GB2456534A - Changing communication channels for secure encrypted communications - Google Patents

Changing communication channels for secure encrypted communications Download PDF

Info

Publication number
GB2456534A
GB2456534A GB0800779A GB0800779A GB2456534A GB 2456534 A GB2456534 A GB 2456534A GB 0800779 A GB0800779 A GB 0800779A GB 0800779 A GB0800779 A GB 0800779A GB 2456534 A GB2456534 A GB 2456534A
Authority
GB
United Kingdom
Prior art keywords
communication session
change
channel
communication
predetermined time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0800779A
Other versions
GB0800779D0 (en
Inventor
Alberto Gomez
Miguel Arranz
Steven Babbage
Robert Koehler
Christopher David Pudney
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Vodafone Group PLC
Original Assignee
Vodafone Group PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vodafone Group PLC filed Critical Vodafone Group PLC
Priority to GB0800779A priority Critical patent/GB2456534A/en
Publication of GB0800779D0 publication Critical patent/GB0800779D0/en
Priority to EP09703054.8A priority patent/EP2263395B1/en
Priority to US12/863,433 priority patent/US20110243322A1/en
Priority to PCT/GB2009/050034 priority patent/WO2009090432A2/en
Publication of GB2456534A publication Critical patent/GB2456534A/en
Priority to ZA2010/05879A priority patent/ZA201005879B/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K1/00Secret communication
    • H04K1/003Secret communication by varying carrier frequency at or within predetermined or random intervals
    • H04L29/06659
    • H04L29/06748
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04BTRANSMISSION
    • H04B1/00Details of transmission systems, not covered by a single one of groups H04B3/00 - H04B13/00; Details of transmission systems not characterised by the medium used for transmission
    • H04B1/69Spread spectrum techniques
    • H04B1/713Spread spectrum techniques using frequency hopping

Abstract

Security of communications between a mobile terminal 1 and a cellular network node, e.g. base station 3, is enhanced. A communication session transmitted on a first traffic channel is encrypted using a key "KA" 50. The security is enhanced by causing the communication session to change to a second communication channel 54 after a predetermined time, preferably very quickly after establishing the key "KA". The communication session may then change to a third communication channel 56 after another predetermined time. Alternatively, the communication session may be encrypted using a second key "KB" (72 fig.3) after the change to the second communication channel 54.

