KR100469738B1 - Provisioning system for executing provisioning via a traffic channel in mobile communicion system and method for thereof - Google Patents

Abstract

The present invention provides for provisioning an unprovisioned mobile station of the plurality of mobile stations, and the unprovisioned mobile station being employed in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station. A provisioning system and method for preventing access to an Internet Protocol (IP) data network through a network, and a wireless network having a provisioning system. The provisioning system of the present invention includes a provisioning server connected to an internet protocol data network, and a first base station among the plurality of base stations retrieves provisioning data from the provisioning server, and the retrieved provisioning data is compared with the first base station. And a provisioning control unit for controlling the base station to transmit to the first unprovisioned mobile station through a first traffic channel established between provisioned mobile stations. In this way, provisioning is performed through the traffic channel to prevent the unprovisioned mobile station from accessing the wireless network by any method other than the traffic channel, thereby enabling the unprovisioned mobile station to access the Internet protocol data network through a data call to the base station. This is to prevent unauthorized access.

Description

PROVISIONING SYSTEM FOR EXECUTING PROVISIONING VIA A TRAFFIC CHANNEL IN MOBILE COMMUNICION SYSTEM AND METHOD FOR THEREOF}

TECHNICAL FIELD The present invention relates to wireless networks, and more particularly, to a system for performing secure over-the-air (OTA) provisioning of cellular phone handsets and other mobile devices.

Cellular services are provided by cellular service providers, local telephone companies, and national long distance human operators. They are competing with each other to focus on lowering the price of cellular services to the point where the majority of the population can use it.

The current generation of cellular phones is primarily for voice calls between subscriber handsets (hereinafter referred to as mobile stations) and counterparts over a wireless network. Such mobile stations include data devices such as personal PCs with cellular / wireless modems. In general, the bandwidth of current generation mobile stations is limited to tens of Kbps, and the applications for these current generation mobile stations are also relatively limited. However, this limitation is called '3G wireless / cellular' and is expected to be overcome by next-generation (or third-generation) cellular / wireless technology that allows each mobile station to use a wider bandwidth (i.e., 125kbps or more). As data rates increase with next-generation cellular / wireless technologies, mobile applications' Internet applications will become more common. For example, 3G cellular systems applied to 3G cell-phones (or PCs with 3G cellular modems) may be used to browse websites, send and receive graphics, run streaming audio and / or video applications, and the like on the Internet. Can be. In summary, the higher the percentage of wireless traffic controlled by the 3G cellular system, the more likely it will be Internet Protocol (IP) traffic, and conversely, the lower the percentage of wireless traffic will be typical voice traffic.

To make wireless service as convenient and as accessible to many people as possible, wireless service providers may sell cellular handsets directly to potential customers as a kind of mobile station through display booths in supermarkets and department stores. Simple instructions are provided to the buyer in the process of driving the cellular handset and in registering with the wireless service to become a subscriber. In a conventional cellular system, the handset purchaser activates the new handset according to the handset instructions and signs the service by dialing "* 228xx" on the handset keypad. At this time, the value "xx" varies depending on the identification information of the wireless service provider selling the handset.

Although not initially provisioned, the new handset must have minimal radio (RF) communication capability to provision itself. Dialing "* 228xx" on the handset keypad generates a specific purpose call that connects the handset buyer to a human operator. The human operator asks the buyer for some billing information, such as personal information, credit card numbers, home billing addresses, and the like. Once the billing information has been collected and the bill set up, the human operator instructs the handset purchaser to go through various steps such as a password, code number, menu selection command, etc. to enable certain functions in the handset.

This process is commonly referred to as 'service provisioning'. Service provisioning activates the Number Assignment Module (NAM) within the cellular handset, which identifies approved wireless carriers to give the handset a unique telephone number for incoming calls and roaming capabilities. To provide. Service provisioning activates the Preferred Roaming List (PRL) within the handset, which identifies the preferred and / or prohibited frequencies within each area as a list of frequencies / bandwidth occupied by each telephone company within each geographic area. . Service provisioning activates an authentication code called "A-key" in a cellular handset. The A-key is used to authenticate the handset when the subscriber attempts to connect to the wireless network.

Wireless networks use the Home Location Register (HLR) to store A-keys, phone numbers, roaming capability information, and other data associated with each handset, where each handset is authenticated and It is either vision or in the process of authentication and provisioning in progress. HLR is a permanent database used by wireless service providers that not only identifies / verifies subscribers but also stores subscriber data related to features and services separately. The aforementioned subscriber wireless service provider uses data stored in the HLR when the subscriber connects to the wireless network in the subscriber's own home coverage area. Other wireless service providers also use the data stored in the HLR when the subscriber is roaming out of the subscriber's home service area.

