As part of the Universal Mobile Telecommunications Systems (UMTS), Internet based multimedia services are developed in order to enhance the implementation capability of the UMTS mobile radio system and to extend the areas of application.
In the 3GPP (3rd Generation Partnership Project) a so-called IP-based Multimedia Subsystem (IMS), which is described in the UMTS Release 5—Architecture, was standardized as a platform for Internet based multimedia services for a mobile radio system.
If a mobile radio terminal of a mobile radio subscriber logs on to a communications network in a mobile radio system with IMS in order to make use of Internet based multimedia services, an authentication procedure is carried out for the mobile radio terminal in accordance with the IMS Authentication and Key Agreement Protocol (IMS AKA Protocol), as described in the 3GPP standard 3GPP TS 33.203 V5.3.0—Technical Specification, 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Access security for IP-based services (Release 5).
In accordance with the IMS AKA Protocol, the mobile radio terminal and the communications network, in whose range the mobile radio terminal is currently sited, authenticate each other and two cryptographic keys are generated, the so-called integrity key and the so-called transfer key. In accordance with UMTS Release 5, to protect the IMS signaling the integrity key is used between the mobile radio terminal and a computer of the visited communications network (Visited Network). The computer of the visited communications network is set up as a Call State Control Function Computer (CSCF Computer) and is called a Proxy CSCF Computer (P-CSCF Computer). The transfer key is used for encryption, i.e. to protect the confidentiality of the data exchanged.
In addition to using the integrity keys to protect the IMS Signaling messages, it can be specified that when IP based services are to be provided, additional electronic messages are to be exchanged in a confidential manner between an application server computer and the mobile radio terminal.
In this description an application server computer on the network side is in particular a computer that offers services in accordance with a service provided on the application layer (OSI layer 7), preferably multimedia services, and that communicates in accordance with a layer 7 protocol, i.e. an application layer protocol. The application server computer can, for example, be equipped as an HTTP server computer (Hypertext Transfer Protocol) and can communicate with the mobile radio terminal in accordance with the HTTP protocol.
Over and above the basic functionality of the IMS, application server computers are used, for example, for the administration of network side user settings and to store and manage profile data relating to the mobile radio system subscribers.
Some examples of such applications between mobile users (in particular those using an IMS mobile radio system) and application server computers in the communications network, which use the HTTP protocol, are: access lists on presence servers, with which lists it is possible to use position information about the current position of a mobile radio terminal within the mobile radio system (for example, GPS data); buddy lists of chat applications, i.e. lists of authorized subscribers for a chat application; group management services; and settings for electronic multimedia conferences.
As a further example of such an application, multicast connections between a mobile radio terminal and a multicast service center are set up using the IMS system.
In order to cryptographically secure the protocols used between the mobile radio terminal and the application server computer, their messages must be protected with respect to, for example, authentication, data integrity and/or data confidentiality.
Depending on the actual implementation scenario and the application layer protocol used, different security protocols are used to secure the application layer protocol, for example: for HTTP, the security protocol HTTP Digest, the TLS protocol (Transport Layer Security Protocol) or WTLS (Wireless Transport Layer Security Protocol); and for allocating keys for multicast communication links, MIKEY (Multimedia Internet KEYing).
With all cryptographic application layer protocols, the communication partners involved, in particular, the mobile radio terminal and the application server computer, i.e. the application server computer in the communications network, must have secret key material, i.e. secret keys, which material is available right from the start of the transmission of the first secured electronic message.
In the case of the IMS, the key infrastructure is based on symmetrical keys used to authenticate the IMS users as part of the IMS registration procedure, i.e. as part of the authentication and key exchange protocol described in 3GPP TS 33.203 V5.3.0—Technical Specification, 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Access security for IP-based services (Release 5).
As described in 3GPP TS 33.203 V5.3.0, a mobile radio terminal registers in the IMS for an IMS communication session at its home communications network (Home Network) at the computer designated for this purpose, which computer is also called the S-CSCF computer (Serving Call State Control Function Computer).
The communication takes place using a local proxy computer, the above described P-CSCF computer, in the visited communications network, which represents the first IMS contact point for the mobile radio terminal and hence for the mobile user.
The authentication according to 3GPP TS 33.203 V5.3.0 takes place between the mobile radio terminal and the S-CSCF computer with the participation of a so-called HSS computer (Home Subscriber Server Computer). Within the course of the authentication, the integrity key and the transfer key are generated in the mobile radio terminal and in the HSS computer and transmitted in a cryptographically secure manner to the S-CSCF computer.
The integrity key is transmitted, cryptographically secured, from the S-CSCF computer to the P-CSCF computer. The integrity protection and the authenticity of the subsequent IMS related signaling messages are provided locally between the mobile radio terminal and the P-CSCF computer and are based on the integrity key. According to UMTS Release 5, the transfer key is not used at the moment, but there are plans to include the transfer key in future versions of the UMTS Standard (Release 6 and subsequent standards) in order to provide additional protection for the confidentiality of transmitted data.
A problem arises if the transfer key and the integrity key, which are created as session keys from an IMS AKA authentication and key generation, are used to secure applications other than IMS signaling.
The mobile radio terminal and the home communications network, in other words the user and the home communications network operator, are regarded as mutually trustworthy.
However, the visited communication network (in the case of roaming; where it is not a case of roaming, this corresponds to the home communications network) is given the integrity key and the transfer key. If an application server computer were also to be given the integrity key and the transfer key, then, theoretically, the application server computer would be able to compromise the security of the IMS signaling between the mobile radio terminal and the visited communications network.
Conversely, the visited communications network, i.e. a computer of the visited communications network, would be able to compromise the security of the communication between the mobile radio terminal and the application server computer if said security were to be based directly on the integrity key or the transfer key.
Where a mobile radio terminal wants to communicate with several application server computers at the same time, it is also desirable, and frequently even a requirement, that it is not possible to make inferences from the cryptographic key that has been given to a particular application server computer as to the cryptographic key that another application server computer has been given.
A possible method of solving the above described problem is to derive a new cryptographic key from the integrity key and/or the transfer key, and to do so both in the home communications network and in the mobile radio terminal of the user. An application server computer that receives the derived cryptographic key thus learns neither the integrity key nor the transfer key, provided that the cryptographic function used to derive the key does not allow the application server computer to make any meaningful inferences as to the integrity key and/or the transfer key.
The problem that arises with this method is that one needs a key derivation function that cannot be reconstructed by the computer of the visited communications network. A so-called keyed hash, which uses, for example, the integrity key or the transfer key as input parameter and the random parameter generated within the course of the authentication carried out in accordance with 3GPP TS 33.203 V5.3.0 as random value, can also be calculated by the computer in the visited communications network.
A new random parameter agreed between the mobile radio terminal of the user and the home communications network for the purposes of key derivation could only be achieved by making a modification to existing communications or security protocols, i.e. by a modification, for example, to the IMS AKA protocol or in the communication between the S-CSCF computer and the HSS computer.
However, such a modification should be avoided, since there is no simple way to modify existing communications standards or security standards and doing so is thus very cost intensive.
For an overview of the security mechanisms provided in the UMTS Standard Release 5, see G. Horn, D. Kroselberg, K. Müller: Security for IP multimedia services in the 3GPP third generation mobile system, Proceedings of the Third International Networking Conference INC 2002, Pages 503 to 512, Plymouth, UK, 16-18 July 2002.
The message authentication functions and key generation functions used as part of the IMS AKA protocol are described in 3GPP TS 35.205 V5.0.0—Technical Specification, 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*, Document 1: General (Release 5) and 3GPP TS 35.206 V5.0.0—Technical Specification, 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*, Document 2: Algorithm Specification (Release 5). Further, a block cipher encryption function, known as Rijndael function, is described in 3GPP TS 35.206 V5.0.0.
For an overview of various key derivation functions, see IST-2000-25350—SHAMAN, D13—WP1 contribution, Final technical report comprising the complete technical results, specification and conclusion, Chapter 4.7, Pages 114 to 122, November 2002.
A further key derivation method is described in D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, Pages 17 to 19, November 1998.
A radio communication device and a method for radio communication are known from EP 1 156 694 A1, which enable a mobile device to provide an encryption function and also an integration function on the data transmission levels two or higher. To this end the mobile terminal has an encryption or integrity unit, which is switched between a radio communication control unit and a terminal multiplexer. Thereby, the encryption integrity processing unit only carries out an encryption processing action on so-called transparent data, such as, for example, speech data transmitted between the terminal multiplexer and the radio communication unit. Further, the encryption integrity processing unit carries out encryption and/or integrity processing on non-transparent data transmitted to and from the radio communication control device.
The problem of how to increase the cryptographic security in a mobile radio system forms the basis of the invention.
The problem is solved by the method for creating and distributing cryptographic keys in a mobile radio system and by the mobile radio system with features in accordance with the independent patent claims.
A method for creating and distributing cryptographic keys in a mobile radio system assumes at least one mobile radio system with one mobile radio terminal, one first computer, preferably a computer of a visited communications network (Visited Network), one computer of a home communications network (Home Network) and also at least one second computer, preferably set up as an application server computer. The at least one mobile radio terminal is placed preferably in the area of the visited communications network and has been authenticated vis-à-vis the home communications network and the visited communications network. In relation to this, one should note that the visited communications network and the home communications network can be identical. As part of the authentication process, authentication key materials were created, which materials are stored and available in the mobile radio terminal and in the computer of the home communications network. In the method, a first cryptographic key and a second cryptographic key are created by the mobile radio terminal and by the computer of the home communications network by using the authentication key materials. Thus the first key and the second key are each stored and available in the mobile radio terminal and in the computer of the home communications network.
Alternatively, the first and the second computers can both be set up as application server computers.
The first cryptographic key is transmitted, preferably by the computer of the home communications network (alternatively by the mobile radio terminal), to the first computer, preferably to the computer of the visited communications network. Further, the second cryptographic key is transmitted to the second computer, preferably to the application server computer, preferably by the computer of the home communications network, alternatively by the mobile radio terminal.
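The following Python sketch is an added example, not part of the original text. It shows why an application key formed as a keyed hash over the integrity key and the AKA random value can be recomputed by the visited network, and how deriving a first and a second key from material held only by the terminal and the home network keeps the visited network and the application servers apart. HMAC-SHA256, the label strings, the server identifiers and all key values are assumptions constructed for illustration; the text names no derivation function.

```python
import hashlib
import hmac

def kdf(secret: bytes, label: bytes, context: bytes) -> bytes:
    """One-way derivation; HMAC-SHA256 is an assumption, the text names no function."""
    return hmac.new(secret, label + b"\x00" + context, hashlib.sha256).digest()[:16]

# Constructed sample values, not real key material.
AUTH_MATERIAL = bytes.fromhex("00112233445566778899aabbccddeeff")  # terminal + home network only
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # AKA random value, seen in transit
IK = bytes.fromhex("a1a2a3a4a5a6a7a8b1b2b3b4b5b6b7b8")  # stand-in for the integrity key

def naive_app_key(ik: bytes, rand: bytes, app_id: bytes) -> bytes:
    """Keyed hash over IK and RAND: the derivation the visited network can repeat."""
    return kdf(ik, b"app:" + app_id, rand)

def derive_keys(auth_material: bytes, rand: bytes, app_id: bytes):
    """First key (visited network) and second key (one application server)."""
    first = kdf(auth_material, b"first-key", rand)
    second = kdf(auth_material, b"second-key:" + app_id, rand)
    return first, second

def computable_by(held_secrets, rand: bytes, app_id: bytes) -> set:
    """Keys a party can compute from the secrets it holds, knowing function and labels."""
    labels = (b"app:" + app_id, b"first-key", b"second-key:" + app_id)
    return {kdf(s, label, rand) for s in held_secrets for label in labels}

def demo():
    app = b"presence.example"  # hypothetical application server identifier
    # Case 1: application key derived from IK. The visited network holds IK and RAND.
    naive_exposed = naive_app_key(IK, RAND, app) in computable_by([IK], RAND, app)
    # Case 2: both keys derived from material the visited network never receives.
    first, second = derive_keys(AUTH_MATERIAL, RAND, app)
    second_exposed = second in computable_by([first], RAND, app)
    # The application server holds only the second key; it cannot reach the first.
    first_exposed = first in computable_by([second], RAND, app)
    # A second application server receives an unrelated key.
    _, other = derive_keys(AUTH_MATERIAL, RAND, b"chat.example")
    return naive_exposed, second_exposed, first_exposed, second != other

if __name__ == "__main__":
    print(demo())
```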
A mobile radio system has at least one mobile radio terminal, in which authentication key materials are stored, these being the result of an authentication between the mobile radio terminal and a computer of a home communications network of the mobile radio terminal. Further, the mobile radio system has a first computer, preferably a computer of a visited communications network, and also a computer of the home communications network. There are authentication key materials stored in the computer of the home communications network, likewise resulting from the authentication of the mobile radio terminal at the communications network. Furthermore, there is at least one second computer, preferably set up as an application server computer, in the mobile radio system. The mobile radio terminal is situated in the visited communications network. The mobile radio terminal and the computer of the home communications network each have a crypto unit to create respectively a first cryptographic key and a second cryptographic key using the authentication key materials. The computer of the visited communications network has, in addition, a memory for storing the first cryptographic key, which key has been transmitted to the computer by the mobile radio terminal or by the computer of the home communications network. In addition, the application server computer has a memory for storing the second cryptographic key, which key has been transmitted to the application server computer by the mobile radio terminal or by the computer of the home communications network.