The invention relates to a method and arrangement for ciphering information transfer. The invention can be advantageously applied in a time division multiple access (TDMA) cellular system offering broadband circuit switched services.
The prior art will be now described, discussing first the use of time slots in the GSM (Global System for Mobile communications) system and the coding of information in a burst transferred in a time slot. Then it will be described a known method for ciphering information transfer in said system as well as the disadvantages related to it.
Current mobile communication networks generally use the time division multiple access (TDMA) method. For example, in the GSM system each traffic channel uses TDMA frames comprising eight time slots. In mobile communication systems a call is conventionally established in such a manner that one time slot is reserved for the call and the transmission channel provided by that time slot is then used for the whole duration of the call. If, however, the mobile station moves from the area of a base station to that of another, a handover is carried out and a channel using a new time slot is established between the new active base station and the mobile station.
FIG. 1 shows a GSM TDMA frame comprising eight time slots 0 to 7. Separately shown are transmission frame TX and reception frame RX. Here, transmission frame means a frame sent by the mobile station, i.e. an uplink TDMA frame, and reception frame means a frame received by the mobile station, i.e. a downlink TDMA frame. A cross in FIG. 1 marks the time slot 1 which in the call depicted by the example is used in both uplink and downlink transmission. It should be noted that in the downlink and uplink directions there is a delay between the frames, which is why time slots represented by corresponding numbers are not simultaneous in the different transfer directions.
Broadband high speed circuit switched data (HSCSD) services, in which a call uses more than one time slot in order to speed up the communications rate, have been introduced especially for data transmission services. The number of uplink time slots may be equal to that of downlink time slots, in which case the configuration is symmetrical, or it may be unequal, in which case the configuration is asymmetrical. Time slots used are specified during call establishment and the system indicates the time slots used as well as the related parameters to the mobile station. Said parameters include, for example, the ciphering key used in ciphering/deciphering. The number of time slots used can also be changed during a call.
FIG. 2 shows a TDMA frame in conjunction with a HSCSD call using two time slots 1 and 2 in the uplink direction TX and three time slots 0 to 2 in the downlink direction RX.
FIG. 3 illustrates the use of a time slot in the GSM system. A burst transferred in a time slot contains training sequence symbols TSS 33, two sequences IS1 and IS2 consisting of information symbols, 31 and 32, and tail symbols TS1 and TS2, 30 and 34, respectively. In addition, time slots are separated by guard periods GP, 35. A conventional GSM system uses GMSK modulation to modulate the data into the burst.
Furthermore, there are new solutions to increase the transfer capacity by changing the method of modulation of the burst transmitted in a time slot. One such solution is the so-called EDGE (Enhanced Data rates for GSM Evolution) system which is now being developed and is based on the GSM system. In that solution, GMSK modulation may be replaced by binary order quadrature amplitude modulation (B-O-QAM), quadrature order quadrature amplitude modulation (Q-O-QAM) or by code pulse modulation (CPM), for example. Possible characteristics of the EDGE system are described e.g. in [1]. To illustrate the invention we will examine in this patent application some of the arrangements to implement the EDGE system discussed in said document. Those arrangements will be below called the xe2x80x9cEDGE systemxe2x80x9d although the characteristics of the eventual implemented EDGE system might be different from those described here.
When using fast modulation, the symbol rate can be generated from a 13-MHz clock frequency by dividing by 36, for example, while in the conventional GSM system the divisor is 48. Thus the symbol rate becomes 361.111 ksps (kilosymbols per second). When using Q-O-QAM modulation, a symbol comprises 2 bits, so the modulation bit rate is 722.222 kbps (kilobits per second). When using B-O-QAM modulation, a symbol comprises one bit, so the modulation bit rate is 361.111 kbps.
Table 1 below lists the most important modulation characteristics of the GSM system and the system using QAM modulation.
So, using QAM modulation, a burst in one time slot can transfer 208.333 symbols, whereas the GSM system can only transfer 156.25 symbols.
Table 2 below shows the time slot sequence lengths in the GSM system and in the system based on QAM modulation. The portion of the stealing flag is shown separately in the numbers of information symbols and bits.
In the GSM system the ciphering of information transferred is based on the use of the so-called A5 ciphering algorithm. The ciphering algorithm is used to produce a 114-bit pseudo-random ciphering sequence which is used to encrypt the 114 information bits transferred in one burst. A ciphered 114-bit sequence is produced by performing an exclusive-or (xor) operation between the unciphered information and the ciphering sequence. Similarly, the ciphered information is deciphered at the receiving end by producing the same ciphering sequence and carrying out an xor operation between the ciphering sequence and the received bit sequence.
The A5 algorithm is not public but as regards its structure it is a conventional ciphering algorithm using two input parameters. The first input parameter, so-called COUNT value, is derived from the TDMA frame number and transferred on the synchronization channel SCH. The COUNT value is used for producing ciphering blocks for bursts in sequential TDMA frames. The second input parameter is a call specific ciphering key Kc which is transferred on a data transmission channel prior to call establishment.