Description

1
2456534
IMPROVING SECURITY IN TELECOMMUNICATION SYSTEMS
The present invention relates to a method of providing security in 5 communications between a device and a telecommunications network node. The invention also relates to a corresponding telecommunications system and base station.
Various schemes are known that provide some degree of security in io communications between a device and a telecommunications network. For example, in many GSM cellular telecommunications networks the A5/1 algorithm is used to encrypt communications sent wirelessly between a mobile terminal and a base station.
15 The GSM encryption algorithm A5/1 has become known publicly and has some weaknesses. Attempts have been made to devise GSM eavesdropping equipment that breaks A5/1 and allows the attacker to listen to people's telephone calls.
20 The cryptanalysis by such eavesdropping equipment is not quite in real time. Instead, intercepted encrypted data has to be recorded and processed to try to obtain the decryption key. It would take at least several seconds, more likely several minutes, to work out the decryption key. Once that has been done, recorded data can be retrospectively decrypted, and the rest of the intercepted 25 data can be decrypted on the fly in real time.
A stronger encryption algorithm exists, but is not currently deployed. It would be very expensive to deploy it, and would take some time, as terminals and network equipment would need to be re-designed. In the meantime it would be 30 advantageous to give GSM users better protection against eavesdropping.
2
The present invention seeks to reduce the likelihood of successful eavesdropping of communications between a device and a telecommunications network node without requiring amendment to the encryption algorithm used.
5 According to a first aspect of the present invention, there is provided a method of providing security in communications between a device and a telecommunications network node, the method including encrypting a communication session transmitted on a first channel using a key, and causing the communication session to change to a second, different communication 10 channel at a predetermined time.
The embodiments to be described in more detail below provide a number of ways of changing the behaviour of network equipment to make eavesdropping harder (especially eavesdropping on a specific target).
15
In one example the telecommunications network node is the node of a GSM telecommunications network which operates using the A5/1 encryption algorithm. In this example the device is a mobile telecommunications terminal that communicates wirelessly with the telecommunications network node using 20 GSM protocols. However, it should be understood that this is only one example of an arrangement to which the invention is applicable. Other arrangements to which the invention is applicable include UMTS (3G) cellular telecommunications networks, SAE/LTE (4G) cellular telecommunications networks, and other types of telecommunications network including non-25 cellular telecommunications networks that communicate using both wireless and non-wireless transmission. The embodiments make it more difficult for an attacker to identify and extract a key used to encrypt a communication session - irrespective of the communication medium - and the invention therefore has broad application.
30
3
The communication channel may comprise a time slot, frequency band anchor frequency hopping sequence for GSM, and also other possible senses such as code for CDMA.
5 In one embodiment to be described, the method of providing security further includes the step of causing the communication session to change to a third communication channel (different from the second communication channel) at a predetermined time. In this embodiment, very quickly after starting to use a new cipher key in the first channel, a command to assign the call to a new 10 (second) traffic channel/frequency is issued, and then, again very quickly, another command to reassign the call to another new (third) traffic channel/frequency is issued. With limited resources, the attacker cannot record all traffic channels and frequencies - only selected ones. By the time the attacker has found the decryption key, and read the first assignment command 15 that switches the communication session to the second channel, they have missed the second assignment command that switches the communication session to the third channel - so now the attacker does not know which traffic channel/frequency the call is on, and cannot easily intercept it.
20 In a second embodiment the method includes encrypting the communication session using a second key (different from the first-mentioned key) after causing the communication session to change to the second communication channel and at a predetermined time. In this embodiment very quickly after starting to use a new cipher key, a command to assign the call to a new 25 (second) traffic channel/frequency is issued; then, again very quickly, a sequence of commands that will cause a new (second) cipher key to be generated and used are issued. The attacker will miss the second (for example, in GSM, "Cipher Mode Complete") command, which may be (and in GSM is) the most readily available source of "known plaintext" on which to base the 30 cryptanalysis. Cryptanalysis of the remainder of the call, by recovering the second cipher key, becomes harder.
4
According to a second aspect of the invention, there is provided a method of providing security in communications between a device and a telecommunications network node, the method including encrypting a 5 communication session transmitted on a first channel using a key, performing a first change to the communication session carrier by causing the communication session to change to a second communication channel at a predetermined time, and performing a second change to the communication session carrier at a predetermined time different from the first-mentioned 10 predetermined time.
The second change to the carrier may cause the communication session to change to a third communication channel at a predetermined time. The second change to the carrier may alternatively or additionally include encrypting the 15 communication session using a second key after causing the communication session to change to the second communication channel and at a predetermined time different from said first-mentioned predetermined time.
