Cellular radio telephone systems typically include subscriber units (such as mobile or portable units) which communicate with a fixed network communication unit via RF transmissions. A typical fixed communication network includes at least a base station and a switching center. The switching center a subscriber unit accesses may not be his "home" switching center. In this case, the subscriber unit is termed a roamer. The switching center he accessed (termed the "visted" switching center) will communicate with his "home" switching center via the public switched telephone network (PSTN). One responsibility of the fixed network communication unit is to grant use of hte communication system to the subscriber unit after the requesting subscriber unit meets the authentication requirements of the system. In a typical cellular telephone communication system, each subscriber unit is assigned a telephone number (mobile identification number) (MIN) and an identification number (or serial number) (SN) which uniquely identifies the subscriber to any fixed network communication unit. Each subscriber unit has a unique identification number that distinguishes it from other subscriber units. The fixed network communication unit has access to these identification numbers through a database. Often these numbers are used by the fixed network communication units to bill subscribers for the time the subscriber uses the system. In the case of a roaming subscriber unit, the "visted" switching center must communicate with the subscriber's "home" system database to authenticate and bill the subscriber unit. If this communication is required for each call a subscriber unit makes, significant call setup delays will occur. When the subscriber calls another unit, he enters the phone number he wishes to call. The dialed phone number becomes the data to be sent to the fixed network communication unit. Data may also include other information regarding a third communication unit such as a unit's location.
Detection of a legitimate subscriber's identification number may be accomplished by RF eavesdropping or by purposeful or inadvertent divulgence of the MIN/SN combination by the radio telephone installer. Once the subscriber's telephone number and identification number is known (stolen), a thief may reprogram another subscriber unit with the stolen identification number causing two or more subscriber units to have the same MIN/SN combination. Cellular radio telephone systems have authentication procedures to deny access to subscribers not having legitimate identification numbers, but do not have the capability to detect multiple users or effectively neutralize the effect of an installer leaking subscriber identification numbers. Therefore, the legitimate user is billed for both the thief's use and his own use.
Several authentication techniques are known. EIA-553 section 2.3 specifies that each subscriber shall have a MIN and a factory set SN. The telephone number which the subscriber is attempting to contact is the data that is transmitted by the subscriber to the fixed network communication unit. Authentication is granted by this system if the MIN and corresponding SN are found in the fixed network communication unit database. Unfortunately, EIA-553 does not require the encipherment of the MIN or SN before transmission to the fixed network communication unit thereby permitting direct RF detection of any MIN or SN. In addition, this technique fails to provide protection against a thief that acquires a MIN/SN from an installer.
Another authentication technique is described in European cellular communication system recommendations generated by the Groupe Special Mobile (GSM); see sections: 02.09, 02.17, 03.20, and 12.03. This method additionally requires the subscriber to openly transmit a temporary mobile subscriber ID (TMSI) to the fixed network communication unit; the fixed network communication unit generates and sends a random number (RAND) to the subscriber. The enciphering technique requires the subscriber unit to autonomously retrieve at least three enciphering elements from its memory: a predetermined ciphering key, an SN (individual subscriber authentication key) and a MIN (international mobile subscriber identification number--IMSI). The subscriber then enciphers its SN and MIN using the cipher to construct the RAND into a signed response (SRES). The subscriber unit transmits this signed response back to the fixed network communication unit where the fixed network communication unit checks the SN, MIN, and ciphering key against its database using the subscriber's temporary ID (TMSI).
The fixed network communication unit generates its response to the same random number using the information retrieved from the database and compares the subscriber signed response to the fixed network communication unit generated response. If the responses are substantially equivalent, authentication is confirmed. The dialed telephone number is only allowed to be transmitted after authentication is granted. This system affords some protection against a thief that acquires the MIN/SN from an installer by enciphering the SN and reassigning a temporary TMSI each time the subscriber enters a different cell area.
