1. Field of the Invention
The present invention relates to a Secure User Plane Location (SUPL) based positioning system, and particularly, to a TLS session management method for a SUPL roaming.
2. Background of the Related Art
In general, a mobile communications system has a function unit related to calculating of position of a mobile communications terminal in a mobile communications network, and thus provides a location service for transferring the location of the terminal to a certain entity periodically or according to a user's request.
Networks related to the location service have different structures according to an inner network structure of 3GPP or 3GPP2. The current location of the terminal can be calculated using a cell-ID method for transferring a cell ID to which the terminal belongs, a method in which a time taken by transferring a radio wave from a terminal to each base station is calculated and a location of the terminal is calculated using a triangulation, a method using Global Positioning System (GPS), and the like.
However, in order to provide location services to a user, considerable signaling and location information should be transferred between the mobile communications terminal and a location server. The so-called positioning technologies that have been standardized for providing such location services, namely, a location service based upon the location (position) of a mobile communications terminal, are undergoing rapid widespread dissemination. The technologies can typically be provided through a user plane and a control plane. A Secure User Plane Location (SUPL) protocol of the Open Mobile Alliance (OMA), which is well-known as an example of the positioning technologies, provides the location services through the user plane
The SUPL protocol is an efficient method for transferring location information required for the location calculation of a mobile communications terminal. The SUPL protocol employs a user plane data bearer so as to transfer positioning assistance information such as Global Positioning System (GPS) assistance, and to carry positioning technology associated protocols between the mobile terminal and a network.
In general, in a positioning system, a SUPL network related to a location service roughly includes a SUPL agent, SUPL Location Platform (SLP) and SUPL Enabled Terminal (SET). The SUPL agent refers to a logical service access point using location information which is actually measured. The SLP refers to a SUPL service access point at a network portion where network resources are accessed to obtain location information. The SET refers to a device for communicating with the SUPL network using a SUPL interface, for instance, a User Equipment (UE) of the UMTS, a Mobile Station (MS) of GSM, a IS-95 MS, a laptop computer having a SET function, Personal Digital Assistances (PDAs) or the like. The SET may be various mobile communications terminals which access through a Wideband LAN (WLAN). The SET supports various procedures defined by the SUPL protocol by being connected to the network through the user plane bearer.
A network that a user has originally registered in a positioning service is referred to as a home network. When a user moves and thus is located at another area which is not in the home network area, the corresponding area is referred to as a visited network. Therefore, the SLP within the home network is called as a Home-SLP (H-SLP), and the SLP within the visited network is called as a Visited-SLP (V-SLP). Here, upon initiating SUPL procedures at the network, an SLP to which an external client is initially connected is referred to as a Requesting SLP (R-SLP). The R-SLP is a logical entity which may be either the same as the H-SLP or not. In addition, an SET which targets a current positioning (i.e., location tracking) is defined as a target SET.
Furthermore, the SLP, as a network element, may include a SUPL Positioning Center (SPC) which is an entity for calculating an actual location, and a SUPL Location Center (SLC) which manages a function of the SLP other than calculating positioning, for example, functions of roaming and resource management. Therefore, the SET may calculate the positioning through a communication with the SPC via the SLC (i.e., proxy mode), and may calculate the positioning by directly connecting to the SPC (i.e., non-proxy mode).
However, upon opening a Transport Layer Security (TLS) session for ensuring security in a related art SUPL-based positioning (i.e., location tracking) method, in case of the non-proxy mode roaming, when opening a new TLS session between a V-SPC and a terminal after generating the TLS session, a new TLS session must be generated aside from the existing TLS session (i.e., the session between the H-SLP and the SET).
FIG. 1 illustrates a procedure for performing positioning using a SUPL when an SET executes a roaming from a H-SLP to a V-SLP. Hereinafter, a target SET is just referred to as the SET.
As illustrated in FIG. 1, if a data connection is not currently set between the SET and any network before transmitting a SUPL START message, the SET (or SUPL agent) requests a data connection (TCP connection) to a packet data network or a circuit switched network (e.g., a network of 3GPP or 3GPP2) (S10).
When the data connection is completed, the SET sets a TLS session (encryption protocol) with the H-SLP (S11). The SET then transmits a SUPL START message to the H-SLP to initiate a SUPL procedure therewith (S12). The SUPL START message may include at least session-id, SET capabilities and Local Identification (lid). The SET capabilities may include positioning (location tracking) methods supported by the SET (e.g., A-GPS supported by SET, SET-based A-GPS, etc), protocols to be used for the positioning (e.g., RRLP, RRC or TIA-801), and the like.
The H-SLP determines whether the SET is in a roaming state based upon routing information to thereafter transfer the SUPL ATART message including session-id and msid to the V-SLC of the V-SLP through an RLP Standard SUPL Roaming Location Immediate Request (SSRLIR) (S13).
The V-SLC informs the V-SPC through an internal initialization with the V-SPC that a SUPL POS procedure preparation is to be started, and switches required information with the V-SPC. Also, the V-SLC transfers a SUPL RESPONSE message including a V-SPC address or the like to the H-SLP through an RLP Standard SUPL Roaming Location Immediate Answer (SSRLIA) (S14).
Accordingly, the H-SLP transmits a SUPL RESPONSE message including at least session-id, the V-SPC address to the SET (S15). The SET terminates an IP connection with the H-SLP and also terminates the first TLS session (S16).
Afterwards, the SET sets a second TLS session with the V-SPC (S17).
The setting of the second TLS session is basically the same as the setting of the first TLS session. Upon setting the second TLS session, the SET transmits a SUPL POS INIT message including session-id, lid, SET capabilities, and the like to the V-SPC, and thereafter starts an actual positioning associated procedure (S18). Accordingly, the SET and the V-SPC switch therewith consecutive messages for performing the actual positioning (S19), and thus the V-SPC (or SET) calculates the location of the SET through the messages.
