1. Field of the Invention
The present invention relates to communications; more specifically, the conversion of keys for first and second communications systems as the wireless unit roams between the first and second communications systems.
2. Description of Related Art
FIG. 1 depicts a schematic diagram of first and second wireless communications systems which provide wireless communications service to wireless units (e.g., wireless units 12a-c) that are situated within the geographic regions 14 and 16, respectively. A Mobile Switching Center (e.g. MSCs 20 and 24) is responsible for, among other things, establishing and maintaining calls between the wireless units, calls between a wireless unit and a wireline unit (e.g., wireline unit 25), and/or connections between a wireless unit and a packet data network (PDN), such as the internet. As such, the MSC interconnects the wireless units within its geographic region with a public switched telephone network (PSTN) 28 and/or a packet data network (PDN) 29. The geographic area serviced by the MSC is divided into spatially distinct areas called “cells.” As depicted in FIG. 1, each cell is schematically represented by one hexagon in a honeycomb pattern; in practice, however, each cell has an irregular shape that depends on the topography of the terrain surrounding the cell.
Typically, each cell contains a base station (e.g. base stations 22a-e and 26a-e), which comprises the radios and antennas that the base station uses to communicate with the wireless units in that cell. The base stations also comprise the transmission equipment that the base station uses to communicate with the MSC in the geographic area. For example, MSC 20 is connected to the base stations 22a-e in the geographic area 14, and an MSC 24 is connected to the base stations 26a-e in the geographic region 16. Within a geographic region, the MSC switches calls between base stations in real time as the wireless unit moves between cells, referred to as call handoff. Depending on the embodiment, a base station controller (BSC), which administers the radio resources for the base stations and relays information to the MSC, can be a separate unit (not shown) connected to several base stations or can be located at each base station.
The MSCs 20 and 24 use a signaling network 32, such as a signaling network conforming to the standard identified as TIA/EIA-41-D entitled “Cellular Radiotelecommunications Intersystem Operations,” December 1997 (“IS-41”), which enables the exchange of information about the wireless units which are roaming within the respective geographic areas 14 and 16. For example, a wireless unit 12a is roaming when the wireless unit 12a leaves the geographic area 14 of the MSC 20 to which it was originally assigned (e.g. home MSC). To ensure that a roaming wireless unit can receive a call, the roaming wireless unit 12a registers with the MSC 24 in which it presently resides (e.g., the visitor MSC) by notifying the visitor MSC 24 of its presence. Once a roaming wireless unit 12a is identified by a visitor MSC 24, the visitor MSC 24 sends a registration request to the home MSC 20 over the signaling network 32, and the home MSC 20 updates a database 34, referred to as the home location register (HLR), with the identification of the visitor MSC 24, thereby providing the location of the roaming wireless unit 12a to the home MSC 20.
After a roaming wireless unit is authenticated, the home MSC 20 provides to the visitor MSC 24 a customer profile which indicates the features available to the roaming wireless unit, such as call waiting, caller id, call forwarding, three-way calling, and international dialing access. Upon receiving the customer profile, the visitor MSC 24 updates a database 36, referred to as the visitor location register (VLR), to provide the same features as the home MSC 20. The HLR, VLR and/or the authentication center (AC) can be co-located at the MSC or remotely accessed.
If a wireless unit is roaming between wireless communications systems using different wireless communications standards, providing the wireless unit with the same features and services in the different wireless communications systems is complex, if even feasible. There are currently different wireless communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes two major wireless communications systems with differing standards. The first system is a time division multiple access (TDMA) system governed by the standard known as IS-136; the second system is a code division multiple access (CDMA) system governed by the standard known as IS-95. Both communication systems use the standard known as IS-41 for intersystem messaging, which defines the authentication procedure.
In TDMA, users share a frequency band; each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish the users, hence the phrase “time division”. At the receiver, the packet is decompressed. In the IS-136 protocol, three users share a given carrier frequency. In contrast, CDMA uses a unique code to “spread” the signal across the wide area of the spectrum (hence the alternative name, spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust and secure channel can be established, even for an extremely low-power signal. Further, by using different codes, a number of different channels can simultaneously share the same carrier signal without interfering with each other. Both CDMA and TDMA systems are defined for Second Generation (2G) and Third Generation (3G) phases with differing requirements for user information privacy or confidentiality.
Europe utilizes the Global System for Mobiles (GSM) network as defined by the European Telecommunications Standard Institute (ETSI). GSM is a TDMA standard, with 8 users per carrier frequency. The speech is taken in 20 msec windows, which are sampled, processed, and compressed. GSM is transmitted on a 900 MHz carrier. An alternative system operating at 1.8 GHz (DCS 1800) provides additional capacity and is often viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented DCS-1900, another GSM system operating on the different carrier of 1.9 GHz. Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). PDC is a TDMA standard similar to the U.S. standard known as the IS-54 protocol.
The GSM network utilizes a removable user identification module (UIM), a credit-card-size card owned by a subscriber, who slides the UIM into any GSM handset to transform it into “their” phone. It will ring when their unique phone number is dialed; calls made will be billed to their account; all options and services connect; voice mail can be connected, and so on. People with different UIMs can share one “physical” handset, turning it into several “virtual” handsets, one per UIM. Similar to the U.S. systems, the GSM network also permits “roaming”, by which different network operators agree to recognize (and accept) subscribers from other wireless communications systems or networks, as wireless units (or UIMs) move. So, British subscribers can drive through France or Germany and use their GSM wireless unit to make and receive calls (on their same UK number), with as much ease as an American businessman can use a wireless unit in Boston, Miami, or Seattle, within any one of the U.S. wireless communications systems. The GSM system is defined as a Second Generation (2G) system.
The third generation (3G) enhancement of the GSM security scheme is defined in the Universal Mobile Telecommunications Service (UMTS) set of standards, and specifically for the security in the standard identified as 3GPP TS-33.102 “Security Architecture” specifications. This security scheme with slight variations will be used as a basis for the worldwide common security scheme for all 3G communications systems, including UMTS, TDMA, and CDMA.
The 2G GSM authentication scheme is illustrated in FIG. 2. This authentication scheme includes a home location register (HLR) 40, a visiting location register (VLR) 50, and a wireless unit or mobile terminal (MT) 60, which includes a UIM 62. When the mobile terminal 60 places a call, a request is sent to the home location register 40, which generates an authentication vector AV, also called a “triplet” (RAND, SRES, Kc), from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 50, which passes the random number RAND to the mobile terminal 60. The UIM 62 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and an algorithm A3, calculates a signed response SRES. The UIM 62 also utilizes the root key Ki, the random number RAND, and an algorithm A8 to calculate the session key Kc. The SRES calculated by the UIM 62 is returned to the visiting location register 50, which compares this value with the SRES received from the home location register 40, in order to authenticate the subscriber using the mobile terminal 60.
In the GSM “challenge/response” authentication system, the visiting location register 50 never receives the root key Ki being held by the UIM 62 and the home location register 40. The VLR 50 also does not need to know the authentication algorithms used by the HLR 40 and UIM 62. Also, in the GSM authentication scheme, the triplet must be sent for every phone call by the home location register 40. RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224 bits of data for each request, a significant data load. The main focus of this description is the 64-bit session ciphering key Kc, which is used for user information confidentiality. When the mobile terminal roams into another serving system while in the call, the session key Kc is forwarded from the old VLR to the new target serving system.
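The triplet exchange described above, as an added example that is not part of the original document. A3 and A8 are replaced by a truncated HMAC-SHA256 stand-in (an assumption, not the real algorithms), and the class names, the subscriber label "sub-1" and the keys are constructed for illustration.

```python
import hashlib, hmac, secrets

def _prf(ki: bytes, label: bytes, rand: bytes, nbytes: int) -> bytes:
    # Stand-in for the operator's A3/A8 (not the real algorithms): truncated HMAC-SHA256.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]

def a3(ki, rand):  # 32-bit signed response SRES
    return _prf(ki, b"A3", rand, 4)

def a8(ki, rand):  # 64-bit session key Kc
    return _prf(ki, b"A8", rand, 8)

class HLR:
    def __init__(self):
        self._ki = {}                      # root keys are held by the HLR and the UIM only
    def provision(self, subscriber, ki):
        self._ki[subscriber] = ki
    def triplet(self, subscriber):
        rand = secrets.token_bytes(16)     # 128-bit RAND
        ki = self._ki[subscriber]
        return rand, a3(ki, rand), a8(ki, rand)

class UIM:
    def __init__(self, ki):
        self._ki, self.kc = ki, None
    def challenge(self, rand):
        self.kc = a8(self._ki, rand)       # Kc is computed locally, never transmitted
        return a3(self._ki, rand)          # only SRES goes back to the VLR

class VLR:
    def __init__(self):
        self.kc = {}                       # session keys only; the VLR never sees Ki
    def authenticate(self, subscriber, hlr, uim):
        rand, sres, kc = hlr.triplet(subscriber)   # a fresh triplet for every call
        if not hmac.compare_digest(uim.challenge(rand), sres):
            return False
        self.kc[subscriber] = kc
        return True
    def hand_off(self, subscriber, target):
        target.kc[subscriber] = self.kc.pop(subscriber)  # Kc forwarded to the new system

def run_gsm_demo():
    ki = secrets.token_bytes(16)           # constructed root key
    hlr, old_vlr, new_vlr, uim = HLR(), VLR(), VLR(), UIM(ki)
    hlr.provision("sub-1", ki)
    ok = old_vlr.authenticate("sub-1", hlr, uim)
    old_vlr.hand_off("sub-1", new_vlr)
    rogue = old_vlr.authenticate("sub-1", hlr, UIM(secrets.token_bytes(16)))
    return ok, rogue, new_vlr.kc["sub-1"] == uim.kc, sum(map(len, hlr.triplet("sub-1"))) * 8
```

The last value returned is the size of one triplet in bits, matching the 224 bits per request noted above.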
FIG. 3 shows the UMTS security scheme, which is an enhancement to the 2G GSM scheme. Similar to the GSM scheme, when the mobile terminal 90 places a call, a request is sent to the home location register 70, which sends an authentication vector (AV) to the Visited Location Register (VLR) 80. This vector contains five elements instead of the three elements of a triplet, and is therefore called a “quintuplet”. It contains the 128 bit RAND, the 64 bits SRES, the AUTN value which carries the authentication signature of the home network, and two session security keys: the 128 bit ciphering key CK and the 128 bit integrity key IK. These latter two keys, CK and IK, are the focus of this description.
The vector is provided to the visiting location register 80, which passes the random number RAND and the AUTN to the mobile terminal 90. The UIM 92 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and defined algorithmic functions, validates the AUTN and calculates a signed response SRES. The UIM 92 also utilizes the root key Ki, the random number RAND, and defined algorithmic functions to calculate the session keys CK and IK. The SRES calculated by the UIM 92 is returned to the visiting location register 80, which compares this value with the SRES received from the home location register 70 in order to authenticate the subscriber using the mobile terminal 90. A focus of this description is the 128-bit session ciphering key CK and the 128-bit session integrity key IK, which are used for user information confidentiality and session integrity protection. Once the subscriber is successfully authenticated, the VLR 80 activates the CK and IK received in this authentication vector. If the mobile terminal roams into another serving system while on the call, the CK and IK are sent to the new target serving system.
The 2G IS-41 authentication scheme, used in U.S. TDMA and CDMA systems, is illustrated in FIG. 4. This authentication scheme involves a home location register (HLR) 100, a visiting location register (VLR) 110, and a mobile terminal (MT) 120, which can include a UIM 122. The root key, known as the A_key, is stored only in the HLR 100 and the UIM 122. There is a secondary key, known as Shared Secret Data SSD, which is sent to the VLR 110 during roaming. SSD is generated from the A_key using a cryptographic algorithm. The procedure for generating the SSD is described elsewhere and is known to those skilled in the art. When the MT 120 roams to a visiting network, the VLR 110 sends an authentication request to the HLR 100, which responds by sending that subscriber's SSD. Once the VLR 110 has the SSD, it can authenticate the MT 120 independently of the HLR 100, or with the assistance of the HLR 100 as is known to those skilled in the art. The VLR 110 sends a random number RAND to the UIM 122 via the MT 120, and the UIM 122 calculates the authentication response (AUTHR) using RAND and the stored value of SSD in UIM 122. AUTHR is returned to the VLR 110, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 120 is declared valid. This process repeats when the wireless unit attempts to access the system, for instance, to initiate a call, or to answer a page when the call is received.
In these cases, the session security keys are also generated. To generate session security keys, the internal state of the computation algorithm is preserved after the authentication calculation. Several session security keys are then calculated by the UIM 122 and the VLR 110 using the current value of SSD. Specifically, the 520 bits Voice Privacy Mask (VPM) is computed, which is used for concealing the TDMA speech data throughout the call. This VPM is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the VPM is sent to the new serving system by the VLR. When the call is concluded, the VPM is erased by both the UIM and the serving VLR. Likewise, the 64 bits Signaling Message Encryption Key (SMEKEY) is computed, which is used for encrypting the TDMA signaling information throughout the call. This SMEKEY is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the SMEKEY is sent to the new serving system by the VLR. When the call is concluded, the SMEKEY is erased by both the UIM and the serving VLR.
The 2G CDMA scheme uses a similar method of key distribution, except that, instead of the 520-bit VPM, it uses the 42 Least Significant Bits (LSB) of the VPM as a seed into the Private Long Code Mask (PLCM). This PLCM is used as an additional scrambling mask for the information before its spreading. The 42-bit PLCM is consistent throughout the call and is sent to the new serving system by the VLR if the mobile roams into another serving system. The SMEKEY is used in the same way as in the TDMA based scheme.
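The IS-41 flow of the preceding three paragraphs, as an added example that is not part of the original document: the VLR fetches SSD once, then authenticates and derives VPM, SMEKEY and the 42-bit PLCM seed without contacting the HLR again. The real IS-41 algorithm is not reproduced; a labelled SHAKE-256 stand-in is assumed, and the A_key, SSD, RAND and AUTHR widths and all names are example choices.

```python
import hashlib, hmac, secrets

def derive(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # Stand-in for the real IS-41 algorithm (not reproduced here): labelled SHAKE-256.
    return hashlib.shake_256(b"|".join((label, key, data))).digest(nbytes)

def session_keys(ssd, rand):
    vpm = int.from_bytes(derive(ssd, b"VPM", rand, 65), "big")   # 520-bit VPM (TDMA)
    smekey = derive(ssd, b"SMEKEY", rand, 8)                     # 64-bit SMEKEY
    plcm_seed = vpm & ((1 << 42) - 1)                            # 42 LSBs of VPM (CDMA)
    return {"VPM": vpm, "SMEKEY": smekey, "PLCM_SEED": plcm_seed}

class UIM:
    def __init__(self, a_key):
        self.ssd, self.keys = derive(a_key, b"SSD", b"", 16), None  # SSD from A_key
    def answer(self, rand):
        self.keys = session_keys(self.ssd, rand)
        return derive(self.ssd, b"AUTHR", rand, 16)   # AUTHR width is an example choice

class HLR:
    def __init__(self, a_key):
        self._a_key, self.ssd_requests = a_key, 0     # A_key never leaves the HLR
    def send_ssd(self):
        self.ssd_requests += 1
        return derive(self._a_key, b"SSD", b"", 16)

class VLR:
    def __init__(self, hlr):
        self.ssd, self.keys = hlr.send_ssd(), None    # one fetch when the MT roams in
    def start_call(self, uim):
        rand = secrets.token_bytes(4)                 # RAND width is an example choice
        expected = derive(self.ssd, b"AUTHR", rand, 16)
        if not hmac.compare_digest(uim.answer(rand), expected):
            return False
        self.keys = session_keys(self.ssd, rand)      # derived at the start of the call
        return True
    def end_call(self, uim):
        self.keys = uim.keys = None                   # both sides erase VPM and SMEKEY

def run_is41_demo():
    a_key = secrets.token_bytes(8)                    # constructed root key
    hlr, uim = HLR(a_key), UIM(a_key)
    vlr = VLR(hlr)
    calls = [vlr.start_call(uim) for _ in range(3)]   # three accesses, no HLR round trip
    keys, in_sync = vlr.keys, vlr.keys == uim.keys
    vlr.end_call(uim)
    rogue = vlr.start_call(UIM(secrets.token_bytes(8)))
    return calls, in_sync, keys, hlr.ssd_requests, rogue, vlr.keys
```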
The IS-41 3G security scheme uses the UMTS security scheme, which is based on the delivery of the 128-bits ciphering key CK and 128-bits integrity key IK to the visited system VLR, while the same keys are computed by the UIM.
Key conversions as a wireless unit roams between communications systems should be performed in such a way that, even if the lower security of 2G schemes and algorithms is compromised and partial keys are recovered by the intruder, the 3G session keys would still maintain the same level of security. Such conversions will allow a subscriber to “roam globally” while maintaining the security of communications data and the integrity of the communications session.