
msc
vlr
message
subscriber
ssd
Prior art date
Application number
PCT/US1998/000471
Other languages
French (fr)
Other versions
WO1998031162A3 (en
Inventor
Pamela J. Jacobs
Original Assignee
Tandem Computers, Incorporated
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tandem Computers, Incorporated filed Critical Tandem Computers, Incorporated
Publication of WO1998031162A2 publication Critical patent/WO1998031162A2/en
Publication of WO1998031162A3 publication Critical patent/WO1998031162A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the invention generally relates to a wireless communication network, and more particularly, relates to an improved authentication center (AC) component in a wireless communication network.
  • AC authentication center
  • Wireless communication is one of the fastest growing segments of the telecommunication industry. With the mobility of the wireless devices, such as cellular phones and pagers, a subscriber to a wireless service can make or receive a call, or receive a message without being restricted to any particular locations. Because of the convenience provided by wireless devices, they have been widely used by average consumers.
  • Airtime fraud is a costly problem for wireless communications providers (also called “operators”). Callers (also called “subscribers”) can gain unauthorized access to cellular networks by "cloning" legitimate cellular phones (also called “handsets,” “Mobile Stations,” or “MSs”). The cloning process duplicates the memory contents of a legitimate cellular phone so that the clone cellular phone appears to be legitimate to the rest of the system. In certain high- crime areas large numbers of cellular phone calls are estimated to be placed from cloned handsets. The challenge to cellular telephone companies lies in determining whether a handset communicating with the system is a legitimate handset or a clone.
  • AC Authentication Center
  • the AC performs authentication in connection with the following events: registration (when a phone roams into a new area); before origination of a call; flashing (which involves, e.g., three way calling, call waiting, or paging); and call termination.
  • MSC Mobile Switching Center
  • AUTHRQST authentication request
  • conventional ACs periodically send "SSD update” messages and "unique challenge” messages to MCS in the system. These messages (also called “authentication messages”) are defined in the ANSI IS-41 standard produced by TIA/EIA for cellular.
  • MSCs from various vendors and not all the MSCs in a system operate in the same way.
  • the MSCs of some vendors perform SSD updates and unique challenge operations via a radio control channel in the MSC.
  • the MSCs of other vendors use a voice channel already in use by the system.
  • systems using a voice channel will perform SSD updates and unique challenges only when a call is in progress and a voice channel is currently assigned to the mobile handset.
  • the AC sends an order to perform an operation such as an SSD update or a unique challenge in response to an AUTHRQST message during registration of a handset.
  • the MSC/VLR will not perform the operation because no voice channel is yet assigned.
  • the MSC/VLR will, however, send a message notifying the AC that the operation was not attempted.
  • the MSC/VLR will, however, send a message notifying the AC that the operation was not attempted. In both cases, the notification sent by the MSC/VLR creates additional traffic in the system and misappropriates precious network resources.
  • AUTHDIR messages are routed by a system component called the Home Location Register (HLR), the AC has no knowledge of their true destination. Thus, conventional ACs may inadvertently "share" SSDs with MSCs that are not supposed to be able to access such information.
  • HLR Home Location Register
  • the present invention provides a method and apparatus for allowing an Authentication Center (AC) to issue SSD update and unique challenge operations only if the receiving MSC/VLR is receptive to performing them.
  • AC Authentication Center
  • the AC determines that an SSD update or a unique challenge is needed for a particular subscriber, it "marks" the subscriber as due for an SSD update or unique challenge in a Subscriber database.
  • the periodic SSD update or unique challenge will then be performed on the next system access that allows its performance.
  • the update or challenge may be performed when the AC receives an AUTHRQST message from the cell phone ("MS") of the subscriber because the cellular phone has entered a new registration area.
  • MS cell phone
  • the AC whenever the AC responds to a AUTHRQST from an MS/VLR, it also determines from the Subscriber database whether there is an SSD update due or a unique challenge due for that subscriber. If an update or challenge is due, the AC sends the operation as a part of the response to the AUTHRQST. MSC The AC also has access to an MPCM file that indicates the circumstances under which each MSC/VLR in the system will perform SSD updates and unique challenges. When it receives an AUTHRQST, the AC first checks the MPCM file to determine whether an order should be sent. If the database indicates that the MSC/VLR will not perform the operation, the AC does not request the operation. The MPCM file holds configuration information for each MSC/VLR in the system.
  • entries in the MPCM will indicate that no SSD updates or unique challenges should be sent during registration (since no voice channel is available).
  • entries in the MPCM file will indicate that no SSD updates or unique challenges should be sent during a call (since the control channel is not available).
  • an AC in accordance with the present invention never sends an SSD to an MSC/VLR in an AUTHDIR message. This ensures that no unauthorized MSC/VLR obtains an SSD.
  • an AC in accordance with the present invention will order SSD update/unique challenge operations when they are manually initiated by the system operator. Under certain circumstances, the AC will also issue AUTHDIR messages to revoke SSD (i.e., order the VLR to discard its copy of the SSD).
  • the present invention includes a method for sending an authentication messages in a cellular telephone system, comprising the steps, performed by a processor of an Authentication Center (AC) portion of the system, of: determining that an AC initiated authentication message needs to be sent to a subscriber; storing in a database for the subscriber an indication that an authentication message needs to be sent; receiving an authentication message from a subscriber via an MSC; accessing the subscriber database to determine that the AC-initiated authentication message needs to be sent; accessing a database for the MSC/VLR to determine whether the MSC/VLR will act in accordance with an authentication message if one is sent; sending the authentication message to the MSC/VLR if the determination of the accessing step is positive; and refraining from sending the authentication message to the MSC/VLR if the determination of the accessing step is negative.
  • AC Authentication Center
  • Fig. 1 depicts a typical SS7 communication network.
  • Fig. 2 is a flow diagram of steps performed when a roaming cellular telephone enters a new roaming area.
  • Fig. 3 is a flow diagram of steps performed when a call is made from one area to another.
  • Fig. 4(a) is a flow diagram of an SSD update operation when the system allows an AC to share Shared Secret Data (SSD) with an MSC.
  • SSD Shared Secret Data
  • Fig. 4(b) is a flow diagram of an SSD update operation when the system does not allow an AC to share Shared Secret Data (SSD) with an MSC.
  • Fig. 5 is a block diagram of subsystems in an AC of a preferred embodiment of the present invention.
  • Fig. 6(a) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention when the AC determines that it should order sending of an SSD update or a unique challenge.
  • Fig. 6(b) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention when the AC receives an AUTHRQST message and one or more SSD updates or unique challenges are due for the requesting subscriber.
  • Fig. 6(c) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention showing the circumstances under which AUTHDIR messages are sent by the AC.
  • Fig. 6(d) is a flow chart showing steps performed by the AC to send a message revoking SSD from a Visitor Location register (VLR).
  • VLR Visitor Location register
  • Figs. 7(a) and 7(b) show parameters of an Authentication Request (AUTHRQST) message received by the AC.
  • Figs. 8(a) and 8(b) show parameters of a response to an Authentication Request (AUTHRQST) message sent by the AC.
  • Figs. 9(a) and 9(b) show paramters of an Authentication Directive (AUTHDIR) message sent by the AC.
  • Fig. 10 shows parameters of a response to an Authentication Directive
  • Fig. 1 1 shows a format of flag bits in a Subscriber (SUBA) file.
  • Figs. 12(a) and 12(b) show a format of an entry in an MSC Point Code Map (MPCM) file.
  • Fig. 13 show an example of values for flags of Fig. 12(b).
  • Fig. 14 is a flowchart of steps performed by the AC to order an SSD update and to order a unique challenge
  • Fig. 15 shows another embodiment of the preferred invention incorporating mated SCPs.
  • Wireless communications are provided through a wireless communication network, which can be realized, for example, as a Signaling System 7 (SS7) network.
  • SS7 Signaling System 7
  • the SS7 network uses the EIA/TIA Interim Standard 41 (IS-41) protocol, which is the standard commonly used in North America.
  • the SS7 network is used for switching data messages pertaining to connecting telephone calls and for maintaining the signaling network.
  • the SS7 network 100 has three different types of nodes or signaling points: Service Switching Point (SSP) 112, Signal Transfer Point (STP) 116, and Service Control Point (SCP) 122.
  • SSP Service Switching Point
  • STP Signal Transfer Point
  • SCP Service Control Point
  • An SSP 112 is an local exchange in the telephone network.
  • An SSP 112 uses the information provided by the calling party (such as dialed digits) and determines how to connect the call.
  • An STP 116 serves as a router in the SS7 network and switches SS7 messages as received from the various SSPs 112 through the network to their appropriate destinations.
  • An STP 116 receives messages in packet form from an SSP 112. These packets are either related to call connections or database queries for an SCP 122. If the packet is a request from an SSP 112 to connect a call, the message must be forwarded to the destination where the call will be terminated. The destination is determined by the dialed digits.
  • the destination will be a database.
  • Access to telephone company databases is provided through an SCP 122. These databases are used to store information about subscribers' services, calling card validation, fraud protection, etc.
