FR2709903A1 - Method and device for security-protecting communications, using an integrated services digital network - Google Patents

Abstract

The method according to the invention consists in defining a new service supplement, entitled security-protected closed user group (11 to 11) which is accessible to users by subscription, in the environment of a control point of the services (2) of the ISDN (3). In order to set up at least one security-protected communication between at least two subscriber correspondents of the same service, whatever the service, the security protection being transparent with respect to each of the correspondents for the service requested, the method consists in recognising the security-protected closed user group supplementary service, via a switch giving access to the service of the ISDN (3), in routing the user-to-user signalling to the service control point (2) of the ISDN (3) in authenticating the correspondents about to communicate, and in checking the access right of the correspondents by reading a database containing the list of the subscribers to the security-protected closed user group service supplement. Applications range from intra- and inter-banking communications, to communications of a sensitive nature in the institutional context, to business communications, etc.

Description

Method and device for securing communications using a
integrated services digital network.

 The present invention relates to a method and a device for securing communications using a digital network with integrated services hereinafter called ISDN.

 The field of application of the present invention is very wide since it covers all the telecommunications services made available to the users of an ISDN-type network. It covers in particular intra and interbank communications, communications of a sensitive nature within the institutional framework, corporate communications, etc.

 An ISDN comprises a set of functional possibilities which make it possible to offer, to the users who can be distributed over different activity sites and which are connected to it, a series of telecommunications services such as support services, teleservices and additional services. Support and teleservices are offered alone as basic services, while additional services must accompany one of the previous two.

The support services correspond to the supply of the network possibilities relating to the lower layers of the network, that is to say to layers 1 to 3 of the reference model for the interconnection of open systems also known by the English abbreviation OSI "Open System Interconnection "This model was originally developed by ISO, the abbreviation for" International Organization for
Standardization "Support services are offered at the interface between a terminal and the network and relate to the transfer of information. Teleservices are services offered to a user downstream of the terminal and include functions relating to all layers 1 to 7 corresponding to the lower layers, 1 to 3, and upper layers, 4 to 7, of the OSI model. The additional services correspond to optional possibilities applying to support services and teleservices. These possibilities are additive or modifying of those of the basic services and relate mainly to the faculties and comfort of implementing the services. ISDNs which use CCITT signaling No. 7, abbreviation for International Telegraph Consultative Committee and
Telephony, provide support and teleservice services to meet various needs for users who can benefit from the same wide range of services grouped together on the same access such as telex, fax, videotex, videophone and telephony etc ... This signaling uses a signaling principle by signaling channel which is based on the transfer of control information by a data transmission link common to several circuits. Signaling by signaling link is at the confluence of developments in switching based on recorded program control and data transmission, the principles of which it applies according to the OSI model. The system associated with this signaling consists of two main sets of functions: the SSTM message transport subsystem and the SSU user subsystems.

The connection of users to the ISDN public network covers all of the means implemented from the terminal to the public users switch. The specifications of user-network interfaces call upon the notions of channel, interface structure and access capacity, based on a limited number of channel types and interface structure. There are two user / network interfaces: the first basic rate interface supports two B channels and one D channel, and a second primary rate interface supports thirty channels
B and a D channel.

Channel B is a 64 Kbits / s channel switched to circuit mode or packet mode which can be used to transport all types of information. The D channel is a 16 or 64 Kbits / s channel operating in message mode capable of transporting signaling and services in packet mode. These interfaces are versatile in the sense that each of them is able, within the limits of its own speed, to provide all of the services offered by the network. The ISDN access protocols extend the concept of signaling by signaling channel to the terminal equipment of user installations or terminal user installations,
ITU. Channel D of the user / network access carries the signaling relating to channels B of the same access. The signaling implemented between the user and the network allows the establishment of the connections necessary for the transfer of information between users as well as the completion of additional services.

 Among these additional services, user-to-user signaling SUU offers an additional means of transferring information between users. A specific additional service, called a closed user group, GFU, allows the creation, from the public network, of virtual private networks partitioned with respect to each other, which can only be accessed by subscribers to the GFU assigned to them. . This additional service is provided by the TRANSGROUPE service, a trademark registered by France Télécom, and exploits the intelligent network capacities supported by the CAS architecture, abbreviation for Service Access Switch, and PCS abbreviation and trademark registered by France Telecom. Service Order Point.

