It is known to use encryption in mobile communication systems. In other words, in order to enhance security, messages exchanged over the air-interface between a mobile station and a network entity of a mobile communication network are encrypted, such that the sending side uses an encryption key and the receiving side requires an appropriate key for decrypting the message and thereby discerning the message content. It should be noted that the present specification and claims shall use the term “key” or “encryption key” with respect to keys used both for encryption and decryption. It should also be noted that the term “network entity” shall be used for any network element or combination of network elements that fulfils a given function, such as the function of handling message exchanges with a mobile station. As such, a network entity can be provided by hardware, software or any combination of hardware and software, and can be implemented in one node of a mobile communication network, or spread out over several nodes.
In order to provide both the mobile station and the network entity with appropriate corresponding encryption keys, with which each respective element can decrypt messages received from the other, it is possible to generate one encryption key in one element, store it in that element, and then transmit it to the other element. However, this is highly disadvantageous, as it is possible that the encryption key sent over the air-interface is intercepted. Consequently it is preferred to implement respective and corresponding encryption key generation procedures in both the network entity and the mobile station, where corresponding encryption keys (which may be identical, or different from one another, depending on the encrypting scheme used) are respectively generated in parallel, such that the mobile station and the network entity can each on their own have corresponding or matching encryption keys. The correspondence between the encryption keys is ensured by using corresponding algorithms in the mobile station and network entity. This is well known and need not be described in more detail.
Furthermore, it is known to start the encryption key generation on the two respective sides using a common seed value, e.g. a regularly changed random or pseudo-random value broadcast by the mobile communication network to all network entities and listening mobile stations.
The generation of encryption keys is commonly performed at predetermined instances, for example when the mobile station registers with the mobile communication network. Usually the encryption keys are only generated at certain types of registrations, such as power-on, the transition from one switching entity (e.g. a mobile switching center MSC) to another, or forced registration, in which the network commands the mobile station to perform a registration.
The communication between a mobile station and a network entity is commonly arranged such that it will use a plurality of message exchange procedures in the course of which predetermined messages are exchanged between the network entity and the mobile station, the type and number of exchanged messages depending on the given message exchange procedure. Examples of message exchange procedures are a registration procedure, a link set-up procedure, a link configuration procedure, a call set-up procedure etc. For example, if the mobile station wishes to originate a call, it will send a predetermined call origination request to the network entity, and will then wait for a certain type of response message. In other words, the mobile station will wait for a precise and expected type of response from among a limited number of possible responses, e.g. one that confirms the receipt of the origination request, or one that provides call establishment information, etc. Messages not belonging to the limited group of expected responses will be ignored and the entity will continue to wait for an expected message. Usually, a time-out feature will also be implemented, according to which the mobile station only waits for a predetermined time-out period. After the time-out period expires, the mobile station can e.g. repeat the request, or enter an idle mode and indicate a corresponding failure to the user of the mobile station, e.g. a call establishment failure in the above mentioned example of initially sending a call set-up request.
The message exchange procedures can be such that some or all exchanged messages in a given procedure are encrypted. It may be noted that the term “encrypted message” refers to any message of which at least a part is encrypted. For example, an encrypted message can be a message that contains a (first) unencrypted part and a (second) encrypted or encryptable part. As an example, a message could be contained in one or more packets, each having a header and a payload section, where the header is not encrypted and the payload section is.
An example of rules governing the use of encryption in the communication between a mobile station and the network entity of a mobile communication network is provided by standard TIA/EIA-136 published by the Telecommunication Industry Association. In TIA/EIA-136 a mode called enhanced privacy and encryption (EPE) is provided, which is an authentication-related capability that adds confidentiality to signals transmitted over a time division multiple access (TDMA) digital channel between a base station of a mobile communication network and a mobile station. The encryption, if supported by the network entity and the mobile station, is mandatory and is automatically activated, pending handshaking procedures between the mobile station and base station. TIA/EIA-136 specifies that with EPE, encryption is automatically activated after authentication is complete if both the mobile station and the system support the feature. TIA/EIA-136 further specifies that support for EPE is mandatory for mobile stations that adhere to protocol version 4, but mobile stations that adhere to lower protocol versions may also support EPE.
The type of encryption applied, together with the type of data encrypted, is controlled and authorized by means of encryption domains. Encryption domains define the level and type of encryption desired, the manner in which the encryption shall be applied and the data eligible for encryption. The encryption domain identifies the portion of FACCH/SACCH (Fast Associated Control Channel/Slow Associated Control Channel) messages on digital or analogue channels that are subject to encryption, together with the encryption algorithm to be applied. Previously, for the introduction of EPE, a single encryption domain had been defined, namely, Domain-A. This allowed the encryption of a portion of the messages on the FACCH/SACCH together with the payload (circuit-switched speech or data) on a digital traffic channel and a portion of the messages on the analogue voice channel. This information, defined by the Domain-A encryption domain, is eligible for encryption by the Domain-A encryption algorithms only. The encryption of payload (circuit-switched speech or data) by a Domain-A encryption is commonly known as voice privacy, and the encryption of Layer3 messages by a Domain-A encryption is commonly known as Domain-A message encryption.
EPE introduces a new encryption domain, namely Domain-B. The Domain-B encryption domain again defines a portion of the messages on the FACCH/SACCH digital traffic channel, a portion of messages on the digital control channel together with payload (circuit-switched speech or data). This information, defined by the Domain-B encryption domain, is eligible for encryption by the Domain-B encryption algorithm.
A single encryption algorithm known as Scema is introduced as the Domain-B encryption algorithm, producing encryption keys for the encryption of both circuit-switched speech/data on a digital traffic channel and Layer3 messages (both on digital traffic and digital control channels), as defined by TIA/EIA-136.
The Domain-B encryption applies to the following:
- Domain-B message encryption for user signalling on the digital control channel. The DCCH-encryption key (DCCH=Digital Control Channel), generated in both the mobile station and the network entity, is applied to specific Layer3 TIA/EIA-136 DCCH messages.
- Domain-B message encryption for user signalling on the digital traffic channel. The DTC-encryption key, generated in both the mobile station and the network entity, is applied to specific Layer3 TIA/EIA-136 DTC messages.
- Domain-B encryption on the digital traffic channel for both circuit-switched voice and data. The DTC-encryption key, generated in both the mobile station and the network entity, is applied to circuit-switched voice and data.
EPE on the DCCH is activated at registration. Both the mobile station and system generate the Domain-B encryption keys based on, among other information, the currently available value of a parameter called RAND (a random variable which is broadcast on the control channel). The generation of the keys is performed on both the mobile station side and the network side in parallel. This ensures that the encryption keys are “synchronized”, where “synchronized” means that the keys on either side are in correct correspondence to one another, such that each side can decrypt the messages encrypted by the other side. The generated encryption keys are stored in both the mobile station and the network.
The encryption keys are only generated at certain types of registration, including power-on, transition to a new switching entity (MSC), and forced registration, where the network entity informs the mobile station whether EPE should be activated via the registration accept message.
Once activated, the mobile shall encrypt a portion of RACH messages (RACH=Random Access Channel) with the generated encryption key. Layer3 messages subject to Domain-B encryption on the reverse digital control channel are: Origination, Page Response, R-data and Serial Number.
Layer3 messages subject to Domain-B encryption on the forward digital control channel are: Analogue Voice Channel Designation, Digital Traffic Channel Designation, Message Waiting, Page, R-data, Registration Accept and User Alert messages.
On reception of a message on the RACH from a mobile station camped on a DCCH, the network entity will determine whether a message is encrypted or not with Domain-B encryption, by using the message encryption indicator field of the Layer2 extension header. If the message is not encrypted, then processing of the message will occur as implemented in the given system. If the encryption indicator field indicates that a message is encrypted with Domain-B encryption, the Domain-B DCCH-encryption key shall be retrieved from its storage location, e.g. a visitor location register VLR, where the encryption key is stored together with other information related to the subscriber using the mobile station that is in communication with the network entity. Once the Domain-B DCCH-encryption key is available, the message shall be decrypted and processing of the message is completed as implemented in the network.
The terms Layer3 and Layer2 used above refer to different levels specified by TIA/EIA-136, and are not to be understood as layers within the meaning of the OSI model.
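The parallel key generation from the broadcast RAND and the receive-side handling of the message encryption indicator described above, as an added Python example that is not part of the original text or of TIA/EIA-136. HMAC-SHA256 and a SHA-256 keystream stand in for the real key generation and Domain-B algorithms, and the subscriber secret, indicator value, field names and message layout are assumptions.

```python
import hashlib
import hmac

DOMAIN_B = 0x02  # hypothetical value for the message encryption indicator field


def derive_dcch_key(subscriber_secret: bytes, rand: bytes) -> bytes:
    """Stand-in key generation: HMAC-SHA256 over the broadcast RAND.
    The real TIA/EIA-136 procedure is not reproduced on this page."""
    return hmac.new(subscriber_secret, b"DCCH" + rand, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); placeholder for the Domain-B algorithm."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def mobile_send(msid: str, key: bytes, layer3: bytes) -> dict:
    """Mobile side: header fields stay in clear, the Layer3 payload is encrypted."""
    return {"msid": msid, "enc_indicator": DOMAIN_B, "payload": keystream_xor(key, layer3)}


def network_receive(vlr: dict, msg: dict) -> bytes:
    """Network side: branch on the indicator, fetch the stored key, decrypt."""
    if msg["enc_indicator"] != DOMAIN_B:
        return msg["payload"]  # not encrypted: process as-is
    key = vlr[msg["msid"]]["dcch_key"]  # key was generated locally at registration
    return keystream_xor(key, msg["payload"])


def demo():
    secret = b"constructed-subscriber-secret"  # assumed: held by both sides, never sent
    rand_a, rand_b = b"\x11\x22\x33\x44", b"\x55\x66\x77\x88"  # constructed RAND values
    ms_key = derive_dcch_key(secret, rand_a)  # mobile station, at registration
    vlr = {"ms-1": {"dcch_key": derive_dcch_key(secret, rand_a)}}  # network, in parallel
    msg = mobile_send("ms-1", ms_key, b"ORIGINATION 5551234")
    ok = network_receive(vlr, msg)
    # If the network had derived its key from a different RAND, the keys
    # no longer correspond and the payload does not decrypt.
    vlr["ms-1"]["dcch_key"] = derive_dcch_key(secret, rand_b)
    garbled = network_receive(vlr, msg)
    return ok, garbled


if __name__ == "__main__":
    print(demo())
```

The key itself never crosses the air interface; only RAND is broadcast, and the second decryption shows what "not synchronized" looks like on the receiving side.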