  • the wireless network is shared by multiple regions 126, such as regions A and B.
  • an SCP 122 is provided in each region 126.
  • Each region 126 is further divided into a number of registration areas 132, each of which is served by a Mobile Switching Center (MSC) 136.
  • An MSC 136 provides wireless communication services to all properly registered cellular phones 142 in the registration area.
  • an SCP 122 contains an Authentication Center (AC) 146 and a Home Location Register (HLR) 152.
  • AC 146 authenticates a subscriber's cellular phone through the use of a number called the A-Key.
  • HLR 152 is used to store information regarding cellular subscribers in the region for which it provides services. HLR 152 also stores information regarding billing, as well as information identifying the services allowed for each subscriber. In addition to these, HLR 152 stores the current locations of cellular phones 142 of those subscriber's who activated their cellular phones through a wireless service provider in the region the HLR serves. This region is also referred to as the "home area" of those subscribers.
  • a backup HLR is also provided in SCP 122.
  • a VLR 156 is used when a cellular phone 142 is not recognized by a local MSC/VLR 156 stores the current locations for the visiting subscribers.
  • Each cell phone (MS) connects to a base station through a connection
  • a MSC/VLR connects to one or more base stations. This connection includes a voice channel and a control channel, which is usually implemented as a radio channel. As discussed below, the types of information sent over the voice channel and the control channel vary between MSC/VLRs from different manufacturers.
  • Fig. 2 illustrates registration of a cellular phone that has "roamed" outside of its home area 212 into a roaming area 216.
  • Home area 212 and roaming area 216 correspond to two regions, such as regions A and B, respectively, shown in Fig. 1.
  • an SCP 222 includes an AC 232 and a HLR 236.
  • An MSC 243 having an associated VLR 256 (jointly called an "MSC/VLR"), is also located in home area 212.
  • an SCP 244 includes an AC 246 and a HLR 252.
  • An MSC 258 is also located in roaming area 216.
  • MSCs are shown as separate entities from the HLR and VLR in the respective areas, in a actual application the HLR/VLR functions may be integrated with the MSCs.
  • the MSC/VLR When an MSC/VLR detects that a phone capable of authentication has roamed into its area, the MSC/VLR sends Authentication Request (AUTHRQST) messages to the AC. As shown in Fig. 2, when a cellular phone roams into a new area, it sends an AUTHRQST message, which is received by the MSC 258 for the area. MSC 258 and AC 232 exchange a plurality of AUTHRQST messages 270, and the AC sends back a response indicating whether the phone is allowed to operate in the new area. (In Fig. 2, responses to messages are indicated by lower case letters). After the phone has been authenticated, it registers its location with its home HLR 222, as shown by messages 272. Both AUTHRQST and REGNOT messages are well-known to persons of ordinary skill in the art and will not be described in detail herein.
  • Call Origination As shown in Fig. 3, when a calling party desires to place a call to a receiving party, the phone sends a call origination (CALL ORG) message, which includes the digits of the phone number to be dialed. Again, the MSC/VLR and AC exchange AUTHRQST messages, to ensure that the calling phone has authorization to place a call. Originating MSC 243 sends a location request (LOCREQ) message containing the dialed digits to HLR 236 in home area 212.
  • LOCREQ location request
  • the HLR 236 Upon receiving the dialed digits, the HLR 236 accesses its internal data structures to find the associated Mobile identification Number (MIN) for the receiving party's cellular phone, in the SUBS file to determine if the receiving party is a legitimate subscriber. HLR 236 sends a routing address request (ROUTREQ) message to VLR 256 in roaming area 216 where the receiving party's cellular phone is currently registered. The current location information about the receiving party's cellular phone was sent to HLR 236 by VLR 256 after the receiving party arrived the roaming area and the cellular phone registered with VLR 252. The ROUTREQ message contains the associated MIN of the receiving party's cellular phone.
  • MIN Mobile identification Number
  • VLR 256 then forwards the ROUTREQ to MSC 258 currently serving the receiving party's cellular phone.
  • MSC 258 is also referred to as a serving MSC.
  • serving MSC 258 consults its internal data structures to determine if the receiving party's cellular phone is already engaged in a call on this MSC. Assuming that the cellular phone is not known to serving MSC 258, serving MSC 258 may then obtain the receiving party's profile from its VLR 256 by sending it a qualification request (QUALREQ) message.
  • QUALREQ qualification request
  • VLR 256 sends the QUALREQ message to HLR 236 in home area 212. HLR 236 then sends a qualreq response to VLR 256.
  • the qualreq response contains relevant information about the receiving party's profile.
  • VLR 256 in turn sends the qualreq response to serving MSC 258.
  • serving MSC 258 allocates a temporary identifier TLDN (Temporary Local Directory Number) and returns this information to VLR 256 in the routreq message.
  • TLDN Temporary Local Directory Number
  • originating MSC 243 When the routreq message is received by HLR 236, it returns a locreq response to originating MSC 243.
  • the locreq response includes routing information including the MSCID of serving MSC 258 and the TLDN.
  • originating MSC 243 establishes a voice path to serving MSC 258 using existing interconnection protocols (e.g., SS7) and the routing information specified in the locreq response, as illustrated at step 388.
  • existing interconnection protocols e.g., SS7
  • the described embodiment of the present invention uses the CAVE (Cellular Authentication and Voice Encryption) algorithm to authenticate cellular phones in the system.
  • the AC periodically orders an MSC/VLR to perform one or both of an SSD update or a unique challenge operation. These orders are typically included as a part of other messages sent by the AC.
  • the AC may issue SSD update orders and unique challenge orders as a part of any of the messages it sends to an MSC/VLR.
  • authrqst message 202 of Fig. 2 may or may not include an order to perform an SSD update or to perform a unique challenge.
  • Fig. 4(a) is a flow diagram of an SSD update operation when the system allows the AC to share SSD (Shared Secret Data) with the VLR.
  • Fig. 4(b) is a flow diagram of an SSD update operation when the system does not allow an AC to share SSD.
  • Figs. 4(a) and 4(b) also include a handset (called a "Mobile Station” or "MS') 406.
  • SSD is a parameter defined in the IS-41 standard. It is used as an intermediate input value to the CAVE algorithm and is stored in both the AC and MS. As indicated in the figures, some MSC/VLRs are allowed to have access to SSD and some are not, depending on how the system is configured.
  • the orders to perform an SSD update (and a unique challenge) are incorporated into the authrqst response messages 407.
  • the format of an authrqst response message is discussed below.
  • the orders to perform an SSD update (and a unique challenge) are incorporated into the AUTHDIR message 404.
  • the format of an AUTHDIR message is discussed below.
  • the specific messages sent during SSD update are not the subject of the present invention. Instead, the present invention is directed toward whether an SSD update order and/or a unique challenge order should be sent to specific MSC/VLRs under specific circumstances.
  • Authentication Center (AC) Fig. 5 is a block diagram of subsystems in an AC of a preferred embodiment of the present invention. It will be understood that each of the subsystems of Fig. 5 is implemented as software instructions stored in a memory and executed by a processor.
  • An AC Call Processing subsystem 502 is responsible for processing of authentication TCAP messages. Thus, AC call processing subsystem 502 handles the following IS-41 authentication messages and associated responses:
  • Each of the above messages can contain orders for an SSD update and/or a unique challenge.
  • Processing of messages includes message parsing, message validation, decision logic processing, event generation, statistics generation, message creation, message sending and database accessing and updating.
  • Inbound messages are received from an HLR. Responses to a message are returned to the same HLR.
  • Outbound messages are preferably generated from the processing of a queue message received from a Queue Management Facility (external to the AC).
  • AC Call Processing subsystem 502 is also responsible for generation of various required random numbers and the generation of Shared Secret Data (SSD).
  • the AC Call Processing subsystem preferably supports the Authentication Algorithm Version C7, and is structured such that the library routines used for the CAVE algorithm and for random number generation can be easily replaced or enhanced.
  • Subsystem 502 also includes library routines for the encryption/decryption of sensitive data used by the CAVE algorithm.
  • AC Call Processing subsystem 502 will also receive challenge due notification messages from an AC Initiated Challenge subsystem 510 via the external Queue Management Facility. These messages include "Initiate Immediate SSD Update” and "Initiate Unique Challenge” events.
  • AC Call Processing subsystem 502 is also responsible for the generation of log events to be sent to the AC Event Logging subsystem 504 for collection and recording in database 506.
  • An ADS Subsystem 514 is responsible for communicating with a "mated" SCP 515 and for ensuring that the databases of the two systems remain in synch.
  • An External Provisioning Interface (EPI) 522 available from Tandem Computers, Inc., provides subscriber and subscriber data using ITU-T ANS.1 standard messages.
  • AC Initiated Challenge subsystem 510 is composed of the AC Initiated Challenge Process, which is responsible for the Authentication Center initiation of periodic authentication verification and SSD updates on a per subscriber basis.
  • AC Initiated Challenge subsystem 510 uses the configuration information provided by an Authentication System Parameters (ACSP) file to determine whether or not periodic unique challenges are in effect, whether or not periodic SSD updates are in effect, and to determine the associated frequency and interval characteristics of the updates and challenges.
  • ACSP Authentication System Parameters
  • the amount of time between challenges initiated by the AC Initiated Challenge subsystem 510 is variable based upon the last authentication attempt timestamps from the Subscriber Authentication Profile File (SUBA) and upon the AC initiated challenge frequency and interval width information configured in the ACSP file.
