Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W8/00—Network data management
  • H04W8/26—Network addressing or numbering for mobility support
  • H04W8/265—Network addressing or numbering for mobility support for initial activation of new user
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
  • H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
  • H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/30—Security of mobile devices; Security of mobile applications
  • H04W12/35—Protecting application or service provisioning, e.g. securing SIM application provisioning
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/80—Wireless
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
  • H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  • H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

• This invention relates to wireless voice and data systems, and has particular relation to allowing a subscriber to move his subscription from one wireless terminal to another.
• the invention thus provides subscription portability, sometimes also called personal mobility.
• a wireless terminal (portable telephone, laptop computer, etc.) cannot be used as such unless its user has subscribed to a wireless communications service, so that the terminal may use that service to communicate with other terminals, both wireless and wireline. This in turn requires the service provider to register and provision that terminal, that is, to recognize that terminal as being entitled to service and to program the terminal with identification and security information that allows it to access the wireless service.
• registration In the wireless service industry the term “registration” has several meanings.
• registration will be used to mean an exchange of the information needed to establish the identity of the user of a terminal and to permit access to wireless services.
• This registration may be required in two situations. First, when the terminal is originally purchased, it is not registered to anyone. This situation is referred to as initial provisioning. Second, a subscriber may choose to re-register, that is, to transfer his subscription from one wireless terminal to another. This re-registration might be, for example, from his portable telephone to his laptop computer, or from his regular portable telephone to the portable telephone which he has just rented on a trip to a distant city. This re-registration is referred to as subscription portability.
• provisioning is performed manually by trained personnel at a terminal distribution site.
• One of these employees manually registers the terminal with the service provider, typically over the landline telephone.
• the employee enters information into the terminal through the keypad, using secret information which the service provider has made available to him/her, and storing the subscription information permanently in the terminal.
• This arrangement is expensive because the seller must have extensively trained employees at every retail outlet.
• the process is not secure, since the secret information is readily available to these employees.
• UIM user identification module
• GSM Global System for Mobiles
• This first alternative means is still not entirely satisfactory. It requires an electronic interface between the module and the wireless terminal and this interface adds cost to the terminal. Further, the interface is open to contamination when the UIM is removed and inserted, and consequently may become unreliable with repeated use.
• a second alternative means deals with the initial provisioning but not with subscription portability. This second means requires that, when the subscriber first buys a new telephone, the user dials a special number to reach a customer service representative who can determine the credit of the user and can then program the necessary subscription information into the terminal using over the air messages.
• This second alternative means is an improvement over the UIM means in that it requires no special interface in the terminal.
• This second means is also not entirely satisfactory, because the service provider must still have highly skilled personnel in the customer service center to operate the over-the-air programming equipment. The expensive nature of the customer service process prohibits the subscriber from reregistering a telephone which a friend has loaned to him for a day or two.
• the purpose of this invention is to provide a method for initial provisioning and subscription portability that does not require skilled personnel to complete the provisioning and registration process, nor a removable item that the user must physically insert into the terminal.
• the procedure described herein requires only that the subscriber enter his/her portable wireless subscription identifier, or user identifier (conventionally, his International Mobile User Identifier, or IMUI) and a password (conventionally, his Personal Identification Number, or PIN) into a wireless terminal.
• the password may be entered into the terminal in any convenient manner, such as keying a number into a keypad, speaking a phrase (with suitable voice recognition technology) into the microphone, or any other convenient manner.
• the wireless terminal is then able to contact the service provider using over-the-air signals, obtain necessary subscription information, and automatically reprogram itself - and reprogram the service provider - so that the service provider thereafter recognizes this wireless terminal as being registered to this subscriber.
• the password must be fairly short - typically four to six digits, as in bank card PINs - because the average subscriber cannot memorize a security code that is sufficiently long (twenty digits or more) to impede a brute-force attack.
• Applicant has developed a subscription which is truly portable from one wireless terminal to another, and which uses passwords which are both short and secure.
• IMUI International Mobile User Identifier
• PIN Personal Identification Number
• the terminal Whenever a subscriber wishes to register a terminal to his subscription, he enters his user identifier (conventionally, his International Mobile User Identifier, or IMUI) and his password (conventionally, his Personal Identification Number, or PIN) into the terminal.
• the terminal generates a public/private key pair and stores it.
• This key pair is preferably a Diffie-Hellman (D-H) key pair. It optionally concatenates the public key with a random number, and encrypts the (optionally concatenated) number with the password.
• Any convenient Secure Key Exchange (SKE) method may be used.
• SKE Secure Key Exchange
• DH-EKE Diffie-Hellman Encrypted Key Exchange
• the terminal then makes wireless contact with a local serving system and requests registration.
• This serving system may be the subscriber's home system, but often it is not.
• the terminal and the home system must be assured of each other's identities, whether there is no intermediate serving system, one system, or even several.
• the remainder of this description assumes one intermediate system, but is readily modified to handle none or several. That is, the terminal and the home system will always be the source and destination (or vice versa) of messages, regardless of how many intermediate systems (if any) they have to pass through.
• the terminal tells the serving system what the subscriber's home system is, by stating either the full user identifier or enough of the user identifier as is necessary to identify the home system. It also states the DH- EKE message.