The conventional provisioning process described above has many disadvantages. The human operator must talk directly to the user by pressing a key and verifying the screen results. This is not only very time consuming, but also leads to frequent mistakes, especially for subscribers with no experience. This mistake may not be recognized early and frustrates the subscriber, which in turn prevents the subscriber from using the cellular service normally. If a mistake is recognized at the end, the provisioning process described above will have to be redone at least partially. Human operators also have to repeat this provisioning process, so they have to pay their own labor costs.

It would be desirable to automate the cellular service provisioning process as much as possible in order to minimize and reduce interactions with subscribers, thus reducing labor costs for human operators and reducing errors while allowing the user to feel the above. In particular, it is more convenient if an unprovisioned handset via an Internet connection is connected to a provisioning server to perform at least part of the over-the-air service provisioning process. something to do. Using a 3G cellular system will be an easier and more common process when provisioning OTA services for handsets. It has been described above that 3G cellular systems are used to browse websites, send and receive graphics, run streaming audio and / or video applications, and the like, over the Internet.

However, OTA service provisioning of handsets poses serious security problems for wireless service providers, particularly those related to cheating. The base station controlling the initial setup data call from the unprovisioned handset does not store the necessary provisioning data. Instead, a base station typically accesses provisioning data stored on one or multiple provisioning servers in a wireless service provider's network that is accessible or inaccessible via an intranet or the Internet. Here, a number of wireless service providers operate a cluster of base stations, which are not directly connected to each other but are connected to local telephone companies or to major long distance telephone companies. Without the Internet or intranet, each cluster of base stations could not request its own provisioning server. Accordingly, the wireless telephone company will have to pay additional line usage fees to the local telephone company and / or long distance company to connect the base station with the provisioning server.

Thus, by using an Internet connection, wireless service providers can consolidate and use all service provisioning applications and data in one central repository without spending too many copies of the information on multiple provisioning servers. have. In such a case, an experienced user can use a wireless network by connecting to a wireless network by pretending service provisioning while using an unprovisioned handset, and then accessing the IP address of the Internet instead of the Internet Protocol (IP) address of the provisioning server. . As a result, an experienced user can use the unprovisioned handset to browse the Internet for free, thereby deceiving and misusing the wireless service provider.

This problem occurs for a variety of reasons. First, the public can freely know the IP addresses of other services. Second, conventional wireless networks do not provide a method or device that can prevent access to unauthorized IP addresses. Third, although the network provides the IP address to be used for provisioning with the mobile terminal, the mobile terminal will be trusted simply by using only that IP address.

Thus, what is needed is an improved system and method for performing automatic service provisioning of wireless handsets (or other types of mobile stations). There is also a need for a system that performs secure OTA provisioning of wireless devices.

It is therefore an object of the present invention to perform provisioning only over a traffic channel to prevent the unprovisioned mobile station from accessing the wireless network by means other than the traffic channel, thereby enabling the unprovisioned mobile station to access the Internet through a data call to the base station. This is to prevent unauthorized access to the protocol data network.

1 is a view showing a general configuration of a wireless network to which the present invention is applied.

2 illustrates another configuration of portions of the wireless network of FIG. 1 performing over-the-air (OTA) service provisioning in accordance with an embodiment of the invention.

3 is a detailed view of a base station according to an embodiment of the present invention.

4 is a detailed view of a provisioning security control unit according to an embodiment of the present invention.

5 is a flow chart for performing security service provisioning of the wireless network shown in FIGS. 1 and 2 in accordance with an embodiment of the present invention.

<Explanation of symbols for the main parts of the drawings>

111-114: MS 101-103: BS

121-123 Cell site 140 MSC

150: IWF 155: HLR

160: provisioning server 175: operator station

265: Provisioning Security Controls

According to the present invention, there is provided a provisioning system for provisioning an unprovisioned mobile station among a plurality of mobile stations communicating with a plurality of base stations, the first base station of the plurality of base stations upon detecting a provisioning request signal from the mobile station. Retrieve provisioning data from a provisioning server connected to the Internet Protocol data network and transmit the retrieved provisioning data to the first unprovisioned mobile station via a first traffic channel established between the first base station and the first unprovisioned mobile station. It can be achieved by a provisioning system comprising a provisioning control unit to control the base station to.

On the other hand, the above object is, according to another aspect of the present invention, to provision an unprovisioned mobile station among the plurality of mobile stations to be employed in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station. And a provisioning system for preventing the unprovisioned mobile station from accessing an Internet Protocol (IP) data network through the wireless network; The provisioning system includes a provisioning server connected to the internet protocol data network, a first base station among the plurality of base stations retrieves provisioning data from the provisioning server, and the retrieved provisioning data is stored in the first base station and the first unprovisioning. It can also be achieved by a wireless network, comprising a provisioning control unit for transmitting to a first unprovisioned mobile station in a first traffic channel established between mobile stations.