  • SUBA Subscriber Authentication Profile File
  • the AC initiated frequency is defined as the desired average frequency of occurrence of a challenge.
  • the AC initiated challenge interval width is defined as the total width of the interval for the AC initiated frequency. For example, if the authentication challenge had an AC initiated frequency of 120 minutes and an AC initiated interval width of 60 minutes, the authentication challenges for a particular subscriber would occur randomly between 90 and 150 minutes.
  • the AC Initiated Challenge Process will sequentially examine each subscriber in the Subscriber Authentication Profile File (SUBA) to determine if it is time to initiate a unique challenge or SSD update for the subscriber. For each SUBA record, the AC Initiated Challenge Process 510 calculates the subscriber's "time to do unique challenge", and "time to update SSD".
  • SUBA Subscriber Authentication Profile File
  • the AC Initiated Challenge Process 510 will update the subscriber record to indicate the operation is needed. The operation will then be performed on the next access of the system by the subscriber.
  • the formulas for the calculation of these subscriber challenger timestamps are defined below.
  • Multiple copies of the AC Initiated Challenge process 510 can be configured for each SCP node with each copy having a subset of the Subscriber Authentication Profile File (SUBA). The subsets will be partitioned among the various copies of the AC Initiated Challenge Process based upon the primary key of the SUBA file. This partitioning methodology allows for balanced workload and prevents I/O contention on the SUBA file.
  • SUBA Subscriber Authentication Profile File
  • LADT last unique challenge attempt timestamp from the subscriber SUBA record
  • AV AC initiated unique challenge width (X ⁇ from ACSP file (minutes)
  • SF AC initiated SSD update frequency (X 2 ) from ACSP file (days)
  • SV AC initiated SSD update width (X 2 ) from ACSP file (days)
  • R Random number between 0 and 1
  • the "time to do unique” challenge timestamp is calculated as follows;
  • the "time to update SSD” challenge timestamp is calculated as follows;
  • Figs. 6(a) through 6(d) are flow charts showing steps performed by the AC in accordance with a preferred embodiment of the present invention. A general discussion is followed by a detailed discussion of message and file formats and by an example.
  • Fig. 6(a) shows steps performed by the AC when it determines that it is time for a periodic AC-initiated SSD update or unique challenge.
  • steps 620 and 630 respectively, the AC determines whether it is time to order sending of either an SSD update or a unique challenge for each subscriber. If so, the AC marks an entry in a Subscriber database as shown in Fig.1 1. To mark an entry in step 622, the AC sets "SSD update needed" flag 1 110 to true if an SSD update is needed for that subscriber.
  • step 632 the AC sets "unique challenge needed" flag 1 106 to true if an SSD update is needed for that subscriber. Possible values for the authentication status, SSD status and unique challenge status fields are: successful, failed and pending.
  • Fig. 6(b) shows steps performed by the AC when an AUTHRQST message is received by the AC. Before the AC sends a responsive message, the AC Call Processing subsystem 510 checks flags 1106 and 11 10 of the Subscriber file of Fig. 1 1 , in step 602, to determine whether an SSD update event is required for the subscriber to whom the message is directed.
  • step 604 the AC accesses a record in the MPCM file for the MSC/VLR from which the message was received to determine whether an SSD update is allowed for messages having a system access type of the message being processed. If the record in the MPCM file indicates that an SSD update is allowed for the type of message to be sent, then, in step 608, the AC orders the SSD update to be included in the message to be sent (as shown in Fig. 14).
  • the AC Call Processing subsystem 510 determines, in step 610, whether a unique challenge event is required for the subscriber associated with the message by checking flag 1106 of the Subscriber database in the entry for that subscriber. If so, in step 612, the AC accesses a record in the MPCM file for the MSC/VLR from which the message was received to determine whether a unique challenge is allowed for the system access type of the message being processed. If the record in the MPCM file indicates that a unique challenge is allowed for the type of message to be sent, then, in step 616, the AC orders the unique challenge to be included in the message to be sent (as shown in Fig. 14).
  • Fig. 6(c) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention showing the circumstances under which AUTHDIR messages are sent by the AC.
  • the AC will only initiate AUTHDIR messages that order operations to be performed when one of the following events occurs:
  • Fig. 6(d) is a flow chart showing steps performed by the AC to send a message revoking SSD from a Visitor Location register (VLR).
  • VLR Visitor Location register
  • AUTHDIR messages to revoke SSD i.e., to order a VLR to discard its copy of the
  • An SSD update scheduled to take place on the next system access is manually initiated. (This forces the MSC/VLR to send an AUTHRQST requesting a new SSD and gives the AC a chance to send the new SSD for the manual update). 3) The subscriber's Equipment Serial Number (ESN) has changed (for example, if the subscriber has a different phone), or 4) The Authentication status of the subscriber has just transitioned from enabled to disabled.
  • An AUTHDIR message revokes SSD by including the NOSSD parameter 910 of Fig. 9(a) to a "discard" value.
  • MIN 702 identifies the subscriber making the request.
  • Steps 602 and 604 of Fig. 6 check flags 1 106 and 11 10 of Fig. 1 1 to determine whether an SSD update or unique challenge needs to be sent for the subscriber having the MIN in field 702. Alternate embodiments may use additional methods to determine if an SSD update or unique challenge needs to be sent.
  • a System Access Type 704 identifies the type of system access made by the MS.
  • the possible system access types are: 0 - not used
  • Steps 606 and 614 of Fig. 6 access this field to determine the operation that the MS wants authorization to perform.
  • An MSCID 706 indicates the ID of the MSC/VLR forwarding the AUTHRQST message.
  • Steps 604 and 612 access the MPCM file using this MSCID as a key to determine the system access types for which the particular MSC/VLR will perform to an SSD update or a unique challenge.
  • Figs. 8(a) and 8(b) show parameters of a response to an Authentication
  • This response is returned by the AC in response to an AUTHRQST message from an MSC/VLR and may include an SSD update and/or a unique challenge.
  • the AC issues an SSD update order in step 608 of Fig. 6 values are placed in RANDSSD field 804.
  • values are placed in AUTHU field 802, RANDU field 804.
  • the SSD update or unique challenge is passed to the MSC/VLR with the AC's response to the AUTHRQST message. This SSD will also be sent if it is to be shared.
  • Figs. 9(a) and 9(b) show parameters of an Authentication Directive (AUTHDIR) message.
  • This message is sent from the AC to an MSC/VLR.
  • Steps 602 and 604 of Fig. 6 use a MIN later stored in field 902 to determine whether an SSD update or unique challenge needs to be sent for the subscriber.
  • Steps 604 and 612 access the MPCM file using this MSCID as a key to determine the conditions that the particular MSC/VLR will perform an SSD update or a unique challenge and may include an SSD update and/or a unique challenge.
  • values are placed in RANDSSD field 904.
  • the AC issues a unique challenge order in step 616 of Fig. 6 values are placed in AUTHU field 903, RANDU field 904, and SSD field 908. In this way, the SSD update or unique challenge is passed to the MSC/VLR with the AC's response to the AUTHRQST message.
  • Fig. 10 shows parameters of a response to an Authentication Directive (AUTHDIR) message.
  • AUTHDIR Authentication Directive
  • Fig. 11 shows a format of flag bits in a Subscriber (SUBA) file.
  • the MIN for each subscriber is used as a key for this file.
  • the flags include an authentication enabled flag 1102, indicating whether the AC is to perform authentication for the subscriber; an authentication status flag 1104; a unique challenge needed flag 1106; a unique challenge status flag 1108; an SSD update needed flag 1110; and an SSD update status flag.
  • Other flags exist that are not shown in the Figure.
  • Figs. 12(a) and 12(b) show a format of an entry in an MSC Point Code Map (MSP) file, which uses an MSC ID as a key.
  • An "SSD Sharing allowed flag" 1206 indicates whether SSD should be shared with this MSC/VLR.
  • Each entry in the MPCM preferably includes two bytes of flags 1204, which are shown in detail in Fig. 12(b).
  • Byte 1 contains the following flags:
  • Fig. 13 show an example of values for flags of Fig. 12(b).
  • flag 1304 indicates that the MSC/VLR having the MSC ID in field 1202 of Fig. 12 will initiate SSD updates sent in response to a call origination message (as indicated by system access type field 704 of Fig. 7(a)).
  • Flag 1302 indicates that the MSC/VLR will not perform SSD updates sent in response to an autonomous registration message.
  • Flag 1308 indicates that the MSC/VLR will perform a unique challenge sent in response to a call origination message.
  • Flag 1306 indicates that the MSC/VLR will not perform a unique challenge sent in response to an autonomous registration message.
  • the AC will send an SSD update and a unique challenge for this MSC/VLR when the message is a call origination message, but not when the message is an autonomous registration message.
  • a human operator has initially set the bits of Fig. 12(b) to indicate the capabilities of the MSC/VLR sending the message.
  • an MSC/VLR that uses a voice channel to order SSD updates will have a "0" in flag 1302, while an MSC/VLR that uses a radio channel to initiate MSC/VLR updates will have a "1".
  • Fig. 14 is a flowchart of steps performed by the AC to order an SSD update and to order a unique challenge
  • Fig. 15 shows another embodiment of the preferred invention incorporating mated SCPs.
  • each AC operates in a mated SCP environment with separate AC applications and databases on two physically separated SCP nodes.
  • the mated SCP environment allows subscriber service processing to continue in the event that one of the SCP nodes is no longer accessible to the SS7 network.
  • updates to one AC database must be applied to the associated AC database on the mated SCP node.
  • Tandem's Application Database Synchronization (ADS) subsystem provides the database management services for the synchronization of the AC databases between the mated SCP nodes.
  • ADS Application Database Synchronization

