GB2336971A - Authentication of a visiting mobile station - Google Patents

Publication number
GB2336971A
GB2336971A GB9808951A GB9808951A GB2336971A GB 2336971 A GB2336971 A GB 2336971A GB 9808951 A GB9808951 A GB 9808951A GB 9808951 A GB9808951 A GB 9808951A GB 2336971 A GB2336971 A GB 2336971A
Authority
GB
United Kingdom
Prior art keywords
mobile station
network
authentication
identity information
visiting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB9808951A
Other versions
GB9808951D0 (en)
GB2336971B (en)
Inventor
Ralph James Edwards
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/06 Registration at serving network Location Register, VLR or user mobility server
    • H04W8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W8/24 Transfer of terminal data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In a Total Access Communication System (TACS) mobile telephone network which supports mobile station authentication, a switching centre stores identity information of a visiting mobile station which has a home network which does not support authentication. The stored identity information is suitable for use in a non-authenticating network. Subsequent call access by the visiting mobile station results in transmission of modified identity information in accordance with the authentication of the network. The stored (unmodified) identity information can then be used by the home network for call set up.

Description

TELECOMMUNICATIONS NETWORKS
The present invention relates to telecommunications networks, and in particular to total access communication system (TACS) networks.
DESCRIPTION OF THE RELATED ART
Total access communication system (TACS) networks provide analogue telecommunications networks for Europe and Asia. When such networks were initially set up, security of the systems was not a major concern and so subscribers could access the network (originate and receive calls) by simply transmitting a simple message including an electronic serial number (ESN). However, fraud is becoming an increasing problem, and so security of TACS networks must be improved.
One way of giving a network greater security is to activate so-called "authentication" of mobile stations. Authentication-capable mobile stations can detect the fact that authentication is activated in a network by monitoring a bit in the overhead messages on the air interface. If the bit is set, authentication-capable mobile stations transmit a modified electronic serial number (MESN) on the air interface when originating call access. The MESN is generated by an algorithm in the mobile and is based on a combination of a 16 digit authentication PIN, the dialled called party number (B-number) and the ESN.
The MESN is passed to an authentication node (AN), for example the home location register HLR, where the algorithm is run again using the dialled B-number and the ESN and authentication PIN stored in the authentication node AN. If the result matches the MESN transmitted by the mobile station, the access is allowed, otherwise it is rejected.
In order that TACS networks are attractive to subscribers, it is desirable to allow a subscriber to roam away from his or her home network into another network. Two non-authenticating TACS networks are illustrated in Figure 1 of the accompanying drawings. The mobile subscriber 1 has a home network 2 and is roaming in a visiting network 3. Inter-system roaming is generally implemented in TACS networks by creating a virtual homogenous network. Calling party number (A-number) analysis tables are modified in the visiting mobile station switching centre (VMSC) 5 of the visiting network 3, to recognise subscribers from both networks 2 and 3 and provide their home exchange pointer. When the subscriber 1 from network 2 roams to network 3 and registers or originates a call, the mobile station 1 transmits an electronic serial number, and location updating is performed towards their home exchange 4 in network 2. The home exchange 4 performs a check on the electronic serial number (ESN) of the mobile station to ensure it allows valid access before returning the subscriber categories to the VMSC 5 of the visiting network 3. The home exchange 4 is updated with the subscriber's location and call delivery can be performed. If the serial number check fails in the home system, categories are not returned and the access request is rejected.
However, significant problems can occur when authentication-capable subscribers roam into a network which supports authentication, when the home network does not.
Referring again to Figure 1, if the visiting network 3 has activated TACS authentication but the home network 2 has not, inter-system roaming ceases to function for authentication-capable mobile stations having network 2 as their home network. Figure 2 illustrates the steps which lead to the inability of subscriber 1 to roam into network 3. The authentication-capable subscriber 1 detects that the network 3 supports authentication (step a). The subscriber 1 originates a call (step b), and sends a modified ESN to the network 3 (step c), since the overhead message of the visiting network 3 indicates that authentication is activated. The MESN is transmitted to the home exchange 4 in the home network 2 to retrieve subscriber categories from the home location register (HLR) 4 (step d). The HLR 4 compares the received MESN with the stored ESN for the subscriber concerned (step e) and then rejects the call request because the ESN is not equivalent to the MESN (step f). The rejection is passed to the visiting network 3 and the call is rejected (step g).
Non-authenticating network operators having roaming agreements with neighbouring networks have been faced with such problems when TACS Authentication is introduced. One solution is simply to terminate the roaming agreements and accept the loss of revenue that this implies. Such a situation occurred between the UK and Ireland, when a UK network activated authentication. Roaming between Malaysia and Singapore is also due to be terminated for the same reasons. As an example of the significance of terminating such agreements, the TACS network in China has roaming agreements between each of the fifteen regional operators. This produces what can be called a quasi-homogenous network. Each region purchases and administers its own network, but the roaming agreements bind them together into the national China TACS network.
Currently China has not activated TACS authentication but with the increase of fraud and the advent of prepaid subscriptions, the situation is becoming more critical. It is becoming necessary for TACS operators to offer a prepaid service if they are to remain competitive. The added security afforded by TACS Authentication is considered essential for the successful introduction of a prepaid service.
Clearly, it is unacceptable to terminate roaming agreements in China as TACS Authentication is activated in the regions. However it is impossible given the market conditions in China to take a holistic approach and activate it at a national level.
In addition, the TACS networks in Italy and Austria may also experience such a problem. The TACS network in Austria seems unlikely to be capable of supporting authentication. In Italy, however, TACS authentication has been activated since November 1997. If roaming is to be allowed, a way must be found to allow Austrian subscribers to roam to Italy.
The only solution to this problem that has been identified so far has been to inhibit serial number checks in the home location register (HLR).
This, however, has serious implications for network security. The security of non-authenticating TACS networks relies on the serial number (ESN) check to limit fraudulent access. If this check is removed, any clone telephone with a valid Mobile Subscriber Number (MSN) will be able to access the network.
SUMMARY OF THE PRESENT INVENTION
According to a first aspect of the present invention, there is provided a method of operating a mobile telecommunications network in which mobile station authentication is supported, the method comprising:
receiving and storing first identity information from a visiting mobile station which has a home network and which is operable to support mobile station authentication, the first identity information being suitable for use in a network which does not support mobile station authentication; receiving a call request from the visiting mobile station, which call request includes second identity information suitable for use in a network which supports mobile station authentication; obtaining information indicating whether the home network of the visiting mobile station supports mobile station authentication; and if the home network of the visiting station does not support mobile station authentication, sending the stored first identity information to the home network of the visiting mobile station in response to the received call request, or, if the home network does support mobile station authentication, sending the received second identity information to the home network of the visiting mobile station in response to the received call request.
According to a second aspect of the present invention, there is provided a mobile telecommunications network in which mobile station authentication is supported, the network comprising:
receive means for receiving and storing first identity information from a visiting mobile station which has a home network and which is operable to support mobile station authentication, the first identity information being suitable for use in a network which does not support mobile station authentication; call processing means for receiving a call request from the visiting mobile station, which call request includes second identity information suitable for use in a network which supports mobile station authentication; and verification means for obtaining information indicating whether the home network of the visiting mobile station supports mobile station authentication, the verification means being operable, if the home network of the visiting station does not support mobile station authentication, to send the stored first identity information to the home network of the visiting mobile station in response to the received call request, or, if the home network does support mobile station authentication, to send the received second identity information to the home network of the visiting mobile station in response to the received call request.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic view of two TACS networks; Figure 2 is a flow chart illustrating operation of a roaming mobile station; Figure 3 is a flow chart illustrating operation of a roaming mobile station in accordance with the present invention; and Figure 4 is a block diagram illustrating a TACS network and mobile station for use in accordance with the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENT
An embodiment of the present invention will now be described with reference to Figures 1, 3 and 4. As previously described, a subscriber 1 having a home network 2, can roam into a visiting network 3. In networks operated in accordance with the present invention, when the authentication-capable mobile station 1 detects, using authentication detector means 9, that the visiting network 3 supports authentication (step a') (by reference to the overhead message of network 3, as before), it registers its presence by sending its ESN and location information to the visiting mobile switching centre (VMSC) 5 of network 3 (step b'), using ESN/location registration means 10. The ESN and location information is stored in the VMSC 5 (step c') in an ESN/location data storage area 6. When the mobile station 1 originates a call (step d'), it sends a MESN to the visiting network 3.
Alternatively, the mobile station may register its ESN in response to a change in area identity (AID) signal on the overhead message.
Stored cooperating exchange administration data 10 of the VMSC 5 includes data specifying the authentication capabilities of all HLRs in the network 3 and in all networks with which roaming is allowed (e.g. home network 2).
When the mobile station 1 makes a call originating access (by transmitting an MESN), its mobile station number (MSNB) is analyzed to ascertain its home exchange. The authentication capability of the home exchange is then retrieved from the stored cooperating exchange data 10. If the home exchange of the mobile supports authentication, the MESN is forwarded to the authentication node or HLR for authentication as normal by transmit means 8. If, however, the cooperating exchange data indicates that the home exchange does not support authentication, the location of the last registration/page/audit response is examined (step f') by comparison means 7. If the location information matches the location of the call originating access, the MESN is overwritten by the stored ESN for the mobile station, and the ESN is forwarded to the home network node or HLR 4 (step g'). If the location information does not match, the MESN is forwarded to the home network node as normal.
The home network node 4 then completes its check of the received ESN (step h'), and accepts the call (step i'), since the stored ESN is equivalent to the received ESN.
An authentication-capable mobile from a home network where authentication is not activated will then be able to roam to a visiting network 3 where authentication is activated, provided that the mobile station 1 registers or responds to a page/audit request in a valid location.
A mobile station clone with an invalid ESN will have very limited ability to access the system with this feature active even though it involves using the ESN from one access to validate another. The serial number is checked for all accesses, including registrations and page/audit responses. Under normal circumstances therefore, all accesses from such mobiles will be rejected. If, however, the clone with an invalid ESN happened to make an originating access in the same location as the valid subscriber, the access would be allowed. The size of the location is therefore crucial to the security offered by the feature. If either cell or location area is used to define the location of an access, the chances of the clone and the valid subscriber roaming to the same location are very slight.
Clones with valid ESNs will be able to access the system, but these accesses would be allowed in the home network anyway, so there is no change of the level of security provided by the network.
If the location from which the originating access was received differs from the location stored for the last registration or page/audit response, the access will still be rejected. This provides protection against a clone with an invalid ESN, but may give some loss of service to the valid subscriber. The implications are different depending on whether the location area or cell is used to define the location of the subscriber.
If location area is used, rejection may occur if the subscriber had the mobile station turned off before originating a call or originated a call just after crossing a location area boundary. In both cases the mobile station did not have time to register before originating the call. These are not normal situations, and are unlikely to cause serious problems to the subscriber since the mobile will perform a forced registration immediately after the failed access. If the subscriber then attempts to call again, the access will be allowed.
If the location of the last access is identified by cell rather than location area, there is more chance of rejection due to differing locations. This is because forced registrations occur between location areas, not cells. This can be ameliorated by the VMSC auditing the subscriber following the rejection. The mobile will then return an audit response containing its location and ESN which can be stored in the VMSC. If the subscriber then attempts to call again, the access will be allowed.
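The VMSC decision described above, and the clone and missed-registration cases that follow from it, can be traced with a small model; this is an added example, not code from the patent. The class names, the MSN prefix used to find the home exchange, the rule that the VMSC stores an ESN only after the home node has accepted it, and all ESN/MESN values are assumptions or constructed data, and the MESN is treated as an opaque value because the page does not give the algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class HomeHLR:
    """Non-authenticating home node: accepts an access only if the serial
    it receives equals the ESN it has on file for that subscriber."""
    esn_on_file: dict

    def check(self, msn, serial):
        return self.esn_on_file.get(msn) == serial

@dataclass
class VMSC:
    home_supports_auth: dict   # cooperating exchange data: home exchange -> bool
    hlrs: dict                 # non-authenticating home exchanges -> HomeHLR
    last_access: dict = field(default_factory=dict)  # msn -> (esn, location)

    @staticmethod
    def home_of(msn):
        # Assumption: the prefix before "-" stands in for number analysis.
        return msn.split("-")[0]

    def register(self, msn, esn, location):
        """Registration or page/audit response. Assumption: the VMSC stores
        the ESN/location pair only after the home node accepts the ESN."""
        if not self.hlrs[self.home_of(msn)].check(msn, esn):
            return False
        self.last_access[msn] = (esn, location)
        return True

    def select_identity(self, msn, mesn, location):
        """Decide what is forwarded to the home network for a call access."""
        if self.home_supports_auth[self.home_of(msn)]:
            return ("MESN", mesn)             # authenticate as normal
        stored = self.last_access.get(msn)
        if stored is not None and stored[1] == location:
            return ("ESN", stored[0])         # overwrite MESN with stored ESN
        return ("MESN", mesn)                 # location mismatch: no overwrite

    def originate(self, msn, mesn, location):
        """Return (kind forwarded, accepted?) for a non-authenticating home."""
        kind, value = self.select_identity(msn, mesn, location)
        return kind, self.hlrs[self.home_of(msn)].check(msn, value)

def run_scenarios():
    # All identifiers and values below are constructed for the example.
    msn, esn, mesn = "NET2-0001", "82A1B2C3", "5F00D1E7"
    vmsc = VMSC(home_supports_auth={"NET2": False, "NET3": True},
                hlrs={"NET2": HomeHLR({msn: esn})})
    out = {}
    out["valid_register"] = vmsc.register(msn, esn, "LA-7")
    out["valid_call"] = vmsc.originate(msn, mesn, "LA-7")
    # Clone using the same MSN but an invalid ESN, in another location area.
    out["clone_register"] = vmsc.register(msn, "DEADBEEF", "LA-2")
    out["clone_call_elsewhere"] = vmsc.originate(msn, "0BADF00D", "LA-2")
    # Residual exposure: same location as the valid subscriber's last access.
    out["clone_call_same_location"] = vmsc.originate(msn, "0BADF00D", "LA-7")
    # Valid subscriber calls right after crossing a boundary, then re-registers.
    out["call_before_registration"] = vmsc.originate(msn, mesn, "LA-9")
    out["forced_registration"] = vmsc.register(msn, esn, "LA-9")
    out["retry_call"] = vmsc.originate(msn, mesn, "LA-9")
    # A visitor whose home network authenticates: the MESN goes through untouched.
    out["auth_home"] = vmsc.select_identity("NET3-0042", "77AA11CC", "LA-7")
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26} {result}")
```

The `clone_call_same_location` case is the residual exposure the description ties to the size of the location unit: the smaller the unit, the less often that branch can be reached.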
Thus operating networks in accordance with the present invention allows roaming agreements to be maintained between authenticating and non-authenticating TACS networks with minimal loss of security for the non-authenticating network.
The invention will have no effect on subscribers roaming from non-authenticating networks to authenticating networks if the mobile is not authentication capable. Full service to these subscribers will be maintained.
The security may be tailored for individual markets by choosing units of location carefully. For geographically compact networks, the location of the last access may be identified by cell to limit the chance of a clone with an invalid ESN and the valid subscriber roaming to the same location.

Claims (10)

1. A method of operating a mobile telecommunications network in which mobile station authentication is supported, the method comprising: receiving and storing first identity information from a visiting mobile station which has a home network and which is operable to support mobile station authentication, the first identity information being suitable for use in a network which does not support mobile station authentication; receiving a call request from the visiting mobile station, which call request includes second identity information suitable for use in a network which supports mobile station authentication; obtaining information indicating whether the home network of the visiting mobile station supports mobile station authentication; and if the home network of the visiting station does not support mobile station authentication, sending the stored first identity information to the home network of the visiting mobile station in response to the received call request, or, if the home network does support mobile station authentication, sending the received second identity information to the home network of the visiting mobile station in response to the received call request.
2. A method as claimed in claim 1, further comprising storing information indicating whether the home network supports mobile station authentication.
3. A method as claimed in claim 1 or 2, comprising transmitting an authentication message indicating that the network supports mobile station authentication, and wherein the first identity information is transmitted from the mobile station in response to receipt of the authentication message.
4. A method as claimed in claim 1 or 2, wherein the first identity information is transmitted from the mobile station in response to a change in the area identity information transmitted by the network.
5. A mobile telecommunications network in which mobile station authentication is supported, the network comprising:
receive means for receiving and storing first identity information from a visiting mobile station which has a home network and which is operable to support mobile station authentication, the first identity information being suitable for use in a network which does not support mobile station authentication; call processing means for receiving a call request from the visiting mobile station, which call request includes second identity information suitable for use in a network which supports mobile station authentication; and verification means for obtaining information indicating whether the home network of the visiting mobile station supports mobile station authentication, the verification means being operable, if the home network of the visiting station does not support mobile station authentication, to send the stored first identity information to the home network of the visiting mobile station in response to the received call request, or, if the home network does support mobile station authentication, to send the received second identity information to the home network of the visiting mobile station in response to the received call request.
6. A network as claimed in claim 5, further comprising:
storage means for storing network information indicating whether a home network supports mobile station authentication; and wherein the verification means are operable to retrieve such stored network information in response to a call request from a visiting mobile station.
7. A network as claimed in claim 5 or 6, comprising transmit means for transmitting an authentication message indicating that the network supports mobile station authentication, and wherein the first identity information is transmitted from the mobile station in response to receipt of the authentication message.
8. A network as claimed in claim 5 or 6, wherein the first identity information is transmitted from the mobile station in response to a change in the area identity information transmitted by the network.
9. A method of operating a mobile telephone network, substantially as hereinbefore described with reference to the accompanying drawings.
10. A mobile telecommunications network substantially as hereinbefore described with reference to, and as shown in, the accompanying drawings.
GB9808951A 1998-04-27 1998-04-27 Telecommunications networks Expired - Fee Related GB2336971B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB9808951A GB2336971B (en) 1998-04-27 1998-04-27 Telecommunications networks
CN98115617A CN1233895A (en) 1998-04-27 1998-06-30 Telecommunication networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9808951A GB2336971B (en) 1998-04-27 1998-04-27 Telecommunications networks

Publications (3)

Publication Number Publication Date
GB9808951D0 GB9808951D0 (en) 1998-06-24
GB2336971A GB2336971A (en) 1999-11-03
GB2336971B GB2336971B (en) 2002-12-11

Family

ID=10831040

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9808951A Expired - Fee Related GB2336971B (en) 1998-04-27 1998-04-27 Telecommunications networks

Country Status (2)

Country Link
CN (1) CN1233895A (en)
GB (1) GB2336971B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996005702A2 (en) * 1994-07-29 1996-02-22 Motorola Inc. Method and apparatus for authentication in a communication system

Also Published As

Publication number Publication date
GB9808951D0 (en) 1998-06-24
GB2336971B (en) 2002-12-11
CN1233895A (en) 1999-11-03

Similar Documents

Publication Publication Date Title
EP1157570B1 (en) System and method for providing access to value added services for roaming users of mobile telephones
US6081705A (en) Cellular telephone network support of international mobile station identity (IMSI)
US5564068A (en) Home location register for manual visitors in a telecommunication system
US5933784A (en) Signaling gateway system and method
EP1754390B1 (en) Method and radio communication network for detecting the presence of fraudulent subscriber identity modules
EP1575313A1 (en) System and method for sms message filtering
GB2322998A (en) Method of Interconnecting Communication Networks
CA2217284C (en) Method for providing ubiquitous service to mobile subscribers using a wireless gateway switch
US7215943B2 (en) Mobile terminal identity protection through home location register modification
WO2009004316A1 (en) Controlling the use of access points in a telecommunications network
US20020002049A1 (en) Method and devices for improved location updating in a mobile communication system
US6044269A (en) Method for enhanced control of mobile call delivery
WO1996034502A1 (en) Mobile communication system with intelligent network services
CN101420678B (en) Terminal closedown register method used for PHS system and PHS system implementing the method
GB2336971A (en) Authentication of a visiting mobile station
KR20000019457A (en) Method for controlling call for lost mobile terminal
KR100693747B1 (en) Authentication period adjustment apparatus based on subsribers and method thereof
GB2337668A (en) Mobile station authentication
KR100827063B1 (en) Method for restricted authentication on hlr down case in cellular network and apparatus thereof
KR100280211B1 (en) Monitoring method of illegal terminal use in mobile communication network
WO2000027156A1 (en) Method of authenticating a mobile station handing-off from an anchor exchange to a serving exchange
CN116405955A (en) Terminal communication service method, device and system
KR101449756B1 (en) Method and telecommunication system for providing wired telephone service to mobile communication subscriber

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20040427