In accordance with another aspect of the present invention, the above objects are provided for provisioning an unprovisioned mobile station among the plurality of mobile stations for use in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station. CLAIMS 1. A method of provisioning to prevent an unprovisioned mobile station from accessing an Internet Protocol (IP) data network through the wireless network, the method comprising: retrieving provisioning data from the provisioning server; A first base station of the plurality of base stations transmitting the retrieved provisioning data to a first unprovisioned mobile station through a first traffic channel established between the first base station and the first unprovisioned mobile station. Can also be achieved.

In order that the detailed description of the present invention to be described below will be more readily understood by those skilled in the art, the features and technical advantages of the present invention have been described in a somewhat schematic manner as described above. Hereinafter, further features and advantages of the present invention will be described that form the objects of the claims. It will be apparent to those skilled in the art that modifications or designs to other constructions may be readily made based on the inventive concepts and specific embodiments described below to achieve the same purposes as the present invention. In addition, those skilled in the art will appreciate that configurations equivalent to those described in the present invention do not depart from the scope and spirit of the present invention in its broadest form.

Prior to the detailed description of the present invention, the following definitions are made for convenience of specific words or phrases used throughout the present specification. "Contains" and "consists of" and derivatives thereof means "including but not limited to". "Or" means "and / or" as inclusive. "Related to" and its derivatives include "comprises", "contains in", "interconnects with", "contains", "connects with", "~ Communicate with, "," works with "," shift / fit "," parallel "," near "," constrained to "," to Have "," own ", etc. "Controller" means a device, system, or portion thereof that controls at least one operation, whether performed as hardware, firmware, software, or a combination of at least two of them. It should be noted that any particular controller may be configured to be centralized or distributed, regardless of proximity or distance. Definitions of specific words and phrases have been made throughout this specification, and such definitions can be applied to the use of such defined words and phrases in many instances, if not most, of the prior art as well as in most cases. Those skilled in the art will appreciate.

1 to 5 and various embodiments described below, which are used to describe the principles of the present invention in the present specification, are merely exemplary and should not be interpreted to limit the scope of the present invention in any case. Those skilled in the art will appreciate that the principles of the present invention may be applied to any suitably deployed wireless network.

1 shows a general configuration of a wireless network according to an embodiment of the present invention. The wireless telephone network 100 is composed of a plurality of cell sites 121 to 123, each cell site including one of a plurality of BSs (Base Stations 101 to 103). BSs 101-103 can communicate with multiple MSs (111-114). The MSs 111-114 may be, for example, wireless communication devices including conventional cellular telephones, PCS handset devices, portable computers, telemetry devices, and the like.

The dotted lines represent the rough boundaries of cell sites 121-123 that include BSs 101, 102 or 103, respectively. These cell sites are circled for illustrative purposes. The cell site may be irregularly shaped by the selected cell structure and natural or artificial obstacles.

In an embodiment of the present invention, BS 101, BS 102, and BS 103 are composed of a Base Station Controller (BSC) and a Base Transceiver Station (BTS). A BSC is a device for managing radio communication resources for a specific cell in a radio communication network, which also includes a BTS. The BTS consists of radio (RF) transceivers, antennas, and other electrical devices located at each cell site. Such electrical devices include air conditioning devices, heating devices, electrical supplies, telephone line interfaces, as well as call processing circuits. In order to clarify and clarify the present invention, the BTSs of the cells 121, 122, and 123 and the BSCs related to the BTSs are collectively shown by different reference numerals BS101, BS102, and BS103.

BS 101, BS 102 and BS 103 transmit voice and data signals between them, and transmit these signals through a communication line 131 and a mobile switching center (MSC) 140 (not shown). ). The MSC 140 plays a role of service and coordination between subscribers in wireless networks and external networks, such as public telephone systems and / or the Internet. The communication line 131 may be any connection means including T1 line, T3 line, fiber optic link, network backbone connection, and the like. In an embodiment of the invention, the communication line 131 may be a number of different data links, with each data link connecting the BSs 101-103 to the MSC 140.

In the wireless network 100, the MS 111 is located in the cell site 121 to communicate with the BS 101, and the MS 113 is located in the cell site 122 to communicate with the BS 102, and the MS 114 is located within cell site 123 and communicates with BS 103. The MS 112 is located within the cell site 121 and is located closest to the edge of the cell site 123. The direction of the arrow close to the MS 112 indicates that the MS 112 moves toward the cell site 123. When the MS 112 moves into the cell site 123 and leaves the cell site 121, a handoff is performed.