Abstract

A method and apparatus for allowing an Authentication Center (AC) to issue SSD update and unique challenge operations only if the receiving MSC/VLR is receptive to performing them. When the AC determines that an SSD update or a unique challenge is needed for a particular subscriber, it 'marks' the subscriber as due for an SSD update or unique challenge in a Subscriber database. The periodic SSD update or unique challenge will then be performed on the next system access that allows its performance. The AC also has access to an MPCM database that indicates the circumstances under which each MSC/VLR in the system will perform SSD updates and unique challenges. When it receives an AUTHRQST, the AC first checks the MPCM file to determine whether an order should be sent. If the database indicates that the MSC/VLR will not perform the operation, the AC does not request the operation.

Description

METHOD AND APPARATUS FOR AUTHENTICATION DIRECTIVE INITIATION LIMITS IN A MOBILE TELEPHONE SYSTEM
BACKGROUND OF THE INVENTION The invention generally relates to a wireless communication network, and more particularly, relates to an improved authentication center (AC) component in a wireless communication network.
Wireless communication is one of the fastest growing segments of the telecommunication industry. With the mobility of the wireless devices, such as cellular phones and pagers, a subscriber to a wireless service can make or receive a call, or receive a message without being restricted to any particular locations. Because of the convenience provided by wireless devices, they have been widely used by average consumers.
Airtime fraud is a costly problem for wireless communications providers (also called "operators"). Callers (also called "subscribers") can gain unauthorized access to cellular networks by "cloning" legitimate cellular phones (also called "handsets," "Mobile Stations," or "MSs"). The cloning process duplicates the memory contents of a legitimate cellular phone so that the clone cellular phone appears to be legitimate to the rest of the system. In certain high- crime areas large numbers of cellular phone calls are estimated to be placed from cloned handsets. The challenge to cellular telephone companies lies in determining whether a handset communicating with the system is a legitimate handset or a clone.
In the past, operators could only detect fraudulent access after the fact. The detection process involved labor-intensive post-call analysis and did not stop cloned handsets from fraudulently obtaining service. Currently, many conventional cellular systems include one or more Authentication Center (AC) portions. When a calling person activates a handset, the AC checks the profile of the person who is registered for the handset. The AC then initiates a challenge to the handset. If the handset's response matches the AC's challenge, network access is granted. Otherwise, access is denied. The authentication process greatly reduces airtime losses and serves as a deterrent to the crime of cloning.
In many cellular phone systems, the AC performs authentication in connection with the following events: registration (when a phone roams into a new area); before origination of a call; flashing (which involves, e.g., three way calling, call waiting, or paging); and call termination. In general, the MSC (Mobile Switching Center) associated with the area of the handset being authenticated sends an authentication request (AUTHRQST) message to the AC during each of these events. To further authenticate handsets, conventional ACs periodically send "SSD update" messages and "unique challenge" messages to MCS in the system. These messages ( also called "authentication messages") are defined in the ANSI IS-41 standard produced by TIA/EIA for cellular.
Most systems include MSCs from various vendors and not all the MSCs in a system operate in the same way. For example, the MSCs of some vendors perform SSD updates and unique challenge operations via a radio control channel in the MSC. The MSCs of other vendors use a voice channel already in use by the system. To preserve precious resources, systems using a voice channel will perform SSD updates and unique challenges only when a call is in progress and a voice channel is currently assigned to the mobile handset. Thus, for example, in conventional systems, the AC sends an order to perform an operation such as an SSD update or a unique challenge in response to an AUTHRQST message during registration of a handset. If base stations assigned to an MSC/VLR in whose region the handset is located use a voice channel, the MSC/VLR will not perform the operation because no voice channel is yet assigned. The MSC/VLR will, however, send a message notifying the AC that the operation was not attempted. Similarly, when a voice call is in progress, if the AC sends an order to perform one of these operations to an MSC/VLR whose base stations use the control channel, the MSC/VLR will not perform the operations. The MSC/VLR will, however, send a message notifying the AC that the operation was not attempted. In both cases, the notification sent by the MSC/VLR creates additional traffic in the system and misappropriates precious network resources.
Although ACs of conventional systems order SSD update and unique challenge operations by way of AUTHDIR messages at any time the need for them is detected, such conventional systems do not take into consideration that the MSCs are not always in a position to perform these operations. Thus, in an average conventional system, as many as ten thousand AUTHDIR messages a day are sent, but ignored. What is needed is a way to reduce traffic caused by these extra messages. The conventional IS-41 standard, Rev. C, prescribes SSD sharing in AUTHDIR messages. This ability of conventional ACs to share SSDs to MSCs via AUTHDIR messages is troublesome, since the AC has no way of "knowing" the precise recipient of the data. Because AUTHDIR messages are routed by a system component called the Home Location Register (HLR), the AC has no knowledge of their true destination. Thus, conventional ACs may inadvertently "share" SSDs with MSCs that are not supposed to be able to access such information.
SUMMARY OF THE INVENTION
The present invention provides a method and apparatus for allowing an Authentication Center (AC) to issue SSD update and unique challenge operations only if the receiving MSC/VLR is receptive to performing them. When the AC determines that an SSD update or a unique challenge is needed for a particular subscriber, it "marks" the subscriber as due for an SSD update or unique challenge in a Subscriber database. The periodic SSD update or unique challenge will then be performed on the next system access that allows its performance. For example, the update or challenge may be performed when the AC receives an AUTHRQST message from the cell phone ("MS") of the subscriber because the cellular phone has entered a new registration area. Thus, whenever the AC responds to a AUTHRQST from an MS/VLR, it also determines from the Subscriber database whether there is an SSD update due or a unique challenge due for that subscriber. If an update or challenge is due, the AC sends the operation as a part of the response to the AUTHRQST. MSC The AC also has access to an MPCM file that indicates the circumstances under which each MSC/VLR in the system will perform SSD updates and unique challenges. When it receives an AUTHRQST, the AC first checks the MPCM file to determine whether an order should be sent. If the database indicates that the MSC/VLR will not perform the operation, the AC does not request the operation. The MPCM file holds configuration information for each MSC/VLR in the system. If, for example, an MSC/VLR is associated with a base station that communicates with handsets via a voice channel, entries in the MPCM will indicate that no SSD updates or unique challenges should be sent during registration (since no voice channel is available). Similarly, if an MSC/VLR is associated with a base station that communicates with handsets via a control channel, entries in the MPCM file will indicate that no SSD updates or unique challenges should be sent during a call (since the control channel is not available).
The fact that the AC only issues these orders when the MSCs are receptive to performing them, saves system resources, potentially reducing the amount of network traffic by tens of thousands of messages per day. In addition to the reduction of network traffic, both the AC and the MSCs are made more efficient by not having to process these messages. The AC also gains efficiency because it does not have to perform housekeeping functions for the messages that it does not send.
In addition, an AC in accordance with the present invention never sends an SSD to an MSC/VLR in an AUTHDIR message. This ensures that no unauthorized MSC/VLR obtains an SSD.
Lastly, an AC in accordance with the present invention will order SSD update/unique challenge operations when they are manually initiated by the system operator. Under certain circumstances, the AC will also issue AUTHDIR messages to revoke SSD (i.e., order the VLR to discard its copy of the SSD).
In accordance with the above discussion, the present invention includes a method for sending an authentication messages in a cellular telephone system, comprising the steps, performed by a processor of an Authentication Center (AC) portion of the system, of: determining that an AC initiated authentication message needs to be sent to a subscriber; storing in a database for the subscriber an indication that an authentication message needs to be sent; receiving an authentication message from a subscriber via an MSC; accessing the subscriber database to determine that the AC-initiated authentication message needs to be sent; accessing a database for the MSC/VLR to determine whether the MSC/VLR will act in accordance with an authentication message if one is sent; sending the authentication message to the MSC/VLR if the determination of the accessing step is positive; and refraining from sending the authentication message to the MSC/VLR if the determination of the accessing step is negative.