If the key is obtainable by an attacker after an initial phase of analysing a 20 channel carrying the communication session, the second change to the carrier is advantageously performed before the initial phase of analysing the channel can be completed. The second change to the carrier cannot be identified by the attacker because it occurs before the attacker has derived the key and therefore before the attacker is able to interpret a message transmitted on the first channel 25 to instruct the performance of the change to the second channel. Although the attacker may be able to retrospectively identify the command sent in the first channel to change the communication session to the second channel, this will not be completed until after the second change to the carrier is performed. If the second channel is only monitored after the second change to the carrier is 30 performed, the attacker will not be monitoring the second channel at the time during which the instruction sent on the second channel to perform the second
5
change to the carrier is sent, and therefore cannot be interpreted by the attacker even though the key is known.
According to a third aspect of the present invention, there is provided a 5 telecommunications system including a device, a telecommunications network node, means for encrypting a communication session between the device and the node transmitted on a first channel using a key, means for performing a first change to the communication session carrier by causing the communication session to change to a second communication channel at a predetermined time, 10 and means for performing a second change to the communication session carrier at a predetermined time.
According to a fourth aspect of the present invention, there is provided a base station for transmitting communications relating to a communication session to 15 a device on a first channel, the communication session being encrypted using a key, the base station being adapted to perform a first change to the communication session carrier by causing the communication session to change to a second communication channel at a predetermined time, and being adapted to perform a second change to the communication session carrier at a 20 predetermined time.
Advantageously, frequency hopping is performed during the communication session over a wide range of frequencies. For example, in GSM, it is advantageous to avoid assigning to (a frequency hopping set that includes) the 25 BCCH carrier, which operates at high transmission power and is particularly easy to intercept.
The method may further include modifying conventional plaintext messages sent during the communication session, for example, in GSM to replace the 30 current completely predictable padding bytes in certain messages with random data.
6
For a better understanding of the present invention embodiments will now be described by way of example, with reference to the accompanying drawings, in which:
5
Figure 1 is a diagrammatic drawing of key elements of a mobile/cellular telecommunications system for use in explaining the operation of such a system and the embodiments of the invention;
10 Figure 2 shows the messages transmitted and the channel changes in a communication session according to a first embodiment of the invention; and
Figure 3 shows the messages transmitted and the channel changes according to a second embodiment of the invention.
15
In the drawings like elements are generally designated with the same reference sign.
Key elements of a mobile/cellular telecommunications system, and its 20 operation, will now briefly be described with reference to Figure 1.
Each base station (BS) corresponds to a respective cell of its cellular or mobile telecommunications network and receives calls/data from and transmits calls/data to a mobile terminal in that cell by wireless radio communication in 25 one or both of the circuit switched or packet switched domains. Such a subscriber's mobile terminal (or User Equipment-UE) is shown at 1. The mobile terminal may be a handheld mobile telephone, a personal digital assistant (PDA), a laptop computer equipped with a datacard, or a laptop computer with an embedded chipset containing the mobile terminal's 30 functionality.
7
In a GSM (2G) mobile telecommunications network, each base station subsystem (BSS) 3 comprises one or more base transceiver stations (BTS) 8 and a base station controller (BSC) 4. A BSC may control more than one BTS. The BTSs and BSCs comprise the GSM radio access network (RAN).
5
Conventionally, the base stations are arranged in groups and each group of base stations is controlled by one mobile switching centre (MSC), such as MSC 2 for base stations in BSSs 3, 54 and 5. As shown in Figure 1, the network has another MSC 6, which is controlling a further three BSSs 7, 9 and 15. In io practice, the network will incorporate many more MSCs and base stations than shown in Figure 1.
Each subscriber to the network is provided with a smart card or SIM which, when associated with the user's mobile terminal, identifies the subscriber to the 15 network. The SIM card is pre-programmed with a unique identification number, the "International Mobile Subscriber Identity" (IMSI) which is not visible on the card and is not known to the subscriber, and also a unique key, Ki. The subscriber is issued with a publicly known number, that is, the subscriber's telephone number, by means of which calls to the subscriber are 20 initiated by callers. This number is the MSISDN.
The network includes a home location register (HLR)/home subscriber server (HSS) 10 which, for each subscriber to the network, stores the IMSI and the corresponding MSISDN together with other subscriber data, such as the current 25 or last known MSC of the subscriber's mobile terminal. The HSS is the master database for the network, and while logically it is viewed as one entity, in practice it will be made up of several physical databases. The HSS holds variables and identities for the support, establishment and maintenance of calls and sessions made by subscribers.
30
8
When the subscriber wishes to activate their mobile terminal in a network (so that it may make or receive calls subsequently), the subscriber places their SIM card in a card reader associated with the mobile terminal (terminal 1 in this example). The mobile terminal 1 then transmits the IMSI (read from the card) 5 to the BTS 8 associated with the particular cell in which the terminal 1 is located. The BTS 8 then transmits this IMSI to the MSC 2 with which the BSS 3 is associated.
