FI121256B - Transport of subscriber identity information - Google Patents

Description

Transport of subscriber identity information

FIELD OF THE INVENTION

The present invention relates to telecommunication and in particular to a method for transporting subscriber identity information and a corresponding network element, user terminal and computer program product in a telecommunication system.

BACKGROUND OF THE INVENTION

In order to use the services of the computer system, the subscriber needs a user terminal and a subscriber interface. Services such as bidirectional messaging-10 are only available to the user after the system has authenticated the combination of the user terminal and the user subscriber interface.

Depending on the technology applied, the introduction of a subscriber interface into a subscriber terminal may be implemented in different ways. In most public mobile networks, subscriber information is configured in a detachable subscriber identity unit. The combination of the user terminal and the subscriber ID is transmitted through a specific signaling procedure of the switching and management structure (SwMI). In some other technologies, such as Terrestrial Trunked Radio (TETFIA), the subscriber identity can also be stored in the user terminal itself. Typically, the implementation of a user terminal is two-fold. The manufacturer provides 20 user terminals with a terminal ID and a secret key, and the combination of the key and the terminal ID is provided in a secure manner to SwMI. The network operator receives the terminal identifier, assigns it to at least one individual subscriber identifier, and forwards the secret key and subscriber identifier combination to SwMk in a secure manner. SwMI combines this information into 25 complete subscriber information and activates the subscriber interface so that services can be used with this particular combination of user terminal and subscriber identifier.

However, there are some problems with this arrangement. In some specific group configurations, the number of numbers available is not enough for all 30 potential users. For example, if automated vehicle tracking systems track a large number of vehicles, the number of digits will not easily be sufficient for this purpose. It should be possible to re-use numbers, but this is not possible because the implementation and release of individual subscriber codes is far too slow and cumbersome.

2

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a method and apparatus for implementing the method to alleviate the above problem. The objects of the invention are achieved by a method, a user terminal, a network test element, a communication system and a computer program product characterized by what is stated in the independent claims. Preferred embodiments of the invention are described in the dependent claims.

The invention is based on the idea of enabling dynamic delivery of a subscriber ID from a switching and management structure to a user terminal 10 included in the payload of a message. Note that a user terminal configured with a group identifier can monitor and receive some downlink messages even though the user terminal is not registered and thus does not have full access to the system services. A payload is provided with a mechanism by which a given user terminal can independently determine that a message received through a 15 group address is directly addressed to it. When this particular UE detects such a message, it takes the subscriber ID for its own use and registers with the system. Typically, registration requires successful authentication, providing an additional security measure to the procedure. Similarly, the use of the received subscriber ID 20 may be terminated by a payload command in the short message delivered to the unique subscriber ID of the UE.

An advantage of the method and arrangement of the invention is that it enables the fast and efficient utilization of subscriber identifiers without requiring substantial changes to the existing radio interface. Other advantages are discussed in more detail in connection with the description of preferred embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described in more detail by means of preferred embodiments with reference to the accompanying drawings, in which: Figure 1 shows the main elements of a radio system used as an embodiment;

Figures 2A and 2B illustrate a reference structure of an apparatus for a user terminal and a switching and control structure element used in an embodiment;

Figure 3 illustrates an embodiment of a method for a user terminal; 3

Figure 4 illustrates another method used for the user terminal in another embodiment;

Figure 5 illustrates a preferred embodiment for terminating a unique user ID; Figure 6 illustrates an embodiment of a method for a switching and control structure (SwMI) element;

Figure 7 illustrates another method used for a switching and control structure (SwMI) element in another embodiment;

Figure 8 illustrates an additional embodiment for optimizing the use of 10 main control channel resources;

Figure 9 illustrates an additional embodiment for optimizing the power consumption of a user terminal.

DETAILED DESCRIPTION OF THE INVENTION

It should be noted that the following embodiments are exemplary of 15. In addition, while the specification may refer to "one" embodiment or "some" embodiments at different points, the reference may not necessarily refer to the same embodiment, or the characteristic in question is not related to a single embodiment. The individual features of the various embodiments may be combined to provide additional embodiments.

The invention will now be described using TETRA air interface terms and elements as defined in European Telecommunication Standards ETSI EN 300 392-2; European Standard (Telecommunications series); Terrestrial Trunked Radio (TETRA); Voice plus Data (V + D); Part 2: Air Interface (Al), and ETSI EN 300 392-7; European Standard 25 (Telecommunications series); Terrestrial Trunked Radio (TETRA); Voice plus Data (V + D); Part 7: Security, but not limited to this one radio system technology. The present invention is applicable to any communication technology in which the objects of telecommunication service functions are identified on the basis of unique subscriber identities.