A fuller understanding of the invention will become apparent and appreciated by referring to the following description and claims taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 depicts a typical SS7 communication network.
Fig. 2 is a flow diagram of steps performed when a roaming cellular telephone enters a new roaming area.
Fig. 3 is a flow diagram of steps performed when a call is made from one area to another.
Fig. 4(a) is a flow diagram of an SSD update operation when the system allows an AC to share Shared Secret Data (SSD) with an MSC.
Fig. 4(b)is a flow diagram of an SSD update operation when the system does not allow an AC to share Shared Secret Data (SSD) with an MSC. Fig. 5 is a block diagram of subsystems in an AC of a preferred embodiment of the present invention.
Fig. 6(a) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention when the AC determines that it should order sending of an SSD update or a unique challenge. Fig. 6(b) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention when the AC receives an AUTHRQST message and one or more SSD updates or unique challenges are due for the requesting subscriber.
Fig. 6(c) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention showing the circumstances under which AUTHDIR messages are sent by the AC.
Fig. 6(d) is a flow chart showing steps performed by the AC to send a message revoking SSD from a Visitor Location register (VLR).
Figs. 7(a) and 7(b) show parameters of an Authentication Request (AUTHRQST) message received by the AC.
Figs. 8(a) and 8(b) show parameters of a response to an Authentication Request (AUTHRQST) message sent by the AC.
Figs. 9(a) and 9(b) show paramters of an Authentication Directive (AUTHDIR) message sent by the AC. Fig. 10 shows parameters of a response to an Authentication Directive
(AUTHDIR) message.
Fig. 1 1 shows a format of flag bits in a Subscriber (SUBA) file.
Figs. 12(a) and 12(b) show a format of an entry in an MSC Point Code Map (MPCM) file. Fig. 13 show an example of values for flags of Fig. 12(b). Fig. 14 is a flowchart of steps performed by the AC to order an SSD update and to order a unique challenge
Fig. 15 shows another embodiment of the preferred invention incorporating mated SCPs.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
A. General Discussion of Cellular Telephone Technology
The following section provides an overview of cellular telephone technology and serves as a prelude to a more specific discussion of the present invention.
1. System Overview
Wireless communications are provided through a wireless communication network, which can be realized, for example, as a Signaling System 7 (SS7) network. The SS7 network uses the EIA/TIA Interim Standard 41 (IS-41) protocol, which is the standard commonly used in North America.
The SS7 network is used for switching data messages pertaining to connecting telephone calls and for maintaining the signaling network. As shown in Fig. 1 , the SS7 network 100 has three different types of nodes or signaling points: Service Switching Point (SSP) 112, Signal Transfer Point (STP) 116, and Service Control Point (SCP) 122.
An SSP 112 is an local exchange in the telephone network. An SSP 112 uses the information provided by the calling party (such as dialed digits) and determines how to connect the call. An STP 116 serves as a router in the SS7 network and switches SS7 messages as received from the various SSPs 112 through the network to their appropriate destinations. An STP 116 receives messages in packet form from an SSP 112. These packets are either related to call connections or database queries for an SCP 122. If the packet is a request from an SSP 112 to connect a call, the message must be forwarded to the destination where the call will be terminated. The destination is determined by the dialed digits. If the message is a database query seeking additional information regarding a person who subscribes a wireless service, i.e., a "subscriber", the destination will be a database. Access to telephone company databases is provided through an SCP 122. These databases are used to store information about subscribers' services, calling card validation, fraud protection, etc.
As shown in Fig. 1 , the wireless network is shared by multiple regions 126, such as regions A and B. In each region 126, an SCP 122 is provided. Each region 126 is further divided into a number of registration areas 132, each of which is served by a Mobile Switching Center (MSC) 136. An MSC 136 provides wireless communication services to all properly registered cellular phones 142 in the registration area.
As illustrated in Fig. 1 , an SCP 122 contains an Authentication Center (AC) 146 and a Home Location Register (HLR) 152. AC 146 authenticates a subscriber's cellular phone through the use of a number called the A-Key. HLR 152 is used to store information regarding cellular subscribers in the region for which it provides services. HLR 152 also stores information regarding billing, as well as information identifying the services allowed for each subscriber. In addition to these, HLR 152 stores the current locations of cellular phones 142 of those subscriber's who activated their cellular phones through a wireless service provider in the region the HLR serves. This region is also referred to as the "home area" of those subscribers. Although not shown, a backup HLR is also provided in SCP 122. A VLR 156 is used when a cellular phone 142 is not recognized by a local MSC/VLR 156 stores the current locations for the visiting subscribers. Each cell phone (MS) connects to a base station through a connection
127. A MSC/VLR connects to one or more base stations. This connection includes a voice channel and a control channel, which is usually implemented as a radio channel. As discussed below, the types of information sent over the voice channel and the control channel vary between MSC/VLRs from different manufacturers.
2. Registration and Roaming
Fig. 2 illustrates registration of a cellular phone that has "roamed" outside of its home area 212 into a roaming area 216. Home area 212 and roaming area 216 correspond to two regions, such as regions A and B, respectively, shown in Fig. 1. In home area 212, an SCP 222 includes an AC 232 and a HLR 236. An MSC 243, having an associated VLR 256 (jointly called an "MSC/VLR"), is also located in home area 212. In roaming area 216, an SCP 244 includes an AC 246 and a HLR 252. An MSC 258 is also located in roaming area 216. In Fig. 2, although MSCs are shown as separate entities from the HLR and VLR in the respective areas, in a actual application the HLR/VLR functions may be integrated with the MSCs.
When an MSC/VLR detects that a phone capable of authentication has roamed into its area, the MSC/VLR sends Authentication Request (AUTHRQST) messages to the AC. As shown in Fig. 2, when a cellular phone roams into a new area, it sends an AUTHRQST message, which is received by the MSC 258 for the area. MSC 258 and AC 232 exchange a plurality of AUTHRQST messages 270, and the AC sends back a response indicating whether the phone is allowed to operate in the new area. (In Fig. 2, responses to messages are indicated by lower case letters). After the phone has been authenticated, it registers its location with its home HLR 222, as shown by messages 272. Both AUTHRQST and REGNOT messages are well-known to persons of ordinary skill in the art and will not be described in detail herein.
3. Call Origination As shown in Fig. 3, when a calling party desires to place a call to a receiving party, the phone sends a call origination (CALL ORG) message, which includes the digits of the phone number to be dialed. Again, the MSC/VLR and AC exchange AUTHRQST messages, to ensure that the calling phone has authorization to place a call. Originating MSC 243 sends a location request (LOCREQ) message containing the dialed digits to HLR 236 in home area 212. Upon receiving the dialed digits, the HLR 236 accesses its internal data structures to find the associated Mobile identification Number (MIN) for the receiving party's cellular phone, in the SUBS file to determine if the receiving party is a legitimate subscriber. HLR 236 sends a routing address request (ROUTREQ) message to VLR 256 in roaming area 216 where the receiving party's cellular phone is currently registered. The current location information about the receiving party's cellular phone was sent to HLR 236 by VLR 256 after the receiving party arrived the roaming area and the cellular phone registered with VLR 252. The ROUTREQ message contains the associated MIN of the receiving party's cellular phone. VLR 256 then forwards the ROUTREQ to MSC 258 currently serving the receiving party's cellular phone. MSC 258 is also referred to as a serving MSC. In response to the ROUTREQ, serving MSC 258 consults its internal data structures to determine if the receiving party's cellular phone is already engaged in a call on this MSC. Assuming that the cellular phone is not known to serving MSC 258, serving MSC 258 may then obtain the receiving party's profile from its VLR 256 by sending it a qualification request (QUALREQ) message. If the receiving party's cellular phone is unknown to VLR 256 or if the information requested is not available at VLR 256, VLR 256 sends the QUALREQ message to HLR 236 in home area 212. HLR 236 then sends a qualreq response to VLR 256. The qualreq response contains relevant information about the receiving party's profile. VLR 256 in turn sends the qualreq response to serving MSC 258. Upon receiving the qualreq, serving MSC 258 allocates a temporary identifier TLDN (Temporary Local Directory Number) and returns this information to VLR 256 in the routreq message. VLR 256 in turn sends the routreq message to HLR 236. When the routreq message is received by HLR 236, it returns a locreq response to originating MSC 243. The locreq response includes routing information including the MSCID of serving MSC 258 and the TLDN. Finally, originating MSC 243 establishes a voice path to serving MSC 258 using existing interconnection protocols (e.g., SS7) and the routing information specified in the locreq response, as illustrated at step 388.