• the serving system first provides its D-H public key to the terminal, so that the specifics of who is requesting registration are not sent in the clear.
• the serving system opens a channel with the terminal to facilitate the registration process.
• the serving system sends the DH-EKE message to the home system, which decrypts it with the password.
• the password is known only to the home system and the subscriber.
• the home system thereby recovers the subscriber's public key.
• the home system generates its own D-H public /private key pair and stores it.
• VUIM virtual User Identification Module
• Registration may now continue in the conventional fashion, as though a PUIM had been used. Alternatively, registration may be included within the downloading process. This is possible since a terminal with a VUIM already has something which a terminal with a PUIM does not acquire until later, namely, a communications link to (and a shared secret session key with) the home system.
• a strength of this method is that the public keys are temporary, and can be replaced on each subsequent registration. Further, each public key is essentially a random number, providing no indication whether an attempted decryption was or was not successful.
• An off-line dictionary attack therefore fails. The only thing that a dictionary attacker recovers is a collection of possible public keys, none of which has anything to distinguish it from any of the others. There is thus nothing to distinguish a correct guess of the password from an incorrect guess. The follow-on on-line attack must therefore still use the entire dictionary of passwords, and will therefore fail.
• This strength may also be viewed as the password being used as a private key in a key exchange procedure, rather than as an encryption key per se. It is for this reason that the process is called Secure Key Exchange rather than Encrypted Key Exchange. It is not necessary that the terminal and home system exchange passwords nor session keys in encrypted form. What is important is that the home system be assured that the terminal knows the password and has the common session key. It is also important that the password not be discoverable by eavesdroppers while the terminal is demonstrating its identity to the home system. If the password is not included in the message, even in encrypted form, then it is more difficult to be compromised.
• FIG. 1 shows an exchange of DH-EKE messages.
• FIG. 2 shows an authentication procedure.
• FIG. 1 shows an exchange 100 of DH-EKE messages.
• the user 102 enters the user identifier and password into the wireless terminal 104.
• the terminal 104 generates a pair of Diffie-Hellman (D-H) private and public keys, and stores them.
• D-H Diffie-Hellman
• the terminal 104 and the base station of the serving system 106 carry out a separate procedure to establish a local session encryption key SESS 108 to protect the user identifier from interception.
• the terminal 104 uses the password to encrypt the D-H public key, optionally concatenated with a random number before encryption, then transmits the user identifier (optionally encrypted under the local session key) and the encrypted public key, that is, a first DH-EKE message 110, to the base station of the serving system 106 in a registration request.
• This request should result in a dedicated channel assignment in order to complete the download procedure efficiently.
• the serving system 106 contacts the home system 112 requesting a subscription registration.
• the home system 112 decrypts the wireless terminal's public key using the password in the subscription record.
• the home system then creates a private and public D-H key, from which a tentative session key is obtained using the terminal's public key and the home system's private key.
• the home system then encrypts its own public key, optionally concatenating a random number before encryption, using the password stored in the subscription record and returns it in the form of a second DH-EKE message 114 to the wireless terminal 104 via the serving system 106.
• the wireless terminal 104 decrypts the home system's public key and creates (hopefully) the same tentative session key, using the home system's public key and its own private key.
• the wireless terminal 104 and home system 112 carry out this procedure to prove that each have the same key.
• This authentication could be either unilateral (for example, only allowing the home system 112 to authenticate the wireless terminal 104) or bilateral.
• the bilateral technique has three steps. First, the wireless terminal 104 encrypts a random number C w and sends the encrypted number E(C W ) 202 to the home system 112. Second, the home system 112 generates its own random number C H , encrypts (C w , C H ) and sends the encrypted number E(C W , C H ) 204 to the wireless terminal 104.
• the wireless terminal 104 encrypts C H and sends the encrypted number E(C H ) 206 to the home system 112.
• a unilateral procedure could, for example, omit the first step, and replace C w in the second step by a second random number.
• the public keys were encrypted by the password, and the authentication consists of three different things being sent in an interlocked manner. Therefore, a man-in-the-middle attacker cannot cause a false acceptance of keys, and cannot know the mutual key without breaking the discrete logarithm or elliptic-curve group. Such breakage is currently considered infeasible if the group size is sufficiently large.
• the home system 112 verifies the session key of the wireless terminal 104, it will transfer the subscription information - that is, all or part of a virtual UIM (VUIM) — to the serving system 106, in both encrypted form for over-the-air transmission and in unencrypted form for use by the serving system.
• VUIM virtual UIM
• the session key - or, at least, a first portion of it - can also serve as an authentication key AUTH 116 for subsequent authentications of the terminal 104 in the serving system 106.
• This has advantages over the current cellular authentication procedures in that the authentication key is created at each registration, and therefore will change randomly from registration to registration.
• the D-H exchange produces 512 bits of output, which is more than are needed for authentication.
• the remainder of the session key that is, a second portion of it, can serve as a conventional encryption key for subsequent control signal transmissions.
• the serving system 106 downloads the encrypted subscription data - the VUIM - to the terminal and makes a registration entry in the Visitor Location Register (VLR). The user is now ready to make calls.
• VLR Visitor Location Register
• the user can be assigned a Temporary Mobile User Identifier (TMUI) as described in existing cellular standards.
• TMUI Temporary Mobile User Identifier
• the generation of per-call encryption keys can be carried out using the authentication key using procedures described in existing cellular standards.
• the airlink security procedures in existing cellular standards can be used without modification after the generation of the authentication key using the methods described here.
• My invention is capable of exploitation in industry, and can be made and used, whenever is it desired to register a wireless subscription in a new wireless terminal.
• the individual components of the apparatus and method shown herein, taken separate and apart from one another, may be entirely conventional, it being their combination which I claim as my invention.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Databases & Information Systems (AREA)
• Mobile Radio Communication Systems (AREA)