Figure 1 provides a simplified representation of the TETRA radio system 10 used as an embodiment. The radio system 100 comprises a switching and control structure (SwMI) 102 and a mobile station (MS) 104. The SwMI 102 is a device for voice and data (V + D). for enabling the user terminals to communicate with each other. In Figure 1, SwMI comprises 35 single digital exchanges (DXT) 104 and base station (TBS) 108, but in actual implementations, the number of elements and their interconnections may vary greatly according to the implementation.

From the subscriber terminals, the mobile station (MS) 104 is arranged to use SwMI via the air interface 110. Another type of subscriber terminal 5, a workstation 112, communicates with SwMI 102 via a workstation interface 114, where the connection is provided using, for example, E1, ISDN, BA or IP protocols. In practice, the radio system may comprise a plurality of on-call workstations 112 and corresponding different types of interfaces 114. In addition, SwMI comprises an interface 116 for interfacing with other networks such as PSTN, GSM, WCDMA, traditional analog, LAN, WAN and the like. The protocols associated with the various interfaces are implementation-specific arrangements and are known in the art.

2A and 2B are block diagrams showing reference hardware structures of a user terminal and network element used as an embodiment of the invention. An embodiment of the user terminal is a mobile station capable of performing TETRA air interface determinations. The mobile station of FIG. 2A comprises a processor unit 202 for systematically performing operations on received and / or stored information. The processor unit 202 is a central element which essentially comprises an arithmetic logic unit, a plurality of special registers and control circuits. Functions implemented in processor unit 202 typically include, for example: encoding, reordering, interleaving, editing, channel multiplexing, and burst building.

The mobile station further comprises a memory unit 203, a medium on which machine-coded data or programs or user data can be stored. The travel-25 message further comprises a transceiver unit 204 which includes at least a transmitter 205 and a receiver 206. The transmitter 205 receives a bit stream from the processor unit 202 and converts it into a radio signal for transmission by an antenna 207. Similarly, the radio signals received by the antenna 207 are led to a receiver 206, which converts the radio signal into a bit stream, which is transmitted for further processing to the processor unit 202.

The mobile station may comprise an interface unit 201 provided with at least one input unit 208 for supplying information for internal processing in the mobile station and an output unit 209 for providing information on the internal processes of the mobile station. Said interface unit may comprise interfaces to an integrated, connected or connectable mobile station in hardware. Examples of such include automatic vehicle control systems, and positioning systems, as well as 5 user interface elements such as a keyboard, display, touch screen, microphone, loudspeaker and the like.

The processor unit 202, the memory unit 203, the interface unit 201, and the transceiver unit 204 are electrically connected to each other to enable systematic performance of the functions applied to the received 5 and / or stored information according to predetermined, substantially programmed processes in the unit. In the solutions according to the invention, the operations comprise the functions of the user terminal in the delivery of unique subscriber identities. These functions are described in more detail in Figures 3-5. FIG. 10A shows logical components of a user terminal, and the referenced means may comprise the functionality of one of the presented units or may be implemented in combination of the functions of the presented units.

As an embodiment of the network element of Figure 2B, a switching and control structure (SwMI) element is used, comprising a processor unit 251, an element 15 including at least an arithmetic logic unit, a plurality of special registers and control circuits. A memory unit 252 is associated with the processor unit for systematically performing functions on the received and / or stored information. The processor unit 202 is a central element which essentially comprises a medium on which machine-coded data or programs or user information 20 can be stored. The SwMI element further comprises an interface block 253 having an input unit 254 for input of information for internal processing in the mobile station and an output unit 255 for providing information on the internal processes of the mobile station. Examples of said interface unit include a plug-in unit that serves as a gateway for information supplied to its external access points. Examples of said output unit include a holding unit which supplies information to conductors connected to its external access points.

The processor unit 251, the memory unit 252, and the access unit 253, are electrically interconnected to enable systematic performance of operations on the received and / or stored information in accordance with predetermined programmed processes of a substantially switching and control element. These functions are described in more detail in Figures 6-7. Figure 2A illustrates logical components of a user terminal, and the referenced means may comprise the functionality of one of the presented units or may be implemented in combination of the functions of the presented units.

35 The functions described below can be implemented using the elements shown in various ways. For example, the functions of the user terminal and the switching and control element can be implemented by hardware (one or more devices), micro-software (one or more devices), software (one or more modules), or combinations thereof. For hardware implementation, the processor units may be implemented with one or more application-specific integrated circuits (ASICs), digital signal processors (DSP), digital signal processor devices (DSPD), programmable logic devices (PLD), programmable gate arrays (FPGAs), controllers, , microprocessors, other electronic devices designed to perform the functions described herein, or any combination thereof. In the case of micro-10 programs or software, implementation may be accomplished by modules (e.g., procedures, functions, etc.) that perform the functions described herein. The software codes can be stored in a memory unit and executed by a process unit. The memory unit may be implemented inside or outside the processor, in which case it is communicatively connected to the processor in various ways known in the art. Further, the components of the systems described herein may be rearranged and / or supplemented with additional components to achieve various aspects, objectives, advantages, etc., as described herein, and are not limited to the structures described in Figure 2, which will be appreciated by one skilled in the art.