As is known, the handoff procedure carries call processing from the first cell to the second cell. For example, if the MS 112 detects that the signal from the BS 101 is weakening while communicating with the BS 101, the MS 112 can detect that the stronger signal from the BS 103 results in the BS 103. Will switch to. The MS 112 and BS 103 establish a new communication link and send signals to the BS 101 and the public telephone network to transmit on-going voice, data or control signals through the BS 103. send. Thus, the call is sent from BS 101 to BS 103. Idle handoff is defined as the handoff between cells of a mobile device in communication with a control or paging channel, rather than the state of transmitting voice and / or data signals over a normal traffic channel.

At least one MS 111-114 will initially be an unprovisioned device. That is, essential configuration data such as number assignment module (NAM) data, preferred roaming list (PRL) data, or authentication code (or "A-key") data may not exist in the MS 112, Although present in MS 112, MS 112 may not be able to communicate with BS 101 because data may not be properly configured or enabled. In order to enable such unprovisioned data to operate in the wireless network 100, an over-the-air service provisioning function is provided to the wireless network 100.

2 shows another configuration of portions of a wireless network 100 that performs OTA service provisioning in accordance with an embodiment of the present invention. MS 112, BS 101, and MSC 140 are the same as in FIG. 2, the wireless network 100 further includes an Interworking Function (IWF) 150, an HLR 155, and a provisioning server 160. In FIG. The provisioning server 160 is a system-wide central server located far from other parts of the wireless network 100, namely BS 101, MSC 140, IWF 150, and HLR 155. )to be. In order to access data at the provisioning server 160, the MSC 140 communicates with the provisioning server 160 via an intranet / internet 165. Since the data in the wireless network 100 communicates with at least one or more various communication protocols at the choice of the wireless service provider, the IWF 150 intranets the original communication transmission protocol for transmitting application data within the wireless network 100. Convert to Internet Protocol (IP) based on data packets suitable for transmission within the Internet 165.

The wireless network 100 transmits the voice call of the MS 112 to an operator station 175 via a public telephone network (PSTN) 170 so that an unprovisioned handset such as the MS 112 is provisioned. Here, operator station 175 may be a human or automated voice menu application. The voice call and provisioning process begins at the same time that the user of MS 112 dials a predetermined provisioning telephone number such as "* 228xx" on the handset keypad according to the handset instructions, where the "xx" value is the MS 112. It varies according to the identification information of the wireless service provider selling the service. If the MS 112 is unprovisioned and cannot be authenticated, then the wireless network 100 rejects all other dial telephone numbers except "* 228xx". Since "* 228xx" is used only for provisioning, MS 112 connects to operator station 175 via BS 101, MSC 140, and PSTN 170.

When connected to operator station 175, important information such as credit card information of a potential subscriber is collected from the user of MS 112 by a human operator or voice menu script. As will be explained in detail below, once such important subscriber information is collected, the operator station 175 sends a provisioning command to the base station in communication with the MS 112 (in this case, BS 101 and / or MSC 140). send. Critical subscriber information is sent to the HLR 155 via the MSC 140 for use after the provisioning process is complete. The provisioning command causes BS 101 and / or MSC 140 to establish a session over intranet / internet 165 using provisioning server 160, such that BS 101 and / or MSC 140 is an operator. Critical subscriber information collected at the station 175 can be sent to the provisioning server 160 and required provisioning such as NAM data, PRL data, and authentication codes (ie, A-keys) that must be transmitted to the MS 112. Data may be retrieved from the provisioning server 160.

As will be described in detail below, the present invention transmits the essential provisioning data to the MS 112 by means of a particular data burst message. Specific data burst messages originate in the forward and / or reverse traffic channels providing communication between the MS 112 and the BS 101. The present invention prevents MS 112 from connecting to intranet / internet 165 via BS 101 under the use of a data call. MS 112 communicates with wireless network 100 only through existing traffic channels. BS 101 and / or MSC 140 act as an agent of MS 112, and independently establish and control an Internet session using provisioning server 160. Thus, in accordance with the present invention, BS 101 and / or MSC 140 restricts all transactions to Provisioning Server 160 such that an unprovisioned handset, such as MS 112, is different in intranet / internet 165. Do not allow access to servers or websites.