The other additional services relate to services of the "call identification" type
The caller in the case of ISDN can refuse to identify himself for example by not communicating his calling number to the recipient which is the subject of a dedicated additional service. This additional service was imposed by the CNIL, an abbreviation for
Commission Nationale Informatique et Liberté, and is made necessary in the case of an ISDN user using the telephone service while being on the red list. In this case, the subscriber subscribes for the additional service entitled "secrecy of the identity of the requester". The requested user is then informed of the application "secret of the identity of the requester". provisional solution must be implemented consisting in reserving the identification of the caller for data transmission. Furthermore, it is likely that an administrative decision should apply to the prohibition of knowing the identity of the requester for suppliers of certain services, for example in the case of an order by correspondence. However, a possibility remains for the user to identify the origin of a call, by subscribing to the additional service entitled "identification of malicious calls". This additional service allows the requested user to trigger the mechanism of identification of the ISDN caller, during or at the end of this call, within a maximum of 30 seconds. This identification information subject to the operator's discretion must facilitate the discovery of the origin of malicious or annoying calls and is only available to the operator after the end of the communication. It consists of the following elements:
- complete identification of the applicant in the form of his
ISDN number,
- date and time of the identification request, and
- numbering dialed by the caller.

 However, the communication of these identifying information to the complainant user depends on a court decision that is costly in terms of time and time.

 The object of the invention is to overcome the aforementioned drawbacks.

To this end, the invention relates to a method for securing a digital network with integrated services, or ISDN, of the type implementing a set of teleservices offered to network users, with options called additional services, characterized in that it consists in defining a new additional service entitled closed secure user group accessible to users by subscription, in the environment of an ISDN service control point, to be recognized by an access switch for the ISDN service, the secure closed user group supplementary service, to direct the user to user signaling to the ISDN service control point, to authenticate the correspondents in the process of communication and, to control the rights of '' access by correspondents by reading a database containing the list of subscribers to the closed closed user group service supplement, to allow '' establish at least one secure communication between at least two subscribers subscribing to the same service, regardless of the service, the security being transparent vis-à-vis each of the correspondents for the service requested
The advantage of the method according to the invention is that it makes it possible to ensure secure communications between two users subscribed to the same ISDN service, whatever it is. The service and the new service supplement "closed secure user group", or secure GFU, are managed by the ISDN PCS in such a way that the security is carried out with complete transparency vis-à-vis the service. ie without affecting the service offered by the ISDN to subscribed users.

 The present invention exploits the capabilities of intelligent networks provided by an architecture similar to that of a service access switch, CAS, and of a control point for PCS services which are names relating to the French ISDN known as of the NUMERIS trademark of France Telecom.

 In order to simplify the terminology used in this description, the terms CAS and PCS are kept for the similar functions used by the invention.

Other advantages and characteristics of the invention will appear more clearly with reference to the appended drawings which represent:
FIG. 1, a simplified diagram representing closed groups of users managed by the PCS,
FIG. 2, a simplified representation of the principle used by the method according to the invention,
FIG. 3, a block diagram of the key distribution and management function used by the method according to the invention,
FIG. 4, a first embodiment of a device for implementing the method according to the invention
FIG. 5, a representation of a layered structure according to the OSI model of secure communication between two users of the same GFU according to the invention, and
Figure 6, a second embodiment of a device according to the invention.

 The present invention respects digitization and out-of-band signaling which are the two principles on which the integration of services within an ISDN is based.

 Initially, security is limited to basic access, i.e. separate management of the two B channels and the D channel in packet or circuit mode and reserves the possibility of extending the value-added service secure communication via ISDN to the primary accesses, that is to say to the thirty B channels and to the D channel, as well as to any other type of access in number, in type of channels and in speed.

 As described above, the invention uses the PCS development environment.

 FIG. 1 illustrates a simplified diagram symbolizing the management of virtual private networks using the "closed user group" supplementary services GFU respectively GFU n "1, 11, GFU n" 2, 12,, GFU n "i, lil via ISDN PCS 2 3. Each closed user group, GFU n 1 to N "i, 11 to 1d, is composed of a set of ITU user terminal installations between which secure communications are possible. The communications of a given GFU are partitioned with respect to the other GFUs.

