MXPA96006272A - A method and apparatus for key transforms to discriminate between different networks - Google Patents

A method and apparatus for key transforms to discriminate between different networks

Info

Publication number
MXPA96006272A
Authority
MX
Mexico
Prior art keywords
network
session key
indication
terminal
radiotelephone
Prior art date
Application number
MXPA/A/1996/006272A
Other languages
Spanish (es)
Other versions
MX9606272A (en)
Inventor
Krister Raith Alex
W Dent Paul
Original Assignee
Ericsson Inc
Priority date
Filing date
Publication date
Application filed by Ericsson Inc
Priority claimed from PCT/US1995/007797 (WO1996001546A1)
Publication of MXPA96006272A
Publication of MX9606272A

Abstract

A method and apparatus is presented for transforming a key variable used for scrambling cellular data traffic between a terminal and a network in alternate ways using information transmitted to the terminal from the network with which the terminal is connected. Transformation is accomplished by passing portions of the key variable through a series of S-boxes which provide a mapping between the input and output. Moreover, it is disclosed how to save memory by iteratively passing portions of the key variable through the same S-box.

Description

A METHOD AND APPARATUS FOR KEY TRANSFORMS TO DISCRIMINATE BETWEEN DIFFERENT NETWORKS

FIELD OF THE INVENTION

The present invention pertains to the field of privacy and anti-fraud systems for public or private wireless communication systems, such as digital cellular telephone systems. Such systems may use authentication procedures to verify the identity of a cellular mobile phone that attempts to access the cellular network, or to verify the cellular network to a cellular mobile telephone, as well as scrambling in order to prevent traffic data transmitted to or from one cellular mobile phone from being accidentally or deliberately received by another cellular mobile phone.

BACKGROUND OF THE INVENTION

Cellular mobile phones and other radio communications devices are usually designed to meet the requirements of a limited number of standards in common use in the world. Many countries choose the same standards; for example, the pan-European GSM system is used by 14 countries in Europe, in Australia and in some countries in the Middle East. The US digital cellular standard, Dual-Mode Mobile Station - Base Station Compatibility Standard, IS-54B (available from the Telecommunications Industry Association, 2001 Pennsylvania Avenue, NW, Washington, DC 20006) (in short, IS-54B), is used, for example, in the US, Mexico, Canada and South America. In the following, the terms "cellular mobile phone", "cellular handset", "cell phone", "mobile phone", "handset", "radiotelephone terminal", "cellular terminal" and "terminal" are used equivalently to refer to a wireless communication device capable of transmitting and receiving data wirelessly. Similarly, the terms "radiotelephone network", "cellular system" and "cellular network" are used equivalently to refer to a wireless communication system that supplies wireless data connections between two or more terminals, or between two or more terminals and other equipment.
Cellular mobile phones are produced in huge volumes and, therefore, it is desirable that the design be the same for all markets. One problem is that cell phone numbers, also referred to as the mobile identification number ("MIN"), are reused in other countries. A particular MIN is not guaranteed to be unique throughout the world. For example, a cell phone brought to the US by a traveler from another country that uses the same cellular standard as the US may have the same telephone number as a local American telephone, and may sometimes access the network in an unforeseen and unauthorized manner. Fraudulent access is also a problem. It is an object of anti-fraud systems to prevent such unauthorized access. Anti-fraud systems make use of a secret number, such as a personal identification number (PIN code), embedded in each phone. The PIN key stored in the cell phone is also stored in the cell phone exchange, or network exchange, belonging to the operator with which the user has a subscription, i.e. the so-called "home system". A cellular network is comprised of many such exchanges or switches, and associated base stations. A cell phone attempting to access the cellular network is "challenged" with a random number issued by a base station, which the cell phone receives and combines with the secret PIN key in a previously defined manner. The cell phone then transmits a response back to the base station for comparison and verification by the network. If the cell phone is roaming outside its home system, the network in which it is roaming at that instant challenges the phone's home system with the same random number. If the result transmitted from the cell phone matches that received from the home system, the cell phone is admitted to the network, and the network can be confident that its bill for services can be sent to the phone's home operator and will be paid.
This procedure, and other similar procedures, are referred to as authentication procedures. While it may not be too difficult to ensure that unique PIN codes are issued to all cell phones registered with a particular operator, it is not obvious how to coordinate the issuing of PIN codes between operators to guarantee uniqueness without compromising security by giving too many organizations access to secret information. Furthermore, it is not very likely that any such coordination could be achieved between continents. Therefore, the present invention provides a means of distinguishing security information between different networks, so that uniqueness of the information is not a necessity. U.S. Patent No. 5,091,942, entitled "Authentication System for Cellular, Digital, Communications Systems", by Paul Dent, assigned to the same assignee as the present invention and incorporated herein in its entirety by reference, discloses a bilateral authentication procedure that verifies a mobile phone to the cellular network and vice versa. The bilateral authentication system disclosed there also produces, as a by-product, a temporary variable to be used for scrambling traffic data signals. U.S. Patent No. 5,060,266, entitled "Continuous Key Synchronization for Communications Cell Systems", by Paul Dent, assigned to the same assignee as the present invention and incorporated herein in its entirety by reference, describes a type of scrambling system for scrambling the data traffic signals. A suitable algorithm for doing this is described in pending U.S. Patent No. 5,148,485, entitled "Encryption System for Digital Cellular Communications", by Paul Dent, assigned to the same assignee as the present invention and incorporated herein in its entirety by reference.
The aforementioned prior art discloses the use of a 64-bit temporary key, produced during the authentication procedure, to generate, with the aid of a speech frame or TDMA transmission frame counter, a block of keystream bits for each frame, which can be exclusive-ORed with the traffic data to prevent the data traffic from being received by a radio not in possession of the same 64 bits. The known prior art does not provide a means of ensuring that different radios designed to meet the requirements of the same cellular standards, distributed to perhaps different continents and accidentally in possession of the same 64-bit key, cannot receive or transmit the same signal.
SUMMARY OF THE INVENTION

In view of the foregoing background, it is therefore an object of the present invention to provide a means by which portable communication devices, such as cell phones, can be distributed throughout the world with the same design without compromising the security of the anti-fraud and privacy features in any country or continent. The present invention provides a method for determining a key for scrambling data traffic between a radiotelephone terminal and a radiotelephone network, the key being dependent on the radiotelephone network providing the voice communications service to the terminal. The technique comprises transmitting a random number from the cellular network to a cellular phone, which is used to carry out an authentication procedure. This authentication procedure results in the generation of a session key. Along with the random number, the cellular network also transmits to the cell phone an indication of the type of service provided by the network. The cell phone transforms the session key into a transformed session key, depending on the indication of the type of network, and uses this transformed session key to scramble the traffic that passes between the network and the terminal.
In an alternative embodiment of the present invention, there is described a method for determining a key for scrambling data traffic between a radiotelephone terminal and a radiotelephone network, wherein the session key is transformed in dependence on the indication of the type of network by substituting values for parts of the session key, using a substitution table or S-box that depends on the indication of the type of network. The substituted values are formed using first combinations of parts of the session key with parts of a random number, a logical channel number or an indication of the traffic direction. Values are substituted for the first combinations using a substitution table or S-box that depends on the indication of the type of network. Second combinations are formed between parts of the session key, and a transformed session key is produced by combining the substituted values with the second combinations. These and other features and advantages of the present invention will be readily apparent to one skilled in the art from the following written description, when read in conjunction with the drawings, in which like reference numbers refer to like elements.
BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a schematic illustration of a prior art communication system, showing the connection between the authentication system and the keystream generation system;
Figure 2 is a schematic illustration of a radio communication system, showing the connection between the authentication system and the keystream generation system, according to the present invention; and
Figure 3 is a schematic illustration of the key transformation process, according to the present invention.

DESCRIPTION OF THE INVENTION

In the following description, which is provided for purposes of explanation and not limitation, specific details are set forth, such as particular circuits, circuit components, techniques, etc., in order to provide a complete understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other cases, detailed descriptions of well-known methods, devices and circuits are omitted so as not to complicate the description of the present invention with unnecessary details.
A brief description of the prior art will be useful in understanding the operation of the present invention. Figure 1 schematically illustrates a cellular network 10 in radio communication with a cellular telephone 7. The cellular network 10 is comprised of the cellular base station 8 and the cellular exchange 9. As is obvious to one of ordinary skill, a typical cellular exchange 9 may be coupled to a plurality of base stations 8. In addition, a typical cellular network 10 may comprise hundreds of base stations 8 and a plurality of interconnected cellular exchanges 9. The cellular telephone 7 comprises, in addition to other elements not shown, the radio transceiver 11, the authentication algorithm 12, the key generation algorithm 13, the frame counter 14, the secret PIN key 16, and other non-secret variables 15. Items 12, 13 and 14 can be integrated into a single microprocessor, such as the TMSC320C50 from Texas Instruments, but are shown as separate functional blocks to illustrate more clearly the connections between these functions. Items 15 and 16 are stored in an appropriate memory device, such as a read-only memory (ROM). The radio transceiver 11 can be designed to provide radio communications in accordance with the aforementioned IS-54B, according to known methods.
During the aforementioned authentication process, the cellular phone 7 occasionally receives a radio signal comprising an authentication challenge. This authentication challenge includes a random number (RAND) generated by the cellular network 10 and transmitted via the cellular base station 8. The radio signal containing the RAND is received, demodulated and decoded, according to known methods, by the radio transceiver 11, which is coupled to the authentication algorithm 12. The authentication algorithm 12 combines the RAND and the secret PIN key 16 to generate a response RESP, which the transceiver 11 transmits to the base station 8, where it is subsequently received by the cellular network 10. An example of an authentication algorithm 12 is described in detail in U.S. Patent No. 5,091,942. A by-product of the authentication algorithm 12 is a 64-bit temporary key variable, known as the session key (S key), which is coupled to the key generation algorithm 13 to be used for scrambling the data traffic for a period of time, until the next time the S key is changed by a new authentication challenge. This can happen once per conversation, if desired for security reasons. The key generator uses the value of the S key, which is fixed for a period of time, together with the frame counter N 14, which varies systematically during that period, to produce a non-repeating sequence of pseudo-random keystream bits to be overlaid on the data traffic, according to known methods. An example of a key generation algorithm 13 is described in detail in U.S. Patent No. 5,060,266. In this prior art system, it is not impossible to ensure that all cell phones 7 operating in, for example, North America have unique PIN keys 16, since there is automatic inter-switch signaling between cellular networks 10 in order to provide service outside the local area.
However, it is difficult to ensure that unique PIN keys 16 can be assigned to cell phones 7 intended for use on other continents, whose cellular systems are not interconnected by inter-switch signaling with, for example, the North American cellular network. It is very possible, for example, that some of the millions of cell phones 7 delivered to other continents that use cellular systems in accordance with the same cellular standard have the same PIN code 16 as is used by some of the millions of cell phones 7 that operate in North America and so, when challenged with the same RAND, produce the same 64-bit S key. A "foreign" cell phone 7 that has the same PIN key 16 as an authorized cell phone also operating in North America will therefore produce the same keystream sequence for scrambling and be able to "listen in" on a supposedly secure link. It is also possible that PIN codes can be deliberately duplicated for illegal purposes. The probability of having the same S key in two cell phones 7 using the prior art system of Figure 1 is two to the power of minus 64. Although statistically infrequent, the technique described in Figure 1 can never guarantee that duplication will not happen. It is even more undesirable that a pair of cell phones 7 having the same PIN key 16 produce the same S key when challenged with the same RAND. However, it is of less concern if two cell phones that have the same PIN key 16 produce the same S key in response to different authentication challenges. The present invention will now be described in conjunction with the preferred embodiment. The present invention is structured as shown in Figure 2.
During the authentication procedure, the cellular network 10 transmits a random authentication challenge RAND together with an indication N of how the B key, as the by-product of the authentication process 12 is now denoted, is to be further scrambled in the key transformation process 20 in order to determine the S key for use by the key generation algorithm 13. The indication N determines one of several ways in which the key transformation 20 can combine the B key and the RAND to produce the S key. In the limit, the invention may comprise only two alternative indications, A or B. If indication A is received, it means that a first value of an integer N will be used by the key transformation 20, while if indication B is received, a second integer value of N will be used. Indication A can be issued by cellular networks 10 that are not integrated into the North American cellular network 10, for example, while indication B is issued by the base stations 8 within the North American cellular network 10. Further details on how the key transformation 20 can use the value of an integer N to modify the creation of the S key from the B key will now be given with reference to Figure 3. The 64-bit B key is denoted by eight so-called y bytes, designated y1, y2, y3, ..., y8. Similarly, the 32-bit RAND is denoted by four so-called r bytes, designated r1, r2, r3 and r4. The byte-wide modulo-2 adders 30 to 37 inclusive combine the y bytes with the r bytes (y1 with r1, y2 with r2, ..., y5 with r1, y6 with r2, ..., etc.) to produce eight new so-called z bytes, designated z1, z2, z3, ... and z8. The first four z bytes, z1, z2, z3 and z4, are respectively passed through the S-boxes 38 to 41, iteratively N times.
The last four original bytes of the B key, y5, y6, y7 and y8, are respectively passed directly through the S-boxes 42 to 45, iteratively N times; N, as previously mentioned, is included as part of the authentication challenge. An "S-box" refers to a process of substituting an output value for an input value. An S-box can, for example, constitute a 1:1 mapping, in which a unique output value is provided for every possible input value, or it can be a MANY:1 mapping, in which several input values map to the same output value. The former is also known as an information-lossless process, while the latter is an information-lossy process. In an information-lossy process, the number of possible variants of the output value is reduced compared with the number of possible variants of the input value. In this application, an input value can be passed through the S-box a number of times en route to becoming an output value, and it is undesirable that the number of possible variants of the output values be reduced; therefore, an information-lossless process (a 1:1 S-box) is preferred. This means that the input byte, for example z1, is applied as an 8-bit address to a 256-byte look-up table S, to select the output byte stored at the addressed location within S. This constitutes a single iteration (i.e., N = 1). The output byte is then applied again as an address to the input of S to obtain a new output byte. This constitutes a second iteration (i.e., N = 2). The process is repeated for the number of iterations indicated by the value of N. The iterated outputs of S-boxes 38-41 and 42-45 are respectively combined in pairs by the byte-wide exclusive-OR gates 46-49 to yield z1', z2', z3' and z4'. z8 is then passed once (i.e., N = 1) through the S-box 51 and added arithmetically in the adder 50 to z1', to obtain the first of the eight bytes of the S key, z1".
Then z1" is passed once through the S-box 52 and added arithmetically in the adder 53 to z2' to obtain the second byte z2" of the S key. This process of passing the last z" byte calculated once through an S-box and adding a z' byte to the result continues until all four z' bytes have been used, and then continues in the same way, as illustrated in Figure 3, using the remaining z bytes, z5, z6, z7 and z8, to yield a total of eight bytes of the S key, z1", z2", z3", ... and z8".
The final scrambling process is reversible and, therefore, does not constitute a so-called "one-way" function. It is not the purpose of the final scrambling process to ensure that Z' cannot be derived from Z", but rather to ensure that any 1-bit change in an input causes, on average, half of the output bits to change. Reversibility has the advantage that it is clearly without loss of information and does not result in the number of possible output values of Z" (2 to the power 64) being less than the number of possible input values of Z' (also 2 to the power 64). The one-way function property is obtained in the key generation algorithm 13, which ensures that the bits of the S key Z" cannot be derived from observation of its output keystream bits. The algorithm above assumes the availability of four bytes of a random quantity RAND (r1, r2, r3, r4), but is not restricted to this number. If fewer than four bytes of RAND are available, other data may be substituted, such as the logical link number and a traffic direction indicator, to bring the number of bytes up to 4. The latter is a means of providing independent scrambling keys for each of a number of logical or virtual channels supported by the same radio link, as well as independent scrambling keys for each direction of traffic flow (cell phone 7 to base 8 or base 8 to cell phone 7). The above algorithm discloses a means of transforming a key variable used for scrambling cellular mobile telephone transmissions in alternative ways, depending on the network 10 in which the cellular telephone 7 is operating, by transmitting from the network 10 an indication of how internal variables are to be scrambled by passage through one or more S-boxes. Likewise, it was described above how to save memory for the substitution boxes by using, instead of an alternative S-box for each of a first and a second network indication, the same S-box iteratively an alternative number of times, depending on the network indication, in at least part of the key transformation process.
Of course, it is always possible to save computation at the expense of memory by storing alternative S-boxes, one for use with the first network indication and another for use with the second network indication, as well as the common S-box, which is used in another part of the algorithm with any network indication. However, the invention is aimed more at saving memory than at saving processing power, since the key transformation process is performed only once per call at most.
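An added illustration of the Figure 3 key transformation described above (not code from the patent). The text does not give the contents of the 256-byte table, so SBOX below is a constructed 1:1 stand-in, the sample B key and RAND are constructed, and "added arithmetically" is assumed to mean addition modulo 256. It shows two terminals with the same B key and RAND deriving different S keys under different network indications N, and the reversibility of the final stage.

```python
"""Key transformation of Figure 3 as described in the text (added example)."""

# Constructed stand-in S-box (assumption: the real table is not on the page).
# An affine map with an odd multiplier is a 1:1 mapping on 0..255.
SBOX = [(167 * x + 13) % 256 for x in range(256)]
# Constructed MANY:1 table for comparison: the low input bit is discarded.
LOSSY = [SBOX[x & 0xFE] for x in range(256)]

# Constructed sample values: 64-bit B key (y1..y8) and 32-bit RAND (r1..r4).
SAMPLE_B_KEY = bytes.fromhex("a7915e070dd46bf0")
SAMPLE_RAND = bytes.fromhex("a5112233")


def iterate(table, value, n):
    """Pass one byte through the same look-up table n times."""
    for _ in range(n):
        value = table[value]
    return value


def image_size(table, n):
    """Number of distinct output bytes after n iterations over all inputs."""
    return len({iterate(table, x, n) for x in range(256)})


def first_stage(b_key, rand, n, table=SBOX):
    """Return (z', z): the four bytes z1'..z4' and the eight bytes z1..z8."""
    # Adders 30-37: y1^r1, y2^r2, ..., y5^r1, y6^r2, ...
    z = [b_key[i] ^ rand[i % 4] for i in range(8)]
    # S-boxes 38-41 on z1..z4 and 42-45 on y5..y8, each iterated N times,
    # then combined in pairs by the exclusive-OR gates 46-49.
    z_prime = [iterate(table, z[i], n) ^ iterate(table, b_key[4 + i], n)
               for i in range(4)]
    return z_prime, z


def final_stage(z_prime, z, table=SBOX):
    """Chain: z1" = S[z8] + z1', z2" = S[z1"] + z2', ..., z8" = S[z7"] + z8."""
    addends = list(z_prime) + list(z[4:])   # z1'..z4' followed by z5..z8
    prev, out = z[7], []
    for addend in addends:
        prev = (table[prev] + addend) % 256  # assumption: carry is discarded
        out.append(prev)
    return out


def invert_final_stage(s_key, table=SBOX):
    """Recover z1'..z4', z5..z8 from the S key; the stage is not one-way."""
    addends = [0] * 8
    for i in range(7, 0, -1):
        addends[i] = (s_key[i] - table[s_key[i - 1]]) % 256
    z8 = addends[7]                          # the last addend is z8 itself
    addends[0] = (s_key[0] - table[z8]) % 256
    return addends


def transform_key(b_key, rand, n):
    """B key + RAND + network indication N -> 8-byte S key."""
    if len(b_key) != 8 or len(rand) != 4:
        raise ValueError("expected an 8-byte B key and a 4-byte RAND")
    if n < 1:
        raise ValueError("N must be at least 1")
    z_prime, z = first_stage(b_key, rand, n)
    return bytes(final_stage(z_prime, z))


if __name__ == "__main__":
    for n in (1, 2):
        print("N =", n, "S key =", transform_key(SAMPLE_B_KEY, SAMPLE_RAND, n).hex())
    print("distinct outputs, 1:1 box, 5 iterations:", image_size(SBOX, 5))
    print("distinct outputs, MANY:1 box, 1 iteration:", image_size(LOSSY, 1))
```

Because the final stage is invertible, two indications N yield the same S key only if all four z' bytes coincide, which is why the choice of a 1:1 table for the iterated stage matters.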
While the present invention has been described with respect to a particular preferred embodiment, those skilled in the art will recognize that it is not limited to the specific embodiment described and illustrated herein. Different embodiments and adaptations besides those shown and described, as well as many variations, modifications and equivalent arrangements, will now be reasonably suggested by the foregoing specification and drawings, without departing from the substance or scope of the invention. While the present invention has been described here in detail in relation to its preferred embodiments, it will be understood that this description is only illustrative and exemplary of the present invention and is made merely for the purpose of providing a complete and enabling disclosure of the invention. Therefore, it is intended that the invention be limited only by the spirit and scope of the appended claims.

Claims (27)

CLAIMS

1. A method for determining a key for scrambling radiotelephone traffic between a radiotelephone terminal and a radiotelephone network, the radiotelephone network providing a data or voice communications service, the method comprising the steps of: a) transmitting a signal including a random number from the network to the terminal and using this random number to carry out an authentication procedure, this authentication procedure authorizing the terminal to the network and generating a session key; b) transmitting an indication of the type of service provided by the network to the terminal; c) transforming the session key into a transformed session key; d) using this transformed session key to scramble the traffic passed between the network and the terminal.
2. The method according to claim 1, wherein the transformation step comprises the steps of replacing parts of the session key with substituted parts, using a substitution table.
3. The method according to claim 2, wherein the substitution table represents a one-to-one mapping.
4. The method according to claim 2, wherein the substitution table depends on the indication of the type of network.
5. The method according to claim 2, wherein the substitution is performed iteratively a number of times, responsive to the indication of the network.
6. The method according to claim 1, wherein combinations of parts of the session key are formed with parts of the random number.
7. The method according to claim 1, wherein combinations of parts of the session key are formed with a logical channel number.
8. The method according to claim 1, wherein combinations of parts of the session key are formed with a traffic direction indication.
9. The method according to claim 6, wherein the combinations are replaced by a value from the substitution table.
10. The method according to claim 9, wherein the substitution table depends on the indication of the type of network.
11. The method according to claim 9, wherein the substitution is performed iteratively a number of times, which depends on the indication of the network.
12. The method according to claim 7, wherein the combinations are replaced by a value from a substitution table.
13. The method according to claim 12, wherein the substitution table depends on the indication of the type of network.
14. The method according to claim 12, wherein the substitution is performed iteratively a number of times, which depends on the indication of the network.
15. The method according to claim 8, wherein the combinations are replaced by a value from a substitution table.
16. The method according to claim 13, wherein the substitution table depends on the indication of the type of network.
17. The method according to claim 13, wherein the substitution is performed iteratively a number of times, which depends on the indication of the network.
18. The method according to claim 1, wherein combinations of parts of the session key are formed.
19. The method according to claim 1, further comprising the step of forming combinations of session key parts.
20. The method according to claim 19, further comprising substituting values for the combinations using a substitution table.
21. The method according to claim 20, wherein the substitution table is dependent on the indication of the type of network.
22. The method according to claim 20, wherein the substitution is performed iteratively a number of times, which depends on the indication of the network.
23. A method for determining a key for scrambling radiotelephone traffic between a radiotelephone terminal and a radiotelephone network, the method comprising: a) transmitting a signal including a random number from the network to the terminal and using the same to carry out an authentication procedure, this authentication procedure authorizing the terminal to the network and generating a session key; b) transmitting an indication of the type of service provided by the network to the terminal; c) transforming the session key into a transformed session key, according to the indication of the network type, by: d) substituting values for parts of the session key, using one of a substitution table and an S-box, according to the indication of the type of network; e) forming a first set of combinations of parts of the session key with parts of the random number, this random number being a logical channel number or indication of the traffic direction; f) substituting values for each of the first combinations of the parts, using either another substitution table or an S-box, which depends on the indication of the type of network; g) forming a second set of combinations between parts of the session key; h) combining the substituted values and the second combinations to form the transformed session key; and i) using the transformed session key to scramble the traffic passed between the network and the terminal.
24. A radiotelephone terminal for scrambling signals between the radiotelephone terminal and a radiotelephone network, the terminal comprising: a) at least one antenna, for receiving and sending signals to and from the radiotelephone network; b) a radio transceiver, coupled to the at least one antenna; c) a processor, to authorize the radiotelephone terminal to the network and provide a session key from this authorization; and d) the processor transforming the session key to form a transformed session key, this transformed session key being used by the processor to scramble the signals transmitted between the radiotelephone terminal and the network.
25. The radiotelephone terminal according to claim 24, wherein the session key is determined from a random number contained in an authentication challenge transmitted to the radiotelephone terminal over the network.
26. The radiotelephone terminal according to claim 24, wherein the transformed session key is determined as a function of the services provided by the network to the terminal.
27. The radiotelephone terminal according to claim 24, comprising at least one substitution table and an S-box, for transforming the session key into the transformed session key.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08270565 1994-07-05
PCT/US1995/007797 WO1996001546A1 (en) 1994-07-05 1995-06-16 A method and apparatus for key transforms to discriminate between different networks

Publications (2)

Publication Number Publication Date
MXPA96006272A (en) 1998-01-01
MX9606272A MX9606272A (en) 1998-01-31

Family

ID=39165285

Family Applications (1)

Application Number Title Priority Date Filing Date
MX9606272A MX9606272A (en) 1995-06-16 1995-06-16 A method and apparatus for key transforms to discriminate between different networks.

Country Status (1)

Country Link
MX (1) MX9606272A (en)

Similar Documents

Publication Publication Date Title
AU692288B2 (en) A method and apparatus for key transforms to discriminate between different networks
CA2141318C (en) Method and apparatus for efficient real-time authentication and encryption in a communication system
CA2344757C (en) An improved method for an authentication of a user subscription identity module
US6928558B1 (en) Method and arrangement for reliably identifying a user in a computer system
US5915021A (en) Method for secure communications in a telecommunications system
US6584310B1 (en) Method and apparatus for performing authentication in communication systems
US7630495B2 (en) Method for protecting electronic device, and electronic device
FI102235B (en) Management of authentication keys in a mobile communication system
AU748855B2 (en) Key transforms to discriminate between beams in a multi-beam satellite communication system
JP2004048738A (en) Messaging method in communication system
EP1121822B1 (en) Authentication in a mobile communications system
CN100441023C (en) Method to authenticate mobile station, communications system and mobile station
EP1311136A1 (en) Authentication in telecommunications networks
MXPA96006272A (en) A method and apparatus for key transforms to discriminate between different networks
CN101529796B (en) Mobile station authentication of TETRA network
JPH06268639A (en) Communications equipment