4. SSD Updates and Unique Challenges
The described embodiment of the present invention uses the CAVE (Cellular Authentication and Voice Encryption) algorithm to authenticate cellular phones in the system. Using the CAVE algorithm, the AC periodically orders an MSC/VLR to perform one or both of an SSD update or a unique challenge operation. These orders are typically included as a part of other messages sent by the AC. For example, in Figs. 2 and 3, the AC may issue SSD update orders and unique challenge orders as a part of any of the messages it sends to an MSC/VLR. Thus, for example, authrqst message 202 of Fig. 2 may or may not include an order to perform an SSD update or to perform a unique challenge. Similarly, authrqst message 302 of Fig. 3 may include such orders if the AC determines that they are needed for a particular subscriber. The format of these orders are discussed below. The parameters of an authrqst response is discussed below. Fig. 4(a) is a flow diagram of an SSD update operation when the system allows the AC to share SSD (Shared Secret Data) with the VLR. In contrast, Fig. 4(b) is a flow diagram of an SSD update operation when the system does not allow an AC to share SSD. Figs. 4(a) and 4(b) also include a handset (called a "Mobile Station" or "MS') 406. SSD is a parameter defined in the IS-41 standard. It is used as an intermediate input value to the CAVE algorithm and is stored in both the AC and MS. As indicated in the figures, some MSC/VLRs are allowed to have access to SSD and some are not, depending on how the system is configured.
In Fig. 4(a), the orders to perform an SSD update (and a unique challenge) are incorporated into the authrqst response messages 407. The format of an authrqst response message is discussed below. In Fig. 4(b), the orders to perform an SSD update (and a unique challenge) are incorporated into the AUTHDIR message 404. The format of an AUTHDIR message is discussed below. The specific messages sent during SSD update are not the subject of the present invention. Instead, the present invention is directed toward whether an SSD update order and/or a unique challenge order should be sent to specific MSC/VLRs under specific circumstances.
5. Authentication Center (AC) Fig. 5 is a block diagram of subsystems in an AC of a preferred embodiment of the present invention. It will be understood that each of the subsystems of Fig. 5 is implemented as software instructions stored in a memory and executed by a processor. An AC Call Processing subsystem 502 is responsible for processing of authentication TCAP messages. Thus, AC call processing subsystem 502 handles the following IS-41 authentication messages and associated responses:
Authentication directive, Authentication Failure Report, Authentication Request, Authentication Status Report,
Base Station Challenge, Security Status Report.
Each of the above messages (except the Base Station Challenge) can contain orders for an SSD update and/or a unique challenge. Processing of messages includes message parsing, message validation, decision logic processing, event generation, statistics generation, message creation, message sending and database accessing and updating. Inbound messages are received from an HLR. Responses to a message are returned to the same HLR. Outbound messages are preferably generated from the processing of a queue message received from a Queue Management Facility (external to the AC).
AC Call Processing subsystem 502 is also responsible for generation of various required random numbers and the generation of Shared Secret Data (SSD). The AC Call Processing subsystem preferably supports the Authentication Algorithm Version C7, and is structured such that the library routines used for the CAVE algorithm and for random number generation can be easily replaced or enhanced. Subsystem 502 also includes library routines for the encryption/decryption of sensitive data used by the CAVE algorithm.
AC Call Processing subsystem 502 will also receive challenge due notification messages from an AC Initiated Challenge subsystem 510 via the external Queue Management Facility. These messages include "Initiate Immediate SSD Update" and "Initiate Unique Challenge" events.
AC Call Processing subsystem 502 is also responsible for the generation of log events to be sent to the AC Event Logging subsystem 504 for collection and recording in database 506.
An ADS Subsystem 514 is responsible for communicating with a "mated" SCP 515 and for ensuring that the databases of the two systems remain in synch. An External Provisioning Interface (EPI) 522, available from Tandem Computers, Inc., provides subscriber and subscriber data using ITU-T ANS.1 standard messages.
AC Initiated Challenge subsystem 510 is composed of the AC Initiated Challenge Process, which is responsible for the Authentication Center initiation of periodic authentication verification and SSD updates on a per subscriber basis. AC Initiated Challenge subsystem 510 uses the configuration information provided by an Authentication System Parameters (ACSP) file to determine whether or not periodic unique challenges are in effect, whether or not periodic SSD updates are in effect, and to determine the associated frequency and interval characteristics of the updates and challenges. To help reduce fraud by randomizing these operations, the amount of time between challenges initiated by the AC Initiated Challenge subsystem 510 is variable based upon the last authentication attempt timestamps from the Subscriber Authentication Profile File (SUBA) and upon the AC initiated challenge frequency and interval width information configured in the ACSP file. The AC initiated frequency is defined as the desired average frequency of occurrence of a challenge. The AC initiated challenge interval width is defined as the total width of the interval for the AC initiated frequency. For example, if the authentication challenge had an AC initiated frequency of 120 minutes and an AC initiated interval width of 60 minutes, the authentication challenges for a particular subscriber would occur randomly between 90 and 150 minutes. The AC Initiated Challenge Process will sequentially examine each subscriber in the Subscriber Authentication Profile File (SUBA) to determine if it is time to initiate a unique challenge or SSD update for the subscriber. For each SUBA record, the AC Initiated Challenge Process 510 calculates the subscriber's "time to do unique challenge", and "time to update SSD". If any of these calculated timestamps are less than or equal to the current timestamp, the AC Initiated Challenge Process 510 will update the subscriber record to indicate the operation is needed. The operation will then be performed on the next access of the system by the subscriber. The formulas for the calculation of these subscriber challenger timestamps are defined below. Multiple copies of the AC Initiated Challenge process 510 can be configured for each SCP node with each copy having a subset of the Subscriber Authentication Profile File (SUBA). The subsets will be partitioned among the various copies of the AC Initiated Challenge Process based upon the primary key of the SUBA file. This partitioning methodology allows for balanced workload and prevents I/O contention on the SUBA file.
The following formulas are used for the calculation of the three subscriber challenge timestamps:
LADT = last unique challenge attempt timestamp from the subscriber SUBA record
LSDT = last SSD update attempt timestamp from the subscriber SUBA record
AF = AC initiated unique challenge frequency (X^ from ACSP file
(minutes)
AV = AC initiated unique challenge width (X^ from ACSP file (minutes) SF = AC initiated SSD update frequency (X2) from ACSP file (days) SV = AC initiated SSD update width (X2) from ACSP file (days)
R = Random number between 0 and 1
The "time to do unique" challenge timestamp is calculated as follows;
LADT + AF + (R - 0.5) * AV
The "time to update SSD" challenge timestamp is calculated as follows;
LSDT + SF + (R - 0.5) * SV
B. Selective Sending of SSD Updates and Unique Challenges
Figs. 6(a) through 6(d) are flow charts showing steps performed by the AC in accordance with a preferred embodiment of the present invention. A general discussion is followed by a detailed discussion of message and file formats and by an example. Fig. 6(a) shows steps performed by the AC when it determines that it is time for a periodic AC-initiated SSD update or unique challenge. In steps 620 and 630, respectively, the AC determines whether it is time to order sending of either an SSD update or a unique challenge for each subscriber. If so, the AC marks an entry in a Subscriber database as shown in Fig.1 1. To mark an entry in step 622, the AC sets "SSD update needed" flag 1 110 to true if an SSD update is needed for that subscriber. Similarly, in step 632, the AC sets "unique challenge needed" flag 1 106 to true if an SSD update is needed for that subscriber. Possible values for the authentication status, SSD status and unique challenge status fields are: successful, failed and pending. Fig. 6(b) shows steps performed by the AC when an AUTHRQST message is received by the AC. Before the AC sends a responsive message, the AC Call Processing subsystem 510 checks flags 1106 and 11 10 of the Subscriber file of Fig. 1 1 , in step 602, to determine whether an SSD update event is required for the subscriber to whom the message is directed. If so, in step 604, the AC accesses a record in the MPCM file for the MSC/VLR from which the message was received to determine whether an SSD update is allowed for messages having a system access type of the message being processed. If the record in the MPCM file indicates that an SSD update is allowed for the type of message to be sent, then, in step 608, the AC orders the SSD update to be included in the message to be sent (as shown in Fig. 14).