FIG. 2 illustrates in a simplified manner the principle used by the method according to the invention during the establishment of a communication between a user calling A and a user called B. ISDN 4 is characterized by out-of-band signaling 5, governed by standard CCITT n 7, routed by the signaling network which is independent of the data transmission network. Consequently, as soon as the user-to-user signaling SUU for the establishment request has resulted respectively in the terminal installation of the user calling ITU A, 6, and of the user called ITU B, 7, L ' user calling A can take possession of the physical circuit. ISDN 4 includes a service access switch
CAS 8 placed under the control of the PCS 9 service control point capable of managing an upstream half-call with caller A and a downstream half-call with called B which are associated with different signaling information and identified by a label that associates them with half-calls. It is only on the orders of the PCS 9 that the CAS 8 effectively puts the two correspondents A and B.

 If the PCS 9 agrees on the connection establishment request following the consultation of its BD 10 database, the latter will convert the public number of called party B into a number kept secret . This secret number is communicated to CAS 8 which establishes the downstream half-call. In addition, the PCS 9 adds to the signaling information relating to the downstream half-call a mark which identifies it, thus attesting to the user called B that the call indeed comes from the GFU and that it is the subject of control by PCS 9. Users A and B of the GFU can reject all calls that do not originate from PCS 9, that is to say calls that are not correctly identified. With such a precaution, it then becomes almost impossible for a fraudster to short-circuit the control of the GFU.

 The additional service entitled "identification of malicious calls" can be used for the logging of security-related events and in particular for the detection of fraudulent intrusion attempts in the GFU. It can also be envisaged a systematic and automatic triggering of the identification of any internal or external call to the secure GFU as well as a legal authorization to access information concerning all calls. Provision may also be made for storing this information on an irreversible physical medium in order to be able to constitute, in the more or less long term, a service of proofs in the event of a contested appeal.

An expert system can be responsible for the subsequent exploitation of this information in order to be able to produce for each user the list of calls corresponding to their GFU and even to provide them with statistics and synthetic diagrams based on predetermined rules. This constitutes the principle of a security hyper-viewer which can also be responsible for billing the user service and automatic recovery of sums due for the use of the additional service entitled "Secure GFU"
Once the communication has been established between the caller A and the called party B, the ISDN then behaves like a simple communication channel between the two correspondents A and B. It is represented in FIG. 2 by two parallel lines in dashed lines.

 Figure 3 illustrates the key distribution and management phase when establishing communication between two users.

 The method according to the invention revolves around a security management center, or CGS 11, incorporated into the PCS 12, controlled for example by a security server not shown.

 This information management by the CGS 11 consists in processing the signaling relating to all secure communications between users.

For this it performs the authentication of the calling user A and the called user B as well as the access control thanks to its database BD 13 containing the profiles of the users thus constituting a dictionary of users.

She develops and manages the keys, then keeps a record of all the exchanges involving her for non-repudiation purposes. It can also then automatically bill the additional service offered and, for example, manage a fleet of CAM microcircuit cards, a CAM card 14 and 15 being assigned personally to each subscribed user A and B.

 In the development and management of keys, the method uses two types of keys for effective security.

 A first type of key, also called basic key CLE, is distributed to the members of the closed group of subscribed users GFU by means, for example, of the microcircuit card CAM 14 and 15 allocated to each of the subscribed users A and B plus one for PCS 12. A basic key CLE is a double key comprising a secret key KS and a public key KP. This double key, or bi-key, is used in asymmetric type cryptographic algorithms. Each subscribed user A and B therefore has a first secret key, respectively KAS and KBS, and a second public key, respectively KAP and KBP.

 A second type of key, called KT traffic key or session key, is communicated to the caller A and to the called party B during the establishment of the communication under the protection by encryption by means of an algorithm of the preceding type. configured by the aforementioned CLE basic keys.

A secure channel between the PCS 12 and the user is obtained thanks to the user-to-user signaling SUU by using an encryption process using the public key KAP of user A, thus ensuring the confidentiality of the traffic keys.
KT sent, followed by a signature by the secret key KDS of the PCS 12 ensuring the authentication of the origin of the call. The reciprocal transformation consists of a decryption by means of the public key KDP of the PCS 12 followed by a decryption by the secret key of the user KAS or
KBS.

Key management is centralized inside PCS 12 by the
CGS 11. There can be one KT traffic key per channel for basic access, ie a maximum of three keys for 2B plus D channels.

 The number of KT traffic keys sent to a given terminal depends on the number of channels used. The same keys are used for the two directions of transmission in "full duplex", which requires two encryption algorithms parameterized by the same KT traffic key for each channel, in this example six algorithms are then necessary.