The flowchart of Figure 3 illustrates a method according to the invention, the steps corresponding to an embodiment for the user terminal. The embodiment is illustrated by a TETRA user terminal, without limiting the scope of protection to the terms and mechanisms of this exemplary communication technology. The method begins when the user terminal is ready for use and deployed on a TETRA network. In step 30, the user terminal is provided with a stored element that the user terminal can use to verify that the message it has received through a particular subscriber address is addressed to it and has the right to access the contents of the message. In the first basic embodiment, the received element is implemented using the device-30 identifier.

In TETRA systems, a TETRA device identifier (TEI) is typically an electronic serial number permanently associated with a TETRA device and uniquely identifying the device, either one mobile terminal or one network terminal. The TEI is typically used in 35 disabling / commissioning procedures. The stored element of step 30 is referred to as the device identifier TEIS to indicate that it is an identifier 7 that identifies a particular terminal and is stored in the user terminal.

In step 31, the user terminal is configured with the group identifier GSSI1, which enables the terminal to receive specific messages 5 over a TETRA network. TETRA systems have two sizes of subscriber identifiers, a TETRA subscriber identifier (TSI) of 48 bits and a short subscriber identifier (SSI) of 24 bits. The SSI is typically truncated from the TSI. TSI is unique in the entire TETRA domain, SSI need only be unique in one TETRA sub-domain. Typically, the TETRA-10 terminal includes at least one TSI family. Each family contains one unique TETRA ID (ITSI) and can have one TETRA alias (ATSI) and multiple TETRA group IDs (GTSI). In the present embodiment, the user terminal is configured with a GTSI from which GSSI is cut off. Reference is made below to GSSI, but it will be apparent to one skilled in the art that either GTSI or GSSI can be utilized without departing from the scope of the rat-15.

The messages available through the group ID include, for example, short messages and broadcast messages. The following is a detailed description of an embodiment that utilizes the TETRA Short Message Service. 20 It should be noted that other messaging mechanisms capable of transmitting downlink messages may be used without departing from the scope of protection.

TETRA Short Message Service (SDS) is a fast service that allows users to exchange short user-defined messages or short pre-defined messages. The message can be sent or received with the rin-25 coaxial voice call. To provide fast service, the SDS message is transported in a single uplink message, or included in one, for example, one transmission unit. Usually, SDS transport uses a random access procedure. The SDS service includes point-to-point and multi-point capabilities and can use short number assignment (SNA), full 30 TETRA subscriber identity (ITSI / GTSI) and short code (SSI) assignment, or even an external subscriber number. In the embodiment used in the solution, the target address used for the SDS part is SSI, so here GSSI.

In order to register with the TETRA system and perform both uplink and downlink communications, the user terminal requires a unique subscriber ID successfully registered with SwMI. In order to receive the SDS message, the user terminal does not need to be registered in the TETRA system, it only needs to be able to receive transmissions of relevant control channels used for SDS transmissions. Thus, in the example of Figure 3, the user terminal configured for GSSI1 enters a monitoring mode where it monitors (step 32) the Master Control Channel (MCCH) transmissions and is able to detect and receive the short message addressed to GSSI1. The short message comprises a received element which the user terminal may use to verify that the message it has received via GSSI1 is addressed to it and has the right to utilize the contents of the message. In addition, the short message comprises a unique subscriber ID ISSI2. 10 In the exemplary embodiment, this received element is the TEIr, the device identifier included in the payload of the short message addressed to GSSI1 by SwMI. Thus, when the short message is received (step 33), the user terminal reads (step 34) and extracts the received TE1r from the short message. In this basic embodiment, the mechanism for verifying the right to use the content is implemented by comparing (TE 35) the stored element TEIS with the received TE1r. If the elements do not match (step 36), the user terminal ignores the short message and returns to step 32 to monitor the additional short messages via GSSI1. If the elements match (step 36), the user terminal extracts the unique subscriber identity ISSI2 from the 20 short messages and configures (step 37) the IS-SI2 to use it as its own unique subscriber identity. By doing this, the user terminal can function as a mobile station, which includes both a device providing the necessary functions for accessing access protocols and a subscriber interface providing access from SwMI. In step 38, the mobile station registers 25 to the TETRA system in a conventional manner using ISSI2, thereby being able to access the services of the TETRA network according to the rights assigned to ISSI2. Typically, the registration includes authentication, which provides one additional element to verify that the unique subscriber number is only used by a duly authorized user terminal.

A further aspect of the previous embodiment is an arrangement in which a plurality of group addresses are configured in the user terminal and the user terminal is configured to monitor receipt of short messages (steps 32, 33) with all stored GSSs.