MSC 2 now accesses the appropriate HLR/HSS 10 and extracts the 10 corresponding subscriber MSISDN and other subscriber data from the appropriate storage location, and stores it temporarily in a location in a visitor location register (VLR) 14. In this way, therefore the particular subscriber is effectively registered with a particular MSC (MSC 2), and the subscriber's information is temporarily stored in the VLR (VLR 14) associated with that 15 MSC. The information stored on the VLR 14 includes a Temporary Mobile Subscriber Identification (TMSI) number for identification purposes for the terminal within the MSC 2. The TMSI number is an identification number that is typically 32 bits in length. In conventional systems, therefore, the TMSI number is not allocated to more than one user of a given system served by that 20 MSC at one time. Consequently, the TMSI number is usually invalidated when the mobile station crosses into a new location served by a different MSC.
When the HLR 10 is interrogated by the MSC 2 in the manner described above, the HLR 10 additionally causes an authentication procedure to be performed on 25 the mobile terminal 1. The HLR 10 transmits an authentication request comprising the subscriber identity (IMSI) to an AUC (authentication centre) for deriving authentication vectors (AVs). Based on the IMSI, the AUC generates a challenge, which is a random number, or obtains a stored challenge based on the IMSI. Also, the AUC generates an XRES (expected result), based on the 30 challenge and a secret shared with the SIM, or obtains an XRES stored with the challenge. The XRES is used to finalise the authentication.
9
The authentication data and XRES, are then transmitted to the MSC 2, which transmits the authentication challenge to the mobile telephone 1. The mobile telephone 1 generates a response by transmitting the authentication data to the 5 SIM of the mobile telephone 1. The SIM generates, based on the Ki of the subscription stored on the SIM and the authentication challenge, a response corresponding to the XRES stored in the server.
For finalising the authentication according to SIM authentication the MSC 2 io compares the response value with the value of the stored XRES for authentication control.
If the response from the mobile terminal 1 is as expected, the mobile terminal 1 is deemed authenticated. At this point the MSC 2 requests subscription data 15 from the HLR 10. The HLR 10 then passes the subscription data to the VLR 14.
As part of the authentication process a cipher key Kc for encrypting user and signalling data on the radio path is also established. This procedure is called 20 cipher key setting. The key is computed by the mobile terminal 1 using a one way function under control of the key Ki and is pre-computed for the network by the AUC. Thus at the end of a successful authentication exchange both parties possess a fresh cipher key Kc.
25 The authentication process will conventionally be repeated while the mobile terminal 1 remains activated and can also be repeated each time the mobile terminal makes or receives a call, if required. Each time the authentication process is performed a new Kc is generated and provided to the terminal 1 and the BSS 3.
30
10
Each of the MSCs of the network (MSC 2 and MSC 6) has a respective VLR (14 and 11) associated with it and operates in the same way as already described when a subscriber activates a mobile terminal in one of the cells corresponding to one of the base stations controlled by that MSC.
5
The MSCs 2 and 6 support communications in the circuit switched (CS) domain - typically voice calls. Corresponding SGSNs 16 and 18 are provided to support communications in the packet switched (PS) domain - such as GPRS (or 2.5G) data transmissions. The SGSNs 16 and 18 function in an analogous 10 way to the MSCs 2 and 6. The SGSNs 16, 18 are equipped with an equivalent to the VLR for the packet switched domain. GGSN 19 provides IP connectivity to the internet and/or private intranets.
In the CS domain, for example, when the subscriber using mobile terminal 1 15 wishes to make a call, having already inserted the SIM card into the reader associated with his mobile terminal and the SIM has been authenticated in the manner described, a call may be made by entering the telephone number of the called party in the usual way. This information is received by the BSS 3 and passed on to the MSC 2.
20
Call related information needs to be transported from the mobile terminal 1 to the (MSC 2). This requires the establishment of a Radio Resource (RR) connection to MSC 2. The first phase of the call setup sets up this RR connection. RR connection establishment is triggered by sending a Channel 25 Request message. This message requests the BSS 3 to allocate radio resources for the RR connection setup. The terminal 1 then waits for an assignment on an Access Grant Channel (AGCH).
The BSS 3 allocates a Traffic Channel (TCH) to the terminal 1. GSM uses 30 physical channels. Each of those physical channels is divided into 8 time slots. One user consumes one slot, thus allowing 8 users to be on a GSM physical
11
channel simultaneously. Each GSM physical channel is 200 kHz wide. The traffic channel allocation assigns a specific frequency and a timeslot on that frequency. Conventionally, the BSS 3 will allocate a traffic channel to make best use of the radio capacity available. Conventionally, the traffic channel 5 allocated to a terminal 1 may be changed by the BSS 3 when the radio conditions/availability change. After the terminal 1 receives this traffic channel allocation information, the terminal 1 only uses the specified resources for communication session with the mobile network. However, in many conventional GSM networks frequency hopping is employed to reduce the 10 effects of interference on any particular communication session. Frequency hopping consists in changing the frequency of the traffic channel in every transmitted burst (217 hops per second), providing frequency diversity and interference averaging. This randomises the risk of interference. If frequency hopping is employed, the base station 3 broadcasts the frequency sequence to 15 be used on each traffic channel. The terminal 1 receives this information and uses it to synchronise its frequency hopping with that of the base station.
The MSC 2 next checks if the user of terminal 1 has been authenticated. As the user has already been authenticated by the authentication process described 20 above, the authentication procedure does not need to be performed again.
After the subscriber has been successfully authenticated, the MSC 2 initiates ciphering of the data being sent on the channel using the new Kc established during the authentication process. The channel is ciphered using A5/1 so as so 25 protect the call from eavesdropping. To initiate ciphering, the MSC 2 triggers the BSS 3 to send a "Cipher mode Command" message to the terminal 1, and the terminal 1 acknowledges this with a "Cipher mode Complete" message.