The traffic keys KT can be the secret keys and the encryption algorithm used can be a cryptographic algorithm of symmetric type. Such key management requires within the GFU that the user-to-user signaling SUU corresponding to the request to establish a physical or virtual connection passes through the PCS 12 where it is intercepted. As mentioned previously in the GFU, this is, by means of a prefix recognized by the service access switch
CASE 16, to route the user-to-user signaling SUU to the PCS 12 capable of processing the GFU supplementary service. It is at this level that the initial access control is carried out in view of the number of caller A, the search for the translated number of caller B, the command to establish the downstream half-call by the CAS 16, and the authentication of the correspondents.

After checking the compatibility of GFU, the PCS 12 transmits their respective KT traffic key to caller A and called party B. Each batch of KT traffic keys is gathered in a mini-message field, encrypted at one time, from user to user SUU signaling. A minimessage field allows users to exchange 32-byte information fields when setting up or releasing the call or outside of any communication. Based on the principle that access to the database BD 13 linked to PCS 12 is necessary to know the
GFU of membership of the two correspondents A and B as well as the translated number of the called party B, it appears natural that their public key KAP and KBP are also there in the form of additional attributes.

 According to the CCITT standard no. 7, 17, the space provided for carrying the encryption keys comprises 32 bytes, ie 256 bits, which can be increased to 128 bytes, and there are also two types of signaling based on the message transfer subsystem. A signaling linked to a connection establishment request bears a label attaching it to this communication.There is also a possibility of using user-to-user signaling SUU outside any connection request. for the mini-message being sufficient in the case of encryption by a symmetric cryptographic algorithm using a 64-bit key, the transport capacity of four keys is sufficient for basic access using only three keys. otherwise, a series of mini-messages conveyed by user to user SUU signaling will provide the transport capacity for the number of keys required.

Considering the access to the BD 13 database mentioned above, double encryption is applied to the entire mini-message field, corresponding to a block of 256 bits, to which two transformations are then applied successively according to an asymmetric cryptographic algorithm. . Once the communication has been established between the two subscribers, the encryption of the communication by a symmetric cryptographic algorithm is performed at level three of the model.
OSI by an ISTCS security sub-layer abbreviation for "Integrated Services Trusted Communication Sublayer", this ensuring the confidentiality and integrity of the information exchanged via the ISDN.

 An essential reason for the choice of an encryption method using a symmetric cryptographic algorithm and carried out at level 3 by the ISTCS sublayer, is that the subsequent access to the B and D channels in packet mode must be able to be done transparently. vis-à-vis encryption.

Packet routing is carried out by level 3, an important constraint being to respect the need for transparency of the encryption compared to the support services also passing through layers 1 to 3 of the model.
OSI.

The access control introduced previously ensures the right of a subscribed user to access the service he requests. This control is based on a prior authentication process carried out from a front-end security computer interposed between the user and the network and hereinafter referred to as a security front-end
Considering that the authentication, access control and non-repudiation services are intrinsically linked, the method according to the invention proposes a double authentication mechanism having the advantage of combining the processing of these three services.

 A simple solution to allow the implementation of this mechanism consists in using a password that the user must enter via the keyboard of the security front end. However, security can be greatly increased inexpensively by exploiting the key management principles mentioned above.

 Indeed, the major drawback of the password is that it transits in the clear on the network, thus being susceptible to an attack by interception and replay. More or less complex developments on systems with zero knowledge contributions, including the Lamport scheme, allow the password to be renewed each time it is used.

 The method according to the invention exploits the fact that the physical access control has already been carried out by the PCS 12 which has checked the membership of the caller and the called user subscribed to the same GFU.

The PCS 12 then sent each of their correspondents their common KT traffic keys. These are stored in the security front end which operates encryption for the duration of the communication. The transmission of one, two or three KT traffic keys depending on the service, via user-to-user signaling SUU in the mini-messages field from the
PCS 12 is intercepted by the security front end which produces an authentication request. This then results in a password request from the subscribed user. It is recalled that the notion of subscribed user covers both a natural person and an application which must be adapted to this operating mode and within which the password for access to the network must be hidden. For example, blocking with access to ISDN prohibited as soon as the application is interrupted can be considered. Once the password entered by the subscribed user, it is encrypted by the first current KT traffic key. The security front end which operates the encryption must therefore be accessible both by the user plan which provides network services and by the signaling plan through which the encrypted password will pass.