The procedure described allows for a single TETRA subscriber ID without substantially altering existing TETRA air interface specifications. Instead of manually transporting the user terminal to the deployment center, the required functionality for deploying a unique subscriber identity to the system can be implemented over the air interface and without a previously assigned unique subscriber identity, saving time and feasibility even with a limited selection of unique subscriber identities. The necessary information is provided in the payload of the short message so that the mechanism can be implemented transparently over SwMI elements other than SwMI subscriber control elements and the user terminal. Such subscriber control elements include at least the units that implement the operational management of TETRA, such as the workstation workstations and the user-server 10 server systems.

It should be noted that although the embodiment illustrates the transmission of a short message on a TETRA master control channel, the invention is not limited to the use of a master control channel. It will be apparent to one skilled in the art that any physical and logical channel capable of transmitting short-message messages with a variable payload and which can be received by the user terminal via a group identifier can be used without departing from the scope.

Figure 4 shows another embodiment of the solution of Figure 3. In the method of Figure 4, the security of the delivery of the unique subscriber ID has been improved by using encryption. In step 40, an encryption mechanism is provided to the user terminal configu-20 by means of which the encrypted message can be exchanged between the SwMI subscriber control unit and the user terminal. In the exemplary embodiment of Figure 4, the encryption mechanism comprises an encryption algorithm and an encryption key configured in the user terminal. It will be clear to one skilled in the art that the respective subscriber control unit in SwMI must use 25 corresponding encryption algorithms. The encryption used within the protection circuit may be symmetric or asymmetric. In symmetric encryption, the parties show information about encrypted information that the parties know but which is not readily available to or deduced by third parties. In asymmetric encryption, data encryption and encryption pur-30 moon use public-private key pairs. In the embodiment of Figure 4, symmetric encryption is used. This means that the user terminal is configured with an encryption algorithm and a secret key K. The secret key K can be, for example, an authentication key for the TETRA air interface of the user equipment. However, the delivery of the TETRA air interface authentication key is very precisely controlled, and thus some applications may use a different key, for example another key dedicated to this purpose, to allow easier operations for the subscriber management.

Steps 41 for configuring GSSi1, 42 for monitoring GSSI1 messages, and 43 for detecting received short messages correspond to steps 31, 32, and 33 of Figure 3. In this embodiment, the payload of the short messages 5 is encrypted such that the encryption algorithm and encryption key stored in the user terminal a combination. In principle, the encryption could be static so that the encryption key itself is used in all encryption between the SwMI element and the user terminal. In the embodiment of Figure 4, the procedure is further improved by allowing the user-10 device to verify that information indicating information has not been produced by recording and repeating previous communication events of the message. This is accomplished by transmitting only a random number RN1 over the air interface, which is new in each communication event.

The SwMI unit that sends the message generates a random number RN1, 15 and feeds it to the encryption algorithm with the secret key of the user terminal. The algorithm obtains a one-time identifier KS which it uses to encrypt the portion of the short message that is deemed necessary to be encrypted. When the user terminal detects the received short message in step 43, it extracts (step 44) a random number that may be included in the code in the short message, determines by using a random number, an encryption algorithm and an encryption key a one-time KS (step 45) part of the payload of the short message. In this embodiment, the mechanism for verifying the legitimacy of the use of the message content is based on the success or failure of the decryption step. The UE checks (step 25 47) whether or not the decryption was successful. In the event of a failure, the procedure proceeds to step 42 to monitor short messages to the GSSI1. If the message is successfully decrypted by a one-time ID generated from a random number using a unique encryption key of the user terminal, the user terminal may be sure that the message was intended for it and use it according to a predetermined procedure. In this embodiment, the procedure comprises configuring the user terminal to use the unique subscriber identity ISSI2 (step 48) and register (step 49) as a mobile station capable of bidirectional communication. Registration includes authentication, which provides one additional element to verify that the 35 unique subscriber IDs are only used by a duly authorized user terminal.

11

The embodiment of Figure 4 provides the advantages of the embodiment illustrated in Figure 3 and further enhances the security of the procedure. It will be apparent to one skilled in the art that the embodiments of Figures 3 and 4 may be used alone or in combination. For example, a procedure for transferring a single subscriber interface 5 over an air interface could comprise both identifying the recipient at the TE and verifying the authentication by decrypting a specific portion of the message using a unique secret key stored in the user terminal.

Figure 5 shows a preferred embodiment for discontinuing the use of a unique subscriber ID. FIG. 5 begins as a continuation of the procedures of FIGS. 3 or 4, or a combination thereof 10, in a situation where the user terminal is configured with ISSI2 and functions like a mobile station in a TETRA network. During its normal operation, the user terminal routinely monitors (step 51) short messages addressed to the ISSI2 from the MCCH. When the user terminal according to the invention detects the received short message (step 52), it reads the payload of the message (step 53) and checks (step 54) whether this includes a termination request to stop using ISSI2. If no such message is detected (step 55), the user terminal returns to step 51 to monitor incoming short messages. If a message containing a stop request is detected (step 55), the user terminal deactivates ISSI2 (step 56) and enters monitoring mode 20 to monitor incoming short messages addressed to group identifier GSSI1 dedicated to transporting individual subscriber connections over the air interface.