The scope of the invention is not limited to wireless networks that use the Internet to link base stations and provisioning servers. According to another embodiment of the present invention, intranet / internet 165 is actually a huge intranet linking groups of base stations to at least one provisioning server with relatively minimal security. It has been mentioned above that BS 101 and / or MSC 140 connect to intranet / Internet 165 and provide security to wireless network 100. The reason is that the present invention can be implemented within BS 101 or MSC 140 or can be placed between BS 101 and MSC 140. However, to simplify the principles of the present invention, the following description assumes that the present invention is implemented in BS 101. However, one of ordinary skill in the art will recognize that the specific implementations below are for illustrative purposes only and can be easily changed and applied, so that the present invention may exist virtually anywhere within the wireless network 100.

3 is a detailed view of a base station 101 according to an embodiment of the present invention. Base station 101 includes a BSC 210 and a BTS 220. A number of BSCs and a number of BTSs have been described above with reference to FIG. 1. The BSC 210 manages resources in the cell site 121 including the BTS 220. The BTS 220 includes a BTS controller 225, a channel controller 234 having a representative channel element 240, a transceiver / receiver IF (245), an RF transceiver 250, and an antenna array 255. , And the provisioning security control unit 265, which will be described later in detail.

The BTS control unit 225 is composed of a processing circuit and a memory for executing an operation program, which controls the overall operation of the BTS 220 and communicates with the BSC 210. In the normal state, the BTS controller 225 supervises the operation of the channel control unit 235 with the channel element 240, where the channel control unit 235 includes a plurality of channel elements instead of only the channel elements 240. It includes two-way communication in the forward channel and the reverse channel. The forward channel refers to signals going from the base station to the mobile station, and the reverse channel refers to signals coming from the mobile station to the base station. The transceiver IF 245 transmits a bidirectional channel signal between the channel controller 235 and the RF transceiver 250.

The antenna array 255 transmits the forward channel signal received from the RF transceiver 250 to the mobile stations in the service area of the BS 101. The antenna array 255 also transmits the reverse channel signal received from the mobile stations in the service area of the BS 101 to the RF transceiver 250. In an embodiment of the invention, antenna array 255 is a multi-sector antenna, such as a three sector antenna. Each antenna sector of the three-sector antenna is responsible for transmitting and receiving within the 120 ° arc of the service area. In addition, the RF transceiver 250 may include an antenna selector that selects a desired antenna from a plurality of antennas during transmission and reception.

The BTS control unit 225 includes an authentication control unit 260 for verifying whether a mobile station, such as the MS 112, connected to the BS 101 is pre-authenticated by the wireless network 100. The authentication control unit 260 in conjunction with the provisioning security control unit 265 provides an essential security function to allow the MS 112 to access an Internet server or website other than the provisioning server 160 connected to the wireless network 100. prevent.

Before communication through the BS 101 is made between the MS 112 and the rest of the wireless network 100, the authentication control unit 260 requires the MS 112 to provide the appropriate shared secret data (SSD) code or the necessary provisioning. Verify that data is present to verify that MS 112 is service provisioned. In a conventional service provisioning process, a subscriber generally enters an authentication code (A-key) into the MS (mobile station) during the initial provisioning period. However, other methods can also be used to enter or obtain an authentication code (A-key). After acquiring the authentication code (A-key), the MS (mobile station) automatically generates the SSD code from the authentication code (A-key) or automatically generates the SSD code by another algorithm. In other cases, the MS (mobile station) sends its SSD code as part of the authentication process. When the MS (mobile station) is provisioned, each BS (base station) in the network will have an SSD code corresponding to the SSD code of the provisioned MS (mobile station).

Mobile communication systems commonly use CAVE (Cellular Authentication Verification and Encryption) algorithms for authentication purposes. In an embodiment of the invention, the wireless network 100 uses the CAVE algorithm for authentication purposes. The MSC 140 initiates the authentication process by passing an authentication bit (hereinafter referred to as the AUTH bit) in an overhead control message via the control channel of the cell site 121. When the MS 112 recognizes the AUTH bit, the MS 112 automatically transmits identification data on its control channel to the BS 101. The identification data of this MS 112 may include SSD information, electronic serial number (ESN) data, billing information, dialed subscriber number, and other enable data.

The authentication controller 260 stores the initial incoming control channel data from the MS 112, and compares the SSD information received from the MS 112 with the SSD information received from the HLR 155. If the authentication control unit 260 determines that the SSD information received from the MS 112 is valid, the authentication control unit 260 determines the NAM data and billing data stored in the HLR 155 to determine whether the MS 112 is provisioned. Check it. When the authentication controller 260 confirms that the MS 112 is properly provisioned, the voice / data call is transmitted to the MSC 140 for normal call processing. If the authentication control unit 260 confirms that the MS 112 is not properly provisioned (that is, there is no billing information, NAM data, etc.), the authentication control unit 260 makes a call to the MSC 140 and the PSTN ( The provisioning process is initiated by transmission to operator station 175 via 170.

