EP1129594A1 - Secure transfer of temporary mobile subscriber information and system therefor - Google Patents

Secure transfer of temporary mobile subscriber information and system therefor

Info

Publication number
EP1129594A1
Authority
EP
European Patent Office
Prior art keywords
random number
pseudo random
generator means
network
mobile station
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP99958568A
Other languages
German (de)
English (en)
Inventor
Johan Rune
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the present invention is directed to a system and method for improving the security of a cellular subscriber within a telecommunications system, and, particularly, to improving subscriber confidentiality during network access.
  • GSM Global System for Mobile Communication
  • PLMN Public Land Mobile Network
  • wireless network 10 which in turn is composed of a plurality of areas 12, each with a Mobile Services Switching Center (MSC) 14 and an integrated Visitor Location Register (VLR) 16 therein.
  • LA Location Areas
  • Each Location Area 12 is divided into a number of cells 22.
  • Mobile Station (MS) 20 is the physical equipment, e.g., a car phone or other portable phone, used by mobile subscribers to communicate with the wireless network 10, each other, and users outside the subscribed network, both wireline and wireless.
  • the MSC 14 is in communication with at least one Base Transceiver Station (BTS) 24.
  • BTS Base Transceiver Station
  • the BTS 24 is the physical equipment, illustrated for simplicity as a radio tower, that provides radio coverage to the geographical part of the cell 22 for which it is responsible.
  • BSC Base Station Controller
  • BSS Base Station System
  • the PLMN Service Area or wireless network 10 includes a Home Location Register (HLR) 26, which is a database maintaining all subscriber information, e.g., user profiles, current location information, International Mobile Subscriber Identity (IMSI) numbers, and other administrative information.
  • HLR Home Location Register
  • the HLR 26 may be co-located with a given MSC 14, integrated with the MSC 14, or alternatively can service multiple MSCs 14, the latter of which is illustrated in FIGURE 1.
  • the VLR 16 is a database containing information about all of the Mobile Stations 20 currently located within the MSC/VLR area 12. If a MS 20 roams into a new MSC/VLR area 12, the VLR 16 connected to that MSC 14 will request data about that Mobile Station 20 from its home HLR database 26 (simultaneously informing the HLR 26 about the current location of the MS 20). Accordingly, if the user of the MS 20 then wants to make a call, the local VLR 16 will have the requisite identification information without having to reinterrogate the home HLR 26. In the aforedescribed manner, the VLR and HLR databases 16 and 26, respectively, contain various subscriber information associated with a given MS 20.
  • Each user in a cellular network such as the GSM network 10 shown in FIGURE 1, has an International Mobile Subscriber Identity (IMSI) number associated therewith, a unique identity number to uniquely identify each subscriber.
  • IMSI International Mobile Subscriber Identity
  • the secret subscriber key used for generating the authentication response must remain confidential lest an unscrupulous third party impersonate a given subscriber, incurring phone and other charges by virtue of this identity theft. Since the mobile station 20 maintains its identity within a given Location Area 18, e.g., in the VLR 16, the IMSI number need not be transmitted until the subscriber leaves the given LA 18 to another LA 18 within which it is not known.
  • the IMSI is not transmitted, in an effort to avoid the tracking of a subscriber's location and movements by listening to the IMSI (which is not secret).
  • the goal is to protect the subscriber's privacy and integrity.
  • To thwart obvious eavesdropping of confidential information, GSM employs a Temporary Mobile Subscriber Identity (TMSI) as an alias for the true subscriber identity (IMSI) in order to avoid transmitting the IMSI in clear on the radio path.
  • TMSI numbers are allocated by the network on an LA 18 basis for unambiguously referring to a particular MS 20 therein.
  • This subscriber identity confidentiality is a feature employed in many cellular networks today, e.g., in GSM.
  • TMSI numbers attempt to thwart eavesdroppers from tracking the location or the movements of a subscriber merely by listening in on the communication between the respective BTS 24 and the MS 20.
  • the temporary identity is preferably replaced at every network access, e.g., call, location update, etc.
  • When the TMSI is assigned to the mobile station 20 by the network 10, the TMSI must be transferred from the network to the MS 20. It should be understood that at this moment there is a risk that an eavesdropper may intercept the transfer, thereby being able to couple the TMSI with the particular IMSI which the aliasing TMSI replaces. This interception would also make it possible for the eavesdropper to track the subscriber's location and movements despite the use of TMSI identifiers.
  • the temporary identity is encrypted during this transfer, thereby preventing the eavesdropper from tracking the subscriber by monitoring the subsequent replacements of temporary identities.
  • When the TMSI number is used by the MS 20 to identify itself to the network 10, it cannot be encrypted since the network 10, not yet knowing the identity of the subscriber, would not know which encryption key to utilize in decrypting the temporary identity.
  • the TMSI number must not only be replaced at every network access but it must also be encrypted when transferred from the network to the MS 20, creating a significant amount of signaling across the radio interface and consuming valuable radio resources.
  • the present invention is directed to telecommunications systems and methods for preventing the interception of temporary identifiers utilized in network access by and interaction with mobile stations.
  • a mobile station and the subscriber network synchronize a pseudo random number generator, the initial seed value for which is exchanged in encrypted form.
  • Subsequent temporary identifiers for the mobile station are derived from successive values of a pseudo random number generator algorithm or other, like algorithms.
  • FIGURE 1 is a block diagram of a telecommunications system that employs the principles of the present invention.
  • a preferred mechanism to safely permit the exchange of temporary identity numbers after each network access is to utilize a series of values that are difficult, if not nearly impossible, to predict. For example, if an eavesdropper listens to a series of temporary identity assignments, they may ascertain a pattern in those assignments and decode the information garnered. To avoid prediction, a series of successive values are needed that can be not only unambiguously calculated independently by both the network 10 and the MS 20, but at the same time are unpredictable to anyone else, i.e., a potential eavesdropper.
  • One category of number-generating algorithms that satisfies the criterion of unpredictability is pseudo-random number generators. As the name suggests, a series of seemingly (pseudo) random numbers is created, numbers having no obvious relationship to one another. Instead, the mechanism for creating the numbers employs elaborate calculations to mimic a purely random selection of numbers. Such number generators, however, require a starting or "seed" value, from which a particular series of numbers emanates. In other words, if a network 10 element and the MS 20 employ the same pseudo-random number generator (PRNG) and utilize a common seed value as input, an identical stream of numbers is generated, whereby the network 10 and the MS 20 are in synchronicity. Of course, a different seed value results in a different series of numbers.
  • PRNG pseudo-random number generator
  • a seed value is transferred from the network to the MS 20.
  • This transference corresponds to the assignment of the initial temporary identity in conventional systems, and, consequently, the seed value must be encrypted to prevent an eavesdropper from synchronizing their own algorithm with the subscriber's, thereby enabling the eavesdropper to track the subscriber's movements.
  • the temporary identity can be changed after every subsequent network access, without the transference of any subsequent information over the radio interface, by simply having the algorithm generate the next number in the pseudo random number series from the common, initial seed value.
  • Because the network 10 and the mobile station 20 were synchronized with the common seed value, the resulting sequences and identities will match.
  • a practical problem arises in that there is no guarantee as to the uniqueness of the temporary identities, which are normally only locally unique.
  • the range of possible values is kept small (to keep the identifier short) and the temporary identities are regularly reused as subscribers come and go through the local area of uniqueness, e.g., the location areas 18 in GSM, as shown in FIGURE 1.
  • the difficulty arises when many subscribers are present within the same LA 18 (or other uniqueness area), each subscriber employing the same instance of the PRNG algorithm. With a new temporary identity being produced after every network access and the pool of such identities being low, over time a new temporary identity number for a given subscriber will be produced that matches that already being utilized by another subscriber in the same area.
  • One obvious countermeasure against such TMSI conflicts is, of course, to extend the temporary identity, e.g., by adding one or two bits thereto.
  • the intent here is less that of accommodating increasing subscriber numbers, but more that of reducing the risk of creating a temporary identity conflict. It should be understood, however, that although the risk of conflict is reduced by these extension bits, it is not eliminated, leaving the need to cope with the conflict scenario.
  • the value is then stored in the network, the corresponding field in the array marked 'occupied', and if the network had to skip a number of values in the pseudo random number series (to arrive at an unoccupied value), the mobile terminal is informed of the number of skipped values. The mobile terminal can then skip the same number of values to keep the algorithm synchronized with the network.
  • the extension of the temporary identity also adds to the consumed radio resources, but this is a very small addition compared to what is saved by eliminating the many message exchanges assigning new temporary identities to the mobile terminal at every network access.
  • the messages to establish the ciphering mode can be eliminated in some cases. For instance, during a location update, the only reason to establish the ciphering mode is to be able to transfer a new temporary identity encrypted to the mobile terminal. Otherwise the network only sends a simple acknowledgment, which does not have to be encrypted. Accordingly, if using the present invention, a new temporary identity can be assigned without establishing the ciphering mode.
  • Suitable pseudo random number generators for use in the preferred embodiment of the present invention include a lagged Fibonacci PRNG using addition and another, as yet unnamed, PRNG, both of which are described hereinbelow.
  • the nth number in this sequence is calculated as follows:
  • $N_n = (N_{n-k} + N_{n-l}) \bmod M$
  • k and l are the lags (the largest of which should be at least about 1,000 to about 10,000 in order to achieve good results) and M defines the range within which the generated pseudo random numbers are kept.
  • M should be set to 1.
  • the bit patterns formed by floating point numbers can be utilized to produce temporary identities. For example, the extraction of a number of bits, pursuant to a rule such as starting from the low order bit, from a generated pseudo random number may be used to form a temporary identity number.
  • integer arithmetic is preferably employed, particularly using a large value of M. Should floating point arithmetic be used, however, both the network and the particular mobile station must use the same number representation (in terms of size and structure), as well as the same floating point arithmetic algorithms and roundoff rules.
  • Another technique also produces pseudo random numbers distributed between 0 and 1.
  • the seeds $X_0$, $Y_0$ and $Z_0$ in this alternative embodiment of the present invention are initially set to integer values between 1 and 30,000.
  • the pseudo random numbers $N_n$ are then calculated in this embodiment according to the following:
  • nth number pursuant to this unnamed technique may be calculated as follows:
  • $N_n = [\mathrm{FLOAT}(X_n)/30269 + \mathrm{FLOAT}(Y_n)/30307 + \mathrm{FLOAT}(Z_n)/30323]\ \mathrm{AMOD}\ 1$
  • the floating point numbers generated by this algorithm also form bit patterns that can be used to create the desired temporary identities.
  • Mixture generator is used, for example, in RPK cryptographic systems.
  • Mixture generators are used to define private keys and derive public keys, and are useful in encryption and decryption, as is well understood to those skilled in the art.
  • the mixture generator which can be considered a simple finite state or Turing machine, normally produces only one bit at a time, so to produce a bit sequence that can be used as a temporary identifier of length n the mixture generator has to be stepped n times.
  • the temporary identities can be derived from the different states of the mixture generator. In the latter case, the mixture generator only has to be stepped once for each temporary identity it generates.
  • the 'seed' for a mixture generator can be defined as a certain number of steps from a predefined initial state. It should be understood that the sequence of outputs generated by the mixture generator will be the same regardless of how the mixture generator happened to arrive at that state. Additionally, as with the aforedescribed Fibonacci and the other technique, the generated outputs are complex and unpredictable in a well-defined sense so as to make it difficult for an eavesdropper or other observer to measure the output sequence and determine the details of the internal state in an effort to predict future outputs, thereby compromising the user's identity and confidentiality in the manner aforedescribed. Further details on the intricacies of mixture generators may be found in numerous treatises, patents and Internet documents on Public Key Cryptography, e.g., various writings by William M. Raike at the website www.rpk.co.nz.
  • the benefits of the various embodiments for the proposed solution include reducing the control signaling load put on the radio interfaces while maximizing the use of the requisite confidentiality features.
  • a large number of messages needed to assign new temporary identities are eliminated, and in some instances the messages to establish the ciphering mode are also eliminated.
  • the temporary identity can be replaced after every network access, which is not always the case in existing systems since in those systems there is a trade off between the gained privacy and the consumed radio resources.
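
The seed synchronization and the skip-count conflict handling described above can be exercised end to end. The following is an added sketch, not code from the patent or its assignee: the lag pair, the 8-bit identity width, the SHA-256 expansion of the seed into the generator's starting values, and the class names `Network` and `Mobile` are all assumptions made for illustration.

```python
import hashlib

K, L = 1279, 418   # lags; illustrative pair, largest lag in the 1,000-10,000 range
M = 2 ** 32        # integer arithmetic with a large modulus
TMSI_BITS = 8      # constructed, deliberately small so that conflicts occur


class LaggedFibonacci:
    """N_n = (N_{n-k} + N_{n-l}) mod M, kept in a circular buffer of K values."""

    def __init__(self, seed: bytes):
        # Assumption: the K starting values are expanded from the seed with
        # SHA-256; the page does not say how the initial state is filled.
        self.state = [
            int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4], "big")
            for i in range(K)
        ]
        self.pos = 0  # slot holding N_{n-k}, the oldest value

    def next_identity(self) -> int:
        value = (self.state[self.pos] + self.state[(self.pos + K - L) % K]) % M
        self.state[self.pos] = value
        self.pos = (self.pos + 1) % K
        return value & ((1 << TMSI_BITS) - 1)  # low-order bits form the identity


class Network:
    def __init__(self):
        self.occupied = [False] * (1 << TMSI_BITS)  # the 'occupied' array
        self.gens, self.current = {}, {}

    def attach(self, name: str, seed: bytes) -> None:
        self.gens[name] = LaggedFibonacci(seed)

    def on_access(self, name: str) -> int:
        """Pick the next unoccupied identity; return how many values were skipped."""
        gen, skipped = self.gens[name], 0
        candidate = gen.next_identity()
        while self.occupied[candidate]:
            skipped += 1
            if skipped > 10_000:
                raise RuntimeError("identity space exhausted")
            candidate = gen.next_identity()
        old = self.current.get(name)
        if old is not None:
            self.occupied[old] = False  # release the identity being replaced
        self.occupied[candidate] = True
        self.current[name] = candidate
        return skipped  # the only value that has to cross the radio interface


class Mobile:
    def __init__(self, seed: bytes):
        self.gen = LaggedFibonacci(seed)
        self.identity = None

    def on_access(self, skipped: int) -> int:
        for _ in range(skipped):  # discard the values the network skipped
            self.gen.next_identity()
        self.identity = self.gen.next_identity()
        return self.identity


def simulate(subscribers: int = 40, accesses: int = 50):
    net, mobiles = Network(), {}
    for i in range(subscribers):
        name = f"ms{i}"
        # Constructed seed; stands in for the value transferred in encrypted form.
        seed = hashlib.sha256(f"constructed-seed-{i}".encode()).digest()
        net.attach(name, seed)
        mobiles[name] = Mobile(seed)
    total_skipped, in_sync = 0, True
    for _ in range(accesses):
        for name, ms in mobiles.items():
            skipped = net.on_access(name)
            in_sync &= ms.on_access(skipped) == net.current[name]
            total_skipped += skipped
    unique = len(set(net.current.values())) == subscribers
    return in_sync, unique, total_skipped


if __name__ == "__main__":
    print(simulate())
```

The low-order bits of an additive lagged Fibonacci generator obey the same recurrence as the full words, so this generator is not cryptographically secure; the sketch shows the synchronization and skip bookkeeping only.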

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to telecommunications systems and methods for preventing the tracking of a subscriber's movements through interception of temporary identifiers used in interaction with mobile stations (20) for access to the network (10). According to a preferred embodiment of the invention, a mobile station (20) and the subscriber's network (10) synchronize a pseudo-random number generator whose initial seed value is exchanged. Subsequent temporary identifiers for the mobile station (20) are derived from successive values of a shared pseudo-random number generation algorithm.
EP99958568A 1998-11-12 1999-11-08 Secure transfer of temporary mobile subscriber information and system therefor Withdrawn EP1129594A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US19101698A 1998-11-12 1998-11-12
PCT/SE1999/002019 WO2000030391A1 (fr) 1998-11-12 1999-11-08 Secure transfer of temporary mobile subscriber information and system therefor
US191016 2002-07-08

Publications (1)

Publication Number Publication Date
EP1129594A1 true EP1129594A1 (fr) 2001-09-05

Family

ID=22703785

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99958568A Withdrawn EP1129594A1 (fr) 1998-11-12 1999-11-08 Secure transfer of temporary mobile subscriber information and system therefor

Country Status (5)

Country Link
EP (1) EP1129594A1 (fr)
JP (1) JP2002530960A (fr)
CN (1) CN1333987A (fr)
AU (1) AU1590700A (fr)
WO (1) WO2000030391A1 (fr)

Also Published As

Publication number Publication date
JP2002530960A (ja) 2002-09-17
AU1590700A (en) 2000-06-05
CN1333987A (zh) 2002-01-30
WO2000030391A1 (fr) 2000-05-25

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20010606

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: RUNE, JOHAN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Withdrawal date: 20020528

RBV Designated contracting states (corrected)

Designated state(s): DE FR GB