Fig. 6 is a flowchart showing a method according to the invention, with steps corresponding to an embodiment for a switching and control structure (SwMI) element-25. An example of a SwMI element is the TETRA SvvMI element, which comprises an application for managing individual subscriber interfaces, at least for individual subscriber interfaces that can be transmitted over the air interface. In step 60, the SwMI element in is configured with at least one group identifier GSSI1 that can be used to provide unique subscriber identities. In step 61, the 30 SwMI element is ready for unique subscriber ID requests. The request may come, for example, through a user interface from the SwMI element operator, or through a network interface from an authorized remote access point. If such a request is detected (step 62), the SwMI element produces a message addressed to GSSI1 and carrying a unique subscriber ID ISSI2 in its payload. As in the embodiment of Fig. 3, a device identifier TEIr is included within the payload, by means of which the user terminal can verify that the 12 messages are individually addressed to it and is requested to use the unique identifier included in the message. After transmitting (step 63) the message, the SwMI element begins to monitor (step 64) through the system whether a mobile station using ISSI2 which it transmitted in 5 short messages is registered in the system. The monitoring can be implemented, for example, as a repeated query from the home location register, sent when location registration is received. When the SwMI element receives a location registration notification, or a location registration attempt (step 65), it activates ISSI2 and thus enables bidirectional communication using ISSI2. The registration includes authentication-10, which provides an additional element to ensure that the unique subscriber identity is used only by a duly authorized user terminal.

The flowchart of Figure 7 illustrates another embodiment of the solution of Figure 6. In the method of Figure 7, the delivery of the unique subscriber ID is again improved by using encryption. Steps 700 to configure GSSI1, 710 to monitor a unique subscriber ID request, and 720 to detect a request correspond to steps 60-62 of Figure 6. As in the embodiment of Figure 6, in this embodiment, the payload of the short message is encrypted such that it can only be decrypted by a combination of an encryption algorithm and an encryption key stored in the user terminal. The encryption is again based on a random number 20 RN1, which is new for each communication instance and can be delivered to the user terminal in the TETRA code.

The SvvMI element has a user device secret key or has access to another SwMI, for example a trusted party, to which it can send a payload with a random number seed used for encryption. Thus, the SwMI element generates a random number RN1 and, either itself or subcontracted to another element, feeds the RN1 into the encryption algorithm with the secret key of the destination user terminal. The algorithm provides a one-time identifier KS, (step 725). This one-time identifier is used to encrypt (step 730) the portion of the short message whose encrypted transport is deemed necessary. The SvvMI unit 30 addresses the short message to GSSI1 and sends it (step 735) as a regular group addressed short message over the radio interface. When transmitting a short message, the SwMI element may also trigger (step 740) a timer TIM, which measures the time from sending the short message to GSSI1 to a possible response of the user terminal. Thus, as in the embodiment of Figure 6, the SwMI-35 element begins to monitor (step 745) through the system whether the mobile station is registered to the system, for example, by performing a location update 13 using ISSI2. If the timer is exceeded (step 750) before the user terminal registers using ISSI2, delivery is considered unsuccessful and the SwMI element goes back to step 710 to monitor additional requests. If a location update using ISSI2 is received (step 755) before the timer 5 is exceeded, the SwMI element activates (step 760) ISSI2, which allows the user terminal to be used as a mobile station capable of bidirectional communication according to the authority granted to ISSI2.

It will be apparent to one skilled in the art that the elements of the embodiments of Figures 6 and 7 may also be used individually or in combination. For example, Figure 10 has 6 procedures that can be completed with a timer. Also, the delivery of the unique subscriber identity over the air interface may comprise both identification of the recipient by the TE and authentication by decrypting a portion of the message using the unique subscriber identity stored in the user terminal. In addition, the TEI can also be used to complete the procedure in other ways, such as providing a checksum for encryption. The realization of the termination of the use of an individual status code in the payload of a short message is obvious to one skilled in the art from the description of the corresponding function, which embodiment is a user terminal.

In the embodiments described, the group identifier is used as the subscriber identifier for receiving the short message. This is an advantageous arrangement for the main control channel because in this way a payload with variable contents can be delivered to multiple potential recipients sharing a radio resource. However, one of ordinary skill in the art will appreciate that a predefined subscriber ID can be used without departing from the scope of protection, including the unique subscriber ID configurable. For example, a first unique subscriber identifier can be configured in a plurality of user terminals, and all such user terminals monitor short messages addressed to that particular unique subscriber identity. After receiving the short message and adopting the second unique subscriber ID, they deactivate the first 30 unique subscriber identifiers.