Similar steps are performed when the AC sends a response to an AUTHRQST message and there is a unique challenge event required for the subscriber. Before the AC sends a message, the AC Call Processing subsystem 510 determines, in step 610, whether a unique challenge event is required for the subscriber associated with the message by checking flag 1106 of the Subscriber database in the entry for that subscriber. If so, in step 612, the AC accesses a record in the MPCM file for the MSC/VLR from which the message was received to determine whether a unique challenge is allowed for the system access type of the message being processed. If the record in the MPCM file indicates that a unique challenge is allowed for the type of message to be sent, then, in step 616, the AC orders the unique challenge to be included in the message to be sent (as shown in Fig. 14).
Fig. 6(c) is a flow chart showing steps performed by the AC in accordance with a preferred embodiment of the present invention showing the circumstances under which AUTHDIR messages are sent by the AC. In the described embodiment, the AC will only initiate AUTHDIR messages that order operations to be performed when one of the following events occurs:
1) a unique challenge has been manually initiated by a human operator, or
2) an SSD update has been manually initiated by a human operator. In either case, the AC fills in values in an AUTHDIR message buffer prior to sending the AUTHDIR message to the MS whose MIN was indicated by the operator. Fig. 9(b) indicates which values should be sent under manual updates and/or manual challenges.
Fig. 6(d) is a flow chart showing steps performed by the AC to send a message revoking SSD from a Visitor Location register (VLR). The AC will issue
AUTHDIR messages to revoke SSD (i.e., to order a VLR to discard its copy of the
SSD) when any of the following events occur:
1) The AC detects that a periodic SSD update is due,
2) An SSD update scheduled to take place on the next system access is manually initiated. (This forces the MSC/VLR to send an AUTHRQST requesting a new SSD and gives the AC a chance to send the new SSD for the manual update). 3) The subscriber's Equipment Serial Number (ESN) has changed (for example, if the subscriber has a different phone), or 4) The Authentication status of the subscriber has just transitioned from enabled to disabled. An AUTHDIR message revokes SSD by including the NOSSD parameter 910 of Fig. 9(a) to a "discard" value.
As discussed above, the AC sends SSD updates and unique challenges as a part of several different types of messages. The following section describes message and file formats used by the steps of Fig. 6. These formats are known to persons of ordinary skill in the art and are included here for clarity of example. Only relevant fields are discussed. Columns marked either "R" or "C" indicate that the field is required or contingent (optional). Figs. 7(a) and 7(b) show parameters in an Authentication Request
(AUTHRQST) message. This message is sent from an MSC/VLR the AC. Mobile Identification Number (MIN) 702 identifies the subscriber making the request. Steps 602 and 604 of Fig. 6 check flags 1 106 and 11 10 of Fig. 1 1 to determine whether an SSD update or unique challenge needs to be sent for the subscriber having the MIN in field 702. Alternate embodiments may use additional methods to determine if an SSD update or unique challenge needs to be sent.
A System Access Type 704 identifies the type of system access made by the MS. In the described embodiment, the possible system access types are: 0 - not used
2 - Flash request 1 - Unspecified
3 - Autonomous registration
4 - Call origination 5 - Page response
6 - No access
7 - Power down registration
8 - SMS page response.
Steps 606 and 614 of Fig. 6 access this field to determine the operation that the MS wants authorization to perform. An MSCID 706 indicates the ID of the MSC/VLR forwarding the AUTHRQST message. Steps 604 and 612 access the MPCM file using this MSCID as a key to determine the system access types for which the particular MSC/VLR will perform to an SSD update or a unique challenge. Figs. 8(a) and 8(b) show parameters of a response to an Authentication
Request (AUTHRQST) message of Fig. 7. This response is returned by the AC in response to an AUTHRQST message from an MSC/VLR and may include an SSD update and/or a unique challenge. When the AC issues an SSD update order in step 608 of Fig. 6, values are placed in RANDSSD field 804. When the AC issues a unique challenge order in step 616 of Fig. 6, values are placed in AUTHU field 802, RANDU field 804. In this way, the SSD update or unique challenge is passed to the MSC/VLR with the AC's response to the AUTHRQST message. This SSD will also be sent if it is to be shared.
Figs. 9(a) and 9(b) show parameters of an Authentication Directive (AUTHDIR) message. This message is sent from the AC to an MSC/VLR. Steps 602 and 604 of Fig. 6 use a MIN later stored in field 902 to determine whether an SSD update or unique challenge needs to be sent for the subscriber. Steps 604 and 612 access the MPCM file using this MSCID as a key to determine the conditions that the particular MSC/VLR will perform an SSD update or a unique challenge and may include an SSD update and/or a unique challenge. When the AC issues an SSD update order in step 608 of Fig. 6, values are placed in RANDSSD field 904. When the AC issues a unique challenge order in step 616 of Fig. 6, values are placed in AUTHU field 903, RANDU field 904, and SSD field 908. In this way, the SSD update or unique challenge is passed to the MSC/VLR with the AC's response to the AUTHRQST message.
Fig. 10 shows parameters of a response to an Authentication Directive (AUTHDIR) message.
Fig. 11 shows a format of flag bits in a Subscriber (SUBA) file. As discussed above, the MIN for each subscriber is used as a key for this file. The flags include an authentication enabled flag 1102, indicating whether the AC is to perform authentication for the subscriber; an authentication status flag 1104; a unique challenge needed flag 1106; a unique challenge status flag 1108; an SSD update needed flag 1110; and an SSD update status flag. Other flags exist that are not shown in the Figure. Figs. 12(a) and 12(b) show a format of an entry in an MSC Point Code Map (MSP) file, which uses an MSC ID as a key. An "SSD Sharing allowed flag" 1206 indicates whether SSD should be shared with this MSC/VLR. Each entry in the MPCM preferably includes two bytes of flags 1204, which are shown in detail in Fig. 12(b). Byte 1 contains the following flags:
H = reserved G = Reserved
F = Page response for SSD update
E = Call origination for SSD update
D = Autonomous registration for SSD update
C = Flash for SSD update B = Unspecified for SSD update
A = Other for SSD update Byte 0 contains the following flags:
H = Reserved
G = Reserved F = Page response for unique challenge
E = Call origination for unique challenge
D = Autonomous registration for unique challenge
C = Flash for Unique challenge
B = Unspecified for unique challenge A = Other for unique challenge
In these flags, "0" is false and "1" is true.
Fig. 13 show an example of values for flags of Fig. 12(b). In the example, flag 1304 indicates that the MSC/VLR having the MSC ID in field 1202 of Fig. 12 will initiate SSD updates sent in response to a call origination message (as indicated by system access type field 704 of Fig. 7(a)). Flag 1302 indicates that the MSC/VLR will not perform SSD updates sent in response to an autonomous registration message. Flag 1308 indicates that the MSC/VLR will perform a unique challenge sent in response to a call origination message. Flag 1306 indicates that the MSC/VLR will not perform a unique challenge sent in response to an autonomous registration message. Thus, in the example, the AC will send an SSD update and a unique challenge for this MSC/VLR when the message is a call origination message, but not when the message is an autonomous registration message. In the example, a human operator has initially set the bits of Fig. 12(b) to indicate the capabilities of the MSC/VLR sending the message. Thus, for example, an MSC/VLR that uses a voice channel to order SSD updates will have a "0" in flag 1302, while an MSC/VLR that uses a radio channel to initiate MSC/VLR updates will have a "1".
Fig. 14 is a flowchart of steps performed by the AC to order an SSD update and to order a unique challenge Fig. 15 shows another embodiment of the preferred invention incorporating mated SCPs. In Fig. 15, each AC operates in a mated SCP environment with separate AC applications and databases on two physically separated SCP nodes. The mated SCP environment allows subscriber service processing to continue in the event that one of the SCP nodes is no longer accessible to the SS7 network. As a consequence, updates to one AC database must be applied to the associated AC database on the mated SCP node. Tandem's Application Database Synchronization (ADS) subsystem provides the database management services for the synchronization of the AC databases between the mated SCP nodes. While the invention has been described in conjunction with specific embodiments, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art in light of the foregoing description. Accordingly, it is intended to embrace all such alternatives, modifications and variations as fall within the spirit and scope of the appended claims.