At this point RR connection establishment has been completed between the 30 mobile terminal 1 and the MSC 2. The BSS 3 then acts as a conduit for transporting the signaling messages between the mobile terminal 1 and the
12
MSC 2. The MSC 2 routes the calls towards the called party via the MSC 2. By means of the information held in the VLR 14, MSC 2 can associate the call with a particular subscriber and thus record information for charging purposes.
5 What has been described thus far is conventional.
A first embodiment of the invention will now be described with reference to Figure 2 which shows the messages being transmitted between mobile terminal 1 and base station 3.
10
To establish a communication session between the base station 3 and the mobile terminal 1, the base station 3 initially allocates a traffic channel to the communication session (channel "0" in this example) in the conventional way -that is, based on the current radio conditions and capacity. The communication 15 session using a newly established cipher key (Kc) "KA" is established by message 50 sent from base station 3 to mobile terminal 1. Mobile terminal 1 acknowledges the establishment of the encrypted communication session by sending message "OK" 52 to the base station 3.
20 The base station 3 then very quickly (at a first predetermined time) issues message "MOVE TO CHANNEL 7" 54 to instruct the mobile terminal 1 to move to a different traffic channel, channel "7" in this example. The same cipher key "KA" is used for the communication session on traffic channel "7" as on traffic channel "0".
25
After the communication session has moved to traffic channel "7", the base station 3 then very quickly (at a second predetermined time) issues "MOVE TO CHANNEL 25" message 56 to the mobile terminal 1 to instruct the mobile terminal 1 to move to another different traffic channel, channel "25" in this 30 example. The encrypted communication session is then continued in the
13
conventional way. The same cipher key "KA" is used for the communication session on traffic channel "25" as on traffic channel "7".
As mentioned above, known attempts to eavesdrop on A5/1-encrypted GSM 5 communication sessions cannot be performed in real time but require an initial period where encrypted data recorded (indicated at 58) on the traffic channel must be processed to try to obtain the cipher key. This initial period is likely to be between several seconds and several minutes. The processing phase of the initial period is indicated at 60 in Figure 2.
10
An attacker monitoring transmission channel "0" may be able to record data including messages 50, 52 and 54 of the communication session between the mobile terminal 1 and base station 3 during the recording phase 58. The cryptanalytic process performed by the attacker may start as soon as the first 15 encrypted data are sent - which would usually be the start of the first "OK" message 52. The first and second predetermined times may be determined relative to the "OK" message 52.
Following completion of the processing phase 60 (at 60A), the attacker may 20 have identified the cipher key KA used in the communication session. However, as can be seen in Figure 2, by the time the cipher key KA has been obtained at 60A, the communication session is occurring on traffic channel "25". By obtaining the cipher key KA the attacker will be able to retrospectively decrypt the "MOVE TO CHANNEL 7" message 54 that was 25 transmitted on channel "0". If, in consequence, the attacker then monitors channel 7 (using the cipher key KA to decrypt communications on that channel), the attacker would not be able to identify and decrypt further communications between the mobile terminal 1 and the base station 3 because the communication session has since moved to traffic channel "25". Provided 30 that the attacker does not continuously always monitor traffic channel "0" and traffic channel "7", the attacker will be unable to identify on which
14
transmission channel the communication session is now occurring because the "MOVE TO CHANNEL 25" message 56 was transmitted during the initial period (comprising recording phase 58 and processing phase 60) before the cipher key KA was obtained and therefore before the attacker could determine 5 that channel "7" should be monitored to continue eavesdropping on the communication session. In this regard, it should be noted that it is less likely that an attacker will be able to record all traffic channels continuously because this would require significant resources; rather, it is more likely that an attacker will only monitor selected traffic channels.
10
As mentioned above, a traffic channel, for example traffic channel "0", "7" or "25", if frequency hopping is employed, is a known sequence of transmission frequencies and time slots between which the base station 3 and the mobile terminal 1 switch during the communication session. Both the base station 3 15 and the mobile terminal 1 know this sequence of frequencies and time slots used, so that they can synchronise movement between the frequencies and time slots during the communication session so that data are not lost.
In an enhancement of this first embodiment, frequency hopping is performed 20 over the widest possible set of frequencies in order to make it more difficult for an attacker to identify communications relating to a particular communication session. Advantageously, the base station 3 avoids assigning a frequency hopping set that includes the Broadcasting Control Channel (BCCH) carrier which operates at high transmission power and is particularly easy to intercept.
25
A second embodiment of the invention is shown in Figure 3.
As in the first embodiment, to establish a communication session between the base station 3 and the mobile terminal 1, the base station 3 allocates a traffic 30 channel to the communication session (channel "0", in this example) in the conventional way - that is, based on the current radio conditions and capacity.
15
The communication session using a newly established cipher key (Kc) "KA" is established by message 50 sent from base station 3 to mobile terminal 1. Mobile terminal 1 acknowledges the establishment of the encrypted communication session by sending message "OKA" 52 to the base station 3.
5
The base station 3 then very quickly issues message "MOVE TO CHANNEL 7" 54 to instruct the mobile terminal 1 to move to a different traffic channel, channel "7" in this example. The same cipher key "KA" is used for the communication session on traffic channel "7" as on traffic channel "0".
10