Upon calculating the location of the SET, the V-SPC transmits a SUPL END message to the SET to notify the termination of the SUPL procedure. The SET having received the SUPL END message terminates the second TLS session with the V-SPC (S20 and S21).
The V-SPC also informs the V-SLC through the internal communication of the termination of the SUPL procedure and the calculated location value of the SET (S22). The V-SLC transmits the received information to the H-SLP through an RLP Standard SUPL Roaming Position (SSRP) message (S23).
Afterwards, when the SET executes the roaming, a method for setting the first and second TLS sessions will now be explained in more detail.
FIG. 2 illustrates in more detail the method (full handshake) for setting the TLS session (i.e., a method in which the SET performs a mutual authentication between the H-SLP and the V-SLP).
As illustrated in FIG. 2, the SET first sets a first TLS session (encryption protocol) with the H-SLP (S11).
That is, the SET includes parameters such as Version, RandomNumber, sessionID[empty], CipherSuites and CompressionMethod in a Client Hello message to thus transmit it the H-SLP (ST1). Here, the sessionID is set as ‘empty’ when generating a new session. The CipherSuites and CompressionMethod indicate a list of encryption parameters supported by the SET and an ID for a data compression method, respectively.
The H-SLP transmits a Server Hello message including parameters such as Version selected thereby, RandomNumber, sessionID[1], CipherSuites and CompressionMethod to the SET in response to the Client Hello message. If there is not the session ID transmitted by the SET, the H-SLP transmits an empty session ID to the SET.
The H-SLP sequentially transmits to the SET messages such as Certification*, ServerKeyExchange*, CertificateRequest* and ServerHello Done after sending the Server Hello message. Here, ‘*’ denotes ‘optional’.
The Certificate is a message to be transmitted posterior to the Server Hello message. The H-SLP transmits a public key thereof through a ServerKeyExchange or transmits the Certificate which includes the public key thereof and a root certificate of a Certificate Authority (CA) as a chain type.
The ServerKeyExchange is a message to be transmitted posterior to the Certificate. The ServerKeyExchange includes public key information of the H-SLP (server). Correct information related to the key information depends on a corresponding public key algorithm (e.g., RSA, Diffie-Hellman, or the like). The Certificate Request is a message to be transmitted posterior to the ServerKeyExchange. When requiring the public key information of the SET, the H-SLP uses the Certificate Request message in order to request a certificate. The ServerHello Done is a message to be transmitted posterior to the Certificate Request, and used in notifying the SET of the completion of an initial negotiation.
When the ServerHello Done is inputted from the H-SLP, the SET sequentially transmits to the H-SLP messages such as Certificate, ClientKeyExchange and CertificateVerify*, ChangeCipherSpec and Finished (ST3).
The ClientKeyExchange is a message to be transmitted after sending the Certificate, and includes key information (EncH-SLP—PK(pre-master secret) encrypted using the public key of the H-SLP. The key information denotes the most basic pre-master secret for making keys (Integrity Key, Ciphering Key, Initialization Vector, and the like) used for an actual encryption of the H-SLP. The corresponding key information is used in a symmetric encryption algorithm.
The CertificateVerify is a message to be transmitted posterior to the ClientKeyExchange. The CertificateVerify indicates whether the SET has a proper individual key with respect to the public key transmitted through the Certificate message. The CertificateVerify may include a value obtained by hashing and signing the key information of the SET and a content of the previous TLS handshake message.
At last, the H-SLP sequentially transmits ChangeCipherSpec and Finished messages, and terminates every full handshake procedures for setting the first TLS session (ST4). The ChangeCipherSpec is a message to be transmitted posterior to the CertificateVerify, and notifies a time point for performing encryption after terminating the negotiation between the H-SLP and the SET. Here, the SET changes the TLS session state from a pending state into a current state. The Finished is a message to be transmitted posterior to the ChangeCipherSpec. The Finished message indicates whether the negotiation is successfully completed or that damages have not occurred on security parameters during the negotiation.
According to such the procedures, upon setting the first TLS session, the SET transmits the SUPL START message to the H-SLP to notify an initiation of the SUPL procedure (S12). The H-SLP determines the location information of the V-SLP to which the SET belongs to thereafter recognize the roaming of the SET. The H-SLP then re-transfers the SUPL START message to the V-SLC through the RLP SSRLIR message (S13).
The V-SLC notifies the V-SPC of the initiation of the SUPL procedure through the internal initialization with the V-SPC and exchanges required information therewith. The V-SLC transfers the SUPL RESPONSE message including the V-SPC address to the H-SLP through the RLP SSRLIA message, in response to the RLP SSRLIR message (S14). The H-SLP transmits the SUPL RESPONSE message to the SET.
Hence, the SET terminates the IP connection with the H-SLP and the first TLS session therewith, and performs the step S17 for setting the second TLS session with the V-SPC.
That is, in the SUPL-based positioning system, when the SET performs the roaming from the H-SLP to the V-SLP to receive the positioning service from a new location server (V-SPC), a new TLS session should be generated between the SET and the V-SPC. In this case, the parameters having set between the H-SLP and the SET such as key information for encryption, signature and integrity check should be newly set.
However, the procedure for setting the new (second) TLS session is the same as the procedure for setting the first TLS session as illustrated in FIG. 2. Accordingly, the terminal should initially set the TLS session with the H-SLP according to the full handshake for the mutual authentication, and thereafter should generate the new TLS session according to the same full handshake whenever the terminal roams to the V-SLP, which disadvantageously increases time and resources required for the switching of the authentication and encryption keys during the roaming.