Figure 8 illustrates an additional embodiment designed to optimize the use of a master control channel resource in delivering a unique subscriber identity. The total coverage area of the system can be divided into more than one sub-area (SA), each associated with a different GSSIx, through which a new 35 unique subscriber ID can be delivered. In the example of Figure 8, the total coverage area 80 is divided into three sub-areas SA1 81, SA2 82, SA3 83, whereby 14 group addresses for providing unique subscriber identifiers are GSSI1, GSSI2, GSSI3, respectively. In the embodiment of the system, at least two but preferably all of the above group addresses GSSI1, GSSI2, and GSSI3 are provided to the user terminals designed to use the unique subscriber identity transport method described herein. An operator that manages a pool of allocated unique subscriber identities usually has some information about the probabilities of locating a particular user terminal in a particular domain. For example, the operator may identify the user terminal as a city set and thus can well assume that the potential-10 domain for reaching the user terminal is SA2, which respectively covers the city center. According to the invention, the operator first attempts to provide a dynamic unique subscriber ID in a short message addressed to GSSI2, respectively, and delivered only in sub-domain SA2. As illustrated in the embodiment of Figure 7, the operator may wait for the location of the destination user-terminal 15 to register, for example, until the timer is exceeded, and then move to attempt to deliver a dynamic unique subscriber ID addressed to another group ID and another domain. Preferably, the second choice is the one with the second highest likelihood of reaching the target user terminal. The procedure can be continued by moving to less probable sections or until all sections have been attempted. This sectorial delivery optimizes the use of the main control channel resource. A master control channel is a critical but easily congested resource that typically needs to be optimized for use in all contexts.

Figure 9 illustrates a further embodiment of the invention in which the power consumption of the user terminal-25 device in the monitoring mode is optimized without compromising the speed of the method of the invention in providing dynamic unique subscriber identities. FIG. 9 illustrates successive downlink frames F1, F2 ..... F3 of the radio interface used in the embodiment and the corresponding power consumption level in the receiver of the user terminal. The power levels illustrated are 0 30 and P, where 0 represents the sleep mode with the receiver substantially off; when the receiver is operational and capable of receiving transmissions from SvvMl.lt. Each of these frames comprises a time slot (denoted by X) on which the control channel through which the delivery of the dynamic unique subscriber identity is implemented is described. In the previous examples of the TET-35 RA system, each TETRA air interface frame comprises a main control channel that the user terminal listens to.

15

While one of the objectives of the method of the invention is to achieve rapid dynamic unique subscriber identity configuration, some delay in delivery of the unique subscriber identity code may be tolerated to provide user equipment with longer standby periods, i.e., duty cycles without the ability to charge batteries. It has been found that the cycles of TETRA frames are so fast that some frames can be lost and yet the delivery time is significantly better than conventional methods. FIG. 9 illustrates an arrangement in which delivery of short messages carrying a dynamic unique subscriber identity is arranged in predetermined frames F1, 10 F4, ... In FIG. 9, time slots arranged for a control channel, and especially for a short message carrying a dynamic unique subscriber identity, time slots for short messages carrying a dynamic unique subscriber ID are denoted by a standard X. Similarly, the user terminal, which is in monitoring mode and operates only in the downlink direction, is configured to operate the receiver at power level P.

It will be obvious to a person skilled in the art that as technology advances, the basic idea of the invention can be implemented in many different ways. The invention and its embodiments are thus not limited to the examples described above, but may vary within the scope of the claims.

Claims (49)