Although one technique enciphers the subscriber's serial number before transmission, neither system detects multiple users. Detection of thieves once they acquire access is important to maintaining a secure system. Moreover, the random number transmission (required for encipherment) necessitates additional communication between the subscriber unit and the fixed network communication unit each time a call is made which increases the probability of transmission error and adds a transmission step to the fixed network communication unit's authentication protocol routine. In addition, authentication must be verified before the system will allow data to be accepted. Therefore data must be sent after the steps of the authentication procedure are complete.
Secure cellular systems also offer protection of conversations after authentication is granted. As is typical for cellular systems, the process of handing off a subscriber unit to another channel is needed for various reasons. These include maintaining communication link quality, minimizing co-channel interference between subscriber units, and managing traffic distributions. A handoff involves the transfer of communication between channels. Channelization may be in the form of time slots, frequencies, codes (as in spread spectrum type systems) and various combinations of these medium divisions. Handoffs include intracell handoffs, intercell handoffs, and intercluster handoffs. Intracell handoffs are those transfers between channels (voice or data) in the same cell; intercell handoffs are those transfers between channels in different cells, and intercluster handoffs are those transfers between channels in cells parented from different cell control units. In secure cellular systems wherein voice and/or data information is encrypted to avoid unauthorized detection of such information, handoffs introduce additional complications to maintaining encryption integrity.
In systems where absolute frame synchronization between base sites is not required, such as the proposed TDMA U.S. Digital Cellular system, subscriber units are only told which slots within a frame they must synchronize to after they are handed off. In a secure system however, voice encryption between the subscriber unit and any source basesite transceiver, typically requires an agreed starting point and must continue through the length of the call irrespective of the number of handoffs. At handoff, a conversation is already in progress, therefore lengthy gaps required to establish encryption synchronization must be avoided. Also, an intruder monitoring the channel at any point in the conversation should not be able to gain sufficient information to aid in any cryptanalysis effort.
One solution involves operating the encryption algorithm with a common mask that is reused for each slot of speech. However, this severely compromises the security of the encryption process since the same crypto-mask is repeated for each time slot thereby affording an intruder repeated chances for analyzing the same encryption process and consequently increasing the probability of decryption. At handoff this involves passing this mask from the source basesite (current serving basesite to the target basesite. This allows the encryption process to remain synchronized to the handoff channel. Also, since the speech coder continues to generate it's output sequence during pauses in the conversation (quiet periods) an intruder has a good chance of determining the encryption process during these pauses.
Another solution involves restarting the encryption process at each handoff. However, this requires the repetition of the exact cipher stream after each handoff. An intruder's probability of decoding the cipher stream each time a handoff occurs is greatly increased; particularly in microcellular systems. The method of encryption must allow for a high degree of variability to make decryption more difficult. As during the authentication process, any variable used in the encryption process should not be communicated over the airwaves.
Another solution involves using a continuous stream encryption process wherein the process must maintain its continuity during all handoffs for the same conversation. For example, the exact starting point would have to be agreed upon by the subscriber unit and source basesite. At handoff, the current contents of the encryption process as well as the exact point of transfer is agreed upon by the source basesite and the target basesite. This method does not readily lend itself to a non-synchronous system since the target site may not know the current stage of the encryption process. Also, the length of messages between basesites would increase since a large number of memory elements may be needed to define the history of the encryption algorithm as started by the subscriber unit so that the target site can generate the current state of the encryption process.
There exists a need for a substantially enhanced authentication technique for a cellular telecommunication system that detects fraudulent users and efficiently protects identification numbers from unauthorized detection. This technique should permit to access "visited" systems in an efficient and timely manner, while enabling the "visited" system to determine the legitimacy of the subscriber unit. The authentication method should restrict an illegitimate user's capacity to utilize the system in the case where access is inadvertently granted. Further, an adequate level of security resulting from encipherment should not require additional transmission processes or inject higher error levels during the authentication process. There also exists a need for an encryption process for use in a synchronous channel or a non-synchronous channel system that provides encryption integrity during handoffs between channels such that an intruder is substantially prevented from decoding the encryption process.