In this embodiment, however, very quickly after the communication session is moved to transmission channel "7" a "PRODUCE NEW KEY KB" message 70 message is transmitted from the base station 3 to the mobile terminal 1, which establishes a new cipher key KB at the terminal 1 and base station 3 for 15 encrypting the communication session between the base station 3 and the mobile terminal 1. The base station 3 then transmits "START USING KB" message 72 to the mobile terminal 1. The mobile terminal 1 acknowledges the instruction in message 72 by sending "OKB" message 74 in reply to the base station 3. The communication session then continues in transmission channel 20 "7" encrypted by cipher key "KB".
To establish the new cipher key KB a "Cipher Mode Complete" command is sent in message 70. In GSM the Cipher Mode Complete command is the most readily available source of known plaintext on which an attacker could perform 25 cryptanalysis.
If the attacker which records transmission channel "0" during the recording phase 58 is able to obtain the cipher key "A" used during the communication session on transmission channel "0" after performing cryptanalysis during the 30 processing phase 60, the attacker will also be able to retrospectively decipher the encrypted "MOVE TO CHANNEL 7" message 54 that was transmitted in
16
channel "0". However, assuming that the attacker is not also continually monitoring transmission channel "7", the attacker will not be able to record and analyse initial communications, including message 70, transmitted immediately after the communication session moves to transmission channel "7", because 5 the "PRODUCE NEW KEY KB" message 70 was transmitted during the initial period (comprising recording phase 58 and processing phase 60) before the cipher key KA was obtained and therefore before the attacker could determine that channel "7" should be monitored to continue eavesdropping on the communication session.. The attacker will therefore not have access to the 10 message 70 (which includes the relatively easy to decipher plaintext Cipher Mode Complete command). The information gained by the attacker by the recording phase 58 and processing phase 60 in relation to channel "0" will therefore not allow the attacker to subsequently decrypt communications between the base station 3 and the mobile terminal 1 on transmission channel 15 "7" as the attacker will not be able to identify the new cipher key KB. Of course, the attacker could obtain the new cipher key KB by starting the cryptanalysis process again on channel "7" but there would be a delay until the recording phase 58 and processing phase 60 were completed for channel "7".
20 The "MOVE TO CHANNEL 7" message 54 is transmitted between the base station 3 and the mobile terminal 1 within a predetermined time from transmission of the "OK" manage 52, for example. The "PRODUCE NEW KEY KB" message 70 is transmitted between the base station 3 and the mobile terminal 1 within a predetermined time from transmission of the "OK" message 25 52, for example.
The times at which the messages 54 and 70 are sent are selected such that the message 70 is transmitted to the mobile terminal 1 before the initial decryption process of the attacker has been completed (i.e. before the key KA has been 30 discovered) at time 60A.
17
The first and second embodiments may be enhanced by modifying the known plaintext messages that are conventionally used. In certain plaintext messages completely predictable padding bytes are included. In an enhancement these completely predictable padding bytes are replaced with random data. For 5 example, the "OK" messages 52 and 74 may be plaintext messages of 32 bytes. The majority of these messages will be predictable padding bytes that do not convey any data. For example, these padding bytes may be all "0"s. An enhancement to the embodiments would replace these "0"s with random data around the "OK" part of the message.
10
An advantage of the embodiments of the invention is that the known GSM protocols used to establish and maintain the communication session between the base station 3 and the mobile terminal 1 are not changed. The mobile terminal 1 does not need to be modified. The algorithm performed by the base 15 station 3 is modified to (in the first embodiment) cause a communication session to move from a first transmission channel ("0") to a second, different, transmission channel ("7") very quickly (at a predetermined time) after establishing the communication session, and then to again very quickly (at a predetermined time) cause the communication session to move from the second 20 transmission channel ("7") to a third, different again, transmission channel ("25").
In the second embodiment, the algorithm of the base station 3 is modified to cause the communication session to move from the first transmission channel 25 ("0") to the second, different, transmission channel ("7") very quickly (at a predetermined time) after establishing the communication session with cipher key "KA", and then very quickly (at a predetermined time) after the communication session moves to the second traffic channel ("7"), to cause a new, replacement cipher key "KB" to be established between the base station 3 30 and the mobile terminal 1 for encrypting further communications in the transmission channel 7.
18
In relation to the first embodiment, it should be appreciated that, in addition to two traffic channel changes that are performed very quickly, further traffic channel changes may be performed very quickly.
5
In relation to the second embodiment, it should be appreciated that, in addition to producing a new cipher key KB very quickly after the communication session moves to the second transmission channel ("7"), a further new cipher key may be established on movement of the communication session to another io new transmission channel.
The first and second embodiments may be combined in various ways. For example, the first embodiment may be modified so that when the communication session moves to transmission channel 25, a new cipher key is 15 very quickly established.
In the prior art, during a communication session, the traffic channel may be changed but this would always be in dependence upon the radio characteristics and capacity. In the embodiments of the present invention, the transmission 20 channel will also be changed at a predetermined time.
Conventionally, a new cipher key is established when mobile terminal 1 is activated in the network and at other arbitrary times such as when a new communication session is established. In contrast, the second embodiment, a 25 new cipher key is used during a communication session at a predetermined time.
The embodiments describe a CS call. However, it should be appreciated that the invention is also applicable to other types of communication session, such 30 as a PS communication session.
19

