This invention relates to a method and apparatus for providing secure communication through a communications network.
Digital mobile voice communications systems are well known and one example is the GSM terrestrial cellular system. Others are the Inmarsat-M satellite telephone system, the IRIDIUM(trademark) satellite cellular system described in, for example, EP-A-0365885, the ICO(trademark) satellite cellular system described in, for example, GB-A-2295296 or the ODYSSEY(trademark) satellite cellular system described in, for example EP-A-0510789. Since such systems operate over a wireless link, there is a risk of interception of calls by unauthorised persons.
The GSM system includes an optional encryption scheme described in, for example, “Security aspects and the implementation in the GSM-system”; Peter C. J. van der Arend, paper 4a, Conference Proceedings of the Digital Cellular Radio Conference (DCRC), Oct. 12th-14th, 1988, published by Deutsche Bundespost, France Telecom and Fernuniversitate. Greater detail is given in the following GSM recommendations: GSM 02.09 “Security Aspects”; GSM 03.20 “Security Related Algorithms”. In this scheme, a database known as the Authentication Centre (AuC) holds an individual encryption key number (Ki) for each subscriber to the authentication service, which is also stored on a chip known as the Subscriber Information Module (SIM) held in the subscriber's mobile terminal. The subscriber has no access to the data stored in the SIM and cannot read the key.
Where a secure session is requested, a random number (RAND) is generated by the AuC and used, together with the customer's key (Ki), to calculate a ciphering key (Kc) used during the session for ciphering and deciphering messages to/from the subscriber. The random number is sent from the AuC to the subscriber's mobile terminal via the Base Transceiver Station (BTS). The mobile terminal passes the random number to the SIM, which calculates the ciphering key Kc using an algorithm termed A5, from the received random number and the stored key (Ki). Thus, the random number is sent over the air, but not the customer's key Ki or the ciphering key Kc.
The random number and the ciphering key Kc are fed to the Home Location Register (HLR) database of the GSM network, which stores details for the subscriber concerned, and are also sent to the Visiting Location Register (VLR) for the area where the user terminal is currently located, and are supplied to the BTS via which the mobile is communicating to the network.
The ciphering key Kc is used, together with the current TDMA frame number, to implement the A5 ciphering algorithm in both the mobile terminal and the BTS so that data transmitted over the air interface between the mobile terminal and the BTS is encrypted. Thus, the individual user key Ki is stored only at the authentication centre and the SIM, where the ciphering key Kc is calculated and forwarded to the BTS and the mobile terminal.
Whilst this scheme is adequate in many respects, it fails to provide complete security since it offers protection only over the air transmission path. Thus, it is possible for illicit access to be obtained by tampering with the fixed part of the network.
Accordingly, end-to-end encryption schemes have been proposed. Because the encryption runs from one user terminal to the other, across the whole communications path and not just the air path, improved privacy is obtained.
The basic problem in offering end-to-end encipherment of communications over a network is in providing each of the two users with the same, or each other's, secret key. In some applications, a group of terminals (for example all owned by a single body) may all have access to the same key. Whilst this provides privacy against personnel from outside the group, it is an incomplete solution since it does not provide privacy for a communication between two terminals within the group against a third terminal within the group.
It is possible to employ public key encryption systems, in which each terminal has a secret decryption key and a non-secret encryption key, so that any other party can use the encryption key to encrypt data but only the recipient can decrypt data which has been encrypted using the public encryption key.
A communication system could be envisaged in which every user is provided with such a pair of keys, and in setting up a communication between a pair of users each sends the other its encryption key whilst keeping its decryption key secret. However, there is widespread public concern that the use of such techniques on a telecommunications network would allow criminals or terrorists to communicate using completely secure communications, free from any possibility of supervision.
It has been proposed to hold the keys in a remote “trusted third party” database. An example of such an arrangement is described in “Security measures in communication networks”, K. Presttun, Electrical Communication, 1986, Vol 60, No. 1 pp 63-70. The keys for two users (user A and user B) are distributed from a remote key distribution centre as a common, masked message, which is firstly sent to user A, where the key for user A is stripped out, and then from user A to user B, to provide the key to user B.
In our GB 96 11411.1 (and corresponding U.S. Ser. No. 08/866 912) there is described an end-to-end encryption and decryption scheme in which the terminal keys that are stored in the terminals are held additionally in a remote “trusted third party” database. In order to set up an encrypted transmission between a first and a second terminal, each of them is provided from the remote location with a partial key which contains masked data concerning the key of the other terminal, derived from the stored data in the database. As a result, both terminals can be provided with data that, in combination with their own key stored at the terminal, enables them each to set up a common secret code which can be used for end-to-end encryption and decryption through the network.
A difficulty with the prior-referenced “trusted third party” databases arises when it is desired to set up secure conference calls between three or more terminals. Each terminal needs to be provided with masked data concerning all the keys of the other terminals participating in the conference call so that they can each establish a common code, with the result that the partial keys and the final encryption code become long and cumbersome in proportion to the number of participants. Also, the risk of the code being ascertained by eavesdropping on the long partial keys is increased.
The present invention provides a solution to these problems. The invention provides a method of distributing, through a communications network, enciphering key data to be used in encrypting and decrypting data at first and second terminals so as to provide secure data transmission between the terminals through the network, the terminals each storing corresponding first and second terminal keys, the method comprising: storing the first and second keys remotely of the terminals; generating, at a location remote from both of the terminals, first and second separate partial keys, each as a masked function of a common number and a corresponding one of said separately stored keys; dispatching the first partial key separately towards the first terminal; and dispatching the second partial key separately towards the second terminal.
The invention also provides a method of setting up a first terminal that stores an individual terminal key, to encrypt data to be transmitted according to a secure encryption code through a communications network to a second terminal where the data is to be decrypted, comprising receiving at the first terminal a partial key dispatched thereto through the network from a remote location, the partial key being a masked function of the individual terminal key and a number for determining the encryption code, and comparing at the terminal the received partial key and the stored key so as to provide the encryption code.
The invention also extends to a method of setting up a second terminal that stores an individual terminal key, to decrypt data transmitted thereto according to a secure encryption code through a communications network from a first terminal where the data is encrypted, comprising receiving at the second terminal a partial key dispatched thereto through the network from a remote location, the partial key being a masked function of the individual terminal key and a number for determining the code, and comparing at the second terminal the received partial key and the stored key so as to provide data for decrypting the code.
Thus, in accordance with the invention, each terminal is provided with a partial key from the remote location that includes masked data concerning the terminal key of the terminal itself, without needing the key of any other terminal, so that the protocol can readily be expanded from communications between two terminals to large numbers of terminals in conference calls without lengthening the partial keys.
One or more additional terminals may join in a call whilst it is in progress, either to expand a normal two party call into a three party conference call or to increase the number of parties in a conference call. To this end, the joining party is sent a masked version of its key so that it can determine the code, together with the frame number for the data transmission that is going on between the parties, so that the joining party can join in the transmitted data flow.
The invention is envisaged for use in satellite mobile digital communications systems, and is also useful in corresponding terrestrial digital mobile communication systems (e.g. in cellular systems such as the GSM system), or in fixed link communication systems. The invention may also be practised in store-and-forward communication systems such as e-mail or the Internet.