A method for a user terminal (104), characterized by configuring (32) a monitoring mode in the user terminal such that in the monitoring mode the user terminal is able to receive downlink 5 messages via a group identifier but is unable to communicate with the uplink switching and management structure; receiving (33) in the user terminal a message available using the group ID; determining (34) a unique subscriber identity from the payload of the message, and authentication means for verifying the use of the unique subscriber identity of the user terminal; verifying (35) the right of the user terminal to use the unique subscriber ID with the authentication means provided in the message; in response to a successful authentication, (37) providing a unique ti-15 extension ID to the user terminal. A method according to claim 1, characterized by storing (30) a terminal identity stored in the user terminal; Receiving (34) a terminal identifier received in the payload of the message; verifying (35, 36) the right of the subscriber to use the unique subscriber identifier successfully when the stored terminal identifier and the received terminal identifier correspond. A method according to claim 1 or 2, characterized by receiving (43) a message encrypting at least a portion of the payload comprising a unique subscriber identity; attempting (46) to decrypt the encrypted portion of the payload; 30 verifying (47, 48) the subscriber's right to use the unique subscriber ID successfully when the decryption of the encrypted part is successful. The method of claim 3, characterized by storing (40) an encryption algorithm stored in the user terminal and a stored encryption key; attempting to decrypt the encrypted part of the payload with the stored encryption algorithm and using the stored encryption key. A method according to claim 4, characterized by: calculating (45) a one-time identifier with the stored encryption algorithm and the stored key; an attempt is made to decrypt the encrypted part of the payload using the calculated multiple ID. A method according to claim 4 or 5, characterized in that an air interface interface encryption key of the user terminal is used as the stored encryption key. A method according to claim 4 or 5, characterized in that the encryption key which is not the air terminal encryption key of the user terminal is used as the stored encryption key. A method according to claim 7, characterized in that a public key of the user terminal is used as a stored encryption key, which can be utilized in an asymmetric encryption algorithm between the user terminal and the switching and management structure responsible for the unique subscriber identities. A method according to claim 1, characterized in that a message is received in a control channel carried over a predetermined time interval of successive air interface frames; switching the user terminal to sleep mode for 25 time intervals between defined time slots. The method of claim 1, characterized by receiving (52) a request to deactivate the unique subscriber identifier in the payload of the short message assigned to the unique subscriber identifier; 30 deactivating (56) the unique subscriber ID in the user terminal. Method according to one of Claims 1 to 10, characterized in that the message is a short message addressed to a group ID or a broadcast message accessible by using a group ID. A method of a network element (112) comprising: configuring more than one group identifier (GSSI1, GSSI2, GSSI3) in the network element, each group identifier corresponding to a separate geographical area (SA1, SA2, SA3); generating (63) a message accessible to the user terminals using the first group identifier, the payload of the message comprising a unique subscriber identity (ISSI2), and providing authentication means for verifying the use of the unique subscriber identity of the user terminal; waiting for a response from a specific user terminal for a specified period of time; transmitting a message addressed to the second group identifier (GSSI2) carrying the unique subscriber identifier (ISSI2) in response to the failure to receive a response from the specified user terminal within the specified time period. The method of claim 12, characterized by receiving (65) a message from the user terminal that has verified its right to use the unique subscriber ID; activating (66) a unique subscriber ID in response to receiving the message. A method according to claim 12, characterized in that at least part of the payload comprising the unique subscriber ID is encrypted (730). A method according to claim 14, characterized in storing in the network element the encryption algorithm and the encryption key of the destination user terminal; 25 encrypts the part of the payload that comprises a unique subscriber ID by the stored encryption algorithm of the destination user terminal and using the stored encryption key. A method according to claim 15, characterized by calculating (725) a one-time code with the stored encryption algorithm and the stored key; encrypting that part of the payload comprising the unique subscriber ID using the calculated one-time ID. 17. A method according to claim 15 or 16, characterized in that the user interface air interface encryption key is used as the stored encryption key. A method according to claim 15 or 16, characterized in that an encryption key which is not an air interface encryption key of the user terminal is used as the stored encryption key. A method according to claim 18, characterized in that the public key of the user terminal is used as the encryption key, which can be utilized in an asymmetric encryption algorithm between the user terminal and the network element. A method according to claim 12, characterized by assigning to the group identifiers the probability that the user is located in the geographical area corresponding to the group identifier; sending messages to group IDs in a probabilistic order. A method according to claim 12, characterized in that a message is transmitted in a control channel carried over a predetermined time interval of successive air interface frames. A method according to claim 12, characterized by sending a request to deactivate the unique subscriber identifier in the payload of the short message addressed to the unique subscriber identifier. A method according to any one of claims 12 to 22, characterized in that the message is a short message addressed to a group ID or a broadcast message accessible by using a group ID. 25 A user terminal (104), characterized in that the user terminal is configured with a monitoring mode such that in the monitoring mode the user terminal is able to receive downlink messages via the group identifier but is unable to communicate the uplink with the switching and management structure. 