Claims (1)

  1. Claims
    1. A method of providing security in communications between a device and a telecommunications network node, the method including
    5 encrypting a communication session transmitted on a first communication channel using a key, and causing the communication session to change to a second communication channel at a predetermined time.
    2. The method of claim 1, including causing the communication io session to change to a third communication channel at a predetermined time.
    3. The method of claim 1 or 2, including encrypting the communication session using a second key at a predetermined time after causing the communication session to change to the second communication
    15 channel and at a predetermined time.
    4. A method of providing security in communications between a device and a telecommunications network node, the method including encrypting a communication session transmitted on a first channel using a key,
    20 performing a first change to the communication session carrier by causing the communication session to change to a second communication channel at a predetermined time, and performing a second change to the communication session carrier at a predetermined time.
    25 5. The method of claim 4, wherein the second change to the carrier causes the communication session to change to a third communication channel at a predetermined time.
    6. The method of claim 4 or 5, wherein the second change to the carrier
    30 includes encrypting the communication session using a second key at a
    20
    predetermined time after causing the communication session to change to the second communication channel and at a predetermined time.
    7. The method of any one of claims 1 to 6, wherein frequency hopping 5 is performed during the communication session over a wide range of frequencies.
    8. The method of any one of claims 1 to 7, including modifying conventional plaintext messages sent during the communication session.
    10
    9. The method of any one of claims 1 to 8, wherein the communications network is a cellular telecommunications network and the device is a mobile device that communicates with the cellular telecommunications network node wirelessly.
    15
    10. The method of claim 9, wherein the communication network is a GSM cellular telecommunications network.
    11. The network of claim 9 or 10, wherein the communication is 20 encrypted according to an A5/1 algorithm.
    12. The method of any one of claims 1 to 11, wherein the respective communication channels have different frequencies and/or time slots.
    25 13. The method of any one of claims 4 to 12, wherein the key is obtainable by an attacker after an initial phase of analysing a channel carrying the communication session, and wherein the second change to the carrier is performed before the initial phase of analysing the channel is completed.
    30 14. The method of any one of claims 4 to 12, wherein the key is obtainable by an attacker after cryptanalytic processing of a channel carrying
    21
    the communication session, and wherein the second change to the carrier is performed before the cryptanalytic processing of the channel can be completed.
    15. The method of any one of claims 4 to 12, wherein the key is
    5 obtainable by an attacker after cryptanalytic processing of a channel carrying the communication session, and wherein the predetermined time at which the second change to the carrier is performed within the minimum time that the cryptanalytic process is expected to take.
    io 16. A telecommunications system including a device, a telecommunications network node, means for encrypting a communication session between the device and the node transmitted on a first channel using a key, means for performing a first change to the communication session carrier by causing the communication session to change to a second communication 15 channel at a predetermined time, and means for performing a second change to the communication session carrier at a predetermined time.
    17. The system of claim 16, wherein the second change to the carrier causes the communication session to change the third communication channel
    20 at a predetermined time.
    18. The system of claims 16 or 17, wherein the second change to the carrier includes encrypting the communication session using a second key at a predetermined time after causing the communication session to change to the
    25 second communication channel and at a predetermined time.
    19. A base station for transmitting communications relating to a communication session to a device on a first channel, the communication session being encrypted using a key, the base station being adapted to perform
    30 a first change to the communication session carrier by causing the communication session to change to a second channel at a predetermined time,
    22
    and being adapted to perform a second change to the communication session carrier at a predetermined time.
    20. The base station of claim 19, wherein the second change to the 5 carrier causes the communication session to change the third communication channel at a predetermined time.
    21. The base station of claim 19 or 20, wherein the second change to the carrier includes encrypting the communication using a second key at a io predetermined time after causing the communication session to change to the second communication channel and at a predetermined time.
    22. A method of providing security in communications between the device and the telecommunications network node, substantially as hereinbefore
    15 described with reference to and/or substantially as illustrated in Figure 2 and/or Figure 3 of the accompanying drawings.
    23. A telecommunications system substantially as hereinbefore described with reference to and/or substantially as illustrated in Figure 2 and/or
    20 Figure 3 of the accompanying drawings.
    24. A base station substantially as hereinbefore described with reference to and/or substantially as illustrated in Figure 2 and/or Figure 3 of the accompanying drawings.
GB0800779A 2008-01-17 2008-01-17 Changing communication channels for secure encrypted communications Withdrawn GB2456534A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB0800779A GB2456534A (en) 2008-01-17 2008-01-17 Changing communication channels for secure encrypted communications
EP09703054.8A EP2263395B1 (en) 2008-01-17 2009-01-19 Improving security in telecommunications systems
US12/863,433 US20110243322A1 (en) 2008-01-17 2009-01-19 Security in telecommunications systems
PCT/GB2009/050034 WO2009090432A2 (en) 2008-01-17 2009-01-19 Improving security in telecommunications systems
ZA2010/05879A ZA201005879B (en) 2008-01-17 2010-08-17 Improving security in telecommunications systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0800779A GB2456534A (en) 2008-01-17 2008-01-17 Changing communication channels for secure encrypted communications