Claims

WHAT IS CLAIMED IS:
1 . A method for sending an authentication messages in a cellular telephone system, comprising the steps, performed by a processor of an Authentication Center (AC) portion of the system, of: determining that an AC initiated authentication message needs to be sent to a subscriber; storing in a database for the subscriber an indication that an authentication message needs to be sent; receiving an authentication message from a subscriber via an MSC; accessing the subscriber database to determine that the AC-initiated authentication message needs to be sent; accessing a database for the MSC/VLR to determine whether the MSC/VLR will act in accordance with an authentication message if one is sent; sending the authentication message to the MSC/VLR if the determination of the accessing step is positive; and refraining from sending the authentication message to the MSC/VLR if the determination of the accessing step is negative.
2. The method of claim 1 , wherein the authentication message includes an order for an SSD update.
3. The method of claim 1 , wherein the authentication message includes an order for a unique challenge.
4. The method of claim 1 , wherein a system access type of the authentication message received by the AC is one of: page response, call origination, autonomous registration, and flash.
5. The method of claim 1 , wherein a memory of the AC holds flags for the MSC/VLR indicating for what system access types the authentication message should be sent.
6. The method of claim 1 , further comprising the steps of: determining that an AC-initiated authentication message has been manually initiated and needs to be sent to a subscriber; and sending the manually initiated AC-initiated message in accordance with instructions from a human user.
7. The method of claim 1 , wherein the AC never sends an SSD via an Authentication Directive (AUTHDIR) message.
PCT/US1998/000471 1997-01-11 1998-01-09 Method and apparatus for limiting authentication directive initiation in a mobile telephone system WO1998031162A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US78126397A 1997-01-11 1997-01-11
US08/781,263 1997-01-11

Publications (2)

Publication Number Publication Date
WO1998031162A2 true WO1998031162A2 (en) 1998-07-16
WO1998031162A3 WO1998031162A3 (en) 1998-11-12

Family

ID=25122193

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/000471 WO1998031162A2 (en) 1997-01-11 1998-01-09 Method and apparatus for limiting authentication directive initiation in a mobile telephone system

Country Status (1)

Country Link
WO (1) WO1998031162A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999026443A1 (en) * 1997-11-14 1999-05-27 Telefonaktiebolaget Lm Ericsson (Publ) Method of controlling a stand-alone authentication center in a radio telecommunications network
WO2000035215A2 (en) * 1998-12-09 2000-06-15 Telefonaktiebolaget Lm Ericsson (Publ) Method of performing a base station challenge in a cellular telecommunications network
WO2000067516A1 (en) * 1999-04-30 2000-11-09 Telefonaktiebolaget Lm Ericsson (Publ) System and method for reducing network signaling load in a radio telecommunications network
US9820216B1 (en) 2014-05-12 2017-11-14 Sprint Communications Company L.P. Wireless traffic channel release prevention before update process completion

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0690648A2 (en) * 1994-06-30 1996-01-03 AT&T Corp. Temporary storage of authentication information throughout a personal communication system
US5497412A (en) * 1994-04-07 1996-03-05 Gte Telecommunication Services Incorporated Enhanced call delivery system for roaming cellular subscribers

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5497412A (en) * 1994-04-07 1996-03-05 Gte Telecommunication Services Incorporated Enhanced call delivery system for roaming cellular subscribers
EP0690648A2 (en) * 1994-06-30 1996-01-03 AT&T Corp. Temporary storage of authentication information throughout a personal communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MOHAN S: "NETWORK IMPACTS OF PRIVACY AND AUTHENTICATION PROTOCOLS FOR PCS" COMMUNICATIONS - GATEWAY TO GLOBALIZATION. PROCEEDINGS OF THE CONFERENCE ON COMMUNICATIONS, SEATTLE, JUNE 18 - 22, 1995, vol. 3, 18 June 1995, pages 1557-1561, XP000535021 INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999026443A1 (en) * 1997-11-14 1999-05-27 Telefonaktiebolaget Lm Ericsson (Publ) Method of controlling a stand-alone authentication center in a radio telecommunications network
WO2000035215A2 (en) * 1998-12-09 2000-06-15 Telefonaktiebolaget Lm Ericsson (Publ) Method of performing a base station challenge in a cellular telecommunications network
WO2000035215A3 (en) * 1998-12-09 2000-10-26 Ericsson Telefon Ab L M Method of performing a base station challenge in a cellular telecommunications network
WO2000067516A1 (en) * 1999-04-30 2000-11-09 Telefonaktiebolaget Lm Ericsson (Publ) System and method for reducing network signaling load in a radio telecommunications network
US6397056B1 (en) 1999-04-30 2002-05-28 Telefonaktiebolaget L M Ericsson (Publ) System and method for reducing network signaling load in a radio telecommunications network
US9820216B1 (en) 2014-05-12 2017-11-14 Sprint Communications Company L.P. Wireless traffic channel release prevention before update process completion

Also Published As

Publication number Publication date
WO1998031162A3 (en) 1998-11-12

Similar Documents

Publication Publication Date Title
US6097939A (en) Method and apparatus for event data maintenance per MIN/ESN pair in a mobile telephone system
US6173174B1 (en) Method and apparatus for automated SSD updates on an a-key entry in a mobile telephone system
EP0976278B1 (en) Preventing misuse of a copied subscriber identity in a mobile communication system
USRE41075E1 (en) Methods and systems to substantially prevent fraudulent use of a wireless unit roaming in a visited system
US7190969B1 (en) Method and system for controlling service to multiple mobile stations having a common subscriber identifier
US6081705A (en) Cellular telephone network support of international mobile station identity (IMSI)
FI106604B (en) A method for protecting subscriber identity
US6889328B1 (en) Method and apparatus for secure communication
US6112079A (en) Method and apparatus for providing fraud protection mediation in a mobile telephone system
US6026298A (en) Method and apparatus for providing switch capability mediation in a mobile telephone system
WO1998000986A1 (en) Signaling gateway system and method
WO2000028772A1 (en) Method and systems for providing information to a home system regarding a wireless unit roaming in a visited system
US7215943B2 (en) Mobile terminal identity protection through home location register modification
US6226511B1 (en) Method and apparatus for configuration of authentication center operations in a mobile telephone system
US5615267A (en) Method for adaptively switching between PCS authentication schemes
US6668166B1 (en) Apparatus and method for mobile authentication employing international mobile subscriber identity
FI98333C (en) A method for implementing a service in a mobile communication system, a mobile communication system and a base station
EP0886979B1 (en) Short code dialling
WO1998031162A2 (en) Method and apparatus for limiting authentication directive initiation in a mobile telephone system
WO1999049688A1 (en) System and method of authenticating a mobile station's identity and handling authentication failures in a radio telecommunications network
WO1998031163A2 (en) Method and apparatus for implementing alias mobile id numbers in a mobile telephone system
KR20010004463A (en) Method for user authentication using User Identity Module in digital cellular telecommunication system
Mohan Network impacts of privacy and authentication protocols for PCS

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): CA JP

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): CA JP

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 1998531161

Format of ref document f/p: F

122 Ep: pct application non-entry in european phase