204) using a group ID to receive an available message; and processing means (202) for determining a unique subscriber identity from the payload of the message and authentication means for verifying the use of the unique subscriber identity of the user terminal; The processor means (202) further being adapted to verify the user terminal's right to use the unique subscriber identity with the authentication means provided in the message; in response to successful authentication to enable a unique status token. A user terminal according to claim 24, characterized by memory means (203) comprising a stored terminal identifier; the processor means (202) being adapted to determine the received terminal identifier from the message payload and to verify the right of the subscriber to use the unique subscriber identifier when the stored terminal identifier and the received terminal identifier correspond. The user terminal of claim 24, characterized in that the processor means (202) is adapted to receive the message by encrypting at least a portion of the payload comprising a unique subscriber ID; attempting to decrypt the encrypted part of the payload; to verify the Subscriber's right to use the unique Subscriber Identity when the decrypted part is successfully decrypted. The user terminal (104) of claim 26, characterized by memory means (203) for storing a stored encryption algorithm and a stored encryption key; the processor means (202) being adapted to attempt to decrypt the encrypted portion of the payload by a stored encryption algorithm and using the stored encryption key. The user terminal of claim 26 or 27, characterized in that the processor means (202) is adapted to compute a one-time ID by the stored encryption algorithm and the stored encryption key; 30 attempt to decrypt the encrypted part of the payload using a calculated one-time ID. A user terminal according to claim 26 or 27, characterized in that the stored encryption key is an air interface encryption key of the user terminal. The user terminal of claim 26 or 27, characterized in that the stored encryption key is not an air interface encryption key of the user terminal. 31. The user terminal of claim 30, characterized in that the stored encryption key is a public key of the user terminal available in an asymmetric encryption algorithm utilized between the user terminal and the switching and management structure responsible for the unique subscriber identities. The user terminal of claim 24, characterized in that the interface means (204) is arranged to receive the message in a control channel carried over a defined time interval of the successive air interface frames; and the connecting means (204) is arranged to sleep in periods of time between defined time slots. The user terminal of claim 24, characterized in that the interface means (204) is arranged to receive a request to deactivate the unique subscriber ID in the payload of the short message assigned to the unique subscriber ID; the processor means (202) being arranged to deactivate the unique ti-20 wide identifier in the user terminal. A user terminal according to any one of claims 24 to 33, characterized in that the message is a short message addressed to a group ID or a broadcast message accessible by using a group ID. 35. A network element (112), characterized in that the network element comprises: processor means (251) for generating a message accessible to the user terminals using the group identifier, the payload of the message comprising a unique subscriber identifier, and verification; interface means (253) for transmitting the generated message to a specified group ID; memory means (252) comprising more than one group-35 identifier, each group identifier corresponding to a separate geographical area; the processor means (251) being adapted to send to the first group identifier a message including a unique subscriber identifier; wait for a response from a specific user terminal for a specified period of time; 5, to send a message addressed to the second group ID carrying the unique subscriber ID in response to the failure to receive a response from the designated user terminal within a specified period of time. A network element according to claim 35, characterized in that the interface means (253) is arranged to receive a message from a user terminal that has verified its right to use a unique subscriber identity; the processor means (251) being arranged to activate a unique state identifier in response to receiving the message. The network element of claim 35, characterized in that the processor means (251) is arranged to encrypt at least a portion of the payload comprising a unique subscriber identity. A network element according to claim 37, characterized in that the memory means (252) is arranged to store in the network element the encryption algorithm and the encryption key of the destination user terminal; the processor means (251) being arranged to encrypt the part of the payload that comprises a unique subscriber identity with the stored encryption algorithm of the destination user terminal and using the stored encryption key. A network element according to claim 38, characterized in that the processor means (251) is arranged to compute a one-time ID by the stored encryption algorithm and the stored encryption key; encrypting that part of the payload comprising the unique subscriber ID using the calculated one-time ID. A network element according to claim 38 or 39, characterized in that the encryption key is an encryption key for the user terminal air interface. A network element according to claim 38 or 39, characterized in that the encryption key is an encryption key which is not an air interface encryption key of the user terminal. A network element (112) according to claim 41, characterized in that the encryption key is a public key of the user terminal, which can be utilized in an asymmetric encryption algorithm between the user terminal and the network element. 43. A network element according to claim 35, characterized in that the processor means is arranged to determine, for group IDs, the probability that the user is located in the geographical area corresponding to the group ID; send messages to group IDs in the order defined by the probabilities. 44. A network element according to claim 35, characterized in that the interface means are arranged to transmit a message in a control channel carried over a defined time interval of successive air interface frames. 45. A network element according to claim 35, characterized in that the processor means (251) is arranged to send a request for a deactivated unique subscriber identifier in the payload of the short message addressed to the unique subscriber identifier. A network element according to any one of claims 35 to 45, characterized in that the message is a short message addressed to a group identifier or a broadcast message accessible by using a group identifier. A communication system comprising a user terminal device according to any one of claims 24 to 34 and a network element according to any one of claims 35 to 46. A communication system method comprising configuring (32) a monitoring mode for a user terminal such that in the monitoring mode the user terminal is able to receive downlink messages via a group identifier but is unable to communicate with the uplink switching and management structure; Generating (63) in the network node a message accessible to the user equipment using the group identifier, the payload of the message including a unique subscriber identity and the message including authentication means for verifying the use of the unique subscriber identity of the user terminal; receiving (33) a message at the user terminal using a group 35 identifier; determining (34) in the user terminal a unique subscriber identity and authentication means from the payload of the message to verify the use of the unique subscriber identity of the user terminal; verifying (35) the user terminal's right to use the unique subscriber-5 identifier with the authentication means provided in the message; in response to a successful authentication, (37) providing a unique subscriber ID to the user terminal. 49. A computer program distribution means that is computer readable and encodes an instruction-based computer program for executing a computer process 10, the process comprising the steps of any one of claims 1 to 23, or 48.