Another solution is to use a micro-circuit card
CAM containing secret elements such as password, secret key of the terminal and public key of the PCS, and a micro-circuit card reader CAM coupled to the security front end.

 In this way the interface becomes unusable in encrypted mode as soon as the micro-circuit card CAM has been removed and stored in a safe for example.

 It should be noted that the password is not in principle encrypted twice in the same way insofar as the KT traffic key or keys are changed at each communication.

 However, it is obvious that the PCS will have a limited stock of KT traffic keys which it will distribute in turn to subscribed users of the GFU in the process of communication.

 It is therefore necessary to provide a generation system and a key stock, the number and lifespan of which will be sized as a function of the number of subscribed users and the number of means of communication per subscribed user and per unit of time. A compromise between the ability to produce random keys with good cryptographic quality and more or less renew the keys of KT traffic is therefore to be determined. Too many reuse of the same KT traffic key is to be avoided as this increases the risk of compromise.

 However, it may be that a fraudster can successfully build a dictionary of the KT traffic keys used by the PCS to successfully interpose. This is however made difficult due to the confidentiality and integrity of the transfer of KT traffic keys between the PCS and the security front end of the subscribed user thanks in particular to double encryption using the asymmetric cryptographic algorithm.

Similarly, symmetrically, the authentication protocol can be applied to the subscribed user called via his respective security front end. The
PCS sends its KT traffic key (s) to it with compatibility check with the secure GFU. The key or keys are sent in the message minimization field of the user to user signaling SUU requesting the establishment of a call, in this case, downstream half-call.

 The PCS blocks the physical circuit until the two parties are not correctly authenticated. To do this, the ability of the PCS to manage two separate half calls is called: an upstream half call with the calling party, and a downstream half call with the called party.

In the favorable case, the PCS sends, to the CAS which has recognized the call as requesting the additional GFU service, the request to establish communication between the two subscribed users. Access control can be improved by adding to the password function of the PCS a function for reading the access restrictions specific to each subscribed user within the database BD accessible by the PCS. In addition to the GFU closed user group number and the public key of
The subscribed user, information relating to the profile of each subscribed user must be accessible for reading.

 An additional event signaling function can be added to the secure access mechanism which has just been described.

Various causes of non-warning of a call can be reported to users. Corresponding messages are sent by the
CAS on order from the PCS to inform the caller and the called party of the reason for the refusal of the call Different types of reasons for refusal can arise:
- a caller and a called party belong to different GFUs, it is then necessary to warn the caller,
- a failure to authenticate the caller, the latter must be notified,
- a failure to authenticate the called party, the two correspondents must be warned by different messages,
- a network or PCS overload, you must notify the caller who will have to call again later.

A user-to-user signaling exchange scenario SUU leading to secure communication via ISDN is detailed below:
User A requests secure communication with user B via user to user signaling SUU. The CAS recognizes the additional secure GFU service and directs it if

 The scenario described above represents the case of a favorable development. However, it is necessary to provide a recovery mechanism in the event of an operator error when entering his password, for example three authorized attempts, unless all security front ends are equipped with a card reader. with CAM micro-circuit.

 A first embodiment of a device for implementing the method according to the invention is illustrated in FIG. 4.

In this figure an ISDN 18 of the type represented in FIG. 2 is used for the transmission of a secure communication between two subscribed users A and B, a subscribed user calling A on the left and a subscribed user called B on the right of ISDN 18. Each subscribed user A and B has a terminal 19, 20 coupled to a security front end 21, 22 which gives access to a PABX 23, 24 known by the abbreviation Anglo-Saxon
PABX, "Private Automatic Branch Exchange", connected directly to ISDN 18. The security front end 21, 22 is coupled respectively to terminal 19 20 of user A and B and to PABX 23, 24 by a base rate interface also called terminal S interface. The SO interface being reserved for intelligent terminals of the microcomputer type according to the name of the ECMA standard, Anglo-Saxon abbreviation for "European Computer
Manufacturer Association "The same PABX 23, 24 can receive multiple user accesses on its input. In this case, it has a unifying role. Its output is coupled to ISDN 18 via a To or T2 interface, also subject to ECMA standard. A card reader 25, 26 with microcircuit, or chip card, is connected to the security front end. The reader receives a micro-circuit card 27, 28 belonging respectively to user subscriber A and B. This card 27, 28 contains the secret elements such as password, secret key of the terminal and public key of the PCS. The interface between the user and the ISDN becomes unusable in encrypted mode as soon as the micro-circuit card CAM is removed from the CAM micro-card reader.

