WO2006057627A1 - Apparatuses for establishing a highly secure voice and data link between communicating parties - Google Patents

Publication number: WO2006057627A1
Authority: WO, WIPO (PCT)
Application number: PCT/SK2005/000022
Prior art keywords: mobile communication, security, module, data, secure
Inventors: Igor Kocis, Dusan Kocis, Tomas Kristofic
Original assignees: Igor Kocis, Dusan Kocis, Tomas Kristofic

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • the invention concerns mobile telephony and encryption of communication through mobile communication devices. More precisely, it addresses encryption of a direct communication channel between two mobile communication devices.
  • the invention includes a special security device that provides security and support functionality for such
  • Another problem of security and trust in mobile communication is the fact that data is not encrypted on the side of the provider of mobile communication services, i.e. the mobile operator. Communication is carried over the infrastructure of the mobile operator unencrypted. This means that the communication is accessible to people in the vicinity of this infrastructure. First of all these people include system administrators, technicians, service personnel, service providers and similar institutions together with technical means connected to the infrastructure of the mobile operator. In the case of illegal interest all these people are able to carry out eavesdropping on mobile communication under specific
  • a serious obstacle to deployment of security tools for mobile communication devices is the variety of these devices. This does not only apply to manufacturers of mobile phones, who often offer devices that are not compatible even with their own interfaces, but also to mobile communication systems themselves.
  • the most well-known communication systems are GSM, CDMA (IS95), AMPS (Advanced Mobile Phone Service), Iridium, Tetra (TErrestrial Trunked RAdio).
  • GSM: Global System for Mobile Communications
  • CDMA: IS95
  • AMPS: Advanced Mobile Phone Service
  • Iridium
  • Tetra: TErrestrial Trunked RAdio
  • Each wireless device features a different user interface, a different operating system, and different communication interfaces. This makes the situation for potential manufacturers of encryption devices much worse, because they have to develop devices compatible only with certain mobile devices.
  • a customer who wants to switch to a different type of a mobile phone has to buy a new encryption device for the new phone as well.
  • Such systems require key management that meets requirements characteristic for mobile communication, as for example portability, resistance to unauthorized use, etc.
  • the purpose of this key management is to deliver encryption keys for specific algorithms. Renewal of keys takes place at prescribed intervals. In case the same device is used by several users or for several purposes, these users are authenticated so that keys are used only by an authorized user.
  • Secure storage for sensitive personal data is a separate problem in the area of secure communication.
  • storage in a special device has the potential to provide higher level of security of sensitive information as well as to provide authorized access to the data.
  • Current solutions for data storage in mobile phones, which depend heavily on the user interface provided by the mobile phone manufacturer, provide only very limited possibilities to create such a system.
  • the only standardized element suitable for such storage is the SIM card (subscriber identity module).
  • Connecting or inserting a special dedicated device or module provides a real possibility for creating really secure storage for sensitive data.
  • Such storage is implemented as a separate memory device or a combined device including encryption functionality as well.
  • a smart card is used as the secure storage, which makes these systems more flexible in respect to user requirements and potential compatible systems.
  • the solution described in the US patent application No. 2004/0059921 also belongs to this group of implementations of secure storage.
  • the proposed security method also includes a network component that implements the functionality of key storage and provides general and security functions as well. These procedures are proposed for the environment of IP networks of LAN and WAN type with unspecified infrastructure utilizing "Voice over IP" technology. This solution may also include a card implementing security functions.
  • the patent application does not deal with connecting such a device to a mobile phone. It can only use it in specific cases via a gateway as a part of an IP communication path to another communication device on an IP network of LAN or WAN type.
  • Bluetooth can establish a wireless connection between a mobile phone and another device at the distance of several meters. In this way one can set up a simple network containing a computer, a printer, a handheld, a mobile phone, a keyboard, a mouse, etc. Bluetooth communication itself is relatively secure in respect to both authentication
  • the solution described in the US patent application No. 2002/0114467 also implements secure storage in this way.
  • the described security device uses a Bluetooth wireless interface for communication with a mobile phone.
  • the device implements data encryption, data decryption, and electronic signature as general standardized methods. It also contains storage for encryption keys. It also describes a way to connect a smart card.
  • An external connection in the form of on-line bank terminals or cash registers is preferred.
  • An advantage of this solution is that it does not require any modification to the mobile device in order to provide data encryption and electronic signature, while the connection to the mobile phone is relatively simple.
  • the solution does not address the essential problem of how to modify a mobile phone so that the functionality provided by the device is in fact usable.
  • this solution does not cover voice communication by the means of mobile phones. It only deals with data communication using text messages. Its main area of utilization is in the area of on-line banking, bank services, cash registers, and vending machines.
  • the system based on this invention solves problems and eliminates shortcomings and disadvantages of current technology, especially most of those described above.
  • the nature of this invention is a system for secure mobile communication utilizing mobile communication devices in the environment of a mobile communication network to establish highly secure voice and data communication among communicating parties.
  • the system consists of:
  • Audio modules for conversion of analog signal from the microphone into digital signal, further processing of this signal, compression and packetization for further modules, decompression of packets, conversion of the decompressed digital signal into analog signal
  • Security device for data encryption and decryption, security and support functions, and generation of encryption keys also containing an authentication part
  • the operator's network serving mainly for data transfer between two mobile communication devices, or between a mobile communication device and a server system;
  • Server system that mainly provides registration services to end users, guarantees validity of certificates together with long-term authentication or other encryption keys, and acts as an intermediary in communication between two or among several mobile
  • the audio module consists of:
  • the secure storage module consists of a separate device, a smart card, a bank card, or a SIM card that can be connected to the security device or the mobile communication device, or a submodule within the security device or a submodule within the mobile communication device.
  • the server system module consists of a separate device, a combination of devices, or a submodule within the mobile communication
  • the security device contains memory, in which a security and control program is
  • This program is subject to modification through a local or remote upgrade.
  • the mobile communication device contains memory, in which a security and control program is loaded.
  • the solution also concerns the security device implemented in the system, which has the following components:
  • the user interface provides services for input of voice, data, and authentication data from the user, output of voice and data for the user, and informing the user about the state of the device.
  • the user interface consists of a voice processing module, a user interface module, and a user authentication module;
  • Security core device providing mainly services for encryption and decryption of data and voice acquired from the user interface or the communication component, services for verification of authentication data from the user interface, implementation of electronic signature.
  • the security device consists of a security module, a control module and local secure data storage.
  • Communication component providing mainly services for transfer of voice, data, and authentication data from the security core of the device to the mobile communication device or a device connected to a computer network.
  • the communication component consists of a wired transfer module or a wireless transfer module.
  • Power supply providing mainly electric power supply to the security device.
  • the power supply consists of a power control module and a battery.
  • the security device contains a wireless interface for communication between the security device (4, 9) and a mobile communication device, usually of Bluetooth, WiFi or IrDA type, alternatively in specific cases also a wired connection like USB, mini USB, or IEEE 1394.
  • the idea of this invention is to use mobile communication devices, for example, mobile phones or smartphones in the environment of a mobile communication network to set up a highly secure voice and data communication link between communicating parties.
  • Another idea of this invention is development of a highly modular system, which can be adjusted to security and infrastructure requirements to the biggest extent possible.
  • the system can cooperate with a wide scale of supported mobile communication devices from various manufacturers without any need to adjust the system to various types of mobile communication devices.
  • Another feature of this invention is the possibility to easily upgrade relevant modules of the system remotely. This feature is essential in regards to the requirement for the universality of the system and newly introduced types of mobile communication devices.
  • Another feature of this invention is that it provides roaming among those operators of the mobile communication network, who support transfer of data usable for encrypted voice communication.
  • Data transfer itself requires only standard procedures in the process of connection, because specific procedures available only with particular mobile communication devices or within the mobile communication network of a particular operator do not guarantee functionality and roaming in networks of other operators or with other mobile communication devices. In specific cases such functionality can be implemented, but parallel compatibility with the abovementioned solution is necessary in order to maintain roaming.
  • Another feature of this invention is development of a compact, ergonomic, highly secure, and affordable security device.
  • This device connects to a mobile communication device through a standard wireless, alternatively wired connection.
  • the device provides security and support functionality to the mobile communication device, and implements key management and secure data and key storage.
  • Another feature of this invention is the usage of a memory card, a SIM card or a smart card as secure data storage. Depending on the properties of the card, it can also be used as an encryption device, an authentication device, or a device providing support functionality.
  • the card is removable and inserted in the security device, possibly in the mobile communication device, if the device supports it.
  • the server system mainly provides registration services to end users and guarantees the validity of certificates together with long-term authentication or other encryption keys.
  • a direct alternative channel which can, for example, be visual (a display), audio, data channel etc.
  • Another feature of this invention is the usage of a server system as an intermediary in communication between two or among several mobile communication devices.
  • a connection may be established due to unavailability of direct connection between two mobile communication devices, when a conference connection among several mobile communication devices is required, for security reasons, due to need for supervision over communication, or in order to provide for the anonymity of a connection between two communicating mobile communication devices.
  • the server system provides connection of mobile communication devices at the level of data transfer. Setting up a direct secure channel is carried out by the mobile communication devices themselves without any
  • Another feature of this invention is provision of high quality real time encryption regardless of which module of the system is doing it. Delays in communication or dropouts have to be negligible in regards to the total delay in the system.
  • Another feature of this invention is setting up a direct secure channel between two mobile communication devices or terminals and key management between them.
  • the integrity of the direct communication channel is not broken when further elements of the communication network are present on the communication route between the two mobile communication devices, e.g. routers, firewalls, gateways connecting networks of various types, switching
  • Another feature of this invention is setting up a secure data connection between two mobile communication devices. After a successful synchronization of both mobile communication devices (their modem modules), an encryption key for securing the communication data channel is obtained with the help of algorithms for generation or negotiation of a shared encryption key.
  • Common algorithms for key generation or negotiation are for example of hierarchical type or employ algorithms like Diffie-Hellman, RSA, Station-To-Station. These encryption keys are generated for each voice call separately, if the system allows for it. After the completion of a call these keys are automatically destroyed, if there is no specific reason to store them.
  • Another feature of this invention is implementation of a relatively good audio codec for voice compression and processing compared to common systems, for example GSM.
  • the bit rate of the output compressed stream is sufficiently low in respect to the capacity of the network.
  • the processing of voice also contains features that ensure its high quality and eliminate unwanted artifacts as for example echo, feedback, unwanted noise, dropouts in the communication channel etc.
  • the solutions, described in this patent, use the operator's network for communication between two mobile communication devices.
  • the operator's network can be for example of GSM, CDMA (IS95), AMPS (Advanced Mobile Phone Service), Iridium, Tetra (TErrestrial Trunked RAdio) or WiFi type.
  • devices can also use another way of communication, for example a direct channel through Bluetooth, USB, or an IP network.
  • the principle of the invention lies in the versatility of its modules. From this point of view the most important and critical modules are the mobile communication device and the security device. From the point of versatility and wide compatibility the architectural properties of the software of both modules are essential. In the case of a mobile communication device it is essential to develop such software that can function in mobile communication devices running under given operating system, e.g. Symbian OS, Palm OS, Windows Mobile Pocket PC, Windows Mobile Smartphone or Linux. The software eliminates differences in access to the resources of the mobile communication device, as well as fully
  • the internal structure of the security device is to a big extent autonomous.
  • This device is universal in the system, because it is connected with the mobile communication device through a wireless interface, e.g. Bluetooth, WiFi, or IrDA.
  • Other wired connections e.g. battery recharging, USB, mini USB, or IEEE 1394 serve other purposes or as an alternative connection.
  • the communication interface of the security device complies with relevant standards. For this reason its connection to another device is transparent unlike wire connectors, which are of many types on the mobile communication devices market, and which change in time. These properties ensure that the security device can also be used as secure data storage, a key manager, or implement support functionality for other devices. Its functionality and usage are not restricted to only those mentioned above.
  • the security device can also be used as a security, transaction, or authentication module not only with a mobile communication device, but also with a parking terminal, cash register, bank terminal, desktop computer, portable computer, pocket computer, vending machine, device for input control, etc.
  • Some mobile communication devices are not able to provide all the functionality that is required for the operation of a system based on this invention.
  • Computational power and access to resources of mobile communication devices are usually set by the manufacturer and are limited by the available operating system. This concerns mainly functions like encryption and decryption in real time, compression and decompression of voice in real time, input from and output to the audio module, full-duplex communication, user authentication etc.
  • the security device provides full support of this functionality to the mobile communication device.
  • Software of a mobile communication device that cannot support this functionality in full extent provides at least limited functionality of secure voice transfer, for example, using less demanding modes of secure voice transfer from the point of computational complexity and real time communication. In this case communication in the form of half-duplex operation, simplex operation, voice messages, etc. is possible.
  • Figure 1 shows a system built on the basis of this invention.
  • Figure 2 shows the block diagram of the device for mobile communication.
  • Figure 3 shows an arrangement of the modules of the system, where the individual modules are implemented as separate devices.
  • Figure 4 shows an arrangement of the modules of the system, where the audio module and the mobile communication device form one indivisible device and the security device is a separate device.
  • Figure 5 shows an arrangement of the modules of the system, where the mobile communication device and the security device form one indivisible device and the audio module is a separate device.
  • Figure 6 shows an arrangement of the modules of the system, where the mobile communication device, the security device, and the audio module form one indivisible device.
  • Figure 7 shows an arrangement of the modules of the system, where the audio module and the security device form one indivisible device, and the mobile communication device is a separate device.
  • Figure 8 shows an arrangement of the modules of the system, where the communicating parties do not communicate directly over the operator's network, but through a server
  • Figure 9 shows an arrangement of the modules of the system, where user registration into the system is implemented by the means of a server system.
  • Figure 10 shows an arrangement of the modules of the system, where the registration of a user into the system is implemented in a separate security device.
  • Figure 11 shows the setup of a connection between a mobile communication device A and a mobile communication device B.
  • Figure 1 shows a system built on the basis of this invention, which consists of the following modules: an audio module 1, 11, a security device 4, 9, secure data storage 5, 10, a mobile communication device 6, 8, the operator's network 7, and a server system 14. Individual modules of the system communicate either wirelessly or through wired connections.
  • Examples of wireless communication are the well-known wireless interfaces like 802.11b, 802.11g, Bluetooth, or over the operator's network.
  • Examples of communication over wired connection are the well-known serial interfaces like USB, RS232, I2C, SPI, or the well-known parallel interfaces like Centronics, ISA, PCI, PCMCIA.
  • the audio module 1, 11 converts analogue signal from the microphone 2, 12 into digital signal, further processes this signal, compresses it, and packetizes it for further modules, especially for the security device 4, 9 and the mobile communication device 6, 8.
  • the audio module 1, 11 further serves for decompression of packets acquired from the security device 4, 9 and the mobile communication device 6, 8, and for conversion of the decompressed digital signal into analog signal for the loudspeaker 3, 13.
  • the security device 4, 9 serves for encryption and decryption of data acquired especially from the audio module 1, 11, and the mobile communication device 6, 8 using one of the well-known algorithms. Furthermore it serves for generation of encryption keys using some well-known algorithm.
  • the security device 4, 9 may also contain an authentication component, which consists of some or all of the following components: a smart card reader, a wireless smart card reader, a fingerprint reader, a keyboard, or another device verifying the identity of the user of the security device 4, 9.
  • the secure data storage 5, 10 serves for storage of user data. Before data is written to the secure data storage 5, 10 it is encrypted with one of the well-known algorithms, especially by the security device 4, 9.
  • the mobile communication device 6, 8 serves for communication between two communicating parties over the operator's network 7. Furthermore it serves for control of communication among other modules of the system, mainly between the security device 4, 9 and the audio module 1, 11.
  • the mobile communication device 6, 8 can be, for example, a
  • the operator's network 7 serves for transfer of data between two mobile communication devices 6, 8, or between a mobile communication device 6, 8 and the server system 14.
  • the operator's network 7 can be for example GSM, CDMA, AMPS, Iridium, Tetra or WiFi.
  • the server system 14 mainly provides registration services for end users and guarantees the validity of certificates together with long-term authentication or other encryption keys. Furthermore, the server system 14 can serve as an intermediary in communication between two or among several mobile communication devices 6, 8. The server system 14 communicates with mobile communication devices over the operator's network 7.
  • the device 25 (Figure 2) serves for encryption and decryption of voice and data acquired from the user interface 31, encryption and decryption of voice and data from a mobile device, or a device connected to a computer network 28, user authentication 29, and access to the mobile device, or the device connected to the computer network 28.
  • the device 25 consists of the following parts: a user interface 31, a security core 32, a communication component 33,
  • the user interface 31 serves for input of voice, data, and authentication data from the user 29, output of voice and data for the user 29, and informs about the state of the device 25.
  • the user interface 31 consists of a voice processing module 18, a user interface module 19, and a user authentication module 20.
  • the voice processing module 18 converts analog signal from the microphone 30 into digital signal, further processes the signal obtained in this way, compresses it and packetizes it for other parts of the device, especially for the control module 17 and the security module 15.
  • the voice processing module 18 further decompresses packets acquired from the control module 17 and the security module 15, and converts this decompressed digital signal into analog signal for the loudspeaker 30.
  • the user interface 19 contains an interface for input of information from the user 29, which is a button or a keypad, possibly both a button and a keypad, and an interface for information from the device 25 for the user 29, which are control lights or a display, possibly both control lights and a display.
  • the user authentication module 20 contains some or all of the following components depending on the configuration and requirements for the device 25: a smart card reader, a wireless smart card reader, a fingerprint reader, a keyboard, and possibly another device verifying the identity of the user 29 of the device 25.
  • the security core 32 of the device serves for encryption and decryption of data and voice acquired from the user interface 31 or the communication component 33; verification of authentication data from the user interface 31
  • the security core of the device 32 consists of secure data storage 16, a security module 15 and a control module 17.
  • the secure data storage 16 serves for storage of data of the user 29. Before being written to the secure data storage 16 data is encrypted with a well-known algorithm. This encryption is carried out mainly by the security module 15 or the control module 17.
  • the security module 15 contains the following modules:
  • Encryption module for encryption and decryption of data using one of the well-known algorithms, especially data coming from the control module 17, the voice processing module 18, and the secure data storage 16
  • the control module 17 provides data exchange and processing among the following modules: the voice processing module 18, the user interface module 19, the user authentication module 20, the secure data storage 16, the security module 15, the wired transfer module 22, and the wireless transfer module 21. This module also controls other modules, especially the voice processing module 18, the user interface module 19, the user authentication module 20, the secure data storage 16, the security module 15, the wired
  • the communication component 33 serves for transfer of voice, data, and authentication data from the security core 32 of the device into the mobile device, or the device connected to the computer network 28 using the wired transfer module 22, or the wireless transfer module
  • the wired transfer module 22 serves as a communication interface physically connecting the device 25 with the external mobile device or the device connected to the computer network 28.
  • Examples of a wired transfer module 22 are the well-known serial interfaces like USB, RS232, I2C, SPI, or the well-known parallel interfaces like Centronics, ISA, PCI, PCMCIA.
  • the wireless transfer module 21 serves as a wireless communication interface between the device 25 and the external mobile device or the device connected to the computer network 28.
  • Examples of a wireless transfer module 21 are the well-known wireless interfaces like 802.11b, 802.11g, Bluetooth.
  • the power supply 34 provides electric power to the device 25. When an external DC power supply 26 is connected, or the device is powered from the signal bus 27, the battery 24 can be recharged.
  • the power supply 34 consists of a power control module 23 and a battery
  • the power control module 23 controls electric power supply to the device 25 and recharges the battery 24.
  • the device may be powered by the external DC power supply 26, from the signal bus 27 or the battery 24.
  • the battery 24 serves as a backup power supply for the device 25.
  • FIG. 3 An implementation of this invention is shown in Figure 3. Numbers in the sequel refer to Figure 1.
  • the audio module 1, 11, the security device 4, 9, and the mobile communication device 6, 8 are implemented as three separate devices. Voice communication between communicating parties is converted from analog signal to digital signal and vice versa in the audio module 1, 11.
  • the audio module 1, 11 implements compression and decompression of the digital signal and its packetization.
  • the security device 4, 9 serves for encryption and decryption of digital signal, and generation of encryption keys.
  • the security device 4, 9 consists of secure data storage 5, 10, where user and system data is stored.
  • the security device 4, 9 is connected to the mobile communication device 6, 8 either wirelessly or with a wired connection.
  • the mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted
  • the audio module 1, 11 and the mobile communication device 6, 8 form one indivisible device, while the security device 4, 9 is a separate device, which is connected to the audio module 1, 11 and the mobile communication device 6, 8 either wirelessly or through a wired connection (Figure 4).
  • the audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization.
  • Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9.
  • the security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys.
  • the security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored.
  • the security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8.
  • the mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
  • the mobile communication device 6, 8 and the security device 4, 9 form one indivisible device, while the audio module 1, 11 is a separate device connected to the mobile communication device 6, 8 and the security device 4, 9 either wirelessly or through a wired connection (Figure 5).
  • the audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization.
  • Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9.
  • the security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys.
  • the security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored.
  • the security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8.
  • the mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
  • the mobile communication device 6, 8, the security device 4, 9, and the audio module 1, 11 are one indivisible device.
  • the audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization.
  • Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9.
  • the security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys.
  • the security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored.
  • the security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8.
  • the mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
  • the audio module 1, 11 and the security device 4, 9 form one indivisible device, while the mobile communication device 6, 8 is a separate device, which is connected to the audio module 1, 11, and the security device 4, 9 either wirelessly or through a wired connection (Figure 7).
  • the audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization.
  • Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9.
  • the security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys.
  • the security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored.
  • the security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8.
  • the mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
  • FIG. 8 Another preferred implementation of the invention is shown in Figure 8.
  • communicating parties do not communicate directly over the operator's network 7, as in examples 3 to 7, but through a server system 14.
  • the server system 14 serves as an intermediary in communication between two or among several mobile communication devices 6, 8.
  • the server system 14 communicates with the mobile communication devices 6, 8 over the operator's network 7.
  • the server system 7 is able to provide interconnection of two or several mutually incompatible networks and to provide partial anonymity of the communicating parties.
  • FIG. 9 Another preferred implementation of the invention is shown in Figure 9.
  • the server system 7 provides registration services to end users, and guarantees the validity of certificates together with long-term authentication or other encryption keys.
  • the security device 4, 9 generates a key pair.
  • the public key in the key pair is sent to the mobile communication device 6, 8 together with data about the user.
  • the mobile communication device 6, 8 sends this data to the server system 14, which generates a certificate signed by the server system 14.
  • the certificate is sent to the mobile communication device 6, 8 and stored in the secure data storage 5, 10.
  • Such registration in the system with help from the server system 14 can be
  • the registration of a user in the system is carried out in the security device 4, 9 itself (Figure 10).
  • the security device 4, 9 generates a key pair.
  • the public key in the key pair and data about the user are used to generate a certificate for the user.
  • This certificate is next stored in secure data storage 5, 10.
  • Such registration into the system can be used in all examples 3 to 8.
  • Another possible implementation of the invention is physically separate secure data storage 5, 10 implemented by a smart card, a memory card, or another memory medium connected through a wired connector or wirelessly via e.g. an RFID interface.
  • the secure data storage 5, 10 stores user and system data, possibly also certificates and contacts to other users of the system.
  • Such a configuration of the secure data storage 5, 10 can be used in all examples 1 to
  • FIG. 11 Another preferred implementation of the invention is shown in Figure 11.
  • Setting up a connection between a mobile communication device A 6 and a mobile communication device B 8 depends upon an exchange of keys that takes place between the security device A 4 and the security device B 9.
  • This exchange of keys is based on a well-known algorithm, for example Diffie-Hellman, the Station-to-Station protocol, Shamir's three-pass protocol, Comset, EKE, etc.
  • the mobile communication device A 6 displays the parameters of the certificate, e.g. the phone number of the mobile communication device B 8.
  • the user of the mobile communication device A 6 thus compares the displayed parameters with the parameters of the user, with whom he/she initially established communication. For example, he/she verifies the phone number of the user he/she called with the displayed phone number.
  • the security device A 4 signs the public keys, the certificate of module A, Diffie-Hellman system parameters (p, g), and using the generated key encrypts the abovementioned signature and the certificate with the data of the user of the mobile communication device A 6: $E_k(\mathrm{Cert}_A, S_A(\mathrm{Cert}_A, (p, g), g^x, g^y))$.
  • the communication module A sends $E_k(\mathrm{Cert}_A, S_A(\mathrm{Cert}_A, (p, g), g^x, g^y))$, which is decrypted on the side of the mobile communication device B 8.
  • the signature is verified, and the parameters from the certificate of the security device A 4 are displayed.
  • a secure encrypted communication channel between the two mobile communication devices 6, 8 can be established using a well-known symmetric encryption algorithm, for example AES with key length of 256 bits.
  • AES symmetric encryption algorithm
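
The registration items (the server system 14 signing a certificate over the user data and public key) and the key-exchange items above (A sending E_k(Cert_A, S_A(Cert_A, (p, g), g^x, g^y)) for B to decrypt, verify and display) can be followed end to end in the added example below, which is not part of the patent text. Assumptions: Schnorr signatures, the RFC 2409 1024-bit group, a SHA-256 keystream with HMAC standing in for AES-256, and all function names and the phone number are chosen here for illustration.

```python
import hashlib, hmac, json, secrets

# 1024-bit MODP group (Oakley Group 2, RFC 2409): P = 2Q + 1 and G = 2 has prime order Q.
# Kept small to fit the listing; a deployment would use a group of 2048 bits or more.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def H(*parts):
    # SHA-256 over length-prefixed parts, so field boundaries are unambiguous.
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def check_element(y):
    # Reject values outside the order-Q subgroup before using them as g^x or g^y.
    if not (1 < y < P - 1 and pow(y, Q, P) == 1):
        raise ValueError("invalid group element")

def sign(priv, *msg):
    # Schnorr signature: an assumed scheme, the page does not name one.
    k = secrets.randbelow(Q - 1) + 1
    e = int.from_bytes(H(pow(G, k, P), *msg), "big") % Q
    return [e, (k + e * priv) % Q]

def verify(pub, sig, *msg):
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q and 1 < pub < P - 1):
        return False
    r = pow(G, s, P) * pow(pub, Q - e, P) % P   # g^s * pub^(-e) recovers g^k
    return e == int.from_bytes(H(r, *msg), "big") % Q

def keystream_xor(key, nonce, data):
    stream = b"".join(H(key, "enc", nonce, i) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, data):
    # Encrypt-then-MAC stand-in for E_k; the page names AES-256, which needs a library.
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, data)
    return nonce + ct + hmac.new(H(key, "mac"), nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(H(key, "mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return keystream_xor(key, nonce, ct)

def issue_cert(server_priv, phone, pub):
    # Registration: the server system signs the user data and the public key.
    return {"phone": phone, "pub": pub, "sig": sign(server_priv, "cert", phone, pub)}

def cert_bytes(cert):
    return json.dumps(cert, sort_keys=True).encode()

def a_auth_message(a_priv, cert_a, x, gx, gy):
    # A -> B: E_k(Cert_A, S_A(Cert_A, (p, g), g^x, g^y)), with k derived from g^xy.
    check_element(gy)
    k = H("session key", pow(gy, x, P))
    sig = sign(a_priv, cert_bytes(cert_a), P, G, gx, gy)
    return seal(k, json.dumps({"cert": cert_a, "sig": sig}).encode())

def b_accept(server_pub, y, gx, gy, blob):
    # B's side: returns the phone number to display, or raises ValueError.
    check_element(gx)
    k = H("session key", pow(gx, y, P))
    msg = json.loads(unseal(k, blob))
    cert = msg["cert"]
    if not verify(server_pub, cert["sig"], "cert", cert["phone"], cert["pub"]):
        raise ValueError("certificate was not issued by the server system")
    if not verify(cert["pub"], msg["sig"], cert_bytes(cert), P, G, gx, gy):
        raise ValueError("signature does not cover the values B exchanged")
    return cert["phone"]

def demo():
    server_priv, server_pub = keygen()
    a_priv, a_pub = keygen()                                   # long-term key of device A
    cert_a = issue_cert(server_priv, "+000 555 0100", a_pub)   # constructed phone number
    (x, gx), (y, gy), (m, gm) = keygen(), keygen(), keygen()   # ephemeral exponents
    shown = b_accept(server_pub, y, gx, gy, a_auth_message(a_priv, cert_a, x, gx, gy))
    # A relay that swapped its own g^m into both directions shares one key with A and
    # another with B, so it can re-encrypt A's message, but not re-sign it.
    from_a = a_auth_message(a_priv, cert_a, x, gx, gm)
    inner = unseal(H("session key", pow(gx, m, P)), from_a)
    relayed = seal(H("session key", pow(gy, m, P)), inner)
    try:
        b_accept(server_pub, y, gm, gy, relayed)
        return shown, "accepted"
    except ValueError as err:
        return shown, str(err)
```

The relayed message decrypts and carries a valid certificate, yet B rejects it because the signature binds the exponentials A actually saw; the displayed phone number is what the user then compares out of band.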

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention concerns a system and a device for secure mobile communication. The principle lies in the fact that it uses mobile communication devices (6, 8), e.g. mobile phones or smartphones, in the environment of a mobile communication network to establish a highly secure voice and data communication link between communicating parties. The system consists of an audio module (1, 11), a security device (4, 9), secure data storage (5, 10), a mobile communication device (6, 8), the operator's network (7), and a server system (14). The principle of this invention is setting up a direct secure communication link between two mobile communication devices (6, 8) or terminals, and key management between them. Another principle is development of a highly modular system that can be to the most universal extent possible adjusted to security and infrastructure requirements and whose relevant modules can be easily upgraded remotely. The solution also concerns development of a highly secure, compact and ergonomic security device (4, 9).

Description

APPARATUSES FOR ESTABLISHING A HIGHLY SECURE VOICE AND DATA LINK BETWEEN COMMUNICATING PARTIES
Technology area
The invention concerns mobile telephony and encryption of communication through mobile communication devices. More precisely, it addresses encryption of a direct communication channel between two mobile communication devices. The invention includes a special security device that provides security and support functionality for such
Current state of technology
Usage of mobile phones is almost omnipresent. This phenomenon, almost unknown in the eighties, is today the most common means of communication at longer distances. The most important advantage of this technology is, of course, that it is wireless, independent of fixed connections and fully mobile, only limited by signal coverage.
This means of communication also brings disadvantages. First of all, it is substantially simpler to eavesdrop on a conversation carried by a signal obtained from the environment than on classical wired connections. Although legal regulations in general discourage anyone from taking part in communication to which he/she is not a legal party, such attempts are becoming more frequent and simpler due to advancing and cheaper technology. The problem is aggravated by the fact that such eavesdroppers are almost untraceable, and for this reason they remain anonymous.
Another problem of security and trust in mobile communication is the fact that data is not encrypted on the side of the provider of mobile communication services, i.e. the mobile operator. Communication is carried over the infrastructure of the mobile operator unencrypted. This means that the communication is accessible to people in the vicinity of this infrastructure. First of all these people include system administrators, technicians, service personnel, service providers and similar institutions together with technical means connected to the infrastructure of the mobile operator. In the case of illegal interest all these people are able to carry out eavesdropping on mobile communication under specific
A serious obstacle to deployment of security tools for mobile communication devices is the variety of these devices. This does not only apply to manufacturers of mobile phones, who often offer devices that are not compatible even with their own interfaces, but also to mobile communication systems themselves. The most well-known communication systems are GSM, CDMA (IS95), AMPS (Advanced Mobile Phone Service), Iridium, Tetra (TErrestrial Trunked RAdio). Each wireless device features a different user interface, a different operating system, and different communication interfaces. This makes the situation for potential manufacturers of encryption devices much worse, because they have to develop devices compatible only with certain mobile devices. Moreover, a customer who wants to switch to a different type of a mobile phone has to buy a new encryption device for the new phone as well. In practice, this brings along another problem. Mobile phones have a relatively short life time. The development of an encryption device for a new type of a mobile phone also takes some time. When a new model is introduced, the older model disappears from the market. This represents a relatively high risk factor to both the customer and the manufacturer. A related problem is certification of such devices for the purpose of government agencies or special customers. Each module requires separate certification. Such a process is often costly and lengthy. For this reason certification of several types of one device is inefficient and financially less rewarding.
In the last ten years several solutions that address these issues have been developed. Some of them are publicly available.
Solutions for encryption of communication over standard digital or analogue communication lines have been developed. Among these is the solution in the US patent No. 6,266,418, which describes a device for coding, encryption, and key management. The device physically attaches to a standard analogue or ISDN phone. However, this device cannot be used with a mobile phone. A similar device is described in the US patent No. 6,044,158. This is again, a separate encryption device designed to securely transfer data across standard phone lines. The device monitors communication. When the device detects a security tone, it routes data through encryption and decryption modules in order to provide a secure
A solution implementing encryption with the help of a special device that connects to standard phone lines or mobile lines is described for example in the US patent No. 5,410,559. This is a separate hardware device for data and voice as well. Its versatility is limited. In the case of wireless portable phones its connection to the communication system requires special modifications to integrate the device into the mobile phone.
This technology has led to more advanced devices that can connect to mobile phones through an electric connector. Such devices are described in the US patent No. 5,787,180. Although in theory this solution allows connection of such an encryption device to most types of mobile phones, for each specific type of a phone, hardware modification to the phone itself and manual intervention into its integrity is required, which may potentially cause damage to the phone. This requires work by a qualified service technician. A similar solution is also described in the US patent application No. 2004/0029562. The device connects to a mobile phone and functions as a proxy server. These issues are marginally addressed in the US patent No. 5,568,553, where scrambling for mobile devices is proposed. The device is based on the principles described above, but it uses scrambling instead of
Certain technologies use the mobile phone as a radio transmitter and receiver, while most functionality is implemented in an external device connected to the phone. Such a solution is, for example, described in the US patent No. 6,782,102. The special device features a separate display and its own keypad. It completely provides processing and encryption of voice. This solution also requires a permanent connection of such a device to the mobile phone. Each series requires a separate interface module together with communication software. A similar solution is also described in the EP patent No. 0818937. In this case a separate encryption device also connects to a supported mobile phone, which functions as a communication means with
In the process of secure communication, certain technologies employ a special server installed on the network, which provides for the operation of the system and some other support functionality as well. Such a system is described in the US Patent No. 6,275,573. Besides a direct encrypted channel between two phone terminals, the system can also be operated indirectly by the means of the server. This provides the possibility to monitor the network by a superordinate authority and to a certain extent to make the identification of communicating parties harder for a third unauthorized party as well. The authors do not address any issues related to the structure and properties of mobile phones or auxiliary
The solution described in the US patent No. 6,137,885 describes a way to connect two mobile terminals communicating directly by radio without any intermediary or at most within the same base station. In this case, encryption could be applied in such a way that data would not travel unprotected in the operator's network. The solution employs existing algorithms for standard encryption of a communication process with all their shortcomings. A real implementation would require substantial changes to mobile phones. Moreover, the operator would have to carry out changes in the end points of the network as well. The key management is standard.
Techniques similar to the approaches described above are, for example, described in the patent No. WO03063409. It proposes a system for ensuring secure communication of data over a mobile network. It mainly deals with establishing a secure communication link in a specific way. Another solution is described in the patent No. WO03061188, which describes a system based on a virtual private network, established by the means of IPsec, which is also able to function in a mobile environment. The solution aims at establishing a secure link in a heterogeneous environment. The US patent application No. 2004/0180694 describes a specific device - a mobile phone with an encryption and decryption module that is able to encrypt and decrypt documents in extended memory. The application does not deal with encrypting voice
The above-mentioned solutions are supported by key management. Such systems require key management that meets requirements characteristic for mobile communication, as for example portability, resistance to unauthorized use, etc. The purpose of this key management is to deliver encryption keys for specific algorithms. Renewal of keys takes place at prescribed intervals. In case the same device is used by several users or for several purposes, these users are authenticated so that keys are used only by an authorized user.
For example, a possible solution is described in the patent No. EP 1376924. The system aims at encrypting a direct communication link between two mobile phones, and key management using removable smart cards. This solution provides for the possibility of changing this card as well as using the card in other systems as well. The shortcomings of this solution are that it does not propose a practical interconnection of this security element with a communication system and possible ways to upgrade the key management. It does not deal
Secure storage for sensitive personal data, first of all, secret encryption keys, private data, certificates, etc., is a separate problem in the area of secure communication. Compared to storing data in a mobile phone, storage in a special device has the potential to provide higher level of security of sensitive information as well as to provide authorized access to the data. Current solutions for data storage in mobile phones, which highly depend on the user interface provided by the mobile phone manufacturer, provide only very limited possibilities to create such a system. In fact the only standardized element suitable for such storage is the SIM card (subscriber identity module). Connecting or inserting a special dedicated device or module provides a real possibility for creating really secure storage for sensitive data. Such storage is implemented as a separate memory device or a combined device including encryption functionality as well. In some systems a smart card is used as the secure storage, which makes these systems more flexible in respect to user requirements and potential compatible systems.
For example, the solution described in the US patent application No. 2004/0059921 also belongs to this group of implementations of secure storage. The proposed security method also includes a network component that implements the functionality of key storage and provides general and security functions as well. These procedures are proposed for the environment of IP networks of LAN and WAN type with unspecified infrastructure utilizing "Voice over IP" technology. This solution may also include a card implementing security functions. The patent application does not deal with connecting such a device to a mobile phone. It can only use it in specific cases via a gateway as a part of an IP communication path to another communication device on an IP network of LAN or WAN type.
These approaches have led to more advanced technology and devices that can connect to mobile phones wirelessly. A group of leading manufacturers in the area of information and telecommunication technology has agreed upon specification and promotion of a suitable standard for wireless connection of portable computers, wireless headphones, microphones, and similar devices to mobile phones. This technology is designed for communication over shorter distances. It is called Bluetooth. Bluetooth can establish a wireless connection between a mobile phone and another device at the distance of several meters. In this way one can set up a simple network containing a computer, a printer, a handheld, a mobile phone, a keyboard, a mouse, etc. Bluetooth communication itself is relatively secure in respect to both authentication
The solution described in the US patent application No. 2002/0114467 also implements secure storage in this way. The described security device uses a Bluetooth wireless interface for communication with a mobile phone. The device implements data encryption, data decryption, and electronic signature as general standardized methods. It also contains storage for encryption keys. It also describes a way to connect a smart card. An external connection in the form of on-line bank terminals or cash registers is preferred. An advantage of this solution is that it does not require any modification to the mobile device in order to provide data encryption and electronic signature, while the connection to the mobile phone is relatively simple. However, the solution does not address an essential problem how to modify a mobile phone so that the functionality provided by the device is in fact usable. Moreover, this solution does not cover voice communication by the means of mobile phones. It only deals with data communication using text messages. Its main area of utilization is in the area of on-line banking, bank services, cash registers, and vending machines.
Techniques similar to the ones mentioned above and aimed at authentication are, for example, described in the US patent application No. 2003/0095044. It describes a device that implements authentication and possible blocking of a mobile electronic system. This solution prefers the Bluetooth protocol for communication. A comparable solution is described in the US patent No. 6,766,160, which proposes an authenticator for mobile terminals connected through Bluetooth. The mobile phone itself can act as the authenticator. Another solution described in the US patent No. 6,745,326 implements authentication by the service provider through a secure communication link over the telecommunication network.
Solutions that marginally concern the area of secure communication are described, for example, in the US patent No. 6,711,262 - check of applications stored in a SIM module, in the US patent application No. 2004/0030906 - authentication by the means of SMS using the mobile phone's IMEI as the encryption key, in the US patent No. 6,728,553 - integration of a SIM card with a security smart card, and in the US patent application No. 2004/0205248 - encryption and decryption of messages in mobile devices using temporary storage of keys. Transaction and payment systems utilizing security mechanisms in mobile communication are described in US patent No. 6,237,093, US patent No. 6,169,890, US patent No. 2003/0008637, and WO patent application No. 2004/079676.
Despite the fact that principles of voice and data encryption for mobile phones are in general known, many shortcomings and problems yet remain unsolved. The most important unsolved problem is that there is no design of an encryption system that:
• can be really easily deployed with a multitude of mobile devices without any intervention into their integrity, and with minimal extra effort needed for any required specific modifications
• does not require additional connected external devices
• maintains high level of security of communication and storage of sensitive data
• provides sufficient quality of connection
Nature of the invention
The system based on this invention solves problems and eliminates shortcomings and disadvantages of current technology, especially most of those described above.
The nature of this invention is a system for secure mobile communication utilizing mobile communication devices in the environment of a mobile communication network to establish highly secure voice and data communication among communicating parties. The system consists of:
• Audio modules for conversion of analog signal from the microphone into digital signal, further processing of this signal, compression and packetization for further modules, decompression of packets, conversion of the decompressed digital signal into analog signal
• Security device for data encryption and decryption, security and support functions, and generation of encryption keys also containing an authentication part;
• Secure data storage for storage of user and system data;
• Mobile communication device for communication between two communicating parties over the operator's network, and to control communication among other modules of the
• The operator's network serving mainly for data transfer between two mobile communication devices, or between a mobile communication device and a server system;
• Server system that mainly provides registration services to end users, guarantees validity of certificates together with long-term authentication or other encryption keys, and acts as an intermediary in communication between two or among several mobile
Depending on the particular implementation of the invention the audio module consists of:
• Separate device that connects to a mobile communication device or a security device.
• Submodule within the mobile communication device
• Submodule within the security device.
In other implementations of the invention the secure storage module consists of a separate device, a smart card, a bank card, or a SIM card that can be connected to the security device or the mobile communication device, or a submodule within the security device or a submodule within the mobile communication device.
In other implementations of the invention the server system module consists of a separate device, a combination of devices, or a submodule within the mobile communication
The security device contains memory, in which a security and control program is
This program is subject to modification through a local or remote upgrade.
Depending on the particular implementation the mobile communication device contains memory, in which a security and control program is loaded.
The solution also concerns the security device implemented in the system, which has the following components:
• User interface providing services for input of voice, data, and authentication data from the user, output of voice and data for the user, and informing the user about the state of the device. The user interface consists of a voice processing module, a user interface module, and a user authentication module;
• Security core device providing mainly services for encryption and decryption of data and voice acquired from the user interface or the communication component, services for verification of authentication data from the user interface, implementation of electronic signature. The security device consists of a security module, a control module and local secure data storage.
• Communication component providing mainly services for transfer of voice, data, and authentication data from the security core of the device to the mobile communication device or a device connected to a computer network. The communication component consists of a wired transfer module or a wireless transfer module.
• Power supply providing mainly electric power supply to the security device. The power supply consists of a power control module and a battery.
The security device contains a wireless interface for communication between the security device (4, 9) and a mobile communication device, usually of Bluetooth, WiFi or IrDA type, alternatively in specific cases also a wired connection like USB, mini USB, or IEEE 1394.
The idea of this invention is to use mobile communication devices, for example, mobile phones or smartphones in the environment of a mobile communication network to set up a highly secure voice and data communication link between communicating parties.
Another idea of this invention is development of a highly modular system, which can be adjusted to security and infrastructure requirements to the biggest extent possible. The system can cooperate with a wide scale of supported mobile communication devices from various manufacturers without any need to adjust the system to various types of mobile communication devices.
Another feature of this invention is the possibility to easily upgrade relevant modules of the system remotely. This feature is essential in regards to the requirement for the universality of the system and newly introduced types of mobile communication devices.
Another feature of this invention is that it provides roaming among those operators of the mobile communication network, who support transfer of data usable for encrypted voice communication. Data transfer itself requires only standard procedures in the process of connection, because specific procedures available only with particular mobile communication devices or within the mobile communication network of a particular operator do not guarantee functionality and roaming in networks of other operators or with other mobile communication devices. In specific cases such functionality can be implemented, but parallel compatibility with abovementioned solution is necessary in order to maintain roaming.
Another feature of this invention is development of a compact, ergonomic, highly secure, and affordable security device. This device connects to a mobile communication device through a standard wireless, alternatively wired connection. The device provides security and support functionality to the mobile communication device, and implements key management and secure data and key storage.
Another feature of this invention is the usage of a memory card, a SIM card or a smart card as secure data storage. Depending on the properties of the card, it can also be used as an encryption device, an authentication device, or a device providing support functionality. The card is removable and inserted in the security device, possibly in the mobile communication device, if the device supports it.
Another feature of this invention is establishing trust between end users of mobile communication devices. The server system mainly provides registration services to end users and guarantees the validity of certificates together with long-term authentication or other encryption keys. In the case of a system, where no server system is used, total guaranteed trust between end users is also ensured by a direct alternative channel, which can, for example, be visual (a display), audio, data channel etc.
Another feature of this invention is the usage of a server system as an intermediary in communication between two or among several mobile communication devices. Such a connection may be established due to unavailability of direct connection between two mobile communication devices, when a conference connection among several mobile communication devices is required, for security reasons, due to need for supervision over communication, or in order to provide for the anonymity of a connection between two communicating mobile communication devices. In order to maintain high level of security the server system provides connection of mobile communication devices at the level of data transfer. Setting up a direct secure channel is carried out by the mobile communication devices themselves without any
Another feature of this invention is provision of high quality real time encryption regardless of which module of the system is doing it. Delays in communication or dropouts have to be negligible in regards to the total delay in the system.
Another feature of this invention is setting up a direct secure channel between two mobile communication devices or terminals and key management between them. The integrity of the direct communication channel is not broken when further elements of the communication network are present on the communication route between the two mobile communication devices, e.g. routers, firewalls, gateways connecting networks of various types, switching
Another feature of this invention is setting up a secure data connection between two mobile communication devices. After a successful synchronization of both mobile communication devices (their modem modules), an encryption key for securing the communication data channel is obtained with the help of algorithms for generation or negotiation of a shared encryption key. Common algorithms for key generation or negotiation are, for example, of hierarchical type or employ algorithms like Diffie-Hellman, RSA, Station-To-Station. These encryption keys are generated for each voice call separately, if the system allows for it. After the completion of a call these keys are automatically destroyed, if there is no specific reason to store them.
Another feature of this invention is implementation of a relatively good audio codec for voice compression and processing compared to common systems, for example GSM. The bit rate of the output compressed stream is sufficiently low in respect to the capacity of the network. The processing of voice also contains features that ensure its high quality and eliminate unwanted artifacts as for example echo, feedback, unwanted noise, dropouts in the communication channel etc.
The solutions, described in this patent, use the operator's network for communication between two mobile communication devices. The operator's network can be for example of GSM, CDMA (IS95), AMPS (Advanced Mobile Phone Service), Iridium, Tetra (TErrestrial Trunked RAdio) or WiFi type. In specific cases devices can also use another way of communication, for example a direct channel through Bluetooth, USB, or an IP network.
The principle of the invention lies in the versatility of its modules. From this point of view the most important and critical modules are the mobile communication device and the security device. From the point of versatility and wide compatibility the architectural properties of the software of both modules are essential. In the case of a mobile communication device it is essential to develop such software that can function in mobile communication devices running under given operating system, e.g. Symbian OS, Palm OS, Windows Mobile Pocket PC, Windows Mobile Smartphone or Linux. The software eliminates differences in access to the resources of the mobile communication device, as well as fully
The internal structure of the security device is to a big extent autonomous. This device is universal in the system, because it is connected with the mobile communication device through a wireless interface, e.g. Bluetooth, WiFi, or IrDA. Other wired connections, e.g. battery recharging, USB, mini USB, or IEEE 1394 serve other purposes or as an alternative connection. The communication interface of the security device complies with relevant standards. For this reason its connection to another device is transparent unlike wire connectors, which are of many types on the mobile communication devices market, and which change in time. These properties ensure that the security device can also be used as secure data storage, a key manager, or implement support functionality for other devices. Its functionality and usage are not restricted to only those mentioned above. The security device can also be used as a security, transaction, or authentication module not only with a mobile communication device, but also with a parking terminal, cash register, bank terminal, desktop computer, portable computer, pocket computer, vending machine, device for input control, etc.
Some mobile communication devices are not able to provide all the functionality that is required for the operation of a system based on this invention. Computational power and access to resources of mobile communication devices are usually set by the manufacturer and are limited by the available operating system. This concerns mainly functions like encryption and decryption in real time, compression and decompression of voice in real time, input from and output to the audio module, full-duplex communication, user authentication etc. In such a case the security device provides full support of this functionality to the mobile communication device. Software of a mobile communication device that cannot support this functionality in full extent provides at least limited functionality of secure voice transfer, for example, using less demanding modes of secure voice transfer from the point of computational complexity and real time communication. In this case communication in the form of half-duplex operation, simplex operation, voice messages, etc. is possible.
Survey of figures on drawings
The invention is in more detail explained in the following description using examples of implementation referring to attached drawings:
Figure 1 shows a system built on the basis of this invention.
Figure 2 shows the block diagram of the device for mobile communication.
Figure 3 shows an arrangement of the modules of the system, where the individual modules are implemented as separate devices.
Figure 4 shows an arrangement of the modules of the system, where the audio module and the mobile communication device form one indivisible device and the security device is a separate device.
Figure 5 shows an arrangement of the modules of the system, where the mobile communication device and the security device form one indivisible device and the audio module is a separate device.
Figure 6 shows an arrangement of the modules of the system, where the mobile communication device, the security device, and the audio module form one indivisible device.
Figure 7 shows an arrangement of the modules of the system, where the audio module and the security device form one indivisible device, and the mobile communication device is a separate device.
Figure 8 shows an arrangement of the modules of the system, where the communicating parties do not communicate directly over the operator's network, but through a server
Figure 9 shows an arrangement of the modules of the system, where user registration into the system is implemented by the means of a server system.
Figure 10 shows an arrangement of the modules of the system, where the registration of a user into the system is implemented in a separate security device.
Figure 11 shows the setup of a connection between a mobile communication device A and a mobile communication device B.
Examples of implementation of the invention
Example 1
Figure 1 shows a system built on the basis of this invention, which consists of the following modules: an audio module 1, 11, a security device 4, 9, secure data storage 5, 10, a mobile communication device 6, 8, the operator's network 7, and a server system 14. Individual modules of the system communicate either wirelessly or through wired connections. Examples of wireless communication are the well-known wireless interfaces like 802.11b, 802.11g, Bluetooth, or over the operator's network. Examples of communication over wired connection are the well-known serial interfaces like USB, RS232, I2C, SPI, or the well-known parallel interfaces like Centronics, ISA, PCI, PCMCIA.
The audio module 1, 11 converts analogue signal from the microphone 2, 12 into digital signal, further processes this signal, compresses it, and packetizes it for further modules, especially for the security device 4, 9 and the mobile communication device 6, 8. The audio module 1, 11 further serves for decompression of packets acquired from the security device 4, 9 and the mobile communication device 6, 8, and for conversion of the decompressed digital signal into analog signal for the loudspeaker 3, 13.
The security device 4, 9 serves for encryption and decryption of data acquired especially from the audio module 1, 11 and the mobile communication device 6, 8 using one of the well-known algorithms. Furthermore it serves for generation of encryption keys using some well-known algorithm. The security device 4, 9 may also contain an authentication component, which consists of some or all of the following components: a smart card reader, a wireless smart card reader, a fingerprint reader, a keyboard, or another device verifying the identity of the user of the security device 4, 9.
The secure data storage 5, 10 serves for storage of user data. Before data is written to the secure data storage 5, 10 it is encrypted with one of the well-known algorithms, especially by the security device 4, 9.
The mobile communication device 6, 8 serves for communication between two communicating parties over the operator's network 7. Furthermore it serves for control of communication among other modules of the system, mainly between the security device 4, 9 and the audio module 1, 11. The mobile communication device 6, 8 can be, for example, a
The operator's network 7 serves for transfer of data between two mobile communication devices 6, 8, or between a mobile communication device 6, 8 and the server system 14. The operator's network 7 can be for example GSM, CDMA, AMPS, Iridium, Tetra or WiFi.
The server system 14 mainly provides registration services for end users and guarantees the validity of certificates together with long-term authentication or other encryption keys. Furthermore, the server system 14 can serve as an intermediary in communication between two or among several mobile communication devices 6, 8. The server system 14 communicates with mobile communication devices over the operator's network 7.
Example 2
The device 25 (Figure 2) serves for encryption and decryption of voice and data acquired from the user interface 31, encryption and decryption of voice and data from a mobile device, or a device connected to a computer network 28, user authentication 29, and access to the mobile device, or the device connected to the computer network 28. The device 25 consists of the following parts: a user interface 31, a security core 32, a communication component 33,
The user interface 31 serves for input of voice, data, and authentication data from the user 29, output of voice and data for the user 29, and informs about the state of the device 25. The user interface 31 consists of a voice processing module 18, a user interface module 19, and a user authentication module 20.
The voice processing module 18 converts analog signal from the microphone 30 into digital signal, further processes the signal obtained in this way, compresses it and packetizes it for other parts of the device, especially for the control module 17 and the security module 15. The voice processing module 18 further decompresses packets acquired from the control module 17 and the security module 15, and converts this decompressed digital signal into analog signal for the loudspeaker 30.
The user interface 19 contains an interface for input of information from the user 29, which is a button or a keypad, possibly both a button and a keypad, and an interface for information from the device 25 for the user 29, which are control lights or a display, possibly both control lights and a display.
The user authentication module 20 contains some or all of the following components depending on the configuration and requirements for the device 25: a smart card reader, a wireless smart card reader, a fingerprint reader, a keyboard, and possibly another device verifying the identity of the user 29 of the device 25.
The security core 32 of the device serves for encryption and decryption of data and voice acquired from the user interface 31 or the communication component 33; verification of authentication data from the user interface 31. The security core of the device 32 consists of secure data storage 16, a security module 15 and a control module 17.
The secure data storage 16 serves for storage of data of the user 29. Before being written to the secure data storage 16 data is encrypted with a well-known algorithm. This encryption is carried out mainly by the security module 15 or the control module 17.
First of all, the security module 15 contains the following modules:
• Encryption module for encryption and decryption of data using one of the well-known algorithms, especially data coming from the control module 17, the voice processing module 18, and the secure data storage 16
• Module for generation of encryption keys using a well-known algorithm
• Encryption key storage module
• Module needed for authentication of the user 29 with help from the user authentication module 20.
The control module 17 provides data exchange and processing among the following modules: the voice processing module 18, the user interface module 19, the user authentication module 20, the secure data storage 16, the security module 15, the wired transfer module 22, and the wireless transfer module 21. This module also controls other modules, especially the voice processing module 18, the user interface module 19, the user authentication module 20, the secure data storage 16, the security module 15, the wired
The communication component 33 serves for transfer of voice, data, and authentication data from the security core 32 of the device into the mobile device, or the device connected to the computer network 28 using the wired transfer module 22, or the wireless transfer module
The wired transfer module 22 serves as a communication interface physically connecting the device 25 with the external mobile device or the device connected to the computer network 28. Examples of a wired transfer module 22 are the well-known serial interfaces like USB, RS232, I2C, SPI, or the well-known parallel interfaces like Centronics, ISA, PCI, PCMCIA.
The wireless transfer module 21 serves as a wireless communication interface between the device 25 and the external mobile device or the device connected to the computer network 28. Examples of a wireless transfer module 21 are the well-known wireless interfaces like 802.11b, 802.11g, Bluetooth.
The power supply 34 provides electric power to the device 25. When an external DC power supply 26 is connected, or the device is powered from the signal bus 27, the battery 24 can be recharged. The power supply 34 consists of a power control module 23 and a battery
The power control module 23 controls electric power supply to the device 25 and recharges the battery 24. The device may be powered by the external DC power supply 26, from the signal bus 27 or the battery 24.
The battery 24 serves as a backup power supply for the device 25.
Example 3
An implementation of this invention is shown in Figure 3. The reference numbers below refer to Figure 1. In this case the audio module 1, 11, the security device 4, 9, and the mobile communication device 6, 8 are implemented as three separate devices. Voice communication between communicating parties is converted from analog signal to digital signal and vice versa in the audio module 1, 11. Furthermore, the audio module 1, 11 implements compression and decompression of the digital signal and its packetization. The audio module 1, 11 is connected to the security device 4, 9 either wirelessly or through a wired connection. The security device 4, 9 serves for encryption and decryption of digital signal, and generation of encryption keys. The security device 4, 9 consists of secure data storage 5, 10, where user and system data is stored. The security device 4, 9 is connected to the mobile communication device 6, 8 either wirelessly or with a wired connection. The mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
Example 4
In another implementation of the invention the audio module 1, 11 and the mobile communication device 6, 8 form one indivisible device, while the security device 4, 9 is a separate device, which is connected to the audio module 1, 11 and the mobile communication device 6, 8 either wirelessly or through a wired connection (Figure 4). The audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization. Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9. The security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys. The security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored. The security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8. The mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
Example 5
In another efficient implementation of the invention the mobile communication device 6, 8 and the security device 4, 9 form one indivisible device, while the audio module 1, 11 is a separate device connected to the mobile communication device 6, 8 and the security device 4, 9 either wirelessly or through a wired connection (Figure 5). The audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization. Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9. The security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys. The security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored. The security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8. The mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
Example 6
Another preferred implementation of the invention is shown in Figure 6. The mobile communication device 6, 8, the security device 4, 9, and the audio module 1, 11 are one indivisible device. The audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization. Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9. The security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys. The security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored. The security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8. The mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
Example 7
In another efficient implementation of the invention the audio module 1, 11 and the security device 4, 9 form one indivisible device, while the mobile communication device 6, 8 is a separate device, which is connected to the audio module 1, 11 and the security device 4, 9 either wirelessly or through a wired connection (Figure 7). The audio module 1, 11 converts analog signal into digital signal and vice versa, implements compression and decompression of the digital signal, and its subsequent packetization. Digital signal from the audio module 1, 11 is sent to or received from the security device 4, 9. The security device 4, 9 serves for encryption and decryption of digital signal, and furthermore for generation of encryption keys. The security device 4, 9 also contains secure data storage 5, 10, where user and system data is stored. The security device 4, 9 either receives encrypted digital signal from or sends encrypted digital signal to the mobile communication device 6, 8. The mobile communication device 6, 8 serves for setting up a connection over the operator's network 7 with another communicating party and for transmission and reception of encrypted digital signal.
Example 8
Another preferred implementation of the invention is shown in Figure 8. In this implementation communicating parties do not communicate directly over the operator's network 7, as in examples 3 to 7, but through a server system 14. The server system 14 serves as an intermediary in communication between two or among several mobile communication devices 6, 8. The server system 14 communicates with the mobile communication devices 6, 8 over the operator's network 7. In this way the server system 7 is able to provide interconnection of two or several mutually incompatible networks and to provide partial anonymity of the communicating parties. Such communication by the means of the server
Example 9
Another preferred implementation of the invention is shown in Figure 9. In this case the registration of a user in the system is carried out by the server system 7. The server system 7 provides registration services to end users, and guarantees the validity of certificates together with long-term authentication or other encryption keys. The security device 4, 9 generates a key pair. The public key in the key pair is sent to the mobile communication device 6, 8 together with data about the user. The mobile communication device 6, 8 sends this data to the server system 14, which generates a certificate signed by the server system 14. Next the certificate is sent to the mobile communication device 6, 8 and stored in the secure data storage 5, 10. Such registration in the system with help from the server system 14 can be
Example 10
In another efficient implementation of the invention the registration of a user in the system is carried out in the security device 4, 9 itself (Figure 10). The security device 4, 9 generates a key pair. The public key in the key pair and data about the user are used to generate a certificate for the user. This certificate is next stored in secure data storage 5, 10. Such registration into the system can be used in all examples 3 to 8.
Example 11
Another possible implementation of the invention is physically separate secure data storage 5, 10 implemented by a smart card, a memory card, or another memory medium connected through a wired connector or wirelessly via e.g. an RFID interface. The secure data storage 5, 10 stores user and system data, possibly also certificates and contacts to other users of the system. Such a configuration of the secure data storage 5, 10 can be used in all examples 1 to
Example 12
Another preferred implementation of the invention is shown in Figure 11. Setting up a connection between a mobile communication device A 6 and a mobile communication device B 8 depends upon an exchange of keys that takes place between the security device A 4 and the security device B 9. This exchange of keys is based on some well-known algorithm as for example Diffie-Hellman, Station-to-Station protocol, Shamir's three pass protocol, Comset, EKE etc. One of possible implementations is the Station-to-Station protocol, where first a random number $x$ is generated using a noise generator in the security device A 4, then a public Diffie-Hellman key $k = g^x \bmod p$ is generated, which is subsequently sent to the security device B 9. Subsequently the security device B 9 generates a random number $y$ using a noise generator and computes a shared key $k = g^{xy} \bmod p$. Then the public keys, the certificate of the security device B 9, the Diffie-Hellman system parameters $(p, g)$ are signed and encrypted with the generated key. The abovementioned signature and the certificate with data of the user of the mobile communication device B 8 are encrypted, especially the phone number, which will later be verified: $E_k(\mathrm{Cert}_B, S_B(\mathrm{Cert}_B, (p, g), g^y, g^x))$. The public key of the module B $k = g^y \bmod p$ is sent to the security device A 4 together with $E_k(\mathrm{Cert}_B, S_B(\mathrm{Cert}_B, (p, g), g^y, g^x))$, where a common key $k = g^{xy} \bmod p$ is generated. After decryption and verification of the signature the mobile communication device A 6 displays the parameters of the certificate, e.g. the phone number of the mobile communication device B 8. The user of the mobile communication device A 6 thus compares the displayed parameters with the parameters of the user, with whom he/she initially established communication. For example, he/she verifies the phone number of the user he/she called with the displayed phone number.
Next the security device A 4 signs the public keys, the certificate of module A, Diffie-Hellman system parameters $(p, g)$, and using the generated key encrypts the abovementioned signature and the certificate with the data of the user of the mobile communication device A 6: $E_k(\mathrm{Cert}_A, S_A(\mathrm{Cert}_A, (p, g), g^x, g^y))$. The communication module A sends $E_k(\mathrm{Cert}_A, S_A(\mathrm{Cert}_A, (p, g), g^x, g^y))$, which is decrypted on the side of the mobile communication device B 8. The signature is verified, and the parameters from the certificate of the security device A 4 are displayed. The user A as well as the user B now have an opportunity to verify the displayed digital fingerprint (hash), which is computed by the corresponding security device 4, 9. By mutual reading they can verify it, which provides protection of the key exchange against a man-in-the-middle attack. After a key exchange has been carried out in this way or using any other well-known algorithm for key exchange, a secure encrypted communication channel between the two mobile communication devices 6, 8 can be established using a well-known symmetric encryption algorithm, for example AES with key length of 256 bits. Such connection establishment can be used in all examples 1 to 9.
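The exchange of Example 12, together with the server-signed certificate of Example 9, carried through as an added example that is not code from the patent. It assumes a toy group (p = 2^521 - 1, g = 3), Schnorr signatures and a hash-counter stream cipher as stand-ins for the unspecified S_A, S_B and E_k; all function names and the phone numbers are hypothetical.

```python
import hashlib
import json
import secrets

# Toy parameters, an assumption for illustration only: p is the Mersenne prime
# 2**521 - 1. Use a vetted group or curve and a vetted crypto library in practice.
P = 2**521 - 1
G = 3

def i2b(n):
    return n.to_bytes(66, "big")  # 66 bytes hold any value mod P

def h(*parts):
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def sign(sk, msg):
    """Schnorr signature, a stand-in for the patent's unspecified S_A / S_B."""
    r, big_r = keypair()
    e = int.from_bytes(h(i2b(big_r), msg), "big")
    return [big_r, (r + e * sk) % (P - 1)]

def verify(pk, msg, sig):
    big_r, s = sig
    if not (0 < big_r < P and 0 < pk < P):
        return False
    e = int.from_bytes(h(i2b(big_r), msg), "big")
    return pow(G, s, P) == big_r * pow(pk, e, P) % P

def stream(key, label, data):
    """Hash-counter keystream XOR, a stand-in for E_k; label separates directions."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = h(key, label, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def enroll(ca_sk, phone):
    """Registration as in Example 9: the server signs (user data, public key)."""
    sk, pub = keypair()
    ca_sig = sign(ca_sk, h(phone.encode(), i2b(pub)))
    return {"sk": sk, "cert": {"phone": phone, "pub": pub, "ca": ca_sig}}

def transcript(cert, first, second):
    cert_bytes = json.dumps(cert, sort_keys=True).encode()
    return h(cert_bytes, i2b(P), i2b(G), i2b(first), i2b(second))

def seal(k, label, user, own_eph, peer_eph):
    """E_k(Cert, S(Cert, (p, g), own exponential, peer exponential))."""
    sig = sign(user["sk"], transcript(user["cert"], own_eph, peer_eph))
    return stream(k, label, json.dumps({"cert": user["cert"], "sig": sig}).encode())

def open_and_check(k, label, blob, ca_pub, peer_eph, own_eph):
    """Return the peer's certified phone number, or None if any check fails."""
    try:
        body = json.loads(stream(k, label, blob))
        cert, sig = body["cert"], body["sig"]
        ok = (verify(ca_pub, h(cert["phone"].encode(), i2b(cert["pub"])), cert["ca"])
              and verify(cert["pub"], transcript(cert, peer_eph, own_eph), sig))
    except (ValueError, KeyError, TypeError, AttributeError, OverflowError):
        return None
    return cert["phone"] if ok else None

def session_key(own_secret, peer_eph):
    return h(i2b(pow(peer_eph, own_secret, P)))  # 32 bytes, sized for AES-256

def fingerprint(gx, gy):
    """Short digest of both exponentials for the two users to read to each other."""
    return h(i2b(gx), i2b(gy)).hex()[:8]

def handshake(ca_pub, a, b, relay=lambda v: v):
    """Run the exchange of Example 12; relay models the path carrying g^x and g^y."""
    x, gx = keypair()                       # A: random x, sends g^x mod p
    gx_seen = relay(gx)
    y, gy = keypair()                       # B: random y, k = (g^x)^y mod p
    kb = session_key(y, gx_seen)
    msg2 = seal(kb, b"B->A", b, gy, gx_seen)
    gy_seen = relay(gy)
    ka = session_key(x, gy_seen)            # A: k = (g^y)^x mod p
    peer_b = open_and_check(ka, b"B->A", msg2, ca_pub, gy_seen, gx)
    if peer_b is None:
        return None                         # A aborts: B's message does not verify
    msg3 = seal(ka, b"A->B", a, gx, gy_seen)
    peer_a = open_and_check(kb, b"A->B", msg3, ca_pub, gx_seen, gy)
    if peer_a is None:
        return None                         # B aborts: A's message does not verify
    return {"a_sees": peer_b, "b_sees": peer_a, "same_key": ka == kb,
            "fp_a": fingerprint(gx, gy_seen), "fp_b": fingerprint(gx_seen, gy)}

if __name__ == "__main__":
    ca_sk, ca_pub = keypair()  # constructed server key and phone numbers
    print(handshake(ca_pub, enroll(ca_sk, "+421 555 0101"), enroll(ca_sk, "+421 555 0102")))
```

Each side signs the two exponentials it actually saw, so a value altered in transit fails verification before any phone number is displayed; the spoken fingerprint comparison is the users' independent check on the same two values.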

Claims

PATENT CLAIMS
1. A system for secure mobile communication using mobile communication devices in the environment of a communication mobile network for establishing highly secure voice and data communication among communicating parties, wherein the system consists of:
• audio module (1, 11) that converts analog signal from the microphone (2, 12) into digital signal, further processes the signal obtained in this way, compresses it, and packetizes it for further modules, decompresses packets, converts the decompressed digital signal into analog signal for the loudspeaker (3, 13);
• security device (4, 9) for data encryption and decryption that provides security and support functionality for encryption key generation and also contains an authentication
• secure data storage (5, 10) for storing user and/or system data;
• mobile communication device (6, 8) for communication between two communicating parties over the operator's network (7), and for management of communication among other modules of the system;
• the operator's network (7) providing data transfer between two mobile communication devices (6, 8), or a mobile communication device (6, 8) and a server system (14);
• server system (14) that mainly provides registration services for end users and guarantees the validity of certificates together with long-term authentication or other encryption keys, and acts as an intermediary in communication between two or among several mobile communication devices (6, 8).
2. The system of claim 1, wherein the audio module (1, 11) is implemented as a separate device that can connect to a mobile communication device (6, 8) or a security device (4, 9).
3. The system of claim 1, wherein the audio module (1, 11) is implemented as a submodule within the mobile communication device (6, 8).
4. The system of claim 1, wherein the audio module (1, 11) is implemented as a submodule within the mobile communication device (4, 9).
5. The system of claim 1, wherein the secure data storage module (5, 10) is implemented as a separate device, a smart card, a bank card, or a SIM card that can connect to the security device (4, 9) or the mobile communication device (6, 8).
6. The system of claim 1, wherein the secure data storage module (5, 10) is implemented as a submodule within the security device (4, 9).
7. The system of claim 1, wherein the secure data storage module (5, 10) is implemented as a submodule within the mobile communication device (6, 8).
8. The system of claim 1, wherein the security device module (4, 9) is implemented as a separate device that can connect to the mobile communication device (6, 8).
9. The system of claim 1, wherein the security device module (4, 9) is implemented as a submodule within the mobile communication device (6, 8).
10. The system of claim 1, wherein the server system module (14) is implemented as a separate device or a combination of devices.
11. The system of claim 1, wherein the server system module (14) is implemented as a submodule within the mobile communication device (6, 8).
12. A system of any of claims 2 to 11, wherein the security device (4, 9) contains memory, into which a security and control program is loaded.
13. A system of claim 12, wherein the program is subject to modification by means of local and/or remote upgrade.
14. A system of any of claims 2 to 11, wherein the mobile communication device (6, 8) contains memory, into which a security and control program is loaded.
15. A system of claim 14, wherein the program is subject to modification by means of local and remote upgrade.
16. A system of any of claims 2 to 11, wherein real time encryption is provided regardless of which device the security module is implemented in.
17. A system of any of claims 2 to 11, wherein a virtual direct secure channel is present.
18. A system of claim 17, wherein an encryption communication key is used, which is obtained via a data channel between the communicating parties, mainly by its generation, creation from a certificate, exchange using a negotiated protocol.
19. A system of claim 17, wherein the system contains an encryption communication key obtained via another channel between the communicating parties, mainly via a messenger, direct exchange while the devices are directly connected at a short distance, or through the mediation of trust by a third party or a server system (14).
20. A system of claim 17, wherein an alternative channel is present.
21. A system of claim 20, wherein an alternative channel is used, especially a visual channel (display), sound and voice channel, backup data channel.
22. A system of claims 10 or 11, wherein the server system (14) contains registration of authorized users, which it uses to assign privileges and issue certificates required for acceptance of these users in the system.
23. A system of claims 10 or 11, wherein a server system (14) that is used as an intermediary in communication between two or among several mobile communication devices is present.
24. A security device (4, 9) implemented in the system of claim 8, wherein the security device contains the following components:
• User interface providing services for input of voice, data, and authentication data from the user, output of voice and data for the user, and informing the user about the state of the device. The user interface consists of a voice processing module, a user interface module, and a user authentication module;
• Security core device providing mainly services for encryption and decryption of data and voice acquired from the user interface or the communication component, services for verification of authentication data from the user interface, implementation of electronic signature. The security device consists of a security module, a control module and local secure data storage.
• Communication component providing mainly services for transfer of voice, data, and authentication data from the security core of the device to the mobile communication device or a device connected to a computer network. The communication component consists of a wired transfer module or a wireless transfer module.
• Power supply providing mainly electric power supply to the security device. The power supply consists of a power control module and a battery.
25. Security device (4, 9) implemented in a system of claim 8, wherein a wireless interface for connection between the security device (4, 9) and the mobile communication device (6, 8), mainly of Bluetooth, WiFi or IrDA type, alternatively in specific cases also a wired connection, mainly USB, mini USB, and IEEE 1394 is used.
PCT/SK2005/000022 2004-11-23 2005-11-23 Apparatuses for establishing a highly secure voice amd data link between communicating parties WO2006057627A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SK404-2004A SK4042004A3 (en) 2004-11-23 2004-11-23 System and device for secure mobile communication
SKPP404-2004 2004-11-23

Publications (1)

Publication Number Publication Date
WO2006057627A1 true WO2006057627A1 (en) 2006-06-01

Family

ID=35592255

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SK2005/000022 WO2006057627A1 (en) 2004-11-23 2005-11-23 Apparatuses for establishing a highly secure voice amd data link between communicating parties

Country Status (2)

Country Link
SK (1) SK4042004A3 (en)
WO (1) WO2006057627A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102007012953A1 (en) * 2007-03-14 2008-09-18 Bundesdruckerei Gmbh Telecommunication method with subscriber authentication
US9059971B2 (en) 2010-03-10 2015-06-16 Koolspan, Inc. Systems and methods for secure voice communications
EP2963854A1 (en) * 2014-07-02 2016-01-06 SECVRE GmbH Device for secure peer-to-peer communication for voice and data
CN105405271A (en) * 2015-11-21 2016-03-16 惠州Tcl移动通信有限公司 Health intelligent system and health intelligent management method for reminding user of airing quilt in time
GB2553944A (en) * 2014-12-31 2018-03-21 Google Inc Secure host communications
JP2018521551A (en) * 2015-05-29 2018-08-02 ナグラビジョン エス アー Method and system for establishing an encrypted audio session
US10972450B1 (en) 2019-04-15 2021-04-06 Wells Fargo Bank, N.A. Systems and methods for securely migrating data between devices
WO2021158868A1 (en) * 2020-02-06 2021-08-12 Quantum Cloak, Inc. Securing communications via computing devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998002991A1 (en) * 1996-07-12 1998-01-22 Ulrich Seng Key distribution process between two units in an isdn/internet connection
US20020183005A1 (en) * 2001-05-24 2002-12-05 Yl Yi Sang Security codeless phone unit using bluetooth
EP1376924A2 (en) * 2002-06-27 2004-01-02 Nokia Corporation End-to-end encryption key management in mobile communications system
WO2004032557A1 (en) * 2002-10-07 2004-04-15 Telefonaktiebolaget Lm Ericsson (Publ) Security and privacy enhancements for security devices

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102007012953A1 (en) * 2007-03-14 2008-09-18 Bundesdruckerei Gmbh Telecommunication method with subscriber authentication
US9059971B2 (en) 2010-03-10 2015-06-16 Koolspan, Inc. Systems and methods for secure voice communications
EP2963854A1 (en) * 2014-07-02 2016-01-06 SECVRE GmbH Device for secure peer-to-peer communication for voice and data
US20160006710A1 (en) * 2014-07-02 2016-01-07 Secvre Gmbh Device for secure peer-to-peer communication for voice and data
GB2553944A (en) * 2014-12-31 2018-03-21 Google Inc Secure host communications
US9948668B2 (en) 2014-12-31 2018-04-17 Google Llc Secure host communications
GB2553944B (en) * 2014-12-31 2019-08-07 Google Llc Secure host communications
JP2018521551A (en) * 2015-05-29 2018-08-02 ナグラビジョン エス アー Method and system for establishing an encrypted audio session
CN105405271A (en) * 2015-11-21 2016-03-16 惠州Tcl移动通信有限公司 Health intelligent system and health intelligent management method for reminding user of airing quilt in time
US10972450B1 (en) 2019-04-15 2021-04-06 Wells Fargo Bank, N.A. Systems and methods for securely migrating data between devices
US11924187B2 (en) 2019-04-15 2024-03-05 Wells Fargo Bank, N.A. Systems and methods for securely migrating data between devices
WO2021158868A1 (en) * 2020-02-06 2021-08-12 Quantum Cloak, Inc. Securing communications via computing devices

Also Published As

Publication number Publication date
SK4042004A3 (en) 2006-08-03

Similar Documents

Publication Publication Date Title
US7793102B2 (en) Method for authentication between a portable telecommunication object and a public access terminal
JP3816337B2 (en) Security methods for transmission in telecommunications networks
US7761095B2 (en) Secure transmission over satellite phone network
US20070239994A1 (en) Bio-metric encryption key generator
EP1976322A1 (en) An authentication method
WO2006057627A1 (en) Apparatuses for establishing a highly secure voice amd data link between communicating parties
US20060189298A1 (en) Method and software program product for mutual authentication in a communications network
US8032763B2 (en) Multi-network cryptographic device
CN101384042A (en) Mobile phone ciphering method based on safe digital interface ciphering card
CN101164315A (en) System and method for utilizing a wireless communication protocol in a communications network
KR20010114272A (en) Method and apparatus for initializing secure communications among, and for exclusively pairing wireless devices
RU2495532C2 (en) Method and apparatus for end-to-end encrypted communication
EP2963854A1 (en) Device for secure peer-to-peer communication for voice and data
CN105337740A (en) Identity verification method, client, relay device and server
CN101909290A (en) Method, system and mobile terminal for encrypting voice call
US20050209975A1 (en) System, method and computer program product for conducting a secure transaction via a network
US20050210234A1 (en) Reach-back communications terminal with selectable networking options
US20070154015A1 (en) Method for cipher key conversion in wireless communication
CN112182624A (en) Encryption method, encryption device, storage medium and electronic equipment
CN100367701C (en) Apparatus and method for implementing data safety transmission of mobile communication apparatus
GB2342817A (en) Secure session setup based on wireless application protocol
AU772998B2 (en) Internal line control system
CN112054905B (en) Secure communication method and system of mobile terminal
WO2000059244A1 (en) Method and system for the transmission of information
JP2003309552A (en) Control system for electronic certificate by portable telephone

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05807870

Country of ref document: EP

Kind code of ref document: A1