Different connections and time slots within a TDMA frame are distinguished using separate ciphering keys. If a connection uses more than one time slot, ciphering key Kc is used in time slot 0 if that is in use. In addition, ciphering key Kc is used to produce the ciphering keys Kcn (n=0 to 7) for the other time slots.
The method above is used for creating for all bursts different ciphering bit blocks within a TDMA frame and between TDMA frames. The use of multiple input parameters in the A5 algorithm makes it possible to avoid long text sequences ciphered with one and the same ciphering block. This way, the encryption function of the conventional GSM system can be made comparatively reliable.
Ciphering methods for the GSM system are described in more detail in [2], chapter 4.
Prior-art arrangements, however, have limitations. The reliability of encryption largely depends on how much information is transferred using the same ciphering algorithm and key. The greater the amount of information transferred using the same algorithm/key, the easier it is to crack the encryption. In known arrangements one and the same ciphering algorithm and key are used to code one burst. When the amount of information in the burst is fixed, the encryption has a certain pre-determined reliability. Thus, known arrangements do not allow selection of the reliability level of encryption according to need.
Also, when using modulation methods in which greater amounts of data are modulated into one burst, the reliability of the encryption becomes lower. A situation may then occur in which the reliability of encryption is inadequate.
Furthermore, known solutions have the disadvantage that when new modulation methods are introduced, longer information blocks and ciphering sequences have to be handled in conjunction with ciphering, which may call for changes in the transmitter and receiver construction.
An object of the present invention is to avoid aforementioned disadvantages of the prior art by providing an arrangement in which the attainable reliability of encryption is better than in known solutions and in which the level of reliability of encryption can be changed if desired.
An essential idea of the invention is that the information transferred in a burst is divided into at least two blocks and said blocks are ciphered in a non-identical manner. Then the ciphering reliability is better as the amount of information encoded with one and the same ciphering algorithm and key is smaller. Furthermore, the level of ciphering reliability can be changed by altering the number and/or size of information blocks in the burst. Since the information block size can be e.g. 114 bits, which is used in the GSM system, application of the invention will not require that the construction of the mobile station be made more complex.
FIG. 4 shows in general an arrangement according to the invention for ciphering the information related to a burst. A block contains Y information bits of a burst to be ciphered, divided into s+1 sub-blocks each of which comprises y bits. Sub-blocks are created in accordance with predetermined rules. In the example depicted in FIG. 4, the bits to be transferred first are transferred in the first sub-block, the bits to be transferred second are transferred in the second sub-block, etc. However, other ways of forming the sub-blocks can be applied, too. Since in the situation according to FIG. 4 the number of information bits in a burst, i.e. the block size Y, is a multiple of the number of bits y in a sub-block, all sub-blocks are of the same length. A ciphering sequence block 0 to s is formed for each sub-block in a manner described later on. An xor operation is performed between the information bits and ciphering bits, producing Y ciphered information bits for one burst.
FIG. 5 shows a situation in which an information bit block related to a burst, comprising Y bits to be ciphered, is divided into sub-blocks 114 bits long. In this case the block size Y is not a multiple of the number of bits y in a sub-block, so the last sub-block s will not be full. As the number of bits in one burst may not necessarily be divisible by 114, the last sub-block s may comprise less than 114 bits. The remaining bits are the most significant bits of the last sub-block and they are binary added to the corresponding bits of the last ciphering block. The ciphering sequence blocks are generated in the same manner as in the situation depicted in FIG. 4, producing after an xor operation a block of Y ciphered information bits for one burst.
The method according to the invention for ciphering a TDMA data transfer call, wherein transferred information is modulated into at least one burst of a TDMA frame and transferred information is ciphered using a predetermined algorithm and ciphering key, is characterized in that
information transferred in one burst is divided into at least two blocks,
the first block is ciphered using a first ciphering key,
the second block is ciphered using a second ciphering key, and
said first and second ciphering keys are different from each other.
The arrangement according to the invention for ciphering a TDMA information transfer connection in a communications system, comprising means for modulating the information to be transferred into at least one burst of a TDMA frame and means for ciphering the information to be transferred using a predetermined algorithm and at least one ciphering key, is characterized in that it further comprises means for dividing the information transferred in said burst into at least two blocks, and means for ciphering the first block using a first ciphering key and the second block using a second ciphering key, said first and second ciphering keys being different from each other.
The mobile station according to the invention, comprising means for ciphering a TDMA information transfer connection, including means for modulating the information to be transferred into at least one burst of a TDMA frame and means for ciphering the information to be transferred using a predetermined algorithm and at least one ciphering key, is characterized in that the mobile station further comprises means for dividing the information transferred in said burst into at least two blocks, and means for ciphering the first block using a first ciphering key and the second block using a second ciphering key, said first and second ciphering keys being different from each other.
Preferred embodiments of the invention are described in the dependent claims.