Each CAM micro-circuit card has an identification number written on the chip during its manufacture and which is read by the CAM micro-circuit card reader each time it is used in encrypted mode from one of the terminals connected to the front of security. When using a terminal for the first time or when the secret elements contained in the CAM micro-circuit card are renewed, the operator or subscribed user orders the validation of the CAM micro-circuit card entered into the reader via the terminal. With each new use, the CAM micro-circuit card reader accepts to read the secret elements contained in the chip only if the identification number of the CAM micro-circuit card corresponds to the last validated number. The operation of the security front is described in detail below:
The security front end performs encryption / decryption based on a symmetric cryptographic algorithm implemented at layer 3 of the OSI model for communications via channels B and D.

In addition, the decryption encryption is accessible by a service access point identifier known by the English abbreviation SAPI for "Service Access Point Identifier" reserved for user-to-user signaling.
SUU to secure signaling exchanges.

 It also performs encryption / decryption according to the asymmetric cryptographic algorithm where the SAPI is reserved for signaling from user to user SUU, on the mini-message field from 32 to 128 bytes. The purpose of this is to acquire the KT traffic key or keys sent by the PCS in the mini-message field. This operation requires the preceding double decryption, the truncation of the mini-message into the KT traffic key and then the setting up of symmetric cryptographic algorithms for encryption / decryption of the data circuit.

On receipt of a user-to-user signaling message
SUU bearing the mark of the GFU secure additional service affixed by the PCS, the security front-end produces a request for passwords to the subscriber user, or the micro-circuit card reader CAM, which must in exchange supply the word password written on it. In response to this request, the security front end sends the password encrypted with the first current KT traffic key to the PCS. The routing of the signaling message is ensured by the CAS. The security front end then waits for signaling from the CAS. Two possibilities can then arise:
- in the event of an error when entering the password, the CAS re-issues an authentication request, the process can be repeated once,
- in the event of correct authentication of the two correspondents by the PCS, the security front end receives from the CAS a message confirming the processing of the call.

 In the favorable case, the communication continues according to the usual procedure and the security front end starts encryption on interception of the connection signaling message exchanged between the called party and the calling party.

 Figure 5 shows the embodiment of Figure 4 as a layered structure following the OSI model.

 This representation is symmetrical with respect to an ISDN of the type described previously in the preceding figures.

 The subscriber user's terminal 30A, 30B is represented by seven layers of respective level 7 to 1, the upper layer corresponding to level 7. The security front end 31A, 31B is represented by three layers of respective level 3 to 1, surmounted of the level 3 ISTCS security sublayer. Encryption is performed at this level. The SO interface corresponds to the layer of level 1, or physical level.

PABX 32A, 32B is represented in the form of three layers of respective levels 3 to 1, also called TNA, abbreviation of
Digital Termination of Subscribers, and a last layer of level A represents a TNR, 33A, 33B abbreviation of Digital Termination of
Network.

 A physical transmission medium 34, represented in FIG. 5 by a hatched layer, makes it possible to connect the respective lower level layers 1 to the terminal 30A, 30B to the security front end 31A, 31B, to the TNA 32A, 32B and to the TNR 33A, 33B up to ISDN 29. The secure communication area is shown in Figure 5 inside a closed broken line.

 A second embodiment of a device for implementing the method according to the invention is illustrated in FIG. 6.

In this embodiment, a first terminal installation of subscriber users calling ITU A comprises a cluster of terminals 35i, the maximum number of which cannot exceed eight. The terminals 35i are connected to each other by a passive bus 36 which is itself connected to a security front end 37 via an SO interface, and which can be addressed separately using the LAPD protocol, the abbreviation for "Link"
Access Protocol on the D Channel "allowing secure exchanges between the various devices ensuring the functions of layer 2 of the OSI model, and sub-addressing. The output of the security front end 37 is coupled to the input of an ISDN 38 also by an So interface. As for the first embodiment of FIG. 4, the access of the user to the security front end 37 is done by means of a reader 39 for a CAM microcircuit card 40. A second terminal installation of subscribed users called, ITU B, connected at the output of the ISDN comprises a PABX 41 connected to the ISDN 38 via a To or T2 interface. The N outputs of the PABX 41 are respectively coupled via a So interface to a cluster of terminals via a security front end 43, the installation of which is identical to that of the ITOU A comprising a reader 44 of the CAM micro-circuit card 45.