In an embodiment of the present invention, the authentication control unit 260 may determine that the MS (mobile station) connected to the BS 101 has not been provisioned by other means (hereinafter referred to as unprovisioning). For example, if MS 112 cannot properly authenticate itself, then authentication controller 260 rejects the call or automatically calls the operator station 175 through MSC 140 and PSTN 170. ) To initiate the above provisioning process. Alternatively, if MS 112 dials a specific phone number, such as " * 228xx, " previously reserved for service provisioning, then authentication control 260 automatically dials the call through MSC 140 and PSTN 170. In this case, the above-described provisioning process is started by transmitting to the operator station 175.

In this case, the authentication control unit 260 connects the MS 112 via the forward and reverse traffic channels to the operator station 175 via the MSC 140. Control of the call is also transmitted to the provisioning security control unit 265. Here, the human operator or the automated voice menu of the operator station 175 instructs the user of the MS 112 to input necessary subscriber data, i.e., credit card number, address, service type, and the like, by voice or manually. Let this begin. The operator station 175 may send the collected subscriber data to the HLR 155 via the MSC 140 or to the provisioning server 160 via the intranet / internet 165.

4 shows a detailed view of the provisioning security control unit 265 according to an embodiment of the present invention. The provisioning security control unit 265 illustrated includes a data processing unit 405 and a memory 410. Memory 410 includes data burst-IP packet conversion application 415, incoming traffic channel data field 420, outgoing traffic channel data field 425, incoming IP packet data field 430, and outgoing IP packet data field. It has a storage space for (435).

Provisioning data transmitted between the MS 112 and the BS 101 as part of the above provisioning process is transmitted in a data burst message via the forward and reverse traffic channels established between the BS 101 and the MS 112. The IS-683 protocol defines a technique for transmitting data blocks in data burst messages over traffic channels.

BS 101 transmits the data burst message received on the reverse traffic channel to provisioning security controller 265. The data processing unit 405 in the provisioning security control unit 265 extracts the provisioning information from the reverse channel data burst message, and reformats the extracted provisioning data into an IP data packet to be transmitted to the provisioning server 160. The IP address of the provisioning server 160 is recognized by the data processor 405 and the rest of the wireless network 100, which may be stored in the memory 410 or anywhere in the wireless network 100. Can be. BS 101 transmits the existing voice signal and keypad input received from MS 112 to the reverse traffic channel via operator PSTN 170 to operator station 175, where the voice signal and keypad input are data burst messages. Not part

The data processing unit 405 of the provisioning security control unit 265 receives provisioning information in an IP packet from the provisioning server 160, and the IP data packet is transmitted to the MS 112 by the BS 101 in a forward traffic channel. Reformat the data burst message to be

The data processing unit 405 executes a data burst-IP packet conversion application program 415 to convert provisioning data between the IP data packet format and the data burst message format. The memory 410 stores data and programs and data burst-to-IP packet translation application 415 associated with the provisioning security control 265.

The data processing unit 405 stores the provisioning data received in the data burst message of the reverse traffic channel from the MS 112 in the incoming traffic channel data field 420 prior to conversion to the IP data packet. The data processor 405 directly receives such provisioning data from the MS 112. Alternatively, data processing unit 405 may indirectly receive provisioning data from MS 112 via operator station 175. The data processing unit 405 converts the provisioning data from the data burst message format to the IP data packet format, and then stores the converted provisioning data in the outgoing IP packet data field 435.

The data processing unit 405 stores the provisioning data received in the IP data packet from the provisioning server 160 in the destination IP data packet field 430 prior to conversion to the data burst message format. The data processor 405 converts the provision data from the IP data packet format to the data burst message format, and then stores the converted provisioning data in the outgoing traffic channel data field 425. Subsequently, the data processing unit 405 transmits the provisioning data converted into the data burst message format to the BTS control unit 225 and is transmitted to the MS 112 as a data burst message of the reverse traffic channel.

5 shows a flowchart 500 for performing security service provisioning of a wireless network 100 in accordance with an embodiment of the present invention. Initially, it is determined whether the MS 112 responds to an authentication (AUTH) code sent from the BS 101, and the BS 101 detects a connection attempt by the MS 112 in step 505. Next, in order to determine whether the MS 112 is provisioned in the wireless network 100, the authentication controller 260 of the BS 101 receives the authentication data from the MS 112, in step 510. Access data associated with MS 112 stored in HLR 155 using authentication data received at. BS 101 determines the provisioning state using at least one method, including unique provisioning number, SSD information, billing information, and the like. Here, if MS 112 is already provisioned, BS 101 sends the received voice and / or data packet to MSC 140 to perform normal call processing, including Internet call processing. However, in step 515, if the BS 101 cannot authenticate the MS 112 and the MS 112 is determined not to be provisioned, the BS 101 sends the MS 112 to the operator via the PSTN 170. The station 175 is connected.

