TW564619B - A system for ensuring encrypted communication after handover - Google Patents


Info

Publication number
TW564619B
TW564619B
Authority
TW
Taiwan
Prior art keywords
information
mobile station
wireless access
access network
message
Application number
TW091109855A
Other languages
Chinese (zh)
Inventor
Jukka Vialen
Valtteri Niemi
Original Assignee
Nokia Corp
Priority claimed from FI20002613A and PCT/FI2001/000870
Application filed by Nokia Corp
Application granted
Publication of TW564619B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A fraudulent intruder can eavesdrop on a call by removing information about an encryption algorithm when a multimode mobile station sends an unprotected initial signaling message containing this information over the radio interface to the mobile telecommunications system. The attempt can be prevented in a universal mobile telecommunications system (UMTS) comprising at least two radio access networks providing mobile stations with access to at least one core network, a multimode mobile station, and at least one core network. During connection setup with a first radio access network, the multimode mobile station sends an unprotected initial signaling message that includes information about the encryption algorithms that the multimode mobile station supports when it communicates in a second radio access network. The first radio access network saves some or all of this information. It then composes and sends an integrity-protected message that includes information about the encryption algorithms supported by the multimode mobile station in the second radio access network.

Description

Field of the Invention

The invention relates generally to integrity protection in telecommunication systems.

Background of the Invention

A third-generation mobile communication system is known in Europe as UMTS (Universal Mobile Telecommunications System). It forms part of the International Telecommunication Union's IMT-2000 system. UMTS/IMT-2000 is a global wireless multimedia system that provides higher transmission speeds (2 megabits per second) than current mobile networks.

Figure 1 shows a simplified block diagram of a GSM (Global System for Mobile Communications) network and a UMTS network. The main parts of the network are the user terminal 100 and a network part comprising a GSM base station subsystem BSS 105, a UMTS terrestrial radio access network UTRAN 101 (the wideband multiple-access radio network currently being specified in 3GPP, the Third Generation Partnership Project) and a core network CN 104. The radio interface between the user terminal and UTRAN is called Uu, and the interface between UTRAN and the 3G core network is called Iu. The interface between the GSM base station subsystem BSS and the General Packet Radio Service GPRS core network is called Gb, and the interface between the GSM base station subsystem BSS and the GSM core network is called A. The user terminal can be a multimode terminal that can operate using at least two radio access technologies, in this example UMTS and GSM. UTRAN comprises a radio network subsystem RNS 102, which in turn comprises a radio network controller RNC 103 and one or more Node Bs (not shown in Figure 1). The interface between two RNSs is called Iur. The interface between the user terminal and the GSM base station subsystem BSS is referred to simply as the "radio interface". The GSM base station subsystem BSS comprises a base station controller BSC 106 and a base transceiver station BTS 107. Core network nodes such as the (GSM) mobile switching centre MSC and the (GPRS) serving GPRS support node SGSN can control both types of radio access network, i.e. UTRAN and BSS. Another possible network architecture is that each radio access network (UTRAN and BSS) has its own controlling core network nodes, MSC and SGSN respectively, i.e. 2G MSC, 2G SGSN and 3G MSC, 3G SGSN, but these core network elements are all connected to the same home location register HLR (not shown in Figure 1), which contains all static user information, such as the user's billing, so that the user can still be controlled from one location even when the user terminal can operate via several different radio access networks.

The radio interface protocols needed to set up, re-establish and release radio bearer services are briefly discussed below. The radio interface protocol architecture in the access stratum consists of three protocol layers, from top to bottom: the radio network layer (L3), the data link layer (L2) and the physical layer (L1). The protocol entities in these layers are as follows. The radio network layer contains only one protocol, called RRC (Radio Resource Control) in the UMTS radio interface and RR (Radio Resource protocol) in the 2G GSM radio interface. In the UMTS radio interface the data link layer contains several protocols: PDCP (Packet Data Convergence Protocol), BMC (Broadcast/Multicast Control protocol), RLC (Radio Link Control protocol) and MAC (Medium Access Control protocol). In the GSM/GPRS radio interface the layer 2 protocols are LLC (Logical Link Control), LAPDm (Link Access Protocol on the Dm channel), RLC (Radio Link Control) and MAC (Medium Access Control protocol). The physical layer has only one "protocol", which has no specific name. All the radio interface protocols mentioned above are specified for one particular radio access technology, which means that they differ between, for example, the GSM radio interface and the UMTS Uu interface.

In UMTS the RRC layer provides services to the higher layers, i.e. to the non-access stratum NAS, through service access points that are used by the higher protocols on the user terminal side and by the Iu RANAP (Radio Access Network Application Part) protocol on the UTRAN side. All higher-layer signalling (mobility management, call control, session management, etc.) is encapsulated in RRC messages for transmission over the radio interface.

All telecommunication faces the problem of how to be sure that received information has been sent by an authorised sender and not by someone trying to impersonate the sender. The problem is more pronounced in cellular telecommunication systems, where the air interface provides an excellent platform for eavesdropping on and replacing the transmitted content by using higher transmission levels, even from a distance. The basic solution to this problem is authentication between the communicating parties. An authentication procedure aims to discover and verify the identities of both communicating parties, so that each party receives information about the identity of the other and can rely on that identity to a sufficient degree. Authentication is typically performed in a specific procedure at the beginning of a connection. However, this does not adequately protect subsequent messages against unauthorised manipulation, insertion and deletion. Separate authentication of each transmitted message is therefore needed. This can be done by attaching a message authentication code (MAC-I) to the message at the sending end and checking the MAC-I value at the receiving end.

A MAC-I is typically a relatively short bit string that depends in a specified way on the message it protects and on a secret key known to both the sender and the receiver of the message. The secret key is typically generated and agreed during the authentication procedure at the beginning of the connection. In some cases the algorithm used to compute the MAC-I from the secret key and the message is also secret, but often this is not the case.

The authentication of a single message is often called integrity protection. To protect the integrity of signalling, the sending party computes a MAC-I value from the message to be sent and the secret key using a specified algorithm, and sends the message together with the MAC-I value. The receiving party recomputes the MAC-I value from the message and the secret key according to the specified algorithm and compares the received MAC-I with the computed MAC-I. If the two MAC-I values match, the receiver can trust that the message has not been altered and has been sent by the authorised party.

Figure 2 illustrates the computation of the message authentication code in UTRAN. The length of the MAC-I used in UTRAN is 32 bits.

The UMTS integrity algorithm used in block 200 is a one-way cryptographic function that computes the message authentication code (MAC-I) from the input parameters shown in Figure 2. One-way means that even if only one input parameter is unknown, it is still impossible to derive the input parameters from the MAC-I.

The input parameters used to compute the MAC-I comprise the actual signalling message to be sent (after encoding), a secret integrity key, a sequence number COUNT-I of the message being integrity protected, a value indicating the transmission direction, i.e. whether the message is sent in the uplink (from the user terminal to the network) or downlink (from the network to the user terminal) direction, and a random number (FRESH) generated by the network. COUNT-I consists of a short sequence number SN and a long sequence number called the hyper frame number HFN. Only the short sequence number is normally sent with the message; the HFN is updated locally in each communicating party.
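The following is an added example, not code from the patent or from Nokia, that makes the Figure 2 inputs and the COUNT-I split concrete: only SN travels in each PDU, the HFN is kept and incremented locally on both sides, and the receiver rebuilds COUNT-I before recomputing the tag. The f9 algorithm is replaced by an HMAC-SHA256 stand-in truncated to 32 bits, and the SN/HFN widths, keys and FRESH value are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the 3GPP f9 integrity function (f9 is KASUMI-based and
# is not implemented here): HMAC-SHA256 truncated to the 32-bit MAC-I length given
# in the text. SN and HFN widths are assumptions; the page does not give them.
MAC_LEN = 4            # 32-bit MAC-I
SN_BITS = 4            # assumed width of the short sequence number sent in each message
HFN_BITS = 28          # assumed width of the hyper frame number kept locally
UPLINK, DOWNLINK = 0, 1


def count_i(hfn: int, sn: int) -> int:
    """COUNT-I = HFN || SN: long locally held part followed by the short transmitted part."""
    return (hfn << SN_BITS) | sn


def mac_i(ik: bytes, count: int, message: bytes, direction: int, fresh: bytes) -> bytes:
    """Figure 2 inputs: integrity key IK, COUNT-I, MESSAGE, DIRECTION and FRESH."""
    data = struct.pack(">IB", count, direction) + fresh + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:MAC_LEN]


class IntegrityPeer:
    """One direction of one connection: holds IK, FRESH, the local HFN and the next SN."""

    def __init__(self, ik: bytes, fresh: bytes, direction: int, hfn: int = 0):
        self.ik, self.fresh, self.direction = ik, fresh, direction
        self.hfn, self.sn = hfn, 0

    def _advance(self):
        self.sn += 1
        if self.sn == 1 << SN_BITS:   # SN wrapped: each side increments its HFN locally
            self.sn = 0
            self.hfn = (self.hfn + 1) & ((1 << HFN_BITS) - 1)

    def protect(self, message: bytes) -> bytes:
        """Sender: PDU = SN || message || MAC-I. Only SN travels; the HFN never does."""
        tag = mac_i(self.ik, count_i(self.hfn, self.sn), message, self.direction, self.fresh)
        pdu = bytes([self.sn]) + message + tag
        self._advance()
        return pdu

    def verify(self, pdu: bytes):
        """Receiver: rebuild COUNT-I from the received SN and the local HFN, compute
        XMAC-I and compare. Returns the message, or None if the PDU must be discarded."""
        sn, message, tag = pdu[0], pdu[1:-MAC_LEN], pdu[-MAC_LEN:]
        if sn != self.sn:
            return None          # out of sequence (replayed or lost PDU): discard
        xmac = mac_i(self.ik, count_i(self.hfn, sn), message, self.direction, self.fresh)
        self._advance()          # the sequence slot is consumed whether or not MAC-I checks
        return message if hmac.compare_digest(xmac, tag) else None


def run_exchange(messages, tamper_index=None, rnc_hfn=0):
    """Push messages from the UE to the RNC. tamper_index flips one payload bit of that
    PDU in transit; rnc_hfn lets the receiver start with a desynchronised HFN.
    Returns one bool per message: True if the RNC accepted it unchanged."""
    ik = bytes(range(16))                 # constructed 128-bit IK agreed at authentication
    fresh = b"\xde\xad\xbe\xef"           # constructed network-chosen FRESH value
    ue = IntegrityPeer(ik, fresh, UPLINK)
    rnc = IntegrityPeer(ik, fresh, UPLINK, hfn=rnc_hfn)
    results = []
    for i, msg in enumerate(messages):
        pdu = ue.protect(msg)
        if i == tamper_index:
            pdu = pdu[:1] + bytes([pdu[1] ^ 0x01]) + pdu[2:]
        results.append(rnc.verify(pdu) == msg)
    return results
```

Sending more than 16 messages forces an SN wrap, so the run shows both peers stepping their HFN in lockstep without it ever being transmitted; a receiver whose HFN is off by one rejects every PDU even though the SN values look right.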

The computation block 200 computes the message authentication code by applying the above parameters to the integrity algorithm, which in the 3GPP Release 99 specifications is called the f9 algorithm. More algorithms may become available in future releases of the specifications. Before integrity protection starts, the user terminal tells the network which integrity algorithms it supports, and the network then selects one of these algorithms for the connection. A similar mechanism for the supported algorithms is used for ciphering.

Figure 3 illustrates a message to be sent, for example, over the radio interface. The message is a layer N protocol data unit (PDU) 300, which is carried as the payload in a layer N-1 PDU 301. In this example, layer N represents the radio resource control (RRC) protocol of the radio interface and layer N-1 represents the radio link control (RLC) layer. A layer N-1 PDU generally has a fixed size, which depends on the channel type of the physical layer used (i.e. the lowest layer, not shown in Figure 2) and on parameters such as modulation, channel coding and interleaving. If the layer N PDU does not happen to be exactly the size of the payload provided by layer N-1, layer N-1 can use functions such as segmentation, concatenation and padding so that the layer N-1 PDU is always of a fixed size. In this case we consider a layer N PDU consisting of the actual signalling data and integrity check information. The integrity check information comprises the MAC-I and the message sequence number SN needed at the checking end to recompute the MAC-I. The total length of the message is then the combined length of the signalling data bits and the integrity check information bits.

Figure 4 illustrates an inter-system handover from a radio access network to a GSM base station subsystem. For simplicity only one mobile switching centre is shown in Figure 4. In reality it comprises a GSM (2G or second-generation) mobile switching centre MSC and a UMTS (3G or third-generation) mobile switching centre, which may physically be one entity or two separate MSCs. The interaction between these two mobile switching centres (if they are two separate entities) is not essential to the present invention and is therefore not described further.

First, a connection exists between the user terminal and the radio access network, which in this particular example is UTRAN. Based on various parameters, such as neighbouring cell load information, measurements from the user terminal, the presence of GSM cells in the nearby geographic area and the capabilities of the user terminal (i.e. that it also supports GSM mode), the radio access network may initiate an inter-system handover to the base station subsystem BSS. First, UTRAN asks the user terminal to start inter-system measurements on GSM carriers by sending a measurement control message 400 containing inter-system-specific parameters. When the rules for sending a measurement report (described in the measurement control message) are fulfilled, the user terminal sends a measurement report 401. The inter-system handover decision is then made in UTRAN. After the decision, the serving radio network controller SRNC in UTRAN sends a relocation required message 402 over Iu to the mobile switching centre (3G MSC). Upon receipt, the mobile switching centre (2G MSC) sends a handover request message 403 to the target base station subsystem; this message contains, for example, information on the ciphering algorithm and cipher key to be used for the connection, and MS classmark information indicating, for example, which algorithms are supported by the user terminal. Thus it is possible that the mobile switching centre MSC selects the ciphering algorithm and indicates only the selected algorithm to the base station subsystem BSS, or that the mobile switching centre MSC sends a list of possible ciphering algorithms to the base station subsystem BSS, which then makes the final selection. The MS classmark information is sent by the user terminal to the mobile switching centre MSC at the start of the UMTS connection. It is also possible that the MS classmark information is sent by the user terminal to the UMTS radio access network (UTRAN) at the start of the UMTS connection. When an inter-system handover from UMTS to GSM is triggered, the MS classmark information is sent from UTRAN to the MSC. When a GSM base station controller receives this message, it makes a reservation in the indicated GSM cell and responds by returning a handover request ACK message 404, indicating the requested handover that the base station subsystem BSS can support and the radio channel to which the user terminal should be directed. The handover request ACK 404 also indicates that the requested algorithm has been accepted or, if the handover request 403 contained several algorithms, which algorithm has been selected. If the base station subsystem BSS cannot support any of the indicated ciphering algorithms, it returns a handover failure message (instead of 404) and the mobile switching centre MSC indicates the handover failure to UTRAN. In step 405 the mobile switching centre (3G MSC) responds to the message sent in step 402 by the serving radio network controller in UTRAN with a relocation command message on the Iu interface. The relocation command carries in its payload, for example, information about the GSM channel and ciphering mode information. UTRAN commands the user terminal to perform the handover by sending an inter-system handover command message 406, which contains the channel information for the target GSM cell. Other information may also be included, such as GSM ciphering mode setting information, which indicates at least the ciphering algorithm to be used in the GSM connection. After switching to the indicated GSM channel, the mobile station normally sends the handover access message 407 four times, in four successive layer 1 frames on the main DCCH. These messages are sent in GSM access bursts, which are not encrypted. In some situations it may not be necessary to send these handover access messages; if so, this is indicated in the inter-system handover command 406. The terminal may receive a physical information message 408 in response to the handover access messages. The physical information message contains only GSM timing advance information. Receipt of a physical information message causes the terminal to stop sending access bursts. If handover access messages are used, they trigger the GSM base station controller in the base station subsystem to notify the mobile switching centre (2G) of the situation with a handover detect message 409.

After the lower-layer connection has been successfully established, the mobile station returns a handover complete message 410 to the GSM base station subsystem on the main DCCH. On receipt of the handover complete message 410, in this example, the network releases the old UTRAN channel. Figure 4 shows three messages of this release procedure, but in practice many other messages, not shown in Figure 4, are needed between network elements. These three messages are: first, a handover complete message 411 from the GSM base station subsystem to the mobile switching centre; then an Iu release command 412 over the Iu interface to UTRAN, or more precisely to the serving radio network controller; and third, an Iu release complete message 413.

The cipher key used after the inter-system handover is derived with a conversion function from the cipher key used in UTRAN before the handover. This conversion function exists in the mobile station and in the mobile switching centre, so no additional procedure is needed on the radio interface. As described above, the GSM ciphering algorithm to be used after the inter-system handover is selected by the MSC or the BSS and notified to the mobile station (in messages 405 and 406). The GSM ciphering algorithm capability (contained in the GSM MS classmark information element) is transparent to UTRAN in the current specifications. However, the GSM MS classmark information element is sent from the mobile station to UTRAN in the RRC connection establishment procedure and is subsequently sent to the core network at the inter-system handover to GSM.

Figure 5 is a signalling diagram showing the basic connection setup and security mode setup procedures used in 3GPP UTRAN. Figure 5 shows only the most important signalling between, on the one hand, a mobile station and a serving radio network controller in the radio access network and, on the other hand, the serving radio network controller and a mobile switching centre or a serving GPRS support node.

The establishment of a radio resource control (RRC) connection between the mobile station and the serving radio network controller is performed over the Uu interface 500. During RRC connection establishment the mobile station can send information such as the user equipment security capability and the START values needed by the ciphering and integrity protection algorithms. The user equipment security capability contains information on the supported (UMTS) ciphering algorithms and (UMTS) integrity algorithms. All the above values are stored in the serving radio network controller for later use, step 501. Similarly, the GSM classmark information (MS classmark 2 and MS classmark 3) is sent from the mobile station to UTRAN at RRC connection establishment and can be stored for later use in the serving radio network controller.

Next, the mobile station sends an initial higher-layer message 502 (which may be, for example, a CM service request, a location update request or a CM re-establishment request) via the serving radio network controller over the Iu interface to the mobile switching centre. It contains, for example, the user identity, a key set identifier KSI and an MS classmark indication, e.g. the GSM ciphering algorithms supported in case an inter-system handover to GSM is initiated. The network initiates the authentication procedure, which also results in the generation of new security keys 503. The network further determines the set of UMTS integrity algorithms UIA and UMTS ciphering algorithms UEA from which the UIA and UEA for this connection may be selected, step 504. Then, in step 505, the mobile switching centre sends a security mode command message to the serving radio network controller, in which it indicates the cipher key CK and integrity key IK to be used and the allowed UIA and UEA sets.

Based on the user equipment security capability stored in step 501 and the list of possible UIAs and UEAs received from the mobile switching centre in step 505, the serving radio network controller selects the algorithms to be used for the connection. It also generates a random value FRESH to be used as an input parameter to the integrity algorithm (Figure 2) and the ciphering algorithm. It also starts deciphering and integrity protection, step 506.

The first integrity-protected message, the security mode command 507, is sent from the serving radio network controller to the mobile station over the radio interface. This message contains the selected UIA and UEA and the FRESH parameter to be used by the UE. In addition, the security mode command contains the same UE security capability that was received from the user equipment at RRC connection establishment 500. The reason for echoing this information back to the UE is to give the user the possibility to check whether the network received this information correctly. This mechanism is necessary because the messages sent at RRC connection establishment 500 were neither ciphered nor integrity protected. A message authentication code MAC-I for integrity protection is attached to the security mode command message 507.

In step 508 the mobile station compares whether the received UE security capability is the same as that sent in the RRC connection establishment procedure 500. If the two UE security capabilities match, the mobile station can trust that the network received the security capability correctly. Otherwise, the UE releases the RRC connection and enters an idle state.
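The following added example, not code from the patent or from Nokia, simulates steps 500 to 508: the unprotected capability message, its storage in the SRNC, the integrity-protected security mode command that echoes it, and the UE's two checks. It goes slightly beyond the text in also echoing the GSM ciphering classmark, which is what the invention adds, so that a classmark altered on the unprotected step-500 message is detected. The f9 function is replaced by an HMAC-SHA256 stand-in; keys, FRESH and the algorithm identifier strings are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

DOWNLINK = 1


# Constructed stand-in for the 3GPP f9 integrity function (not the real KASUMI-based
# f9): HMAC-SHA256 truncated to the 32-bit MAC-I. Keys, FRESH and the algorithm
# identifier strings in this example are constructed sample values.
def mac_i(ik: bytes, fresh: bytes, direction: int, message: bytes) -> bytes:
    return hmac.new(ik, fresh + bytes([direction]) + message, hashlib.sha256).digest()[:4]


def encode_caps(caps: dict) -> bytes:
    """Deterministic byte encoding of the capability lists so they can be covered by MAC-I."""
    return ";".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(caps.items())).encode()


def smc_body(uea: str, uia: str, fresh: bytes, echoed_caps: dict) -> bytes:
    """The part of SECURITY MODE COMMAND that the MAC-I is computed over."""
    return b"|".join([uea.encode(), uia.encode(), fresh, encode_caps(echoed_caps)])


@dataclass
class MobileStation:
    caps: dict      # UEA/UIA lists (UE security capability) plus the GSM ciphering classmark
    ik: bytes       # integrity key agreed during authentication (step 503)

    def rrc_connection_request(self) -> dict:
        """Step 500: sent before any ciphering or integrity protection exists."""
        return {"caps": self.caps}

    def on_security_mode_command(self, smc: dict) -> str:
        """Step 508: check the MAC-I first, then the echoed capability."""
        body = smc_body(smc["uea"], smc["uia"], smc["fresh"], smc["echoed_caps"])
        if not hmac.compare_digest(mac_i(self.ik, smc["fresh"], DOWNLINK, body), smc["mac_i"]):
            return "RELEASE_RRC (MAC-I failure)"          # forged or altered in transit
        if smc["echoed_caps"] != self.caps:
            return "RELEASE_RRC (capability mismatch)"    # network holds a list the UE never sent
        return "SECURITY_MODE_COMPLETE"                   # step 509 follows


@dataclass
class ServingRNC:
    ik: bytes
    allowed_uea: list   # ciphering algorithms permitted by the MSC, preferred first (step 505)
    allowed_uia: list   # integrity algorithms permitted by the MSC, preferred first
    stored_caps: dict = None

    def on_rrc_connection_request(self, req: dict):
        """Step 501: store whatever capability arrived; it may have been altered on the way."""
        self.stored_caps = req["caps"]

    def security_mode_command(self, fresh: bytes) -> dict:
        """Steps 506-507: select algorithms, echo the stored capability, attach MAC-I."""
        uea = next(a for a in self.allowed_uea if a in self.stored_caps["UEA"])
        uia = next(a for a in self.allowed_uia if a in self.stored_caps["UIA"])
        body = smc_body(uea, uia, fresh, self.stored_caps)
        return {"uea": uea, "uia": uia, "fresh": fresh, "echoed_caps": self.stored_caps,
                "mac_i": mac_i(self.ik, fresh, DOWNLINK, body)}


def run_security_mode_setup(tamper: str = None) -> str:
    """Run steps 500-508 and return the UE's decision. tamper models an intruder on the
    radio path: 'strip_gsm' rewrites the unprotected step-500 message so it claims no GSM
    ciphering algorithms; 'strip_gsm_and_patch_smc' additionally rewrites the echoed list
    inside the security mode command to hide the first change."""
    ik = bytes(range(16))                 # constructed IK
    fresh = b"\x01\x02\x03\x04"           # constructed FRESH
    ue = MobileStation(caps={"UEA": {"UEA0", "UEA1"}, "UIA": {"UIA1"},
                             "GSM": {"A5/1", "A5/3"}}, ik=ik)
    rnc = ServingRNC(ik=ik, allowed_uea=["UEA1", "UEA0"], allowed_uia=["UIA1"])

    req = ue.rrc_connection_request()
    if tamper in ("strip_gsm", "strip_gsm_and_patch_smc"):
        req = {"caps": {**req["caps"], "GSM": set()}}
    rnc.on_rrc_connection_request(req)

    smc = rnc.security_mode_command(fresh)
    if tamper == "strip_gsm_and_patch_smc":
        smc = {**smc, "echoed_caps": ue.caps}   # echoed list restored, but MAC-I no longer fits
    return ue.on_security_mode_command(smc)
```

The two failure outcomes are distinct on purpose: the echo comparison catches manipulation of the unprotected message, and the MAC-I catches any attempt to also alter the protected echo, so an intruder cannot make the two views agree without the integrity key.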


If the comparison succeeds, the mobile station responds with a Security Mode Complete message 509. This is also an integrity-protected message; therefore, before sending it, the mobile station generates a MAC-I for it.

When the serving radio network controller receives the message in step 510, it verifies it by first computing the expected message authentication code XMAC-I and then comparing the computed XMAC-I with the received MAC-I. If the two values match, the serving radio network controller sends a Security Mode Complete message 511 to the mobile switching center; this message contains, for example, information on the selected UIA and UEA.

In the UTRAN radio interface, integrity protection is a function of the radio resource control (RRC) protocol between the user terminal and the radio network controller. Because all higher-layer signalling is carried in the data part of particular RRC messages (for example Initial Direct Transfer, Uplink Direct Transfer and Downlink Direct Transfer), higher-layer signalling is integrity protected by the RRC protocol layer. The problem is that no verification has been performed by the time the first higher-layer message is sent, and that first message is carried in the Initial Direct Transfer. As a result, the highest-layer message, the non-access stratum message 502, cannot be integrity protected.

The main problem arises because the first message sent during RRC connection establishment (step 500 in Fig. 5) is not integrity protected. Without integrity protection, an intruder can change the encryption algorithm information contained in the message of step 500 to the value "GSM encryption algorithms not available". In GSM, the core network receives this information in the mobile station classmark information elements (CM2 and CM3), which are included in the Relocation Required message (message 402 in Fig. 4). When the user equipment performs an inter-system handover, for example from UTRAN to a GSM base station subsystem BSS (Fig. 4), the mobile switching center concludes that the UE does not support any GSM encryption algorithm and must set up the connection in the GSM BSS without encryption. It is now easy for the intruder to start eavesdropping on the call.

Objects and summary of the invention

One object of the present invention is to devise a mobile telecommunications system that exposes the intention of a fraudulent intruder to remove information about encryption algorithms when a multimode mobile station sends an unprotected signalling message containing this information over the radio interface to the mobile telecommunications system. According to the current specifications, this signalling message is RRC Connection Setup Complete.

The system comprises at least two radio access networks that provide mobile stations with access to at least one core network, a multimode mobile station and at least one core network. When setting up a connection with a first radio access network, the multimode mobile station sends at least one unprotected signalling message that contains information about the encryption algorithms the multimode mobile station supports in a second radio access network. When a handover to the second radio access network is triggered (message 402 in Fig. 4), the core network receives the information about the encryption algorithms via the first radio access network. The first radio access network has the inventive feature: on receiving from the core network a command message instructing it to start ciphering with the multimode mobile station in the first radio access network, the first radio access network composes an integrity-protected command message that contains the received information about the encryption algorithms supported by the multimode mobile station in the second radio access network.

The protected command message comprises a data part and a message authentication code. The information about the algorithms supported in the second radio access network is either placed in the data part or used as a parameter when the message authentication code is computed.

In both cases the multimode mobile station can conclude from the received protected message whether the information embedded in it matches the information the multimode mobile station sent in its earlier signalling message. If the information sent and the information received for the multimode mobile station differ from each other, a fraudulent intruder has apparently altered the encryption information, and the multimode mobile station initiates release of the connection.

The invention is described in detail with reference to the accompanying drawings.

Brief description of the drawings:
Fig. 1 is a simplified block diagram of GSM and UMTS radio access networks connected to the same core network;
Fig. 2 shows the computation of a message authentication code;
Fig. 3 shows the content of a message;
Fig. 4 is the inter-system handover signalling diagram for a handover from a UMTS network to a GSM network;
Fig. 5 is a signalling diagram showing the basic connection setup and security mode setup procedures used in 3GPP UTRAN;
Fig. 6 is a flow chart of a first example of a method according to the invention;
Fig. 7 is a flow chart of a second example of a method according to the invention;
Fig. 8 is a flow chart of a third example of a method according to the invention;
Fig. 9 is a flow chart of a fourth example of a method according to the invention;
Fig. 10 illustrates a fifth example of a method according to the invention;
Fig. 11 illustrates a sixth example of a method according to the invention.

List of reference numerals:
100 user terminal
101 radio access network
102 radio network subsystem
103 radio network controller
104 core network
105 base station subsystem
106 base station controller
107 base transceiver station

Detailed description of the invention:

The idea of the method described below is to increase security in telecommunications networks, in particular the security of signalling over the radio interface.

It should be noted that the terms "terminal", "user terminal", "mobile station" and "user equipment" all denote the same device.

多數送於使用者終端及網路間之發信信息必須例如 被真確性保護。此等信息例如為RRC、MM、CC、GMM 及SM信息◎真確性保護係被應用至rrc層,於使用者終 端及網路中。 真確性保護通常係執行於所有RRC(無線求助控制)信 息,但有部份例外。這些例外可以是: 1 ·指定給一個以上接收之信息, 2·於用於連接之真確性鑰建立前,信息即被送出,及 3 ·經常重覆信息,包含資訊但不必真確性保護。 由於保全,真確性保護上述例外2中之信息或至少於 其中之重要資訊元件係特別重要的。如前述,沒有真確性 保”蒦’會一起有入侵者改變包含於信息5〇〇中之加密演繹 資訊至”加密演繹法不能用"之值的危險。 第 18*1· 本紙張尺度適用中國國家標準(CNS)A4規格(21〇χ^^) (請先閲讀背面之注意事項再填寫本頁) 、τ 線一 經濟部智慧財產局員工消費合作社印製 564619 A7 B7 五、發明説明() 有好幾種不同實施&,以増加安全但只有部份實施法 被顯不出來。 本發明將參考第6至9圖之四個例子加以詳細說明。 於開始時,一連接係建立於一使用者終端及一 umts 網路間。隨後,一交接係由UMTS網路進行至一 gsm網 路。 第6圖顯示依據本發明之方法的實施流程圖。其假設 發仏相當於不於第5圖之狀態,直到核心網路接收信息 503為止。 另外’其假設使用者終端為一雙模式(UMTS/GSM)終 端,其在UMTS模式時送出第一非接取階層信息於無線資 源、控制中之無線界面上一啟始直接傳送信息(相當於第5 圖中之信息502)。其進一步假設rrc連接建立(500)已經 被執行’因此,使用者終端係於閒置狀態,及當一要求到 達設定於核心網路的連接時沒有現行PRC連接。 核心網路由使用者終端,於此即行動台接收啟始信息 5 02中之GSM等級資訊。此資訊指示於GSM模式中之一 般行動台特徵,其包含當於GSM模式中,該終端中有哪 些GSM加密演繹法被支援的有關資訊。名詞”等級”必須 被了解為GSM專用,另一名詞可以用於其他系統中。於 核心網路中之行動交換中心加入為該行動台所支援的加 密演繹法之資訊至該保全模式命令信息6〇〇中。該信息然 後經由lu界面被送至服務無線網路控制器。於編碼前 60 1 ’該服務無線網路控制器加入此有關為行動台所支援 第19頁 本紙張尺度適用中國國家標準(CNS)A4規格(210X297公釐) (請先閱讀背面之注意事項再填寫本頁) -訂- 線 經濟部智慧財產局員工消費合作社印製 564619 A7Most outgoing messages sent between the user terminal and the network must, for example, be protected by authenticity. Such information is, for example, RRC, MM, CC, GMM, and SM information. ◎ Authenticity protection is applied to the rrc layer, in the user terminal and the network. Authenticity protection is usually performed on all RRC (Wireless Help Control) information, with some exceptions. These exceptions can be: 1 · Assigned to more than one received message, 2 · The message is sent before the authenticity key for the connection is established, and 3 · The message is often repeated, including the information but not necessarily protected by authenticity. Due to security, the authenticity of the information in Exception 2 above or at least the important information components therein is particularly important. 
As mentioned above, there is no real guarantee that "蒦 '" together will have the risk that an intruder will change the encrypted deduction information contained in the message 500 to "the encrypted deduction method cannot use the value of" ". Article 18 * 1 · This paper size applies to Chinese National Standard (CNS) A4 specification (21〇χ ^^) (Please read the precautions on the back before filling out this page), τ Line 1 Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs System 564619 A7 B7 5. Description of the invention () There are several different implementations & to increase safety but only some implementation methods are not shown. The present invention will be described in detail with reference to the four examples of FIGS. 6 to 9. At the beginning, a connection was established between a user terminal and a umts network. Subsequently, a handover is performed from the UMTS network to a gsm network. Figure 6 shows a flow chart of the implementation of the method according to the invention. It is assumed that the hairpin is equivalent to the state in FIG. 5 until the core network receives the information 503. In addition, it assumes that the user terminal is a dual-mode (UMTS / GSM) terminal. In the UMTS mode, it sends the first non-access hierarchy information to the wireless resource and the wireless interface under control. Information 502 in Figure 5). It further assumes that the rrc connection establishment (500) has been performed. Therefore, the user terminal is in an idle state, and there is no current PRC connection when a request reaches a connection set in the core network. The core network is routed to the user terminal, where the mobile station receives the GSM level information in the start message 5 02. 
This information indicates a general mobile station feature in the GSM mode, and includes information about which GSM encryption deduction methods are supported in the terminal when in the GSM mode. The term "level" must be understood to be GSM specific, and another term can be used in other systems. Add the information of the encryption deduction method supported by the mobile station to the mobile switching center in the core network to the security mode command information 600. This information is then sent to the serving wireless network controller via the lu interface. Before the code 60 1 'The service wireless network controller joins this. It is supported by the mobile station. Page 19 This paper size applies the Chinese National Standard (CNS) A4 specification (210X297 mm) (Please read the precautions on the back before filling in (This page)-Ordered-Printed by the Consumers' Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 564619 A7

五、發明説明() 的加密演繹法資訊至一保全命令信息,該資訊包含有關所 支援加密演繹法之資訊。一 32位元信息驗證碼MAC — I係 被計算並被加入至該編碼信息中。 另外,所編碼信息MAC-I也基於其他幾個參數。以 下輸入參數係為計算真確性演繹法所需:編碼信息、4位 兀序號SN、28位元超訊框數HFN、32位元隨機數更新、 1位元方向指標DIR、及最重要參數]28位元真確性鑰 ικ。短序號SN及長序號HFN 一起構成該真確性序號 COUNT-I 〇 當信息驗證碼使用真確性演繹法及上述參數加以計 算時,保證實際發送者外均不能加入正確ΜΑ(%Ι碼至發信 信息中。例如,MAC-I防止相同信息被重覆送出。然而, 若為了其他理由,該相同發信信息予以被重覆送出,則此 MAC-I與於先前送出發信信息中之ΜΑ(%Ι不同。此目的 係儘可能地強烈反抗竊聽及其他假冒使用者。因此,為了 此特疋發明,應注意到有關為行動台所支援的加密演繹法 的GSM資訊係被加入至保全模式命令信息5〇7中作真確 性保護,使得行動台可以確定此資訊並未為一入侵者所改 變〇 經濟部智慧財產局員工消費合作社印製 (請先閲讀背面之注意事項再填寫本頁) 再者’於階段602 ’當行動台接收保全模式命令信息 時’接收於此信息中之為行動台所支援的加密演繹法的資 訊係被與由行動台所早先進出至網路之啟始信息5〇2之加 密演繹法之資訊加以比較。因此,依據先前技藝,所接收 之UE(UMTS)保全能力參數係與被送出之ue保全能力參 第20頁 本紙張尺度適用中國國家標準(CNS)A4規格(21〇χ 297公爱) 經濟部智慧財產局員工消費合作社印製 564619 A7 _____ B7 五、發明説明() 數相比。若兩比較均成功,則行動台接收該連接604,若 否,則連接被釋放開603。 第7圖顯示此方法之第二實施法的流程圖。 於階段700中,行動台送出一啟始直接傳送信息(相 當於第5圖之信息502)經由無線接取網路中之服務無線網 路控制器給核心網路。該信息構成為兩主要部份:一 RRC 部及一非接取階層部,其係為RRC所視為一透通資料部》 再者,該資料部包含以下諸信息之一:CM服務要求、位 置更新要求、CM再建立要求或傳呼反應。 當服務無線網路控制器接收信息時,其儲存信息70 1 並將該資料部或NAS部經由lu界傳送至核心網路702。 核心網路反應以一般保全模式命令信息7 〇 3。如同於前一 例子,信息驗證碼MAC-I係被計算以保護信息被傳送至行 動台。該碼然後被加入至該信息。信息驗證碼取決於其所 保護之信息中之指定方式。於此,計算係使用以下切斷位 元串作為信息參數加以執行。 信息==保全模式命令+RRC連接要求+rrc啟始直接傳送 隨後,有真確性保護之保全模式命令信息被送入行動 台 704。 應注意的是,於此解答中,不必要包含UE(UMTS)保 全能力參數進入上述信息中。'然而,當MAC-I碼被計算 時,保全相關參數,即UE保全能力參數及GSM等級參數 均為輸入參數。 接收端,即行動台具有計算信息驗證碼之相同演繹 本紙張尺度適用中國國家標準(CNS)A4規格(210X 297公釐) (請先閲讀背面之注意事項再填寫本頁)Fifth, the invention's description of the encrypted deduction method information to a security order information, the information contains information about the supported encrypted deduction method. A 32-bit message verification code MAC-I is calculated and added to the coded message. In addition, the encoded information MAC-I is also based on several other parameters. 
The following input parameters are required to calculate the authentic deduction method: encoding information, 4-bit serial number SN, 28-bit super frame number HFN, 32-bit random number update, 1-bit direction indicator DIR, and the most important parameters] 28-bit authenticity key ικ. The short sequence number SN and the long sequence number HFN together constitute the authenticity sequence number COUNT-I 〇 When the information verification code is calculated using the authenticity deduction method and the above parameters, it is guaranteed that the correct sender cannot be added outside the actual sender. In the message. For example, MAC-I prevents the same message from being repeatedly sent. However, if the same sending message is repeatedly sent for other reasons, this MAC-I is the same as the MA (I) in the previous sending message. % I is different. This purpose is to fight against eavesdropping and other impersonation users as strongly as possible. Therefore, for this special invention, it should be noted that GSM information about the encryption deduction method supported by the mobile station is added to the security mode command information The authenticity protection in 507 allows the mobile station to determine that this information has not been changed by an intruder. ○ Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs (please read the precautions on the back before filling this page). 'At stage 602' When the mobile station receives the security mode command information 'The information received in this message for the cryptographic deduction method supported by the mobile station is compared with the operation The information of the encryption deduction method of the start information 502 that was released to the Internet by the Taiwan Institute is compared. 
Therefore, according to the previous technology, the received UE (UMTS) security capability parameter is the same as the UE security capability sent on page 20. This paper size applies the Chinese National Standard (CNS) A4 specification (21〇χ 297 public love) Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 564619 A7 _____ B7 5. Comparison of the invention () If both comparisons are successful, The mobile station receives the connection 604, and if not, the connection is released 603. Figure 7 shows a flowchart of the second implementation of this method. In stage 700, the mobile station sends a direct direct message (equivalent to Information 502 in FIG. 5) is provided to the core network through a service wireless network controller in the wireless access network. The information is composed of two main parts: an RRC part and a non-access level part, which is RRC It is regarded as a transparent data department. Furthermore, the data department contains one of the following information: CM service request, location update request, CM re-establishment request or paging response. When the serving wireless network controller receives the information, it The information 70 1 is stored and the data department or the NAS department is transmitted to the core network 702 through the Lu world. The core network responds to the information in the general security mode and orders the information 7 〇. As in the previous example, the message verification code MAC-I is The calculation is transmitted to the mobile station to protect the message. This code is then added to the message. The verification code of the message depends on the specified method in the message it protects. Here, the calculation uses the following cut-off bit string as the message parameter. 
Information == Security Mode Command + RRC Connection Requirement + rrc Begins Direct Transmission Subsequently, the security mode command information with authenticity protection is sent to the mobile station 704. It should be noted that it is not necessary to include the UE in this answer (UMTS) security capability parameters enter the above information. 'However, when the MAC-I code is calculated, the security related parameters, that is, the UE security capability parameters and the GSM level parameters are all input parameters. The receiving end, that is, the mobile station has the same interpretation of the calculation information verification code. This paper size applies to the Chinese National Standard (CNS) A4 specification (210X 297 mm) (Please read the precautions on the back before filling this page)

564619 A7 ______B7 五、發明説明() (請先閲讀背面之注意事項再填寫本頁) 法’以驗證所接收之信息驗證碼係相同於所計算之碼 705。因此,行動台已經儲存早先送出之信息、RRC連接 要求信息(500)及RRC啟始直接傳送信息(5〇2),以計算用 於接收保全模式命令信息之XMAC-I。當所接收MAC-I值 及被計算之XMAC-I值相符時,行動台假設該網路已經接 收有關保全能力及GSM等級之正確資訊,及連接被接受 於707。否則,連接於706被放開。 該解答有一缺點,即該被編碼信息RRC連接要求及 RRC啟始直接傳送必須儲存於服務無線網路控制器及行 動台的s己憶體中’直到保全模式命令信息被送出/接收為 止。但另一方面,此解答有可能由先前技藝之保全模式命 令信息中省略UE保全能力,以於該信息中節省32位元之 空間。 第8圖顯示第三實施方法之流程圖。 此解答略微不同於第二解答,即只有方塊8〇1、804 及805係不同於第7圖中之方塊者。因此,此二方塊現在 加以詳細說明。 經濟部智慧財產局員工消費合作社印製 於階段8 0 1中,不同於儲存整個信息,該服務無線網 路控制器只儲存用於下次使用之信息的資料部。換句話 說’其只儲存以下信息之一 :CM服務要求、位置更新要 求、CM再建立要求或傳呼要求。因此,此解答相較於第 二解答節省記憶體空間。 於階ί又8 0 4中’為了保護信息,信息驗證碼μ a c -1 係使用先前儲存之資料部加以計算。信息係被形成如下: 第22頁 本紙張尺度適用中國國家標準(CNS)A4規格(21〇χ 297公董) 564619 A7 B7 五、發明説明() 化息=保全模式命令+UE保全能力+啟始直接傳送信 息之NAS信息部 八有保全模式命令信息被傳送於該Uu界面至該行動 台。这表不用於UE保全能力及GSM MS等級之保全參數 均用以計算該信息驗證碼MAC-I,但於該信息中並不需要 包含它們。然而,這並不會降低安全性。 於階段805,行動台藉由使用與階段804中所用之網 路相同之信息參數計算,即,先前儲存之啟始直接傳送信 息之UE保全能力及NAS信息部之參數,以計算XMAC-I。 第9圖顯示第四實施法之流程圖。此解答係為第一及 第三解答的組合。 於無線接取網路中之行動台及服務無線網路控制器 間作連接建立時,網路控制器接收並儲存使用者設備能力 資訊UEC於其記憶體中,供隨後使用900。於行動台送出 例如含有為行動台所支援之加密演繹法之第一非接取階 層信息作為於RRC啟始直接傳送信息中之資料部給無線 接取網路時,其隨後送出NAS信息給核心網路90 1。於階 段902及903中,於核心網路中之行動交換中心加入有關 為行動台參數所支援的加密演繹法的資訊給保全模式命 令信息,並且,經由lu界面送出信息至無線接取網路中之 服務無線網路控制器。 於階段904,服務無線網路控制器以先前所述方式計 算MAC-I碼,將信息參數加入先前所述之參數中,該信息 參數係由以下形成: 第23頁 本紙張尺度適用中國國家標準(CNS)A4規格(210X 297公釐) (請先閲讀背面之注意事項再填寫本頁) # -訂· 經濟部智慧財產局員工消費合作社印製 564619 A7 __B7 五、發明説明() (請先閱讀背面之注意事項再填寫本頁} 信息=保全模式命令+UE保全能力+GSM等級 以與前一例子相同之方式,保全參數UE保全能力及 GSM等級均用以計算信息驗證碼MAC-I,但其中並不必要 將之包含於該信息中。此解答的優點在於於行動台或無線 網路控制器中並不需要其他記憶體。 基本上,於上述解答中,核心網路為一 3 G網路元件, 因此’控制至少UMTS無線接取網路也可以控制GSM基 地台次系統。 本發明之實施及實施例已經以部份例子加以說明。然 而’可以了解的是,本發明並不限定於上述實施例的細 節,同時各種變化及修改均可以在不脫離本發明之特徵下 加以為熟習於本技藝者所完成。所述之實施例係作例示用 並不是限定用。因此,本發明只為隨附之申請專利範圍所 限定。為申請專利範圍所界定之其他實施法及等效實施法 均被包含於本發明之範圍中。 線- 經濟部智慧財產局員工消費合作社印製 例如,來源無線接取網路可以例如為UTRAN、GSM 基地台次系統、GPRS系統(一般封包無線服務)、GSM邊 緣、GSM1 8 00、或其他系統。相同地,目標無線接取系統 可以為例如UTRAN、GSM基地台次系統、GPRS(—般封 包無線服務)、GSM邊緣、GSM1800或其他系統。 再者,有關於為多模行動台所支援的GSM保全演繹564619 A7 ______B7 V. 
Description of the invention () (Please read the precautions on the back before filling this page) Method ’to verify that the information received is the same as the calculated code 705. Therefore, the mobile station has stored the information sent earlier, the RRC connection request message (500) and the RRC start direct transmission message (502) to calculate the XMAC-I for receiving the security mode command message. When the received MAC-I value and the calculated XMAC-I value match, the mobile station assumes that the network has received the correct information about the security capabilities and GSM level, and the connection is accepted at 707. Otherwise, the connection at 706 is released. This solution has a disadvantage, that is, the RRC connection request of the encoded information and the initial direct transmission of RRC must be stored in the memory of the serving radio controller and mobile station 'until the security mode command information is sent / received. However, on the other hand, this solution may omit the UE security capability from the security mode command information of the prior art, in order to save 32 bits of space in the information. FIG. 8 shows a flowchart of the third implementation method. This answer is slightly different from the second answer, that is, only the blocks 801, 804, and 805 are different from the blocks in Figure 7. Therefore, these two blocks are now described in detail. Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs in stage 801. Unlike storing the entire information, the service wireless network controller only stores the data department for the next use of information. In other words, it only stores one of the following information: CM service request, location update request, CM re-establishment request, or paging request. Therefore, this solution saves memory space compared to the second solution. 
In order to protect the information, Yu Jie 8 0 4 ’uses the previously stored data to calculate the information verification code μ a c -1. The information system is formed as follows: Page 22 This paper size applies the Chinese National Standard (CNS) A4 specification (21 × χ 297 public directors) 564619 A7 B7 V. Description of the invention () Chemical interest = security mode command + UE security capability + start The NAS information section of the NAS information section that directly transmitted the information has the security mode command information transmitted from the Uu interface to the mobile station. This table is not used for UE security capabilities and GSM MS level security parameters are used to calculate the message authentication code MAC-I, but they do not need to be included in the message. However, this does not reduce security. At stage 805, the mobile station calculates XMAC-I by using the same information parameters as the network used in stage 804, that is, the previously stored UE security capabilities and the parameters of the NAS information department that directly transmit the information. Fig. 9 shows a flowchart of the fourth embodiment. This answer is a combination of the first and third answers. When a connection is established between the mobile station and the serving wireless network controller in the wireless access network, the network controller receives and stores the user equipment capability information UEC in its memory for subsequent use 900. When the mobile station sends, for example, the first non-access hierarchy information containing the encrypted deduction method supported by the mobile station as the data part of the information directly transmitted to the wireless access network at the beginning of RRC, it then sends the NAS information to the core network. Road 90 1. 
In phases 902 and 903, the mobile switching center in the core network adds information about the encryption deduction method supported by the mobile station parameters to the security mode command information, and sends the information to the wireless access network via the lu interface. Service wireless network controller. At stage 904, the serving wireless network controller calculates the MAC-I code in the manner previously described, and adds information parameters to the previously described parameters. The information parameters are formed as follows: Page 23 This paper standard applies Chinese national standards (CNS) A4 specification (210X 297 mm) (Please read the notes on the back before filling out this page) # -Order · Printed by the Intellectual Property Bureau Employee Consumer Cooperative of the Ministry of Economic Affairs 564619 A7 __B7 V. Description of the invention () (please first Read the notes on the back and fill in this page again} Information = Security Mode Command + UE Security Capability + GSM Level In the same way as in the previous example, the security parameter UE security capability and GSM level are used to calculate the message verification code MAC-I. But it is not necessary to include it in the information. The advantage of this solution is that no other memory is needed in the mobile station or wireless network controller. Basically, in the above solution, the core network is a 3 G Network components, so 'controlling at least the UMTS wireless access network can also control the GSM base station system. The implementation and embodiments of the present invention have been described with some examples. However,' yes It is to be understood that the present invention is not limited to the details of the above embodiments, and various changes and modifications can be made by those skilled in the art without departing from the characteristics of the present invention. The embodiments described are for illustration and use. 
It is not limited. Therefore, the present invention is only limited by the scope of the accompanying patent application. Other implementation methods and equivalent implementation methods defined by the scope of the patent application are included in the scope of the present invention. Line-Intellectual Property of the Ministry of Economic Affairs Printed by the Bureau ’s consumer cooperative, for example, the source wireless access network can be, for example, UTRAN, GSM base station system, GPRS system (general packet wireless service), GSM edge, GSM 1 800, or other systems. Similarly, the target wireless The access system can be, for example, UTRAN, GSM base station system, GPRS (General Packet Radio Service), GSM edge, GSM1800, or other systems. Furthermore, there are GSM security interpretations supported by multi-mode mobile stations.

Information about the supported GSM encryption algorithms (A5/1, A5/2, A5/3, etc.) can be added as part of the UMTS "UE radio access capability". Alternatively, this information can be a separate information element, or even part of the UE security capability parameter. In practice, this information must be added to the RRC connection establishment procedure (see stage 500 of Figure 5) and to the security mode command message (see stage 507 of Figure 5). As with the other possible implementations described earlier, adding the actual "inter-RAT UE radio access capability" information element (which contains the information about the supported GSM security algorithms) to the RRC security mode command message is only one alternative, and it introduces some overhead into the signalling, because the mobile station does not really need this information element; it only needs confirmation that the network has received it correctly. Three solutions, namely the fifth, sixth and seventh example implementations, are described below.

In the fifth implementation, a new RRC information element containing only the GSM ciphering algorithm capability is defined. This requires 7 bits. This information element is then added to the RRC security mode command message. The drawback of this solution is that, to encode this new information element into the message, the UTRAN RRC protocol must first decode the GSM classmark 2 and classmark 3 information elements, whose encoding/decoding rules are not part of the UTRAN RRC protocol.

Figure 10 illustrates the sixth example implementation. On the UTRAN side, the received GSM classmark 2 and classmark 3 information (RRC information element "inter-RAT UE radio access capability" 1001) and the "UE security capability" 1002 (which contains information about the supported UTRAN security algorithms) are used to compute the MAC-I (and XMAC-I) of the RRC security mode command message 1000. This is essentially the same as the solution of Figure 9, except that the GSM classmark information has already been received (from the mobile station, not from the core network (902)) during the RRC connection establishment phase (900) and stored in the serving radio network controller. The security mode command sent to the mobile station contains neither the "UE security capability" nor the "inter-RAT UE radio access capability"; these information elements are used only when computing the MAC-I of this message.

The drawback of the sixth implementation is that the encoding of the additional information elements used in the MAC-I computation ("UE security capability" and "inter-RAT UE radio access capability") must be explicitly defined. If this is unacceptable, a more direct implementation is shown in Figure 11 (the seventh implementation of this method). Here, when computing the MAC-I for the RRC_SECURITY_MODE_COMMAND message 1000, the entire encoded RRC_CONNECTION_SETUP_COMPLETE message is used (unlike the sixth implementation, where only the two information elements are used). In practice this means that in the RRC connection establishment procedure (see stage 500 of Figure 5), when it sends the RRC_CONNECTION_SETUP_COMPLETE message, the mobile station stores a copy of the encoded message in its memory until it has received the SECURITY_MODE_COMMAND message and checked its integrity checksum. On the network side (the UTRAN, in the serving radio network controller), a copy of the received (undecoded) RRC_CONNECTION_SETUP_COMPLETE message must be kept in memory until the MAC-I code for the SECURITY_MODE_COMMAND message has been computed. From an implementation point of view, it may be quite easy to store the entire encoded message in memory when it is sent (UE side) or, after reception, before it is passed to the decoder (UTRAN side). Therefore, the MAC-I for SECURITY_MODE_COMMAND is computed by setting the MESSAGE input parameter of the integrity algorithm as follows:

MESSAGE = SECURITY_MODE_COMMAND + RRC_CONNECTION_SETUP_COMPLETE

The drawback of this solution compared with the sixth implementation is that it requires a little more memory, both in the mobile station and on the network side. The GSM classmark information contains the encryption algorithms supported by the mobile station.
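The seventh implementation above binds the integrity check of SECURITY_MODE_COMMAND to the entire encoded RRC_CONNECTION_SETUP_COMPLETE that the mobile station sent unprotected. The following Python model is an added example, not code from the patent or from any Nokia or 3GPP implementation: it uses HMAC-SHA256 truncated to 32 bits as a stand-in for the UMTS f9 integrity algorithm (the real UIA1 is KASUMI-based), a constructed plain-text encoding of the two messages in place of the real RRC ASN.1 encoding, and constructed values for IK, FRESH and COUNT-I. It shows both sides keeping a copy of the encoded setup-complete message, the serving RNC computing MAC-I over SECURITY_MODE_COMMAND + RRC_CONNECTION_SETUP_COMPLETE, and the mobile station's XMAC-I comparison failing whenever the copy the network received differs from the copy the mobile station sent, which is how the capability removal described in the abstract is detected.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional

UPLINK = 0    # DIRECTION values as used by the UMTS f9 integrity algorithm
DOWNLINK = 1


def integrity_mac(ik: bytes, count_i: int, fresh: bytes, direction: int, message: bytes) -> bytes:
    """Stand-in for f9 (assumption: HMAC-SHA256 truncated to the 32-bit MAC-I length).
    The input fields (IK, COUNT-I, FRESH, DIRECTION, MESSAGE) are the ones f9 takes."""
    data = count_i.to_bytes(4, "big") + fresh + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]


def encode_setup_complete(gsm_algs: List[str], umts_algs: List[str]) -> bytes:
    """Constructed, simplified encoding of RRC_CONNECTION_SETUP_COMPLETE carrying the
    inter-RAT UE radio access capability (GSM A5 list) and the UE security capability
    (UMTS algorithm list). Not the real ASN.1 PER encoding."""
    return (b"RRC_CONNECTION_SETUP_COMPLETE|"
            + ",".join(gsm_algs).encode() + b"|" + ",".join(umts_algs).encode())


@dataclass
class MobileStation:
    ik: bytes
    gsm_algs: List[str]
    umts_algs: List[str]
    stored_setup_complete: bytes = b""

    def send_setup_complete(self) -> bytes:
        msg = encode_setup_complete(self.gsm_algs, self.umts_algs)
        self.stored_setup_complete = msg   # kept until the SMC integrity check is done
        return msg

    def verify_security_mode_command(self, smc: bytes, mac_i: bytes, count_i: int, fresh: bytes) -> bool:
        # MESSAGE = SECURITY_MODE_COMMAND + RRC_CONNECTION_SETUP_COMPLETE (seventh implementation)
        xmac_i = integrity_mac(self.ik, count_i, fresh, DOWNLINK, smc + self.stored_setup_complete)
        ok = hmac.compare_digest(xmac_i, mac_i)
        self.stored_setup_complete = b""   # the copy is no longer needed once checked
        return ok


@dataclass
class ServingRnc:
    ik: bytes
    fresh: bytes
    stored_setup_complete: bytes = b""

    def receive_setup_complete(self, raw: bytes) -> None:
        self.stored_setup_complete = raw   # undecoded copy, stored before it reaches the decoder

    def build_security_mode_command(self, count_i: int):
        smc = b"SECURITY_MODE_COMMAND|UIA1|UEA1"   # constructed payload
        mac_i = integrity_mac(self.ik, count_i, self.fresh, DOWNLINK, smc + self.stored_setup_complete)
        return smc, mac_i


def run_connection(received_by_network: Optional[bytes] = None) -> bool:
    """Run one setup; returns whether the mobile station's XMAC-I matches the RNC's MAC-I.
    received_by_network defaults to the bytes the mobile station actually sent."""
    ik = bytes(range(16))                      # constructed integrity key
    ue = MobileStation(ik, ["A5/1", "A5/3"], ["UEA1", "UIA1"])
    rnc = ServingRnc(ik, fresh=bytes.fromhex("00112233"))
    sent = ue.send_setup_complete()
    rnc.receive_setup_complete(sent if received_by_network is None else received_by_network)
    smc, mac_i = rnc.build_security_mode_command(count_i=0)
    return ue.verify_security_mode_command(smc, mac_i, count_i=0, fresh=rnc.fresh)


if __name__ == "__main__":
    print("faithful exchange verifies:", run_connection())
    reduced = encode_setup_complete(["A5/1"], ["UEA1", "UIA1"])
    print("altered copy verifies:", run_connection(reduced))
```

run_connection() with no argument models a faithful exchange and returns True. Passing a different encoded setup-complete message models what the network would hold if the unprotected message had been changed on the radio interface; the MAC-I then covers bytes the mobile station never sent, the comparison returns False, and the mobile station can refuse to continue with the reduced algorithm set. The sixth implementation differs only in the MESSAGE input, which would be the SMC plus the two decoded information elements rather than the whole stored message.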

Claims (1)

1. A mobile telecommunications system, comprising at least:
a plurality of radio access networks providing mobile stations with access to at least one core network;
a multimode mobile station which, when setting up a connection with a first radio access network, sends at least one unprotected initial signalling message containing information about the encryption algorithms supported by the multimode mobile station in a second radio access network;
a core network which receives the information about the encryption algorithms;
the first radio access network being adapted to
receive from the core network a command message instructing the multimode mobile station to encrypt further communication, and
compose and send to the multimode mobile station an integrity-protected command message, the command message containing information about the encryption algorithms supported by the multimode mobile station in the second radio access network, the protected command message containing a data part including a message authentication code; and
the multimode mobile station being adapted to conclude whether the information about the encryption algorithms received in the integrity-protected command message matches the information sent by the multimode mobile station in the initial signalling message.

2. The system of claim 1, wherein the first radio access network appends the information about the encryption algorithms received in the command message to the data part of the protected command message, and applies the data part to an algorithm that computes the message authentication code.

3. The system of claim 1, wherein the first radio access network stores the unprotected initial signalling message received from the multimode mobile station and uses that message to compute the message authentication code.

4. The system of claim 1, wherein the first radio access network stores the data part of the unprotected initial signalling message received from the multimode mobile station and uses that data part to compute the message authentication code.

5. The system of claim 1, wherein the first radio access network stores the information about mobile station capabilities received from the multimode mobile station during connection setup, and uses that information together with the information about the encryption algorithms contained in the command message received from the core network to compute the message authentication code.

6. The system of claim 1 or 5, wherein the mobile station sends information about the encryption algorithms when the connection is set up, and the first radio access network stores that information and uses it to form the protected command message.

7. A radio access network for providing a multimode mobile station with the capability to access at least one core network, the radio access network being adapted to
receive, from a multimode mobile station over a radio interface, an unprotected signalling message containing information about the encryption algorithms supported by the multimode mobile station in another radio access network, and store this information for future use;
receive from the core network a first command message instructing the multimode mobile station to encrypt further communication;
form a second command message containing a data part related to a message authentication code;
compute the message authentication code using, as one of the computation parameters, the information about the encryption algorithms supported by the multimode mobile station in the other radio access network; and
send the second command message to the multimode mobile station.

8. The radio access network of claim 7, wherein the information about the encryption algorithms is attached to the data part of the second command message.

9. The radio access network of claim 7, wherein the unprotected initial signalling message received from the multimode mobile station is stored and that message is used to compute the message authentication code.

10. The radio access network of claim 7, wherein the unprotected initial signalling message received from the multimode mobile station is stored and the stored data part is used to compute the message authentication code.
TW091109855A 2000-11-28 2002-05-10 A system for ensuring encrypted communication after handover TW564619B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FI20002613A FI20002613A0 (en) 2000-11-28 2000-11-28 A system to secure encrypted data transmission after handover
PCT/FI2001/000870 WO2002045453A1 (en) 2000-11-28 2001-10-09 A system for ensuring encrypted communication after handover
US10/013,257 US7403621B2 (en) 2000-11-28 2001-11-06 System for ensuring encrypted communication after handover

Publications (1)

Publication Number Publication Date
TW564619B true TW564619B (en) 2003-12-01

Family

ID=34621604

Family Applications (1)

Application Number Title Priority Date Filing Date
TW091109855A TW564619B (en) 2000-11-28 2002-05-10 A system for ensuring encrypted communication after handover

Country Status (1)

Country Link
TW (1) TW564619B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI393414B (en) * 2005-07-06 2013-04-11 Nokia Corp Secure session keys context
TWI425802B (en) * 2006-06-19 2014-02-01 Interdigital Tech Corp Method and wireless transmit/receive unit for securing wireless communications

Similar Documents

Publication Publication Date Title
JP5937664B2 (en) System to ensure encrypted communication after handover
US10187794B2 (en) Integrity check in a communication system
FI110974B (en) Initialization of a counter, especially for radio frames
JP4688808B2 (en) Enhanced security configuration for encryption in mobile communication systems
CN101232731B (en) Method and system for UE to generate cryptographic key switching from UTRAN to EUTRAN
CN101179854B (en) Local authentication in a communication system
EP2293515B1 (en) Method, network element, and mobile station for negotiating encryption algorithms
KR20080049080A (en) Integrity protection count synchronization method
WO2009152755A1 (en) Method and system for generating an identity identifier of a key
TW564619B (en) A system for ensuring encrypted communication after handover
CN101909368B (en) Wireless network security solution method and equipment
CN101383702A (en) Method and system protecting cipher generating parameter in tracing region updating
ZA200302555B (en) A system for ensuring encrypted communication after handover.
WP USECA

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MK4A Expiration of patent term of an invention patent