WO2009093084A2 - A method of sending providing data security over an unsecured network - Google Patents

Info

Publication number
WO2009093084A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
components
security
network
providing
Application number
PCT/GB2009/050075
Other languages
French (fr)
Other versions
WO2009093084A3 (en
Inventor
Metin Barut
Original Assignee
Vodafone Group Plc
Application filed by Vodafone Group Plc
Publication of WO2009093084A2
Publication of WO2009093084A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50 Service provisioning or reconfiguring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02 Services making use of location information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W92/00 Interfaces specially adapted for wireless communication networks
    • H04W92/16 Interfaces between hierarchically similar devices
    • H04W92/18 Interfaces between hierarchically similar devices between terminal devices

Definitions

  • Figure 1 illustrates the use and application of the MLP Protocol to obtain location information associated with a GSM mobile network: the figure illustrates how a PC-based client obtains mobile telephone positioning information from the GSM-associated server by use of the MLP Protocol.
  • Figure 2 is an extract of the MLP Protocol Context Element Definitions: the figure shows the Context Element Definitions used in the MLP protocol, updated and modified in accordance with the present invention.
  • the MLP Protocol Mobile Location Protocol
  • OMA Open Mobile Alliance
  • the MLP protocol functions as an interface between the server (Location Server) and a computer client (Mobile Positioning Service Client) usually associated with a PC or similar computer or data processing tool. Such clients may also be run on PDA's or mobile phones themselves.
  • While requesting position information from the server through the MLP protocol, the client indicates the Client-ID defining and identifying itself to the server and the password associated with that Client-ID, as well as the mobile number for which location information is requested and with which the position information will be received.
  • the positioning information of the mobile telephone of the user is calculated on the GSM network and provided to the client with the same protocol.
  • the location information associated with the mobile device on the GSM network is pre-stored and regularly updated on the server, avoiding the need for the server to request such information on request.
  • the location information can be determined by several existing techniques, including cell identification procedures or AGPS standards (Assisted Global Positioning Satellites).
  • AGPS Assisted Global Positioning Satellites
  • the mechanism for population of the location information on the server is not essential to the current invention.
  • the invention enables sending of these predefined parameters - and only such pre-defined parameters - in an encrypted form.
  • the remaining information in the request and response messages exchanged between the server and the client will not be encrypted.
  • the advantage of minimising the required amount of encryption is to support the connection between server and client. Encryption can consume resources and bandwidth, notably when there is high traffic between client and server. Also, reducing the amount of data being encrypted and decrypted will significantly improve processing capability in the server, notably when managing high request volumes.
  • the method of the current invention is developed in the Context section of the MLP protocol, which is the common unit of the protocol.
  • MLP Protocol is used.
  • Figure 2 shows Context Element Definitions of the existing MLP, in which changes effecting the present invention have been made.
  • the "id" parameter represents the Client-ID
  • the "pwd" parameter represents the password.
  • the response field from the server may be similarly set to either encrypted or non-encrypted.
  • the invention allows the sending in open (non-encrypted) or encrypted form depending on the request of information for sending between the client and server.
  • the invention does not foresee any coding method, so that the user and the service provider decide mutually on the method to be used.
  • the invention can be further automated so that the attributes are to be employed only in the event that the network communicating between the client and the server is unsecured or that its security is not deemed sufficiently high. In this way should the client and the server determine that the network is sufficiently secure, i.e. an intranet connection or Virtual Private Network (VPN) using standard sign on procedures and determination, then no encryption will be necessary and the parameter attribute settings may be automatically changed by the client.
  • VPN Virtual Private Network
  • the invention provides secured communication with MLP protocol in applications used for the determination of positioning in GSM networks.
  • a secure data communication is granted between the client requesting position determination with the related application or service and the server on the server provider side or operator side.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and system for providing security of data transmitted between a first device and a second device over an unsecured network, comprising the steps of providing at least one device with encryption means and the other device with a complementary decryption means for encrypting and decrypting data transmitted therebetween. The first device selectively identifies components of such data necessary for providing data security and selectively encrypts only those data components for transfer over the network to the second device, then transmits the data, including encrypted data components, from said first device to said second device, wherein the second device identifies and decrypts the encrypted data components. The invention is particularly applicable to the MLP Protocol (Mobile Location Protocol), which has been developed by the OMA (Open Mobile Alliance - www.openmobilealliance.com) to get position information from the related server when needed by applications in GSM networks. While requesting positioning information from the server through the MLP protocol, the client indicates the Client-ID defining itself to the server and the password parameters, as well as the mobile number with which the positioning information will be obtained. The invention enables secure transmission of the Client-ID and Password parameters in encrypted form between the client and server. In the Context Element Definitions of the MLP protocol, the 'enc' attribute has been added under the 'id' (Client-ID) and 'pwd' (Password) parameters. When the related parameters are requested to be sent in encrypted form, the 'CRP' option is used. The 'ASC' option is used for sending without encryption.

Description

A Method of Sending Providing Data Security over an Unsecured Network
Technical Field:
When considering the sensitivity of information transmitted between two different network components (for example from a network server to a computer or similar device) there are many known techniques for addressing the security and protection of that data. For example, the system may invoke a secure network application - such as an intranet or other limited access network employing trusted sign on procedures controlling access - or may utilise unsecured networks, such as the internet, and employ computer network authentication protocols or even simple user ID and password sign on procedures, all dependent on the level of security required.
Within the field of mobile telecommunications, network security between the mobile terminals and the mobile network is governed by complex security algorithms effecting a trusted environment allowing sensitive data to be securely passed between network and terminals. Such sensitive information includes details of the physical location of such devices. Whilst such information is sensitive, it is also important to provide appropriate access to such information to enable the provisioning of location centric information and applications to the mobile user. This information may be required not only by the mobile network operators but also third parties provisioning the necessary information and applications.
The MLP Protocol (Mobile Location Protocol) is an industry standard protocol which has been developed by the OMA (Open Mobile Alliance - www.openmobilealliance.com) to allow third parties to employ a standard request to obtain location (or position) information from the related location information servers when needed for provisioning of applications in GSM networks (whilst reference herein is directed to the MLP protocol and GSM networks, the invention to be described is in no way limited to such protocols or mobile technologies but is provided by means of example only). Such protocols are, in practice, reduced to software applications running on the location servers and relevant computer terminals allowing requests and responses to be communicated between the two. While requesting location (position) information from the server with the MLP protocol, the computer client is required to indicate the Client-ID and the password parameters as well as the mobile number to get the positioning information and to define itself to the server. Provided the user has previously registered with the provider of location information and the user identification and associated password are already available on the server (i.e. pre-registered), the positioning information of the requested mobile telephone is provided to the client with the same protocol. The location information can be continually monitored and stored within the server (having been obtained by various means including cell location or Assisted Global Positioning Satellite (AGPS) standards) or the location of the identified mobile handset may even be calculated on the GSM network on request. Whilst these protocols allow a mobile handset to request location information from the server via a mobile data session, they are primarily designed to enable data transmission between the location server and devices other than mobile phones (e.g. personal computers and laptops).
In both the 3.0.0 version (OMA-TS-MLP-V3 2-20051124-C, http://www.openmobilealliance.org/release_program/mls_vl_l.html) of the MLP protocol and the 3.2 version, which is currently in use, the Client-ID and Password parameters of this protocol are sent without encryption. In particular, when the HTTP protocol is used, the user name and the password may be susceptible to illegal interception when transmitted over the internet.
The final version of the MLP Protocol is updated by the OMA, and change requests (CR) sent to it can be followed up through the www.openmobilealliance.org portal. Investigations made on this portal and a search of patents related to the issue identified no previous solution addressing this lack of security.
However, whilst similar data security concerns have been addressed by employing encryption techniques and protocols to improve security, these techniques result in an increase of data traffic over the network, owing to the data-heavy encrypted content, and in additional processing requirements to both encrypt and decrypt the data.
Statement of Invention
It is an object of the current invention to provide an improved method and system for effecting secure data transmission over an unsecured network which alleviates the aforementioned problems.
According to a first embodiment of the present invention there is provided a method for providing security of data transmitted between a first device and a second device over an unsecured network, comprising the steps of providing at least one device with encryption means and the other device with a complementary decryption means for encrypting and decrypting data transmitted therebetween, whereby the first device selectively identifies components of such data necessary for providing data security and selectively encrypts only those data components for transfer over the network to the second device, transmitting that data, including encrypted data components, from the first device to said second device, whereby the second device identifies and decrypts the encrypted data components. In this manner, the invention is realized by selectively identifying only those parts of the data to be transmitted that require encryption in order to obtain appropriate levels of security, whilst the remaining data which is not security sensitive may simply be transmitted in an unencrypted format. Thus, security of the data is achieved whilst minimizing encryption processing and the additional (encrypted) data to be transmitted.
Preferably, both first and second devices will each be provided with complementary encryption and decryption means, wherein either device selectively identifies components of data necessary for providing data security and selectively encrypts only those data components for transfer over the network. As such, both devices are able to communicate with each other using the inventive process, but minimizing the amount of encrypted data to be used in such communication. Usually, the first device will comprise a data requesting device, for example a computer, and the second device will comprise a data server. In the specific example discussed in this specification, the server will comprise data relating to the location of mobile telephones.
In a preferred embodiment of the invention, the method for transmitting data from the first device to said second device will employ data including a request for secure data to be sent from the second device to the first device, and will comprise the step of the second device selectively identifying components of the requested (secure) data necessary for providing data security and the encrypting means on the second device selectively encrypting only those data components of the requested data for transfer over the network, then transmitting said requested data, including encrypted data components, from the second device to the first device, wherein the method provides for the first device identifying and decrypting the encrypted data components of the requested data.
Usually, the method provides that the selective identification of data necessary for providing data security is predefined in a software client, dependent on the data to be transmitted. Usually, this is achieved by predefining which elements of the data are to be encrypted when that data is to be transmitted, preferably effected in the client software by applying appropriate attributes to the identified data elements (or parameters) - usually user identification and password parameters - in the Context Element Definitions of such software which cause those parameters only to be encrypted.
Alternatively, the step of selective identification of data necessary for providing data security may be automated and dependent on the security integrity of the network between said first and second devices, comprising the step of the first or second device determining information relating to the actual network security and, dependent on such determination, identifying which data components require encryption and then encrypting such data components. For example, the client software may again apply appropriate attributes to the identified data elements (or parameters) - usually user identification and password parameters - in the Context Element Definitions of such software, but these attributes are varied in the event that the client detects that the request is being made via a secure network (eg intranet). This is particularly useful where a user may need to access such information from different locations using networks of different security integrities.
Preferably, but without limitation, the components of such data necessary for providing data security comprise at least a unique user identification and an associated password. They may further include an identifier of the data to be requested from the server and the requested data itself when returned from the server. Again, for the specific embodiment, where data is requested related to the location of a mobile telephone, this may include the actual telephone number (or other recognized identifier) and/or the actual location data itself. However, if both the telephone number and the location are to be transmitted together, it is possible that only one or the other need be encrypted as, on their own, neither comprises sensitive information - only when coupled is such information sensitive. As such, the response data need not encrypt data other than data sent in the request itself. Alternatively, the identifier (e.g. phone number) of the data request may not necessarily need to be encrypted when returned with the requested data, if the requested data itself is encrypted. The invention simply requires that the method determines what information is required to be encrypted to ensure security thereof over an unsecured network whilst minimizing the amount of data to be encrypted.
Usually, however, the components of the requested data necessary for providing data security will comprise at least one of the requested data or the identifier of the requested data.
Preferably, the first device is a fixed or mobile computing device, the second device is a server comprising location information associated with mobile telephones, and said unsecured network comprises the internet, wherein the data to be transmitted is a request for location information associated with a particular telephone in accordance with predefined protocols recognized by the server, wherein the method will comprise the steps of identifying components of such protocol necessary for providing data security of such request and encrypting those components. The method of the present invention is particularly applicable where the protocol comprises the Open Mobile Alliance Mobile Location Protocol and the identified components comprise at least one of the client identification code (user ID) and the password settings required by such protocol. This will usually comprise the step of applying appropriate attributes to those identified components in the Context Element Definitions of such protocol specifying encryption of such components when the necessary encryption attributes are identified.
Further according to the present invention, there is also provided a system for providing security of data transmitted between a first device and a second device over an unsecured network, comprising at least one device with encryption means and a second device with a complementary decryption means for encrypting and decrypting data transmitted therebetween, characterized by the first device comprising means for selectively identifying and encrypting only minimum components of such data necessary for providing data security, together with transmitting means for transmitting this data, including encrypted data components, from the first device to the second device over an unsecured network, the second device comprising means for identifying and decrypting the transmitted and encrypted data components. Preferably, in such a system both first and second devices are each provided with complementary encryption and decryption means and each device is provided with a software client to selectively identify and encrypt only minimum components of such data necessary for providing data security for transfer over the network. The software client may comprise the Open Mobile Alliance Location Protocol and means for identifying and encrypting the client identification code and password of such protocol.
In one specific embodiment, the invention provides for the Client-ID and Password parameters in the MLP protocol determined by the OMA to be sent in encrypted form, to secure their transmission over the internet. Passing user information to third parties openly (in non-encrypted form) creates a lack of security, which may result in unauthorized use of positioning information of users. Sending these parameters in encrypted form covers the lack of security which may arise with the use of the protocol.
The invention provides the encrypted sending of the Client-ID and Password parameters in MLP protocol requests used for the determination of positioning in GSM networks, removes the risk of unauthorized use of such information on the Internet and brings security control to the system.
Description of the Pictures
A preferred embodiment of the present invention will now be described, by way of example only, with reference to the following attached drawings illustrating the implementation of the technique developed to reach the purpose of the invention.
Figure 1 illustrates the use and application of the MLP Protocol to obtain location information associated with a GSM mobile network in GSM Networks: the figure illustrates how a PC based client obtains mobile telephone positioning information from the GSM associated server, by use of the MLP Protocol.
Figure 2 is an extract of the MLP Protocol Context Element Definitions: the figure shows Context Element Definitions used in the MLP protocol updated and modified in accordance with the present invention.
Explanation of the Invention
The MLP Protocol (Mobile Location Protocol) determined by the OMA (Open Mobile Alliance) is an application level protocol providing the position information of mobile PDA (Personal Digital Assistant) devices and mobile phones independent of the network infrastructure and technology. As shown in Figure 1, the MLP protocol functions as an interface between the server (Location Server) and a computer client (Mobile Positioning Service Client) usually associated with a PC or similar computer or data processing tool. Such clients may also be run on PDAs or mobile phones themselves. While requesting position information from the server through the MLP protocol, the client indicates the Client-ID defining and identifying itself to the server and the password associated with that Client-ID, as well as the mobile number for which location information is requested and with which the position information will be received. If these user definitions are already available on the server, the positioning information of the mobile telephone of the user is calculated on the GSM network and provided to the client with the same protocol. Alternatively, it will be appreciated that the location information associated with the mobile device on the GSM network may be pre-stored and regularly updated on the server, avoiding the need for the server to obtain such information on request. The location information can be determined by several existing techniques, including cell identification procedures or AGPS standards (Assisted Global Positioning Satellites). However, the mechanism for population of the location information on the server is not essential to the current invention.
To guarantee the secure transmission of the Client-ID and password parameters between the client and the server over an unsecured network such as the internet, the invention enables sending of these predefined parameters - and only such predefined parameters - in an encrypted form. The remaining information in the request and response messages exchanged between the server and the client will not be encrypted.
The advantage of minimising the required amount of encryption is to support the connection between server and client. Encryption can consume resources and bandwidth, notably where there is high traffic between client and server. Also, reducing the amount of data being encrypted and decrypted will significantly improve processing capability in the server, notably when managing high request volumes.
With reference to Figure 2, the method of the current invention is developed in the Context section of the MLP protocol, which is the common unit of the protocol. The same solution is provided in all services, where MLP Protocol is used.
Figure 2 shows Context Element Definitions of the existing MLP, in which changes effecting the present invention have been made. In the definitions, the "id" parameter represents the Client-ID, whereas the "pwd" parameter represents the password.
As shown in Figure 2 with the number [1], the "enc" attribute has been added under the "id" parameter in the section Context Element Definitions of the protocol. If the "id" parameter is to be sent in encrypted form, the "CRP" option of this attribute is used. The "ASC" option is used for sending without encrypting.
Similarly, as shown in Figure 2 with the number [2], the "enc" attribute has been added under the "pwd" parameter in the Context Element Definitions section. If the "pwd" parameter is to be sent in encrypted form, the "CRP" option is used. The "ASC" option is used for sending without encrypting.
It is appreciated that these parameters have been selected by way of example only, to illustrate that selectively determining only the security critical information allows a simple means of providing security of data transmitted over a non-secure network whilst minimising the amount of data to be encrypted, and decrypted on receipt. In this example - not illustrated - the user may also determine that the data input field of the requested telephone number also be encrypted. As above, this is simply effected by appropriate addition of the "enc" attribute to such data field.
Similarly, the response field from the server may be set to either encrypted or non-encrypted.
However, for return data from the server, it may be determined that only one or other of the phone number and location data needs to be encrypted as the security sensitive information relates to both the phone number and location data in combination. Thus, such selection criteria and attribute setting can be used to minimise the amount of data identified and encrypted yet sufficient to improve security of the sensitive data.
Thus, the invention allows information exchanged between the client and server to be sent in open (non-encrypted) or encrypted form, as requested. However, the invention does not foresee any coding method, so that the user and the service provider decide mutually on the method to be used.
Standard registration procedures authorising the client use and access to the server will not be described herein as they are represented by numerous commercially available models. Similarly, the determination of the encryption algorithms to be applied is not critical to the invention and, again, any commercially available encryption technology can be applied to the selected data.
As user information sent openly (in non-encrypted form) may reach people who use it without authorization, the use of the protocol in this invention covers the lack of security which may arise.
Whilst this preferred embodiment employs the use of pre-setting the parameter attributes, the invention can be further automated so that the attributes are to be employed only in the event that the network communicating between the client and the server is unsecured or that its security is not deemed sufficiently high. In this way should the client and the server determine that the network is sufficiently secure, i.e. an intranet connection or Virtual Private Network (VPN) using standard sign on procedures and determination, then no encryption will be necessary and the parameter attribute settings may be automatically changed by the client.
The invention provides secured communication with MLP protocol in applications used for the determination of positioning in GSM networks. Thus a secure data communication is granted between the client requesting position determination with the related application or service and the server on the server provider side or operator side.
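The attribute handling described above for "id" and "pwd", including the automatic switch to "ASC" on a trusted network, can be sketched as follows. This is an added example, not code from the patent: the simplified header layout, the function names, the sample values, the treatment of a missing "enc" attribute as clear text, and the HMAC-based stand-in cipher (the patent names no algorithm; a vetted authenticated cipher would take its place) are all assumptions.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

def _subkey(key, label):
    # Derive separate encryption and MAC keys from the shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, text):
    """Encrypt one field value, then authenticate nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, text.encode())
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def unseal(key, blob):
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 48:
        raise ValueError("encrypted field too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("encrypted field failed integrity check")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct).decode()

def build_request(key, client_id, password, msid, network_trusted=False):
    """Client: encrypt only id and pwd (enc="CRP"); send them in clear
    (enc="ASC") when the link is already trusted, e.g. a VPN."""
    hdr = ET.Element("hdr")  # simplified layout (assumption)
    client = ET.SubElement(hdr, "client")
    for tag, value in (("id", client_id), ("pwd", password)):
        el = ET.SubElement(client, tag)
        el.set("enc", "ASC" if network_trusted else "CRP")
        el.text = value if network_trusted else seal(key, value)
    ET.SubElement(hdr, "msid").text = msid  # not selected, stays readable
    return ET.tostring(hdr, encoding="unicode")

def read_request(key, xml_text):
    """Server: decrypt fields marked CRP, pass ASC through, reject the rest."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in ("id", "pwd", "msid"):
            continue
        mode = el.get("enc", "ASC")  # assumption: no attribute means clear text
        if mode == "CRP":
            fields[el.tag] = unseal(key, el.text or "")
        elif mode == "ASC":
            fields[el.tag] = el.text or ""
        else:
            raise ValueError(f"unknown enc value {mode!r} on <{el.tag}>")
    return fields

KEY = bytes(range(32))  # constructed demo key, agreed out of band
```
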

Claims

1. A method for providing security of data transmitted between a first device and a second device over an unsecured network, comprising the steps of providing at least one device with encryption means and the other device with a complementary decryption means for encrypting and decrypting data transmitted therebetween, characterized by said first device selectively identifying components of such data necessary for providing data security and selectively encrypting only those data components for transfer over the network to the second device, transmitting said data, including encrypted data components, from said first device to said second device, said second device identifying and decrypting said encrypted data components.
2. A method as claimed in claim 1 wherein both first and second devices are each provided with complementary encryption and decryption means, wherein either device selectively identifies components of data necessary for providing data security and selectively encrypting only those data components for transfer over the network.
3. A method as claimed in claim 1 or claim 2 wherein said first device comprises a data requesting device and said second device comprises a data server.
4. A method as claimed in any one of the preceding claims for transmitting data from said first device to said second device, which data includes a request for secure data to be sent from the second device to first device, comprising the step of said second device selectively identifying components of said requested data necessary for providing data security and said encrypting means on said second device selectively encrypting only those data components for transfer over the network, transmitting said requested data, including encrypted data components, from said second device to said first device, said first device identifying and decrypting said encrypted data components.
5. A method as claimed in any one of the preceding claims wherein said selective identification of data necessary for providing data security is predefined in a software client dependent on the data to be transmitted.
6. A method as claimed in any one of claims 1 to 4 wherein said selective identification of data necessary for providing data security is automated and dependent on the security integrity of the network between said first and second devices, comprising the step of said first or second device determining said network security and, dependent on such determination, identifying which data components require encryption and then encrypting such data components.
7. A method as claimed in any one of the preceding claims wherein the components of such data necessary for providing data security comprise at least unique user identification and an associated password.
8. A method as claimed in claim 7 when appended to claim 7 wherein the components of such data necessary for providing data security in a request comprises an identifier of said requested data.
9. A method as claimed in claim 8 wherein the components of the requested data necessary for providing data security may comprise at least one of the requested data or the identifier of the requested data.
10. A method as claimed in any one of the preceding claims wherein said first device is a fixed or mobile computing device, said second device is a server comprising location information associated with mobile telephones, and said unsecured network comprises the internet, and the data to be transmitted is a request for location information associated with a particular telephone in accordance with predefined protocols recognized by said server, comprising the steps of identifying components of such protocol necessary for providing data security of such request and encrypting those components.
11. A method as claimed in claim 10 wherein the protocol comprises the Open Mobile Alliance Mobile Location Protocol and the identified components comprises at least one of the client identification code and the password required by such protocol.
12. A method as claimed in claim 11 comprising the step of applying appropriate attributes to those identified components in the Context Element Definitions of such protocol specifying encryption of such components when the necessary encryption attributes are identified.
13. A system for providing security of data transmitted between a first device and a second device over an unsecured network, comprising at least one device with encryption means and a second device with a complementary decryption means for encrypting and decrypting data transmitted therebetween, characterized by: said first device comprising means for selectively identifying and encrypting only minimum components of such data necessary for providing data security, transmitting means for transmitting said data, including encrypted data components, from said first device to said second device over an unsecure network; said second device comprising means for identifying and decrypting said encrypted data components.
14. A system as claimed in claim 13 wherein both first and second devices are each provided with complementary encryption and decryption and each device further comprises a software client to selectively identify and encrypt only minimum components of such data necessary for providing data security for transfer over the network.
15. A system as claimed in claim 13 or claim 14 wherein said software client comprises the Open Mobile Alliance Location Protocol and means for identifying and encrypting the client identification code and password of such protocol.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2008/00488 2008-01-24
TR2008/00488A TR200800488A1 (en) 2008-01-24 2008-01-24 The method of sending the client-code and password in encrypted form in the MLP protocol.

Publications (2)

Publication Number Publication Date
WO2009093084A2 (en) 2009-07-30
WO2009093084A3 (en) 2009-10-15

Family

ID=40901487

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2009/050075 WO2009093084A2 (en) 2008-01-24 2009-01-26 A method of sending providing data security over an unsecured network

Country Status (2)

Country Link
TR (1) TR200800488A1 (en)
WO (1) WO2009093084A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001080520A2 (en) * 2000-04-12 2001-10-25 Nortel Networks Limited Security encrypted network access identifier for ip mobility systems
US7024557B1 (en) * 1999-12-30 2006-04-04 Samsung Electronics Co., Ltd. System and method for secure provisioning of a mobile station from a provisioning server using encryption
US20070297367A1 (en) * 2006-06-19 2007-12-27 Interdigital Technology Corporation Method and apparatus for security protection of an original user identity in an initial signaling message

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OMA OPEN MOBILE ALLIANCE: "Mobile Location Protocol 3.3 Draft Version 3.3" INTERNET CITATION 5 February 2007 (2007-02-05), XP007909473 Retrieved from the Internet: URL:http://member.openmobilealliance.org/ftp/Public_documents/LOC/2007/OMA-LOC-2007-0024-INP_MLP_TS_Skeleton_for_MLS_1.2.zip> [retrieved on 2009-08-10] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117955741A (en) * 2024-03-26 2024-04-30 河北久维电子科技有限公司 Encryption communication method and system of Modbus protocol communication equipment
CN117955741B (en) * 2024-03-26 2024-06-11 河北久维电子科技有限公司 Encryption communication method and system of Modbus protocol communication equipment

Also Published As

Publication number Publication date
TR200800488A1 (en) 2009-08-21
WO2009093084A3 (en) 2009-10-15

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09704664

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 09704664

Country of ref document: EP

Kind code of ref document: A2