Next, in step 520, the operator station 175 collects the necessary subscriber billing information and transmits a provisioning enable command to the BS 101. Thereafter, in step 525, the BS 101 receives the provisioning configuration data from the MS 112 as a reverse traffic channel data burst message. The provisioning security control unit 265 of the BS 101 then converts subscriber-supplied provisioning data from the operator station 175 and the MS 112 into an IP data packet including the IP address of the provisioning server 160. The BS 101 sends the outgoing IP data packet to the provisioning server 160 via the intranet / internet 165.

In step 530, the BS 101 receives provisioning data from the provisioning server 160 as an IP data packet. BS 101 converts the IP data packet from provisioning server 160 into a data burst message format and sends the converted provisioning information to MS 112 as a data burst message in a forward traffic channel.

BS 101 continues IP packet conversion for transmission between wireless network 100 and intranet / internet 165 until the current call originating from MS 112 is terminated by the user of MS 112. If the user of the MS 112 is a legitimate subscriber who has attempted to provision the MS 112 for a predetermined time (approximately one hour), then this is the BS until the service provisioning process is complete and the subscriber using the MS 112 terminates the call. It means that 101 continues the transfer process described above. Once provisioning is complete, the MS 112 enters a state ready for normal use.

In an embodiment of the present invention, either or both of the authentication control unit 260 and the provisioning security control unit 265 may be located outside the BS 101. For example, the authentication controller 260 and the provisioning security controller 265 may be implemented as a stand alone device directly or indirectly connected to the BS 101. In another embodiment of the present invention, the authentication control unit 260 and the provisioning security control unit 265 may be implemented within the MSC 140 or the IWF 150, for example. In another embodiment of the present invention, the authentication control unit 260 and the provisioning security control unit 265 may be implemented in some of a plurality of BSs (base stations) in the wireless network. In such an embodiment, two or more BSs (base stations) may share the provisioning security controller 265 with the same authentication control unit 260 located in either BS (base station).

On the other hand, in the description of the present invention has been described with respect to specific embodiments, various modifications by those skilled in the art are possible without departing from the scope of the present invention.

As described above, according to the present invention, provisioning is performed only through a traffic channel to prevent the unprovisioned mobile station from accessing the wireless network by a method other than the traffic channel, so that the unprovisioned mobile station can access the data call to the base station. This prevents unauthorized access to Internet Protocol (IP) data networks.

Claims (24)