Publications (2)

Publication Number Publication Date
GB0800779D0 GB0800779D0 (en) 2008-02-27
GB2456534A true GB2456534A (en) 2009-07-22

Family

ID=39165864

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0800779A Withdrawn GB2456534A (en) 2008-01-17 2008-01-17 Changing communication channels for secure encrypted communications

Country Status (1)

Country Link
GB (1) GB2456534A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0167442A2 (en) * 1984-06-29 1986-01-08 Fairchild Weston Systems Inc. Secure communication system
US4829540A (en) * 1986-05-27 1989-05-09 Fairchild Weston Systems, Inc. Secure communication system for multiple remote units
GB2229064A (en) * 1987-06-11 1990-09-12 Software Sciences Limited An area communications system
US20010004375A1 (en) * 1998-04-09 2001-06-21 Andrzej Partyka Telemetry system with authenticaiton
EP1515510A2 (en) * 2003-09-09 2005-03-16 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1703656A1 (en) * 2005-03-16 2006-09-20 AT&T Corp. Secure open-air communication system utilyzing multi-channel decoyed transmission

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0167442A2 (en) * 1984-06-29 1986-01-08 Fairchild Weston Systems Inc. Secure communication system
US4829540A (en) * 1986-05-27 1989-05-09 Fairchild Weston Systems, Inc. Secure communication system for multiple remote units
GB2229064A (en) * 1987-06-11 1990-09-12 Software Sciences Limited An area communications system
US20010004375A1 (en) * 1998-04-09 2001-06-21 Andrzej Partyka Telemetry system with authenticaiton
EP1515510A2 (en) * 2003-09-09 2005-03-16 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1703656A1 (en) * 2005-03-16 2006-09-20 AT&T Corp. Secure open-air communication system utilyzing multi-channel decoyed transmission

Also Published As

Publication number Publication date
GB0800779D0 (en) 2008-02-27

Similar Documents

Publication Publication Date Title
US11785510B2 (en) Communication system
US10880747B2 (en) Network slice allocation method, device, and system
US10368239B2 (en) Method and apparatus for providing broadcast channel encryption to enhance cellular network security
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
CN103179558B (en) Group system group exhales encryption implementation method and system
US8838972B2 (en) Exchange of key material
EP2263395B1 (en) Improving security in telecommunications systems
US20190090132A1 (en) Communication method, network-side device, and user equipment
CN104394527A (en) Encryption in a wireless telecommunications
CN101164257A (en) System and method for encryption processing in a mobile communication system
CN112087724A (en) Communication method, network equipment, user equipment and access network equipment
EP3664486A1 (en) Method and apparatuses for ensuring secure attachment in size constrained authentication protocols
CN101166177B (en) A method and system for initialization signaling transmission at non access layer
JP5883544B2 (en) Method for enabling lawful intercept in telecommunication network, user equipment enabling lawful intercept in telecommunication network, base transceiver station enabling lawful intercept in telecommunication network, and program
CN101521879A (en) Wireless channel switching method and system therefor
Abodunrin et al. Some dangers from 2g networks legacy support and a possible mitigation
Perkov et al. Recent advances in GSM insecurities
CN110557753B (en) DNS redirection method based on relay access for public security network access
GB2456534A (en) Changing communication channels for secure encrypted communications
CN101588576A (en) Method and a system for protecting terminal privacy in wireless communication system
KR101385846B1 (en) Communications method and communications systems
CN111741467B (en) Authentication method and device
KR102593167B1 (en) Operation method of a communication network system
KR20090012000A (en) Mobile authentication method for strengthening the mutual authentication and handover security
Njoroge et al. A Survey of Cryptographic Methods in Mobile Network Technologies from 1G to 4G

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)