1. Field of Invention
The present invention relates generally to the field of wireless communication and data networks and more particularly, in one exemplary aspect, to third-party access control in wireless communication and data networks, which provides a third-party operator with the ability to enable and disable user access to a network while protecting the privacy rights of the users.
2. Description of Related Technology
Universal Mobile Telecommunications System (UMTS) is an exemplary implementation of a “third-generation” or “3G” cellular telephone technology. The UMTS standard is specified by a collaborative body referred to as the 3rd Generation Partnership Project (3GPP). The 3GPP has adopted UMTS as a 3G cellular radio system targeted for inter alia European markets, in response to requirements set forth by the International Telecommunications Union (ITU). The ITU standardizes and regulates international radio and telecommunications. Enhancements to UMTS will support future evolution to fourth generation (4G) technology.
UMTS networks are separated into three (3) distinct sub-systems, the User Equipment (UE), the Access Network (AN), and the Core Network (CN). The UE (e.g., mobile device or cellular phone) is used by the subscriber to access the network, and is considered the origination point of radio access. The Access Network is comprised of two entities: the Base Transceiver Station (BTS) also referred to as a NodeB, and the Base Station Controller (BSC) also referred to as a Radio Network Controller (RNC). The Access Network can be more generally characterized as the endpoint of radio access. The Access Network interfaces to the Core Network, which manages network administration, such as mobility management, authentication, authorization, accounting, call control, switching, routing, etc.
At 3GPP (3rd Generation Partnership Project), a study is being conducted to develop concepts for supporting the application of Home NodeBs (HNBs) or “femtocells” for 3G networks; i.e., UMTS based on CDMA and LTE (Long Term Evolution). Femtocell deployment could greatly improve the Access Network coverage, at reasonable cost to the network operator. Furthermore, a HNB femtocell could be deployed as an alternative to WiFi and unlicensed mobile access (UMA). The 3G HNB or femtocell base station enables cellular operators to allow customers to use existing and future standard cellular handsets and other devices.
FIG. 1 illustrates a typical UMTS cellular system 100. The Access Network comprises a plurality of base station towers or NodeBs 102 that are set at fixed geographic locations. Their wireless coverage is indicated by the dotted areas 104. Unlike the NodeBs 102, a HNB (femtocell) 112 is not necessarily geographically fixed and creates overlapping wireless coverage as indicated by the dotted areas 114 of FIG. 1. The Core Network 106 (which is not illustrated in its full complexity) includes a number of different components and logical entities, and governs the operation of the NodeBs 102. It is assumed that the HNBs 112 may be operating as a UMTS NodeB or Enhanced NodeB (eNodeB) and that the surrounding NodeBs 102 and HNBs 112 are operating as UMTS NodeBs or eNodeBs. A UE 108 is served by either the NodeB 102 or the HNB 112, and can switch between the two via a well known handoff procedure.
A considerable capital expenditure for network operators is associated with the deployment of additional fixed base stations. Unlike base stations, femtocells are typically paid for by customers wishing to improve service and/or localized reception. Therefore, the intended mode of operation for the HNB femtocell is to augment the service provider's existing network of base stations by connecting to the service provider's network via a broadband interface (such as DSL or DOCSIS cable modem). Due to the smaller size and cost of an HNB femtocell, they can be distributed in areas which are not feasible for service through standard base station deployment (e.g., extension of indoor service coverage, or for temporary service coverage).
With the convergence of WiFi, VoIP and fixed (e.g., circuit-switched PSTN) telephony within the home, mobile operators are also seeking a way to increase their share of the residential calls market. In one approach, a HNB femtocell could support cellular calls locally, and then use a broadband connection to carry traffic to the operator's Core Network. Another distinct advantage of femtocell deployment over other user managed networks (such as WLAN, WiMAX, etc.) is that femtocells offer seamless integration with current cellular network base stations.
The benefits of HNB deployment are shared between the user and the network. From the customer's perspective, a home base station (femtocell) offers the benefit of using a single mobile handset with a built-in personal phonebook for all calls, whether from home or elsewhere. Ideally, client devices (such as a UMTS phone) may transition freely between a HNB and a base station (without pre-stored network configuration) transparently to the user. This feature enables operation with all existing and future handsets, rather than requiring customers to upgrade to expensive dual-mode devices. Flexible usage, low cost, and increased network coverage and capacity for end users are the key benefits for customers seeking to deploy HNB femtocells.
Base station networks are planned and deployed by a network operator; however, femtocell deployment is accomplished by a user, and can be temporary and/or arbitrary in nature, which can create additional implementation problems for network operators. Furthermore, while the HNB femtocell performs similar functions to the Access Network, it is owned and managed by a home operator. Nonetheless, certain functions (e.g. network access, security, authorization, etc.) must remain under the control of the Core Network.
Additionally, a desirable implementation for a HNB enables additional user access control capabilities, to allow the home operator to moderate HNB usage. In one example, access to a HNB is allowed for a closed user group only; e.g. employees of a company, or family members within a residence. In another example, access to a HNB could be granted to a UE, pending authorization by the HNB owner.
Next Generation Networking (NGN) is another ongoing ITU topic of research and standardization for system architecture. Next Generation Networking broadly describes requirements for evolution of future communications systems and architectures. The main elements of NGN are: (i) packet-based networking capable of providing telecommunication services; (ii) multiple broadband Quality-of-Service (QoS) enabled transport technologies; and (iii) unrestricted access by users to different service providers. NGN defines “access independence” as a separation between transport technology and Core Network services. The decoupling of NGN Core Network components and procedures from the subtleties of access technology enables a user to employ a single identity across multiple transport technologies, e.g. WLAN, UMTS, etc.
In light of NGN standardization, the 3GPP has active research and development efforts to standardize Release 6 (WLAN/3GPP interworking); Release 6 allows 3GPP terminals to access a 3GPP IP Multimedia Subsystem (IMS) via WLAN. Wireless Local Area Network (WLAN) access is a wireless standard defined by IEEE Std. 802.11 that governs the communication of devices over a 5 GHz and/or 2.4 GHz public spectrum. WLAN is subdivided into Interworking WLAN (iWLAN) and “plain user” WLAN. Plain user WLAN is used to generically describe a privately owned WLAN access point (e.g., an AP at a residence or small business). Interworking WLAN combines a traditional WLAN access point, with additional existing 3GPP Core Network functionality, to offer a single universal user identity between UMTS and WLAN access.
WLAN was originally designed for generic wireless local area networking, and does not require any network infrastructure. WLAN could originally support simple network topologies, including peer-to-peer “ad-hoc” networks. In such simple ad-hoc networks, communication links are established directly from one wireless device, to another, without involving intermediate access points. The iWLAN network infrastructure is correspondingly more complex, as it must incorporate 3GPP Core Network entity access, to support authorization, authentication and access control. The additional complexity of iWLAN networking enables future NGN evolution toward ubiquitous, secure network service for subscribers, via 3GPP IP Access.
Referring to FIG. 2, the exemplary iWLAN network 200 comprises a WLAN UE 202, WLAN Access Network (WLAN AN) 204, 3GPP Authentication, Authorization and Accounting (AAA) Server 206, and a Packet Data Gateway (PDG) 208. The PDG 208 enables WLAN 3GPP IP Access to External IP networks (Packet Switched Services) 210 (pending authorization of the 3GPP AAA server). The WLAN Access Network 204 includes WLAN access points, routers, and intermediate AAA elements. The WLAN User Equipment 202 (WLAN UE) includes all equipment that is in possession of the end user.
Access control in an iWLAN system requires the WLAN UE 202 to authenticate and register with the Core Network via the 3GPP AAA Server 206 to obtain 3GPP IP Access 210. Service authentication and authorization is accomplished using the 3GPP (U)SIM (subscriber identity module) based protocol described hereafter. Unlike the Access Network of a UMTS system, which shares common messaging with the Core Network, the WLAN UE must establish one or more secure tunnels (e.g., VPN) with the 3GPP Network, and access the Core Network entities using TCP/IP protocols (e.g., IPv4, IPv6, etc.).
Similar to HNBs, WLAN APs (Access Points) are typically purchased for residential or business usage, and are administered by the owner. Due to the structural similarity of Release 6 to the Access Network/Core Network of UMTS, additional user access control capabilities which allow the iWLAN home operator to moderate usage are desirable. Furthermore, the access independence of iWLAN ensures that similar modifications to access control methods for 3G cellular systems can also be used for iWLAN networks.
Prior Art Access Control
In the exemplary context of 3G cellular networks, access control has been based on an authentication protocol called Authentication and Key Agreement (AKA). AKA is a challenge-response based mechanism that uses symmetric cryptography. In the UMTS implementation of AKA, the user equipment (UE) must first identify itself before the Core Network can initiate the challenge-response; the Core Network will then initiate a challenge process to the UMTS Subscriber Identity Module (USIM), which is preprogrammed with the AKA response protocol.
The USIM application is resident to the UE, and it comprises the hardware and software apparatus required to unambiguously and securely identify the user to the network. The USIM application resides on a smart card that can be inserted or removed from the mobile device and contains, inter alia, the permanent identity of the user, called the International Mobile Subscriber Identity (IMSI), and a shared secret key (used for authentication). The smart card is generally referred to as the UMTS Integrated Circuit Card (UICC). The USIM on the UICC card is provided by the service provider; hence even if the UICC card is moved from one UE to another, the service provider and service configuration remain the same. The importance of the IMSI identification to user privacy imposes specific protection measures, such that the subscriber identity is masked whenever possible.
Unlike other UTRAN fixtures, a HNB is not completely controlled by the network operator. The typical operators of HNBs are residential and small business owners who wish to augment their current wireless area network service. In order to maintain a consistent level of security across the network, network operators require that HNBs support the same standard of service as a NodeB. Therefore, due to the non-technical nature of the HNB operator, a design constraint on the usability of the user interface (e.g., does not require technical knowledge, does not require undue effort for administration, etc.) for access control is required. Furthermore, as mentioned before, the sensitive nature of a UE's permanent identity (i.e. IMSI) must be shielded from the owner of the HNB, to protect the privacy of the user.
An exemplary LTE authentication and security setup procedure is shown in FIG. 3. UMTS network control messaging can be divided into Access Stratum (AS) and Non-Access Stratum (NAS). AS refers generally to the lower-level network functions which comprise data carrying capacity and radio resource control; AS functions include but are not limited to Media Access Control (MAC), Radio Link Control (RLC), Broadcast/Multicast Control (BMC), and Radio Resource Control (RRC). NAS refers generally to higher-level network functions, including but not limited to: Call Control (CC), Session Management (SM), Supplementary Service (SS), Short Messaging Service (SMS), Mobility Management (MM), etc. Core Network services such as authentication and registration are handled in NAS messaging; Access Network services and messaging are categorized as AS messaging.
Referring to the sequence of steps 300 of FIG. 3, the UE requests access using a non-access stratum (NAS) message 302 comprising the IMSI/TMSI, a Key Set Identifier (KSI), and UE capabilities; this message is forwarded to the Mobility Management Entity (MME) via the NodeB 304 (the NodeB does not process the message). The MME identifies the user with the use of the encrypted IMSI/TMSI. Under certain conditions (e.g., if the user has not been authenticated), the MME will require an authentication and key agreement (AKA) to complete successfully 306.
After the UE and MME have completed the AKA, and mutual authentication has completed, the MME updates the Home Location Register (HLR), and initiates local security activation procedures. The MME selects UMTS encryption algorithms (UEA) and UMTS integrity algorithms (UIA), and generates a series of encryption keys. In step 308, the MME sends a Security Mode Command (SMC) to the NodeB comprising the selected UEA, UE capabilities, KSI, and a NAS Message Authentication Code (MAC); the NodeB forwards the NAS SMC to the UE 310, and an acknowledgement to the MME 312. After the UE has completed NAS-MAC verification, and initialized security integrity and encryption procedures, the UE completes NAS SMC signaling with the MME 314, and local security procedures are completed.
Once local security procedures have correctly finished, the UE and NodeB must complete Access Stratum setup. After the AS SMC has completed, the UE and NodeB can initiate data and call control, normal call initiation and call processing safely and securely.
Referring now to steps 302, 304, and 306, a key security/privacy risk is the transfer of the International Mobile Subscriber Identity. The IMSI consists of Mobile Country Code (MCC), a Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN). The total maximum length of IMSI is fifteen (15) digits, where the MCC is three (3) digits and MNC is typically two or three (2 or 3) digits depending on the area. From a subscriber's privacy point of view, the MSIN uniquely identifies the subscriber and thus must be protected for confidentiality reasons. Unfortunately, the subscriber's credentials cannot be fetched before the subscriber has been properly identified. With the 3G AKA authentication method the network cannot be authenticated (from the UE's point of view) before the UE has provided its own identification. Furthermore, because the UE must transmit its IMSI across the air interface, the UE must be able to reject plain text IMSI queries coming from an untrustworthy source. Additionally, public key cryptography or symmetric keys may be used to hide the IMSI.
Securing the IMSI over the air interfaces can be achieved if the UE has a public key (or symmetric key), which it can use to encrypt (at least the MSIN of) the IMSI before sending it to the network. In a public key based approach, the UE uses a public key of the operator to encrypt the IMSI for secure transmission over the air. Only the originator of the public key may decrypt the message, and corresponding IMSI.
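As an added example (not part of the patent text), the following Go program models the IMSI structure from the paragraph above and the public-key approach just described: the UE encrypts the MSIN under the operator's public key, leaving MCC and MNC readable for routing, so an intermediate node such as an HNB sees only ciphertext for the subscriber part. The MNC length parameter, the choice of RSA-OAEP and the sample IMSI are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// IMSI holds the three fields described in the text: MCC (3 digits),
// MNC (2 or 3 digits, depending on the region) and MSIN (the subscriber part).
type IMSI struct {
	MCC, MNC, MSIN string
}

// ParseIMSI splits a digit string into MCC/MNC/MSIN. The MNC length is supplied
// by the caller (an assumption of this example; in a real network it is known
// from the MCC). Total length is capped at 15 digits as the text states.
func ParseIMSI(s string, mncLen int) (IMSI, error) {
	if mncLen != 2 && mncLen != 3 {
		return IMSI{}, errors.New("MNC must be 2 or 3 digits")
	}
	if len(s) < 3+mncLen+1 || len(s) > 15 {
		return IMSI{}, errors.New("IMSI must be between MCC+MNC+1 and 15 digits")
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return IMSI{}, errors.New("IMSI must contain only digits")
		}
	}
	return IMSI{MCC: s[:3], MNC: s[3 : 3+mncLen], MSIN: s[3+mncLen:]}, nil
}

// ProtectedIMSI is what the UE sends over the air: the routing part (MCC, MNC)
// in the clear so the message reaches the right operator, and the MSIN
// encrypted under that operator's public key.
type ProtectedIMSI struct {
	MCC, MNC      string
	EncryptedMSIN []byte
}

// oaepLabel binds the ciphertext to this use; it must match on decryption.
var oaepLabel = []byte("imsi-msin")

// ProtectIMSI encrypts the MSIN with RSA-OAEP. OAEP is randomized, so the
// ciphertext differs on every attach: an HNB sees neither the MSIN nor a
// stable value it could use as an identifier (the limitation noted in the text).
func ProtectIMSI(im IMSI, operatorPub *rsa.PublicKey) (ProtectedIMSI, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, []byte(im.MSIN), oaepLabel)
	if err != nil {
		return ProtectedIMSI{}, err
	}
	return ProtectedIMSI{MCC: im.MCC, MNC: im.MNC, EncryptedMSIN: ct}, nil
}

// RecoverIMSI is the operator-side step: only the holder of the private key
// can decrypt the MSIN and rebuild the full IMSI.
func RecoverIMSI(p ProtectedIMSI, operatorPriv *rsa.PrivateKey) (IMSI, error) {
	msin, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, p.EncryptedMSIN, oaepLabel)
	if err != nil {
		return IMSI{}, err
	}
	return IMSI{MCC: p.MCC, MNC: p.MNC, MSIN: string(msin)}, nil
}

func main() {
	// Constructed sample: a 15-digit IMSI with a 2-digit MNC, not a real subscriber.
	operatorPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	im, err := ParseIMSI("310150123456789", 2)
	if err != nil {
		panic(err)
	}
	p, err := ProtectIMSI(im, &operatorPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("HNB sees: MCC=%s MNC=%s MSIN=<%d bytes of ciphertext>\n", p.MCC, p.MNC, len(p.EncryptedMSIN))
	back, err := RecoverIMSI(p, operatorPriv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Operator recovers: %s%s%s\n", back.MCC, back.MNC, back.MSIN)
}
```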
As an alternative to the IMSI, a temporary identity called the TMSI is used in UMTS if the subscriber is already known in the network. The TMSI is allocated by the network immediately after AKA, and is used thereafter for UE identification. The TMSI is a randomly allocated number that is only local to a geographic area. Furthermore, the network frequently changes the TMSI at arbitrary intervals in order to prevent the subscriber from being identified and tracked by eavesdroppers on the radio interface. While the TMSI provides additional privacy to a user, as mentioned above, the TMSI may only be granted after the IMSI has initially passed the AKA correctly. Therefore, even though the TMSI can minimize IMSI exposure after AKA, since the IMSI is the unique identifier for the UE it is vulnerable during the initial AKA.
Unlike traditional NodeBs which do not implement access control locally (access control is done at the Core Network), HNBs implement an additional level of access control. A public key encrypted IMSI cannot be used by the HNB to identify a user (it is encrypted). The TMSI is also unsatisfactory, as it is a temporary identifier and is changed arbitrarily, and frequently. HNB access control requires the UE's IMSI, but must be implemented in a manner which minimizes UE plaintext IMSI transfers.
Other Prior Art Approaches
Various other approaches to network access control are evidenced in the prior art. For example, U.S. Pat. No. 5,444,764 to Galecki issued Aug. 22, 1995 entitled “Method of providing a subscription lock to a radiotelephone system” discloses a radiotelephone system which includes a radiotelephone having a subscription lock and a removable subscriber identification module (SIM) card containing an international mobile subscriber identification (IMSI). The subscriber lock is used to restrict registration into the radiotelephone system to only those radiotelephones which contain a SIM card which has an IMSI which falls within a range of valid IMSIs programmed into the radiotelephone or the user has entered a subsidy flag personal identification number (PIN) for permanently disabling the need for a valid IMSI.
WIPO Publication No. WO1998015154 to Karapetkov et al. published Sep. 4, 1998 entitled “Process for controlling access for a communication terminal” discloses a process for controlling access for a communication terminal which is registered with different identities in two mobile networks operating with two different technologies. According to the invention, when an attempt is made to access one of the mobile networks, a check is made to see whether the communication terminal has access authorization for that particular mobile network, and also whether the communication terminal has the identity necessary to access the other mobile network. If this identity is not contained in the communication terminal, access for incoming or for incoming and outgoing calls is denied.
U.S. Pat. No. 5,940,773 to Barvesten issued Aug. 17, 1999 entitled “Access controlled terminal and method for rendering communication services” discloses an arrangement for rendering services such as, for example, telephone communication, data communication and so on, comprising a terminal unit and an access unit. The terminal unit comprises a terminal-unit-identification code which is stored in the terminal unit, and the access unit comprises a first access identification code; the terminal unit as well as the access unit are lockable. In the terminal unit are furthermore stored first access identification codes for a given number of access units. Upon starting up the device, involving contact between the terminal unit and the actual access unit with a certain access unit identification code, the identification code of the access unit is compared to the first access identification code(s) stored in the terminal unit; correspondence between a stored access identification code and the actual access unit identification code leads to unlocking of the terminal unit, whereas upon non-correspondence between the stored and actual access unit identification codes at least the terminal unit identification code must be given.
United States Patent Publication No. 20050164738 to Liu published Jul. 28, 2005 entitled “Systems and methods for securing personal or private content stored in the internal memory of a mobile terminal” discloses mobile terminals, such as cell phones, having an internal memory and operating in a GSM wireless network environment with a SIM, store private content such as images, ring tones, buddy lists, email and the like, in the terminal memory. The private content is associated with the IMSI/MSISDN information of the content owner. The terminal correlates the IMSI/MSISDN information of the SIM with the IMSI/MSISDN information of the private content to grant access to the content only upon a positive content/SIM correlation.
United States Patent Publication No. 20070008885 to Bonner published Jan. 11, 2007 entitled “Dynamic dual-mode service access control, location-based billing, and E911 mechanisms” discloses an architecture that facilitates the validation and authentication of the physical location of the dual-mode handset in a VoWLAN solution (e.g., UMA (Unlicensed Mobile Access)) system and a cellular wireless service, thereby restricting the handset from gaining access from unauthorized locations. Thus, access to dual-mode service (e.g., UMA), for example, at a particular location (e.g., in a subscriber's home, or in a hot spot that is controlled by a carrier) can now be managed to allow or deny service at a certain location. Another aspect of the invention is the capability to perform location-based billing. For example, if the subscriber is at home, the call may be free. Alternatively, if the subscriber is at a remote location (e.g., a retail establishment), it is now possible to charge for that connection at a different fee. Additionally, a location can now be assigned; for example, to assign a location for E911 compliance.
United States Patent Publication No. 20070096869 to Trohier published May 3, 2007 entitled, “Work time recording system and method for recording work time” discloses a method and a system for work time recording in which a data recording client records biometric data and/or data on physical condition of the user, and transmits it together with the user data over a first communication channel to the central unit. The user is identified based on the transmitted biometric data and/or data on physical condition and biometric data and/or data on physical condition of users stored in the user database. The analyzed data are transmitted to a remuneration recording module, and are evaluated and/or checked by means of the remuneration recording module.
WIPO Publication No. WO2007076147 to Linkola published May 7, 2007 entitled “System and method for limiting access to an IP-based wireless telecommunications network based on access point IP address and/or MAC address” discloses a system and method which manages call connections between mobile subscribers and an IP-based wireless telecommunications network through a wireless access point. Communications between the mobile subscribers and the IP-based wireless telecommunications network are initiated by a registration request. During the registration request various identifiers (IMSI, MAC address, IP Address, etc.) are communicated to the system. The system is arranged to log the identifiers and associate those identifiers with the entry point (e.g., the wireless access point) into the IP-based wireless network. Call connections from the mobile subscribers are monitored for various throughput and call quality based metrics. Call handoffs between the IP-based wireless communications network and the cellular telephony network are managed by the system based on the monitored call quality and throughput metrics on a per-access point basis using the registered identifiers.
Korean Patent Publication No. KR 10-20060017142 entitled “Terminal identification method for interworking between a portable internet network and the other network, capable of identifying the terminal through a consistent method with an existing network by mapping an MAC address” published Feb. 23, 2006 discloses the mapping of a MAC (medium access control) address in IMSI type to generate an IMSI number. Another network identifies the terminal by using the generated IMSI number.
Despite the foregoing various approaches to network access control, improved methods and apparatus are needed to address the various drawbacks and shortcomings present in these prior art solutions for providing access control, and issues related to inter alia security and authentication procedures, especially as they apply to an HNB. These issues include the protection of subscriber identity specific information from the third party operator, which also needs to be kept confidential from the provider of the HNB.
Specifically, the HNB requires the IMSI of the user for consistent access control. However, it is possible that with knowledge of a user's IMSI, the user's location could be tracked. Furthermore, because the IMSI is unique and static to each user, using IMSI data collected in the past, a user's history could be tracked. Therefore the owner/operator of a HNB should preferably not be made aware of the user's IMSI (MSIN) in order to ensure the user's privacy and confidentiality when the user is not using the HNB.
Second, confidential IMSI protection in wireless networks is currently evolving, and future modifications to IMSI protection and processes are inevitable. Therefore, any future confidential protection mechanisms should take into account future privacy concerns so that in the future, current access control schemes do not cause future IMSI based HNB access control schemes to fail.
Third, the IMSI is a unique user ID for the network, but it is not intuitive to handle for a HNB owner. It is unlikely that the HNB owner would recognize a user requesting access based on their unique 15 digit IMSI. Nor is it likely that the HNB owner would be able to keep track of IMSIs for managing access control. Unfortunately, there are no other such reliable User IDs to be used for access control in current mobile networks. Accordingly, a simplified User ID for use in HNB is desirable.
Additionally, such improved methods and apparatus for providing access control with a closed user group would enable access control that can easily be performed by the owner of a HNB, without neglecting privacy issues of the users attempting to gain access to the closed user group.
Further, such methods and apparatus would ultimately provide a simple control and management scheme for a non-technical operator using an apparatus providing network accessibility, allowing for the creation and/or management of a group of users, as well as adding and/or removing users to/from a group, and authentication of the served users to the existing network infrastructure while complying with the network operator's requirements for user security.
In addition, such improved methods and apparatus would have broad application beyond the scope of just the HNB, as well as applicability in other network architectures such as, for example, user authentication and registration with a third-party owned WLAN hotspot.
Such improved methods and apparatus would also preferably provide access appropriately in emergency situations, such as for example permitting a user who is blocked in a closed user group iWLAN area to establish an emergency call. With current access control methods e.g., 802.1x or MAC filtering, even the first hop (over the air) would be denied before the terminal is able to signal that it wants to establish an emergency call. Such an access control scheme may be prohibited by law for semipublic usage if non-authenticated users were prevented from making calls in emergency situations.