WO2001089242A1 - A digital mobile communication system - Google Patents


Info

Publication number
WO2001089242A1
Authority
WO
WIPO (PCT)
Prior art keywords
levels
functionality
sgsn
authentication
digital mobile
Application number
PCT/SE2001/001076
Other languages
English (en)
French (fr)
Inventor
Tony Johansson
Fredrik Johansson
Jörger FALMER
Original Assignee
Telefonaktiebolaget Lm Ericsson

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W88/14 Backbone network devices
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W80/00 Wireless network protocols or protocol adaptations to wireless operation > H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W92/00 Interfaces specially adapted for wireless communication networks > H04W92/02 Inter-networking arrangements

Definitions

  • the present invention relates to a system for digital mobile communication which comprises a number of hierarchical levels, which system may comprise components from both a digital mobile telephony system and from a system for a mobile data network.
  • Modern digital mobile telephony systems will be provided with functions for use in many other fields than transmission of speech, as those systems will be able to provide their subscribers with broadband connections, which they will for example be able to use for transmission of large amounts of data.
  • modern computer networks admit broadband connections, and through their protocols offer a user the possibility to be mobile, either wirelessly, or, for example in an office, by moving between rooms and connecting the terminal or computer to the network via a connector in any room of choice.
  • a common drawback of the systems disclosed in the two documents mentioned is that they lack functionality for authentication of a subscriber, as well as functionality for handling session keys.
  • a problem which is solved by the present invention is thus to make it possible to integrate components of functions from a mobile data network into a digital mobile telephony system, or to make it possible to connect a mobile data network with a digital mobile telephony system, without any need for the user of the telephony system to exchange their telephones for new ones.
  • Both mobile data networks and digital mobile telephony systems consist of hierarchical communication levels, and the problem is solved by the present invention by providing a system for digital mobile communication comprising a number of hierarchical communication levels, where one of the levels comprises functionality for a digital mobile telephony system and also comprises functionality for a protocol within a mobile data network, with the functionality of a protocol for a mobile data network that is comprised in one of the levels of the system comprising the functionality of a subscriber (MN). Since one of the levels in the system comprises functionality for both types of systems, this level may be used as an "interface" between the two types in the system.
  • since the "lowest" levels, in other words those closest to the end user, are levels which come from a digital mobile telephony system, the users of the system will be able to use terminals intended for the digital mobile telephony system without problems, while at the same time the mobile telephony system is integrated with the system for a mobile data network at higher levels.
  • a further problem which is solved by the present invention is how a user who has a terminal intended for a digital mobile telephony system will be able to be authenticated against the parts of the integrated systems which come from a system for mobile data communication, and also how session keys will be handled in an integrated system. How the invention solves these problems will be disclosed in the description below.
  • Fig. 1 shows an example of the structure of a system for digital mobile telephony
  • Fig. 2 shows an example of the structure of a system for a mobile data network
  • Fig. 3 shows the principle structure of a system according to the present invention
  • Fig. 4 shows how the authentication is constructed in a system according to the invention
  • Fig. 5 shows authentication in a larger system
  • Figs. 6-7 show the invention applied to the system from Fig. 5.
  • in Fig. 1 the principal structure of a digital mobile telephony system is shown, in the present case the so-called UMTS system.
  • the system consists of a number of hierarchical levels, which connect the system to the overarching countrywide telephone network.
  • the levels shown in Fig. 1 are MS - the subscriber level, most often a cell phone, but a level that can be an arbitrary mobile terminal, in other words for example a computer or other equipment which is able to communicate with the closest next level, the so-called UTRAN level.
  • This level, UTRAN is the level that connects the subscribers with the rest of the system via base stations in the coverage area of the system.
  • the UTRAN level is in turn connected with the SGSN level, which in turn is connected with the GGSN level, with the function to link the MS with external networks, which may comprise both data and speech.
  • in Fig. 2 the principal structure of a system for mobile data communication is shown, in the present case an MIP-based system.
  • an MIP-based system also consists of hierarchical levels.
  • a mobile user, designated MN, communicates with the closest next level, FA, which in turn communicates with the next level, HA.
  • the protocol in an MIP-based system is such that MN may communicate with FA via an essentially arbitrary medium, for example via radio or wire.
  • the functions for FA and HA in an MIP-based system roughly correspond to the functions for SGSN and GGSN respectively in the UMTS system.
  • Fig. 3 shows a system for digital mobile communication according to the invention.
  • the system comprises a number of hierarchical communication levels, where a number of the levels (UTRAN, SGSN) come from the UMTS system, and other levels (HA, FA) come from an MIP-based system.
  • the functionality from an MIP-based system that SGSN has been provided with is the functionality for the subscriber level within an MIP-based system.
  • SGSN may thus use the data which are sent between MS and SGSN and convert them to the protocol for MIP, which enables SGSN to communicate with FA, whereby FA will perceive this as if the communication that in reality comes from an MS intended for the UTRAN system comes from an MN in an MlP-based system.
  • a so-called “tunnel” is created between FA and HA, which means that a path for data communication is opened between HA and MN. It is SGSN that provides the opening of such a path for data communication between MS and HA.
  • when connecting to an MIP-based system, MN receives an AAD from FA, either because MN has sent an AAS, or due to periodic transmission of AAD from FA. Following this, MN transmits RRQ, which is granted by HA by sending RRP.
  • the signals within the MIP protocol that SGSN has been provided with according to the invention are the signals, RRQ and RRP, which are needed for MN to tell HA where MN is, enabling HA to direct, to "tunnel", the traffic to the right FA.
  • a further demand on the type of system that is provided according to the invention is that such a combined system must be able to authenticate an MS from a digital mobile telephony system against building blocks in the system which come from a mobile data network.
  • Authentication here refers to checking that the user/subscriber is authorized to use the system.
  • in MIP the authentication is carried out by FA sending a random number (a so-called "challenge") in the signal AAD.
  • the user responds with his personal password, which is used together with the random number to create a new number that is inserted into the RRQ, following which HA receives RRQ and checks if the password is correct, using the new number that has been inserted into RRQ and the originally sent random number. If the password is correct, RRP is sent to MN, in other words a signal granting the user access to the system and to those of its services that the user is entitled to.
  • the check of whether the password is correct or not that the HA makes is preferably made in a separate function for this purpose which lies outside HA itself, for example a so-called RADIUS function, which has information regarding the user's password.
  • in UMTS the authentication procedure differs slightly from the one in MIP. If a user wishes to use the UMTS system for data communication, this is often carried out using a computer, for example a portable PC that is connected to a terminal, a cell phone, in the UMTS system.
  • the cell phone sends a random number to the PC via a CHAP message, and the user is requested to state his password.
  • a new number is generated in the PC, and then this new number and the used random number together with information regarding the stated identity of the user is sent to the SGSN via the cell phone and thereafter to GGSN.
  • at GGSN it is checked if the user is authorized to access the system, and if so which functions in the system the user should be able to access.
  • This authentication of the user in GGSN is preferably made in a function that is separate from GGSN itself, preferably in a so-called RADIUS server, which has information regarding the user's password.
  • Fig. 4 shows how the authentication is designed in a system according to the invention.
  • the drawing shows an MS and a PC connected to this MS in order to carry out the data communication wirelessly via the system according to the invention.
  • MS sends a CHAP message to the PC, where the CHAP message contains a random number.
  • the user responds with his password, using which a new number is calculated with the help of the random number.
  • Information regarding the random number, the number which has been generated from the random number, and the stated identity of the user is sent to SGSN by MS via UTRAN.
  • the random number, the new number generated using the password and random number, and the information regarding the stated identity of the user, which SGSN receives from the PC via MS and UTRAN, are transformed in SGSN by putting the information in a so-called MIP extension, in other words a message in MIP format, following which it is sent to FA, and then further to HA.
  • the authentication procedure for an MIP-based system described above then takes place, a procedure that preferably takes place in an authentication function separate from HA itself, for example a so-called RADIUS function. Since the information that arrives at HA and the authentication function, the random number and the newly generated number, comes from a CHAP procedure, this must be stated in the information that is sent to the authentication function, suitably in the same extension as the rest of the information from the CHAP exchange.
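The Fig. 4 flow as an added Python example, not code from the patent: the PC's CHAP response, SGSN's repackaging of challenge, response and identity into a MIP-style extension flagged as CHAP-derived, and the check at the RADIUS-like function behind HA. The CHAP-MD5 response function (RFC 1994), the extension type number and layout, and the sample password table are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample user database held by the RADIUS-like function behind HA
# (identity -> password). Not real credentials.
SAMPLE_PASSWORDS = {"user1@home.example": b"correct-horse-battery"}

# The extension type number and field layout below are constructed for this
# example; they are not the values of any standardised MIP extension.
CHAP_AUTH_EXT_TYPE = 0x7F
FLAG_FROM_CHAP = 0x01  # tells the auth function the numbers come from a CHAP exchange


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """The 'new number' the PC derives from the password and the random number.
    Assumed here to be CHAP-MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def sgsn_build_chap_extension(identity: str, chap_id: int,
                              challenge: bytes, response: bytes) -> bytes:
    """SGSN repackages challenge, response and stated identity into a MIP-style
    extension: type(1) len(1) flags(1) chap_id(1) clen(1) challenge rlen(1) response identity."""
    body = (struct.pack("!BBB", FLAG_FROM_CHAP, chap_id, len(challenge)) + challenge
            + bytes([len(response)]) + response + identity.encode("utf-8"))
    if len(body) > 255:
        raise ValueError("extension body too long for a one-byte length field")
    return bytes([CHAP_AUTH_EXT_TYPE, len(body)]) + body


def parse_chap_extension(ext: bytes) -> dict:
    """Strict parser for the extension above; rejects truncated or mis-typed input."""
    if len(ext) < 5 or ext[0] != CHAP_AUTH_EXT_TYPE or ext[1] != len(ext) - 2:
        raise ValueError("malformed extension header")
    flags, chap_id, clen = struct.unpack("!BBB", ext[2:5])
    pos = 5
    if pos + clen + 1 > len(ext):
        raise ValueError("truncated challenge")
    challenge, pos = ext[pos:pos + clen], pos + clen
    rlen, pos = ext[pos], pos + 1
    if pos + rlen > len(ext):
        raise ValueError("truncated response")
    response, pos = ext[pos:pos + rlen], pos + rlen
    return {"from_chap": bool(flags & FLAG_FROM_CHAP), "chap_id": chap_id,
            "challenge": challenge, "response": response,
            "identity": ext[pos:].decode("utf-8")}


def radius_verify(ext: bytes, password_db: dict) -> bool:
    """Check done by the separate authentication function: recompute the expected
    response from the stored password and the challenge, compare in constant time."""
    f = parse_chap_extension(ext)
    if not f["from_chap"]:          # verifier must know which derivation to recompute
        return False
    password = password_db.get(f["identity"])
    if password is None:
        return False
    expected = chap_response(f["chap_id"], password, f["challenge"])
    return hmac.compare_digest(expected, f["response"])


def run_fig4_flow(identity: str, password_typed: bytes, password_db: dict,
                  challenge: bytes = None) -> str:
    """MS -> PC challenge, PC response, SGSN repackaging, HA/RADIUS check.
    Returns 'RRP' (access granted) or 'REJECT'."""
    challenge = challenge if challenge is not None else os.urandom(16)  # MS -> PC
    chap_id = 0x2A
    response = chap_response(chap_id, password_typed, challenge)            # on the PC
    ext = sgsn_build_chap_extension(identity, chap_id, challenge, response)  # SGSN -> FA -> HA
    return "RRP" if radius_verify(ext, password_db) else "REJECT"
```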
  • Fig. 5 shows a known alternative way to handle the authentication in larger MIP-based systems, with less load on HA and FA: a separate server, AUT, which communicates directly with HA and FA (shown with two-way arrows in the drawing), using DIAMETER, a protocol to handle authentication between the different units in the system.
  • the initial authentication in the system in Fig. 5 is carried out by MN sending RRQ to FA, which creates a new message with the RRQ of the MN in it, and sends this message to AUT which checks and authenticates MN. If the authentication is successful, AUT sends a message to a suitable HA (the system may contain several HA, but for simplicity Fig. 5 only shows one), where the message among other things contains the RRQ of the MN. HA responds with RRP to AUT, and has at this stage opened its end of the "tunnel" for communication which has been described earlier. The RRP is sent from AUT to FA which extracts RRP from the message from AUT and sends RRP to MN.
  • after the reception of RRP from AUT, FA opens "its" end of the tunnel, and communication between MN, FA and HA may proceed without using AUT.
  • when RRP is sent, from AUT to FA and from FA to MN, it may be sent either separately or included in another message.
  • each one of the three units affected, MN/FA/HA, will check if the received message comes from the correct sender. This is carried out by means of so-called "session keys", which during the session are used by a sending unit to create a check sum over the message the unit wants to send, which check sum is sent together with the message.
  • a receiving unit "dissolves" the message using its session key, and checks if the check sum is correct.
  • when a unit, for example FA, forwards a message between two other units (for example MN-HA), the forwarding unit will check if the message comes from the correct sender, and add its own check sum to the message using its session key, before the message is forwarded.
  • Each unit will thus need two session keys, since each unit will communicate with two other units.
  • the system in Fig. 5 will need a total of six session keys during a session for MN/FA/HA. However, only three of the keys will have to be different, since two units communicating with each other should use the same key.
  • the session keys are created by AUT for each session, and are sent to the respective unit by AUT when the initial authentication is made. To prevent unauthorized use of the keys, they are sent in coded form, where the coding is made using a code key which is known in advance by the respective units.
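The session-key handling of Fig. 5 as an added Python example, not the patent's own code: AUT creates three distinct keys and delivers six coded copies (two per unit), and a message from MN carries an end-to-end check sum for HA plus a hop check sum that FA verifies, strips and replaces with its own before HA verifies both. The link names, the HMAC-SHA256 check sum, the constructed code keys and the HMAC-keystream wrap standing in for the page's unspecified "coding" are assumptions made for the example.

```python
import hashlib
import hmac
import os

UNITS = ("MN", "FA", "HA")
# Link names are hypothetical; the page only speaks of session keys shared pairwise.
LINKS = ("MN-FA", "FA-HA", "MN-HA")
TAG_LEN = 32  # length of the SHA-256 HMAC tag used as the "check sum"

# Constructed pre-shared "code keys", one per unit, known to AUT in advance.
CODE_KEYS = {u: hashlib.sha256(b"constructed-code-key-" + u.encode()).digest() for u in UNITS}

def wrap_key(code_key: bytes, session_key: bytes) -> bytes:
    """Stand-in for the page's 'coding': XOR with an HMAC-SHA256 keystream under a
    fresh nonce, so each delivery looks different even when the key is the same."""
    nonce = os.urandom(16)
    stream = hmac.new(code_key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(stream, session_key))

def unwrap_key(code_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(code_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stream, ct))

def aut_create_session_keys() -> tuple:
    """AUT creates one key per link (three distinct keys) and delivers each to both
    ends of its link (six deliveries), coded under the recipient's code key."""
    keys = {link: os.urandom(32) for link in LINKS}
    deliveries = {u: {link: wrap_key(CODE_KEYS[u], k)
                      for link, k in keys.items() if u in link.split("-")} for u in UNITS}
    return keys, deliveries

def checksum(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mn_send(keys: dict, payload: bytes) -> bytes:
    """MN adds an end-to-end check sum for HA, then a hop check sum for FA."""
    inner = payload + checksum(keys["MN-HA"], payload)
    return inner + checksum(keys["MN-FA"], inner)

def fa_forward(keys: dict, frame: bytes):
    """FA verifies the MN-FA check sum, strips it and adds its own FA-HA check sum.
    Returns None if the frame does not come from the expected sender."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, checksum(keys["MN-FA"], body)):
        return None
    return body + checksum(keys["FA-HA"], body)

def ha_receive(keys: dict, frame: bytes):
    """HA verifies FA's hop check sum and then MN's end-to-end check sum."""
    body, hop = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(hop, checksum(keys["FA-HA"], body)):
        return None
    payload, e2e = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(e2e, checksum(keys["MN-HA"], payload)):
        return None
    return payload

def run_session(payload: bytes, tamper: bool = False) -> dict:
    """Whole session: AUT distributes keys, each unit decodes its two, MN sends via FA to HA."""
    keys, deliveries = aut_create_session_keys()
    unit_keys = {u: {link: unwrap_key(CODE_KEYS[u], blob) for link, blob in d.items()}
                 for u, d in deliveries.items()}
    frame = mn_send(unit_keys["MN"], payload)
    if tamper:  # flip one payload bit in transit between MN and FA
        frame = bytes([frame[0] ^ 0x01]) + frame[1:]
    forwarded = fa_forward(unit_keys["FA"], frame)
    received = None if forwarded is None else ha_receive(unit_keys["HA"], forwarded)
    return {"distinct_keys": len(set(keys.values())),
            "deliveries": sum(len(d) for d in deliveries.values()),
            "accepted_by_fa": forwarded is not None, "received": received}
```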
  • Fig. 6 shows a system according to the invention, in other words a system with components and functionality from both UMTS (UTRAN, SGSN, MS) and MIP (FA, HA), where the system has been provided with the type of separate authentication function, AUT, which has been described above in connection with Fig. 5.
  • the initial authentication of MS in the system is carried out in the manner described in connection with Fig. 4, with the difference that the authentication is carried out by means of the separate function for this, AUT.
  • SGSN will, in a system according to the invention, dissolve the messages which are sent to and from MS, and transform them so that they seem to go to and come from an MN in an MIP-based system.
  • having the password for MS, in other words the password for a single user, in SGSN is both technically difficult and unsuitable for security reasons.
  • the session keys that are sent from AUT to "MN" at the beginning of the session will be coded with the same code key that is used by FA. This enables messages which are sent to MS to be dissolved by FA and sent to SGSN for forwarding to MS, and messages arriving from MS are provided with check sums by FA, as if they came from an MN in an MIP-based system.
  • that AUT codes the session keys which are going to "MN" with the same code key as used by FA is due to the fact that AUT, in a system according to the invention, knows that the user "MN" really is an MS from a UTRAN system.
  • Fig. 7 shows schematically how a user, MS1, has entered a system according to the invention which is used by an operator other than the one that the user, MS1, has subscribed to.
  • the units in the "home system" for the user, MS1, will in the following be described with the numeral one (1) after their regular terms, and the units in the "alien" system will be indicated with the numeral two (2) after their ordinary terms.
  • the HA that MS1 will be communicating with is HA1, in spite of the fact that MS1 is in an alien system, which means that HA2 doesn't have to be used in the communication from/to MS1.
  • when MS1 wants to authenticate itself in the alien system, it sends RRQ to SGSN2, which is forwarded to FA2 and from there to AUT2.
  • AUT2 recognizes that MS1 is a unit that belongs to AUT1, and therefore forwards RRQ to AUT1, which authenticates MS1 and creates the six session keys that will be needed. RRQ can either be sent separately, or included in another message.
  • the session keys are coded before AUT1 sends them to the respective unit, which means that the unit that sends the session keys must have a code key in common with the receiving unit.
  • the following units will have common code keys:
  • AUT1 codes the session keys to HA1 with a code key that these units have in common, and sends RRQ and session keys to HA1, after which HA1 opens its "tunnel end" and responds with an RRP to AUT1, which is then forwarded to AUT2.
  • the session keys for FA2 are coded by AUT1 by means of the code key that AUT has in common with AUT2.
  • AUT2 dissolves the session key, codes it with the code key that is common for AUT2 and FA2, and sends it forward to FA2, where the session key is decoded, and used in the manner described in connection with Fig. 6.
  • communication begins in the manner shown in Fig. 7, in other words between MS1-SGSN2-FA2-HA1.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001258991A AU2001258991A1 (en) 2000-05-15 2001-05-15 A digital mobile communication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0001760A SE522792C2 (sv) 2000-05-15 2000-05-15 A system for digital mobile communication
SE0001760-8 2000-05-15

Publications (1)

Publication Number Publication Date
WO2001089242A1 true WO2001089242A1 (en) 2001-11-22

Family

ID=20279648

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2001/001076 WO2001089242A1 (en) 2000-05-15 2001-05-15 A digital mobile communication system

Country Status (3)

Country Link
AU (1) AU2001258991A1 (sv)
SE (1) SE522792C2 (sv)
WO (1) WO2001089242A1 (sv)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998043446A2 (en) * 1997-03-25 1998-10-01 Telefonaktiebolaget Lm Ericsson (Publ) Communicating packet data with a mobile station roaming within an incompatible mobile network
WO2000018155A2 (en) * 1998-09-21 2000-03-30 Nokia Networks Oy Ip mobility mechanism for a packet radio network
WO2000018154A2 (en) * 1998-09-21 2000-03-30 Nokia Networks Oy Ip mobility mechanism for a packet radio network
WO2000045560A2 (en) * 1999-01-29 2000-08-03 Telefonaktiebolaget Lm Ericsson (Publ) Public mobile data communications network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009058714A2 (en) * 2007-10-31 2009-05-07 Marvell World Trade Ltd. A system and method for reselection of a packet data network gateway when establishing connectivity
WO2009058714A3 (en) * 2007-10-31 2010-04-08 Marvell World Trade Ltd. A system and method for reselection of a packet data network gateway when establishing connectivity

Also Published As

Publication number Publication date
AU2001258991A1 (en) 2001-11-26
SE0001760L (sv) 2001-11-16
SE0001760D0 (sv) 2000-05-15
SE522792C2 (sv) 2004-03-09

Similar Documents

Publication Publication Date Title
US7912450B2 (en) System and method for communication service portability
KR101401190B1 (ko) Method and system for controlling access to a network
KR100300629B1 (ko) System and method for using a SIM card in a CDMA service area
EP1123626B1 (en) Ip roaming number gateway
US20040162998A1 (en) Service authentication in a communication system
CN102326422A (zh) Unauthenticated emergency calls in an all-IP 3GPP IMS network
US7076799B2 (en) Control of unciphered user traffic
US20070232258A1 (en) Communication system and mobile wireless communication device
EP1101325A1 (en) A plug and play wireless architecture supporting packet data and ip voice/multimedia services
EP1495586B1 (en) Method, system and device for service selection via a wireless local area network
US20050086535A1 (en) Method for authenticating a user for the purposes of establishing a connection from a mobile terminal to a WLAN network
US20110072512A1 (en) Apparatus and method for providing communication service using common authentication
US20050102519A1 (en) Method for authentication of a user for a service offered via a communication system
EP1176760A1 (en) Method of establishing access from a terminal to a server
WO2001089242A1 (en) A digital mobile communication system
JPH11313377A (ja) Mobile data communication system and its mobile terminal device and data communication device
EP1322130B1 (en) A terminal-based service identification mechanism
KR100398658B1 (ko) Apparatus and method for providing video telephony service between a personal computer and a mobile phone terminal in a mobile telephone network
EP1327350B1 (en) Payment service for transmission of information
KR100752539B1 (ko) Mobile communication device and method for accessing an Internet site
WO2003055237A2 (en) A terminal-based service identification mechanism
JP3830388B2 (ja) Method and apparatus for performing a security procedure involving a mobile station in a hybrid cellular telecommunications system
CN115175118B (zh) Communication service complementing system and method based on cooperative WiFi
KR100277687B1 (ko) Wireless paging service method in an intelligent-network-based mobile communication network
KR100957636B1 (ko) Data session management method and system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP