EP1269783A2 - Method and associated apparatus for generating security keys in a communication system - Google Patents

Method and associated apparatus for generating security keys in a communication system

Info

Publication number
EP1269783A2
EP1269783A2 EP01912044A EP01912044A EP1269783A2 EP 1269783 A2 EP1269783 A2 EP 1269783A2 EP 01912044 A EP01912044 A EP 01912044A EP 01912044 A EP01912044 A EP 01912044A EP 1269783 A2 EP1269783 A2 EP 1269783A2
Authority
EP
European Patent Office
Prior art keywords
ciphering key
communication station
operator
mobile terminal
communication system
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01912044A
Other languages
German (de)
English (en)
Inventor
Antti Kuikka
Jukka-Pekka Honkanen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Oyj
Original Assignee
Nokia Oyj
Application filed by Nokia Oyj
Publication of EP1269783A2

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates generally to the communication of data, such as IP (Internet Protocol)-formatted data, in a communication system, such as a GSM (Global System for Mobile communications) cellular communication system. More particularly, the present invention relates to a method, and associated apparatus, by which to perform security key generation pursuant to the IPsec (Security Architecture for Internet Protocol) to facilitate secured communications of packet data between two communication stations, such as two mobile terminals operable in the GSM communication system.
  • IP Internet Protocol
  • GSM Global System for Mobile communications
  • SIM Subscriber Identity Module
  • wireless communication systems have achieved wide popularity in recent years as a result of advancements in communication technologies.
  • Multiuser, wireless communication systems of improved capabilities are regularly utilized by large numbers of consumers to communicate both voice and nonvoice information.
  • a communication channel formed between a sending station and a receiving station is a radio channel defined upon a portion of the electromagnetic spectrum. Because a radio channel forms a communication link between the sending and receiving stations, a wireline connection is not required to be formed between the sending and receiving stations to permit the communication of data between the stations. Communication by way of a wireless communication system is thereby permitted at, and between, locations at which the formation of a wireline connection would not be practical. Also, because a communication channel is formed of a radio channel, a radio communication system can be more economically installed as the infrastructure costs associated with a wireline communication system are significantly reduced.
  • a cellular communication system is exemplary of a wireless, multi-user radio communication system which has achieved wide levels of usage and which has been made possible due to advancements in communication technologies.
  • a cellular communication system is typically formed of a plurality of fixed-site base stations installed throughout a geographical area which are coupled to a PSTN (Public-Switched,
  • Portable transceivers, typically referred to as mobile stations, or mobile terminals, communicate with the base stations by way of radio links.
  • a cellular communication system efficiently utilizes the portion of the electromagnetic spectrum allocated thereto. Because of the spaced-apart positioning of the base stations, only relatively low-power signals are required to effectuate communications between a base station and a mobile station. As a result, the same frequencies can be reused at different locations throughout the geographical area. Thereby, communications can be effectuated between more than one set of sending and receiving stations concurrently at separate locations throughout the area encompassed by the cellular communication system.
  • Digital communication techniques are also utilized in many cellular, as well as other types of, communication systems. Utilization of digital communication techniques, for instance, permits the increase of communication capacity and, also as a result thereof, has permitted the introduction of new types of communication services. Digital communication techniques have facilitated improvements in the maintenance of security in communications effectuated during operation of such communication systems.
  • Various measures have been taken with respect to security issues, of significance particularly in radio communication systems. For instance, procedures are set forth to ensure that access is granted to mobile terminals to communicate by way of the communication system only subsequent to their authentication as being authorized to communicate therethrough.
  • an authentication procedure is set forth in which ciphering keys are utilized in a public/private ciphering scheme to perform the authentication procedures.
  • the present invention, accordingly, advantageously provides a method, and associated apparatus, by which to perform security key generation in a communication system, such as a GSM (Global System for Mobile communications), or other, cellular communication system.
  • a key exchange protocol is utilized which removes a so-called man-in-the-middle attack on the protocol. All messages are operated through an entity.
  • IP data is to be communicated between two mobile terminals operable in a communication system
  • messages are routed through an operator, or operators, of the GSM authentication, or other, communication system.
  • a manner is provided by which to exchange security keys between two mobile terminals operable in a GSM cellular, or other, communication system in which both of the mobile terminals communicate with the same operator.
  • the single operator personalizes the information stored at the mobile terminal and also stores the information at the operator.
  • secured key exchanges are effectuable between the first mobile terminal and the operator and between the operator and the second mobile terminal.
  • secured data communication is possible between the two mobile terminals. Secured data transmission is effectuated by encrypting the data to be communicated therebetween by a secret key generated pursuant to the key exchange effectuated by way of the operator.
  • the mobile terminals include SIM-cards which contain information personalized by the operator of the GSM system. Authentication algorithms as well as a ciphering key and the identity of the mobile terminal are stored at the SIM-card. Such information is utilized to generate a pseudo random number, a first ciphering key, and the identity of the second mobile terminal to which IP-formatted data is to be communicated. Such information is forwarded to the operator which performs analogous operations and also determines the identity of the second mobile terminal to which the IP-formatted data is ultimately to be communicated in a communication session between the first and second mobile terminals.
  • the operator generates a second ciphering key together with a second pseudo random number and forwards such information together with the identity of the first mobile terminal to the second mobile terminal.
  • the second mobile terminal detects the transmitted information and generates a new secret key to be used for data transmission between the first and second mobile terminals.
  • the second mobile terminal also determines the identity of the first mobile terminal responsive to the message sent thereto by the operator.
  • the key is utilized thereafter to sign, or encrypt, messages communicated between the first and second mobile terminals.
  • information stored at a first of the mobile terminals is personalized by a first operator, and the information stored at a second of the mobile terminals is personalized by a second operator.
  • the separate operators operate separate portions of the communication system.
  • a first secured key exchange is performed between the first mobile terminal and the first operator.
  • a secured key exchange is performed between the first operator and the second mobile terminal.
  • ciphering keys are generated to facilitate the transmission of secured data between the first and second mobile terminals.
  • a secured key exchange is performed between the second mobile terminal and the second operator.
  • a third ciphering key is generated and utilized to secure data to be transmitted between the first and second mobile terminals.
  • a method, and an associated assembly for communicating in a communication system having at least a first communication system portion operated by a first operator.
  • the first operator is coupled to the network infrastructure of the communication system.
  • the communication system has a first communication station operable at least to communicate packet data and a second communication station also operable at least to communicate packet data.
  • Security keys are generated for use to secure the packet data communicated between the first communication station and the second communication station.
  • a first ciphering key is generated at the first communication station.
  • the first ciphering key is then forwarded to the network infrastructure together with indicia identifying the second communication station.
  • a message is thereafter routed to the second communication station.
  • secret keying material to be exchanged between the first communication station and the second communication station is generated.
  • Figure 1 illustrates a functional block diagram of a radio communication system in which an embodiment of the present invention is operable.
  • Figures 2A-2B illustrate a message sequence diagram listing the sequence of operation of an embodiment of the present invention to exchange security keys to facilitate the transmission of secured data between the first and second mobile terminal shown in Figure 1.
  • Figures 3A-3B illustrate another message sequence diagram, also illustrating the sequencing of messages generated during operation of another embodiment of the present invention.
  • Figures 4A-4B also illustrate a message sequence diagram, also illustrating the sequencing of messaging generated during operation of another embodiment of the present invention.
  • Figure 5 illustrates a message sequence diagram illustrating in greater detail portions of the sequences shown in Figures 3A-B and 4A-B.
  • a communication system shown generally at 10, is operable to provide for radio communications with mobile terminals, of which a first mobile terminal 12 and a second mobile terminal 14 are exemplary.
  • the communication system 10 forms a GSM (Global System for Mobile communications) cellular communication system operable pursuant to an appropriate standard. While the present invention shall be described with respect to an exemplary implementation in a GSM communication system, operation of an embodiment of the present invention is analogously operable and such operation can be analogously described.
  • the mobile terminal 12 is operable to transceive communication signals by way of radio link 16 with the network infrastructure 18 of the communication system.
  • the mobile terminal 14 is operable to transceive communication signals by way of the radio link 22 with the network infrastructure 18.
  • the mobile terminal 12 is, for example, able to communicate with the mobile terminal 12 by way of a communication path which includes the radio links 16 and 22 and portions of the network infrastructure 18.
  • Each of the mobile terminals 12 and 14 is also capable of communicating with other communication stations (not shown), such as a communication station coupled to a PSTN (Public-Switched, Telephonic Network).
  • PSTN Public-Switched, Telephonic Network
  • a first operator, operator a, 26, and a second operator, operator f, 28, are also shown to form a portion of the communication system.
  • the operators a and f are coupled to the radio network infrastructure 18 to form a portion thereof. In conventional manner, the operators control operation of portions of the communication system.
  • the mobile terminal 12 includes, in addition to transceiver circuitry 32, a SIM (Subscriber Identity Module)-card 34.
  • SIM-card is conventional of a GSM SIM-card, typically removable from the mobile terminal.
  • the SIM-card includes, for instance, a unique identifier, IDb which identifies the SIM-card and, hence, the mobile terminal 12 to which the card is connected.
  • a subscriber authentication key, Ki, is also stored at the SIM-card, as are authentication and A3 and A8 algorithms.
  • the A8 algorithm for instance, is a ciphering key generation algorithm.
  • the information stored at the SIM-card 34 is utilized during operation of an embodiment of the present invention.
  • the second mobile terminal 14 in such an implementation also includes a SIM-card 36 in addition to transceiver circuitry 38.
  • the information stored at the SIM-card 36 is similar to that stored at the SIM-card 34, individualized for the specifics of the mobile terminal 14. For instance, the identity, IDd, of the mobile terminal 14 is stored at the SIM-card 36 rather than the IDb stored at the SIM-card 34.
  • Operation of an embodiment of the present invention provides a manner by which to exchange security keys between the mobile terminals pursuant to IPsec, the security architecture for Internet protocol, through the use of the information stored at the SIM-cards 34 and 36.
  • FIGS 2A-2B illustrate a message sequence diagram, shown generally at 44, illustrating operation of an embodiment of the present invention to exchange security keys between mobile terminals 12 and 14, thereby to permit secured data transmission therebetween.
  • the message sequence diagram 44 shown in Figure 3 is representative of operation of the communication system in which both mobile terminals 12 and 14 are operated by the operator a, 26.
  • the mobile terminal 12 is represented by the SIM-card b, 34, in which the mobile terminal 12 is utilized by a user c.
  • the mobile terminal 14 is represented by the SIM-card d, 36, and the mobile terminal is operated by a user e.
  • the block 48 indicates the items known at the mobile terminal 12 at the initiation of the communication session. In addition to the information mentioned previously to be stored at the SIM-card 34, the IP address (IPa) of the operator a, 26, the IP address of the user c (IPc), and the IP address of the user of the mobile terminal 14 (IPe) are known by the mobile terminal 12.
  • IPa IP address
  • IPc IP address of the user c
  • IPe IP address of the user of the mobile terminal 14
  • the block 48 also indicates that a value of a pseudo random number, RANDfill is generated.
  • SK and TID generation is performed to form SKca values at both the terminal 12 and at the operator a 26. Additional details relating to SK and TID generation shall be described with respect to Figure 5 below.
  • a message 55, KEYGEN(TIDb, E{RANDfill, IPc, IPe}SKca, S{RANDfill, IPc, IPe}SKca), is generated by the mobile terminal 12, including the information it generated, or otherwise known at the mobile terminal 12, and communicated to the operator a, 26.
  • the operator a decrypts the encrypted values of IPc and IPe provided thereto in the message 55.
  • Block 62 indicates items known at the operator a.
  • IDd is the identity of the SIMd 36 of the mobile terminal 14. Such value is known by both the operator a and also at the SIM-card d, 36.
  • the subscriber authentication key Ki stored in the SIM-card d 36 is also known by the operator a, as are the algorithms A3 and A8 stored at the SIM-card d 36.
  • IPa IP address of the operator a
  • the operator a generates a pseudo random number RANDea of 128 bits.
  • the number is generated at an AUC (Authentication Center) associated with the operator, as are also “triplets” including values of RAND, SRES, and Kc for the requested SIM card, here IDd.
  • the operator a 26 generates new secret keying material, SKea, to be used between the user e of the mobile terminal 12 and the operator a.
  • the operator a concatenates Kc:s to TKea, in which TKea is executed using a one-way algorithm Aow by which to generate SKea.
  • the resultant output, SKea is used as secret keying material between the user e and the operator a.
  • Block 66 indicates that operator a knows that the user e of the mobile terminal 14 uses an operator a-personalized SIM-card.
  • as indicated by the message 68 transmitted by the operator a 26 to the mobile terminal 14, information formed at, or otherwise known by, the operator a is communicated to the mobile terminal 14.
  • the message is indicated by KEYGEN(RANDea, S[RANDea]SKea, E[IPc, IPe]SKea).
  • Block 72 indicates that selection is made by the user e of the mobile terminal to accept a secured data link with what, to the user e, is a currently-unknown user, i.e., user c of the mobile terminal 12.
  • Block 74 indicates that the user e of the mobile terminal 14 generates new secret keying material, SKea, to be used between the user e and operator a.
  • the user e splits the RANDea to 128-bit blocks. Each block is executed through a SIM A8 algorithm. The output is a 64-bit length Kc from each block. Again, alternately, the algorithm A3 could instead be utilized to form a 32-bit length SRES value.
  • Block 76 indicates that the user e of the mobile terminal 14 decrypts the message indicated by the segment 68 to obtain a value of IPc, i.e., the user c of the mobile terminal 12.
  • the user c of the mobile terminal 12 selects a value of a Diffie-Hellman group to be used in a Diffie-Hellman exchange.
  • a value of y and g^y are calculated. Then, and as indicated by the message 82, such information is communicated from the mobile terminal 12 to the operator a 26. Such message is indicated by KEYEX(E{GRP, g^y}SKea).
  • the operator decrypts the message to obtain values of the variable of the Diffie-Hellman group and a value of g^y. Then, and as indicated by the message 86, such values, together with a value SKea are communicated from the operator a 26 to the mobile terminal 14.
  • the message is indicated by KEYEX(E{GRP, g^y}SKca).
  • the user e decrypts the message 86 to obtain the values of GRP and g^y.
  • the user e uses the values of GRP to generate x and to calculate the value g^x.
  • as indicated by the message 94, such information is communicated from the mobile terminal 14 to the operator a 26.
  • the message is indicated by KEYEX(E{GRP, g^x}SKea).
  • the operator decrypts the message to obtain values of GRP and g^x.
  • as indicated by the message 98, such information is forwarded from the operator a to the mobile terminal 12.
  • the user c of the mobile terminal 12 decrypts the message to obtain values of GRP and g^x. Then, and as indicated by the block 104, the user c generates secret keying material from SKce which is equal to (g^x)^y which is equal to g^(xy). Then, as indicated by the block 106, the user c encrypts the data to be communicated to the mobile terminal with the key SKce.
  • Block 108 indicates that the user e of the mobile terminal 14 also generates secret keying material SKce in the same manner. The encrypted data, encrypted with SKce, is communicated from the mobile terminal 12 to the mobile terminal 14, as indicated by the message 112.
  • the message 112 is represented by E{(data)}SKce.
  • When detected at the mobile terminal 14, and as indicated by the block 114, the user e decrypts the encrypted data provided thereto with the key SKce.
  • a response to be communicated by the mobile terminal 14 to the mobile terminal 12 is encrypted, indicated by the block 116, with the key SKce. And, the response is communicated in the form of a message 118 to the mobile terminal 12.
  • the message is indicated by E{(response)}SKce.
  • FIGS 3A-3B illustrate a message sequence diagram, shown generally at 112, illustrating signaling generated during operation of another embodiment of the present invention.
  • keys are exchanged between the first and second mobile terminal 12 and 14 to be used to secure data to be transmitted between the mobile terminals.
  • operator a 26 and operator f 28 are associated with the respective mobile terminals 12 and 14.
  • Block 126 indicates that the items known at the mobile terminal 12 include the identification of the SIMb, IDb. Also, the subscriber authentication key Ki and the algorithms A3 and A8, as well as the IP addresses of the operator a, the user c, and the user e (IPa, IPc, and IPe), are all known. The block 126 also indicates that a value of a pseudo random number RANDfill is generated.
  • SK and TID generation is performed to form SKca and TIDb values at both the terminal 12 and at the operator a. Additional details relating to SK and TID generation shall be described with respect to Figure 5 below.
  • the information generated at, or otherwise known to, the mobile terminal 12 is communicated, indicated by the message 134, by the mobile terminal to the operator a.
  • the message is indicated by KEYGEN(TIDb, E{RANDfill, IPa, IPc, IPe}SKca, {RANDfill, IPa, IPc, IPe}SKca).
  • the operator decrypts the encrypted values of IPc and IPe contained in the message 134. Then, and as indicated by the block 142, the operator generates a pseudo random number RANDaf which is used to separate different parallel key generation, and is an ID to a session where keys are used. Then, and as indicated by the message 144 communicated by the operator a to the mobile terminal 14, the value of RANDaf is transmitted.
  • the message is represented by KEYGEN(RANDaf).
  • Block 148 indicates that the items known at the mobile terminal 14 include the identification of the SIMd card, IDd. Such value is known both by the operator f 28 and the mobile terminal 14.
  • the subscriber authentication key Ki as well as the algorithms A3 and A8 are also known at the mobile terminal as are also the IP addresses of the operator a, the operator f, and the user e, i.e., IPa, IPf, and IPe.
  • a pseudo random number RANDef is also shown to be generated at the block 148.
  • the RANDfill value is of a length of 128 bits.
  • SKxy generation is performed, here to form values of SKef and TIDd. Again, additional details regarding such generation shall be described with respect to Figure 5.
  • as indicated by the message 156, such information generated at, or known by, the mobile terminal 14 is communicated therefrom to the operator f.
  • the message is represented by KEYGEN(RANDfill, RANDaf, IPa, IPe).
  • the operator detects the message 156.
  • SKef is sent from the operator f 28 to the operator a 26.
  • a message 166 is shown to be communicated by the operator f to the operator a.
  • the message is represented by KEYGEN(RANDaf, SKef, IPa, IPe).
  • Block 168 indicates that the RANDaf forms the ID to the communication session in which the key SKef is used.
  • the block 172 indicates that the user c of the mobile terminal 12 selects a Diffie-Hellman group variable GRP, generates y, and calculates g^y.
  • a message 174 is communicated by the mobile terminal 12 to the operator a 26.
  • the message is represented by KEYEX(E{GRP, g^y, IPc, IPe}SKca).
  • the operator a decrypts the message to obtain values of IPc, IPe, GRP, and g^y.
  • a message 178 is communicated from the operator a to the second mobile terminal 14.
  • the message is represented by KEYEX(E{RANDaf, GRP, g^y, IPc, IPe}SKef).
  • the user e of the mobile terminal decrypts the message received thereat to obtain values of RANDaf, IPc, IPe, GRP, and g^y.
  • the user e of the mobile terminal becomes aware that user c is the other participant to the communication session. Then, and as indicated by the block 186, the user e generates x and calculates g^x. Thereafter, a message 188 is communicated from the mobile terminal 14 to the operator a 26.
  • the message 188 is represented by KEYEX (E
  • a message 194 is then communicated from the operator a to the first mobile terminal 12.
  • the message is represented by KEYEX(E{RANDaf, GRP, g^x, IPc, IPe}SKca).
  • the user c of the mobile terminal decrypts the message to obtain values of RANDaf, IPc, IPe, GRP, and g^x.
  • an encrypted data message 206 is communicated from the mobile terminal 12 to the mobile terminal 14.
  • the message is represented by E{(data)}SKce.
  • When detected at the mobile terminal 14, and as indicated by the block 208, the user e of the mobile terminal 14 decrypts the encrypted data received thereat with the key SKce.
  • a response by the mobile terminal 14 is generated, here represented by the block 212, and encrypted with the key SKce.
  • a message 214 is returned by the mobile terminal 14 to the mobile terminal 12.
  • the message is represented by E{(response)}SKce.
  • the user c of the mobile terminal 12 decrypts the encrypted response received thereat with the key SKce. Thereby, secured transmission of data between the mobile terminals 12 and 14 is effectuated.
  • Figures 4A-4B illustrate a sequence diagram, shown generally at 222, also representative of operation of an embodiment of the present invention.
  • the sequence diagram 222 analogous to the message sequence diagram 122 shown in Figure 3, represents operation of an embodiment of the present invention in which operator a 26 is associated with the first mobile terminal 12 and the operator f 28 is associated with the second mobile terminal 14.
  • the operation is performed at various elements noted in the sequence diagram, and messages communicated between such elements correspond with like-numbered operations and messages shown in, and described with respect to, Figure 3.
  • operations 124-130 performed at the mobile terminal 12, the message 134 communicated from the mobile terminal 12 to the operator a 26, operations 138-142 performed at the operator a, the message 144 communicated by the operator a to the second mobile terminal 14, operations 146-150 performed at the mobile terminal 14, the message 156 communicated by the mobile terminal 14 to the operator f 28, and the operations 158 and 164 performed at the operator f correspond with such operations and messages described with respect to the sequence diagram 122 shown in Figure 3. Such operation shall not again be described.
  • a message 228 is communicated by the first mobile terminal 12 to the operator a.
  • the message is represented by KEYEX(E{GRP, g^y, IPc, IPe}SKca).
  • the operator a decrypts the received message to obtain values of IPc, IPe, GRP, and g^y.
  • the RANDaf becomes the ID to the communication session in which the key SKef is utilized.
  • a message 234 is communicated by the operator a to the operator f 28.
  • the message 234 is represented by KEYEX (RANDaf , GRP , g A y, IPc , IPe) .
  • a message 236 is communicated by the operator f to the second mobile terminal 14.
  • the message 236 is represented by KEYEX (E ⁇ GRP , g y, IPc , IPe ⁇ SKef ) .
  • the user e When received at the second mobile terminal, and as indicated by the block 238, the user e decrypts the message to obtain values of IPc, IPe, GRP, and g A y. Then, and as indicated by the block 242, as a result, the user e obtains knowledge that the user c is the other participant of the communication session. Then, and as indicated by the block 244, the user e of the mobile terminal 14 generates x and calculates g x. Then, a message 246 is communicated by the second mobile terminal operator f. The message is represented by KEYEX (E ⁇ GRP, g ⁇ , IPc , IPe ⁇ SKef ) .
  • a message 252 is communicated by the operator f to the operator a.
  • the message is upon any secured link and is represented by KEYEX (RANDaf , GRP, g A x, IPc, IPe) .
  • a message 254 is communicated by the operator a to the first mobile terminal 12.
  • the message is represented by KEYEX (E ⁇ GRP,g A x, IPc, IPe ⁇ SKca) .
  • A message 266 is communicated by the mobile terminal 12 to the mobile terminal 14.
  • The message 266 is encrypted data and is represented by E{(data)}SKce.
  • The user e thereof decrypts the encrypted data with the key SKce, indicated by the block 268.
  • A response message generated at the second mobile terminal is encrypted, as indicated by the block 272, with the key SKce.
  • The response message 274 is communicated by the mobile terminal 14 to the mobile terminal 12.
  • The message is represented by E{(response)}SKce.
  • The user c decrypts the encrypted response with the key SKce.
  • Secured data communications are effectuated between the first and second mobile stations 12 and 14.
  • Figure 5 illustrates a message sequence diagram, shown generally at 302, which illustrates in greater detail the manner by which values of SK and TID are generated during operation of an embodiment of the present invention.
  • The sequence 302 corresponds to the sequence steps 50 and 130 shown in Figures 2-4 and, by analogy, also step 150 shown in Figures 3-4.
  • The user c of the mobile station 12 elects to initiate a secure data link with the user e of the mobile station 14.
  • Block 306 indicates that values of IDb, Ki, the IP addresses of the operator a, and users c and e, IPa, IPc, and IPe, respectively, are known, as are the algorithms A3 and A8. And, block 306 also indicates that a temporary value of TIDb is generated at the mobile station 12.
  • Block 308 indicates that, at the operator a 26, values of IDd and Ki in the SIM d as well as values of the algorithms A3 and A8 are known.
  • A message KEYREQ(IDb, TIDb) is sent by the mobile station 12 to the operator a.
  • Block 314 indicates that, once the message is detected at the operator a, the value of TIDb is saved and a value of RANDea is calculated, here at an AUC (Authentication Center), along with, e.g., values of SRES and Kc. Then, as indicated by the block 316, a new key, SKca, to be used between the user c of the mobile station 12 and the operator 26 is generated.
  • The key is concatenated to TKea, which is executed by way of a one-way algorithm, to generate an output value of SKca.
  • The output value of SKca is used as secret keying material.
  • A message, KEYRAND(RANDea, TIDb, S{RANDea, TIDb}SKca), is sent by the operator a 26 to the mobile station 12.
  • The detected value of TIDb is compared with the value formed thereat, as indicated by the block 322. The values should match.
  • The user c generates a value of SKca, and splits the RANDea value into 128 bit blocks in which each block is executed by an A8, or A3, algorithm. The results are concatenated to TKea which is executed by way of the one-way algorithm.
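
The Figure 5 derivation of SKca and the KEYRAND check at the mobile station, as an added Python example that is not part of the patent text. HMAC-SHA256 truncated to 64 bits stands in for A8, SHA-256 for the one-way algorithm, and an HMAC for the signature S{RANDea, TIDb}SKca; all three are assumptions, since the description names none of them, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 16  # RAND is processed in 128-bit blocks, as in the description

def a8_stand_in(ki: bytes, rand_block: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 replaces the operator-specific A8.
    return hmac.new(ki, rand_block, hashlib.sha256).digest()[:8]

def derive_sk(ki: bytes, rand: bytes) -> bytes:
    """Split RAND into blocks, run each through A8, concatenate to TK, hash."""
    if not rand or len(rand) % BLOCK:
        raise ValueError("RAND must be a whole number of 128-bit blocks")
    tk = b"".join(a8_stand_in(ki, rand[i:i + BLOCK])
                  for i in range(0, len(rand), BLOCK))
    return hashlib.sha256(tk).digest()  # assumption: SHA-256 as one-way algorithm

def sign(sk: bytes, rand: bytes, tid: bytes) -> bytes:
    """Stand-in for S{RAND, TID}SK; RAND is length-prefixed to avoid ambiguity."""
    data = len(rand).to_bytes(2, "big") + rand + tid
    return hmac.new(sk, data, hashlib.sha256).digest()

def operator_keyrand(ki: bytes, tid: bytes, n_blocks: int = 2):
    """Operator side: answer KEYREQ(ID, TID) with KEYRAND(RAND, TID, S{...}SK)."""
    rand = os.urandom(BLOCK * n_blocks)
    sk = derive_sk(ki, rand)
    return {"rand": rand, "tid": tid, "sig": sign(sk, rand, tid)}, sk

def terminal_accept(ki: bytes, my_tid: bytes, msg: dict):
    """Mobile side: compare TID, derive SK from RAND, then verify the signature."""
    if not hmac.compare_digest(msg["tid"], my_tid):
        return None  # not an answer to the KEYREQ this terminal sent
    sk = derive_sk(ki, msg["rand"])
    if not hmac.compare_digest(sign(sk, msg["rand"], msg["tid"]), msg["sig"]):
        return None  # sender does not hold the same Ki, or RAND was altered
    return sk
```

The signature check ties RANDea to the Ki held in the SIM: a KEYRAND whose RAND was altered in transit yields a different SKca at the terminal and is rejected before any key is used.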
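
The two-operator exchange of Figures 4A-4B (messages 228 to 254), as an added Python example that is not part of the patent text. It assumes SKce is the Diffie-Hellman value g^(xy), which the excerpt implies without spelling out; the toy group, the SHA-256 keystream plus HMAC used for E{...}SK, the IP addresses and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions: toy group (Mersenne prime 2**127 - 1, generator 3) in place of GRP,
# far too small for real use; keystream + HMAC in place of the unspecified E{...}SK.
P, G = 2**127 - 1, 3

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for E{fields}key: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(fields).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this hop key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def keyex(pub: int) -> dict:
    # Constructed documentation addresses for users c and e
    return {"GRP": "toy", "pub": pub, "IPc": "192.0.2.12", "IPe": "198.51.100.14"}

def session_key(peer_pub: int, secret: int) -> bytes:
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    return hashlib.sha256(pow(peer_pub, secret, P).to_bytes(16, "big")).digest()

def run_exchange(sk_ca: bytes, sk_ef: bytes):
    y = secrets.randbelow(P - 3) + 2                      # mobile terminal 12, user c
    m228 = seal(sk_ca, keyex(pow(G, y, P)))               # c -> operator a
    rand_af = secrets.token_hex(16)                       # session ID between operators
    m234 = {"RANDaf": rand_af, **unseal(sk_ca, m228)}     # a -> f over the secured link
    m236 = seal(sk_ef, {k: v for k, v in m234.items() if k != "RANDaf"})  # f -> e
    x = secrets.randbelow(P - 3) + 2                      # mobile terminal 14, user e
    sk_e = session_key(unseal(sk_ef, m236)["pub"], x)
    m246 = seal(sk_ef, keyex(pow(G, x, P)))               # e -> operator f
    m252 = {"RANDaf": rand_af, **unseal(sk_ef, m246)}     # f -> a
    m254 = seal(sk_ca, {k: v for k, v in m252.items() if k != "RANDaf"})  # a -> c
    sk_c = session_key(unseal(sk_ca, m254)["pub"], y)
    return sk_c, sk_e, m228, m236
```

Each KEYEX payload is protected only per hop, under SKca or SKef, so both operators handle g^x and g^y in the clear while the exponents x and y stay on the terminals.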

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method (44) and an associated device for exchanging security keys between mobile terminals (12, 14) operable in a GSM cellular system (10) or in another communication system. When implemented in a GSM cellular communication system (10), SIM card information (34, 36) is used to generate keys that are exchanged between the mobile terminals (12, 14) and are then used to secure data to be transmitted between the mobile terminals (12, 14) during a communication session.
EP01912044A 2000-03-15 2001-03-12 Method and associated device for generating security keys in a communication system Withdrawn EP1269783A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US52605000A 2000-03-15 2000-03-15
US526050 2000-03-15
PCT/IB2001/000346 WO2001069838A2 (fr) 2000-03-15 2001-03-12 Method and associated device for generating security keys in a communication system

Publications (1)

Publication Number Publication Date
EP1269783A2 true EP1269783A2 (fr) 2003-01-02

Family

ID=24095720

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01912044A Withdrawn EP1269783A2 (fr) 2000-03-15 2001-03-12 Method and associated device for generating security keys in a communication system

Country Status (3)

Country Link
EP (1) EP1269783A2 (fr)
AU (1) AU4096201A (fr)
WO (1) WO2001069838A2 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7596223B1 (en) * 2000-09-12 2009-09-29 Apple Inc. User control of a secure wireless computer network
US7668315B2 (en) * 2001-01-05 2010-02-23 Qualcomm Incorporated Local authentication of mobile subscribers outside their home systems
EP1504560A4 (fr) * 2002-04-30 2007-11-28 Carl Alko Meijer Method for protecting secret-key cryptographic codes
ATE553610T1 (de) * 2003-12-30 2012-04-15 Telecom Italia Spa Method and system for protecting data, related communication network and computer program product
US8296825B2 (en) 2004-05-31 2012-10-23 Telecom Italia S.P.A. Method and system for a secure connection in communication networks
CN100350816C (zh) * 2005-05-16 2007-11-21 航天科工信息技术研究院 Method for implementing wireless identity authentication and secure data transmission based on a GSM network
KR100682263B1 (ko) 2005-07-19 2007-02-15 에스케이 텔레콤주식회사 System and method for remote authorization authentication using a mobile device
RU2635318C2 (ru) 2012-03-13 2017-11-10 Смит Энд Нефью, Инк. Surgical needle

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6075860A (en) * 1997-02-19 2000-06-13 3Com Corporation Apparatus and method for authentication and encryption of a remote terminal over a wireless link
SE519474C2 (sv) * 1998-04-28 2003-03-04 Telia Ab Method of transmitting data over a cellular mobile radio communication system
FI105966B (fi) * 1998-07-07 2000-10-31 Nokia Networks Oy Authentication in a telecommunications network
GB9903124D0 (en) * 1999-02-11 1999-04-07 Nokia Telecommunications Oy An authentication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0169838A2 *

Also Published As

Publication number Publication date
WO2001069838A3 (fr) 2002-03-14
AU4096201A (en) 2001-09-24
WO2001069838A2 (fr) 2001-09-20

Similar Documents

Publication Publication Date Title
EP0841770B1 (fr) Method for transmitting a secure message in a telecommunications system
JP4634612B2 (ja) Improved subscriber authentication protocol
CN101822082B (zh) Techniques for secure channelization between a UICC and a terminal
US8861730B2 (en) Arranging data ciphering in a wireless telecommunication system
JP4866909B2 (ja) Shared key encryption using a long keypad
Lee et al. Enhanced privacy and authentication for the global system for mobile communications
US7937585B2 (en) Systems and methods for providing security to different functions
US5915021A (en) Method for secure communications in a telecommunications system
EP1001570A2 (fr) Efficient authentication with key update
US5455863A (en) Method and apparatus for efficient real-time authentication and encryption in a communication system
CN108683510B (zh) Method for updating a user identity with encrypted transmission
US8792641B2 (en) Secure wireless communication
CA2377292C (fr) System and method for establishing protected communications between wireless units using a common key
EP1976322A1 (fr) Authentication method
US20130007457A1 (en) Exchange of key material
CN1929371B (zh) Method for negotiating a shared key between a user and a peripheral device
CA2314303A1 (fr) Method and apparatus for performing a key update using bidirectional validation
CN101917711A (zh) Mobile communication system and method for encrypting its voice calls
EP1269783A2 (fr) Method and associated device for generating security keys in a communication system
US7200750B1 (en) Method for distributing encryption keys for an overlay data network
EP1658701B1 (fr) Method, system and mobile station for establishing a VPN connection
Preneel Mobile and Wireless Communications Security
Seys et al. Security in Wireless PAN Mesh Networks
Kranakis et al. Mobile and wireless communications security1
Wiig Gateway security between Bluetooth and GSM/GPRS

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021011

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: KUIKKA, ANTTI

Inventor name: HONKANEN, JUKKA-PEKKA

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20051001