Priority Applications (5)

Applications Claiming Priority (2)

Publications (1)

Family

ID=22651590

Family Applications (1)

Country Status (9)

Cited By (14)

Families Citing this family (123)

Citations (3)

Family Cites Families (20)

• 1998
  • 1998-10-23 US US09/178,192 patent/US6178506B1/en not_active Expired - Lifetime
• 1999
  • 1999-10-19 WO PCT/US1999/024522 patent/WO2000025475A1/en not_active Ceased
  • 1999-10-19 DE DE69930318T patent/DE69930318T2/de not_active Expired - Lifetime
  • 1999-10-19 HK HK02102209.1A patent/HK1040854A1/zh unknown
  • 1999-10-19 AU AU12133/00A patent/AU1213300A/en not_active Abandoned
  • 1999-10-19 CN CNB998150258A patent/CN100525180C/zh not_active Expired - Lifetime
  • 1999-10-19 KR KR1020017004952A patent/KR100655665B1/ko not_active Expired - Lifetime
  • 1999-10-19 EP EP99971175A patent/EP1123603B1/en not_active Expired - Lifetime
  • 1999-10-19 JP JP2000578954A patent/JP4689830B2/ja not_active Expired - Lifetime
• 2000
  • 2000-09-20 US US09/666,735 patent/US6260147B1/en not_active Expired - Lifetime

Patent Citations (3)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events