 The interface So common to the cluster of terminals 35i, 42i is secure.

 The security front end 37, 43 manages the origin and recipient addresses respectively but does not manage the origin and recipient sub-address relating to a terminal called within ITU B and a calling terminal within ITU A. II does not distinguish the terminals 35i, 42i connected to the So interface.

Subaddressing, which is a known method in ISDN, naturally excludes interworking with non-ISDN terminals that are unable to generate a subaddress. The origin address, identifying the interface So and the security front end 37, 43, is associated with an origin sub-address which identifies the destination terminal within the cluster of terminals 42i. The PABX 41 allows communication via the
ISDN 38, the terminal of the subscriber user calling A with the terminal of the subscriber user called B whose respective sub-addresses correspond. The subscriber user calling A therefore has the possibility of selecting a specific entity within the ITU terminal installation of the subscriber user B by supplementing, for example, the main address with 1 to 4 additional digits defining a subaddress.

This additional information is transported transparently by the network 38.

 A possible extension of the invention concerns the securing of the interface S2, as well as any other type of access whatever the number of channels, the type of channels and their bit rate.

Finally, the subject of the invention which is mainly concerned with communications between fixed installations can also be extended to communications between mobiles in the context of GSM, an abbreviation for
Special Mobile Group.

The purpose of a GSM network is to offer telecommunications services to subscribers regardless of their movements within a service area, defined by an operator or even several operators having concluded mutual agreements. To do this, the mobile subscriber uses a mobile station whose originality is to be made up of two separable elements:
- mobile equipment which provides the radio and software capacities necessary for dialogue with the network, and
- a removable card, of the CAM micro-circuit card type which contains the characteristics of the subscriber and his rights, in particular his international identity.

Claims (6)

 1. Method for securing an integrated services digital network, or ISDN, of the type implementing a set of teleservices offered to network users, with options called additional services, characterized in that it consists in defining a new additional service called closed secure user group (11 to 1i) accessible to users by subscription, in the environment of an ISDN service control point (2; 9; 12), to be recognized by an ISDN service access switch (8; 16), the secure closed user group supplementary service, to route user to user signaling to the service control point (2; 9; 12) ISDN, to authenticate the correspondents in the process of communication and to control the access rights of the correspondents by reading a database (10; 13) containing the list of subscribers to the closed closed user group supplementary service , to enable at least one secure communication to be established between at least two subscribers subscribing to the same service, whatever the service, the securing being transparent vis-à-vis each of the correspondents for the service requested.  2. Method according to claim 1, characterized in that the authentication consists on the one hand, in assigning to each correspondent as well as to the service control point (2; 9; 12), a basic key (CLE) comprising a secret key (KS) and a public key (KP), and on the other hand, during the establishment of the call, to send to each correspondent, via the user to user signaling of the ISDN, at least one traffic (KT) distributed by the service control point (2; 9 12), the confidentiality of exchanges of traffic keys (KT) being ensured by first encryption of the traffic key (KT) by the public key of each correspondent (KAP and KBP) followed by a second encryption by the secret key (KS) of the service control point (2; 9; 12).  3. Method according to any one of claims 1 to 2, characterized in that it also consists in memorizing all the exchanges between correspondents on a physical medium.  4. Device for implementing the method according to any one of claims 1 to 3, characterized in that it comprises on the one hand, a security front (21; 31A; 37) arranged in cut between at least a terminal (19; 30A; 35i) of at least one calling party (A) and the ISDN, and a security front end (22; 31B; 43i) arranged as a break between at least one terminal (20; 30B; 42i) at least one called correspondent (B) and the ISDN, the two security front-ends ensuring encryption or decryption of the information contained in the communication passing through the ISDN, and also comprises a coupled security server (11) at the service control point (2; 9; 12) allowing the management of information security.  5. Device according to claim 4, characterized in that a micro-circuit card reader (25; 26; 39; 44) is coupled to each security front allowing the reading of a micro-circuit card (27 ; 28; 40; 45) containing the public key (KP) of the service control point (2; 9; 12) and the secret key (KS) of the subscriber to the secure closed user group supplementary service.  6. Device according to any one of claims 4 and 5, characterized in that it further comprises at least one automatic exchange (41) inserted between at least one security front end (43i) and the ISDN (38).