In order to be employed in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station, provisions of the unprovisioned mobile stations among the plurality of mobile stations and the unprovisioned mobile stations are connected to the Internet via the wireless network. A provisioning system, which prevents access to a protocol (IP) data network, A provisioning server connected to an Internet Protocol data network, A first base station among the plurality of base stations retrieves provisioning data from the provisioning server, and the retrieved provisioning data is provided to the first unprovisioned channel through a first traffic channel established between the first base station and a first unprovisioned mobile station. And a provisioning control unit for controlling the base station to transmit to the mobile station. The method of claim 1, wherein the provisioning control unit Provisioning the retrieved provisioning data from an internet protocol data packet format into a data burst message format suitable for transmission in the first traffic channel. The method of claim 1, wherein the provisioning control unit Receiving provisioning data generated by a user from the first unprovisioned mobile station in a data burst message sent to the first base station via a second traffic channel established between the first base station and the first unprovisioned mobile station. A provisioning system characterized by the above. The method of claim 3, wherein the provisioning control unit And convert the user-generated provisioning data received from the first unprovisioned mobile station into a Internet protocol data packet format suitable for transmission from a data burst message format to the provisioning server in the Internet protocol data network. 2. The apparatus of claim 1, further comprising: an operator station for storing provisioning information for provisioning and generating a provisioning command, and a mobile switching station for switching the connection of the operator station through the base station and a public telephone network; The provisioning control unit Determine whether the first unprovisioned mobile station requests a provisioning service, and establish a call connection through a public telephone network between the first base station and an operator station according to the determination result to initiate a provisioning operation of the unprovisioned mobile station; Provisioning system, characterized in that. The method of claim 5, wherein the provisioning control unit Receive a provisioning enable signal from the operator station, and retrieve the provisioning data from the provisioning server based on the provisioning enable signal. The method of claim 5, wherein the provisioning control unit And determining whether the unprovisioned mobile station requests a provisioning service according to a unique telephone number dialed by the user of the unprovisioned mobile station. The method of claim 5, wherein An authentication control unit connected to the provisioning control unit to authenticate the unprovisioned mobile station in the wireless network; And the provisioning control unit determines that the unprovisioned mobile station is unprovisioned based on a signal from the authentication control unit indicating a state in which the unprovisioned mobile station is not properly authenticated. In order to be employed in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station, provisions of the unprovisioned mobile stations among the plurality of mobile stations and the unprovisioned mobile stations are connected to the Internet via the wireless network. A provisioning system for preventing access to a protocol (IP) data network; The provisioning system includes a provisioning server connected to an internet protocol data network, a first base station of the plurality of base stations retrieves provisioning data from the provisioning server, and the retrieved provisioning data is stored in the first base station and the first unprovisioned mobile station. And a provisioning control unit for transmitting to the first unprovisioned mobile station via a first traffic channel established therebetween. 10. The method of claim 9, wherein the provisioning control unit Converting the retrieved provisioning data from an internet protocol data packet format into a data burst message format suitable for transmission over the first traffic channel. 10. The method of claim 9, wherein the provisioning control unit Receiving provisioning data generated by a user from the first unprovisioned mobile station in a data burst message sent to the first base station via a second traffic channel established between the first base station and the first unprovisioned mobile station; Wireless network characterized in that. The method of claim 11, wherein the provisioning controller Converting the received user-generated provisioning data from a data burst message format into an internet protocol data packet format suitable for transmission to the provisioning server in the internet protocol data network. 10. The apparatus of claim 9, further comprising an operator station for storing subscriber information for provisioning and a mobile switching station for switching the connection of the operator station through the base station and a public telephone network; The provisioning control unit Determine whether the unprovisioned mobile station requests a provisioning service, and set up a call connection through a public telephone network between the first base station and an operator station according to the determination result to initiate provisioning operation of the unprovisioned mobile station; Wireless network. The method of claim 13, wherein the provisioning control unit Receive a provisioning enable signal from the operator station, and retrieve the provisioning data from the provisioning server based on the provisioning enable signal. The method of claim 13, wherein the provisioning control unit And determining whether the unprovisioned mobile station requests a provisioning service according to a unique telephone number dialed by the user of the unprovisioned mobile station. The system of claim 13, wherein the provisioning system comprises: An authentication control unit connected to the provisioning control unit to authenticate the unprovisioned mobile station in the wireless network; And the provisioning control unit determines that the unprovisioned mobile station is unprovisioned when the authentication control unit sends a signal indicating that the unprovisioned mobile station is not properly authenticated to the provisioning control unit. In order to be employed in a wireless network comprising a plurality of base stations and a plurality of mobile stations communicating with each base station, provisions of the unprovisioned mobile stations among the plurality of mobile stations and the unprovisioned mobile stations are connected to the Internet via the wireless network. A provisioning method for preventing access to a protocol (IP) data network, Retrieving provisioning data from the provisioning server; A first base station of the plurality of base stations transmitting the retrieved provisioning data to a first unprovisioned mobile station via a first traffic channel established between the first base station and the first unprovisioned mobile station; A wireless network provisioning method. The method of claim 17, And converting the retrieved provisioning data from an internet protocol data packet format into a data burst message format suitable for transmission of the first traffic channel. The method of claim 17, Receiving provisioning data generated by a user from the first unprovisioned mobile station in a data burst message sent to the first base station via a second traffic channel established between the first base station and the first unprovisioned mobile station; Provisioning method of a wireless network, further comprising the process. The method of claim 19, Converting the received user-generated provisioning data from a data burst message format into an internet protocol data packet format suitable for transmission to the provisioning server in the internet protocol data network. . The method of claim 17, Determining whether the unprovisioned mobile station requests a provisioning service; And If it is determined that the unprovisioned mobile station is requesting a provisioning service, establishing a call connection through a public telephone network between the first base station and an operator station that initiates a provisioning operation of the unprovisioned mobile station. A method of provisioning a wireless network, characterized by the above. The method of claim 21, Receiving a provisioning enable signal from the operator station, and upon receiving the provisioning enable signal, initiating the process of retrieving the provisioning data from the provisioning server connected to the internet protocol data network. Provisioning method of wireless network. 22. The method of claim 21, wherein the determining of whether the unprovisioned mobile station requests a provisioning service comprises: Determining whether a user of the unprovisioned mobile station has dialed a unique telephone number. The method of claim 21, Authenticating the unprovisioned mobile station in the wireless network; And determining whether the unprovisioned mobile station requests a provisioning service comprises determining that the unprovisioned mobile station is not properly authenticated.