1. Field of the Invention
The invention pertains to the protection and safety of telecommunication systems, and particularly to authentication of certain messages which are utilized to terminate an aspect of communications over an air interface involving a mobile station.
2. Related Art and Other Considerations
In a typical cellular radio system, wireless user equipment units (UEs) communicate via a radio access network (RAN) to one or more core networks. The user equipment units (UEs) can be mobile stations such as mobile telephones (“cellular” telephones) and laptops with mobile termination, and thus can be, for example, portable, pocket, hand-held, computer-included, or car-mounted mobile devices which communicate voice and/or data with radio access network. Alternatively, the wireless user equipment units can be fixed wireless devices, e.g., fixed cellular devices/terminals which are part of a wireless local loop or the like.
The radio access network (RAN) covers a geographical area which is divided into cell areas, with each cell area being served by a base station. A cell is a geographical area where radio coverage is provided by the radio base station equipment at a base station site. Each cell is identified by a unique identity, which is broadcast in the cell. The base stations communicate over the air interface (e.g., radio frequencies) with the user equipment units (UE) within range of the base stations. In the radio access network, several base stations are typically connected (e.g., by landlines or microwave) to a radio network controller (RNC). The radio network controller, also sometimes termed a base station controller (BSC), supervises and coordinates various activities of the plural base stations connected thereto. The radio network controllers are typically connected to one or more core networks. The core network has two service domains, with an RNC having an interface to both of these domains.
One example of a radio access network is the Universal Mobile Telecommunications (UMTS) Terrestrial Radio Access Network (UTRAN). The UMTS is a third generation system which in some respects builds upon the radio access technology known as Global System for Mobile communications (GSM) developed in Europe. UTRAN is essentially a radio access network providing wideband code division multiple access (WCDMA) to user equipment units (UEs). The Third Generation Partnership Project (3GPP) has undertaken to evolve further the UTRAN and GSM-based radio access network technologies.
Other types of telecommunications systems which encompass radio access networks include the following: Advance Mobile Phone Service (AMPS) system; the Narrowband AMPS system (NAMPS); the Total Access Communications System (TACS); the Personal Digital Cellular (PDS) system; the United States Digital Cellular (USDC) system; and the code division multiple access (CDMA) system described in EIA/TIA IS-95.
There are certain procedures in telecommunications systems which essentially involve termination or cessation of some type of interaction with a mobile station such as a user equipment unit. The interaction may be, for example, a radio connection between the user equipment unit and the radio access network (e.g., a RRC connection), or tracking of the user equipment unit by the core network. In the situation of termination of the radio connection with the radio access network, a message such as a release message may initiate the connection release. In the case where it is no longer necessary for the core network to track the user equipment unit, a detach message may be employed to initiate a detach operation. Thus, both the connection release message and the detach message are examples of termination or cessation messages.
As explained below, security issues can arise if an unauthorized party is able to initiate otherwise unrequested and undesired instances of a termination or cessation message. As a precursor for an understanding of the circumstances in which such security issues can arise, brief and generalized comments regarding various topics are provided below. These topics include routing areas; location areas; signalling protocols employed between the radio access network and the user equipment unit (including modes and states of modes of models of such protocols); and, failure of a radio access network control node. These topics culminate with further information regarding the connection release and detach procedures.
The topology of a radio access network can be conceptualized in areas or units larger than cells. Taking the UTRAN as an example radio access network, a UTRAN Routing Area (URA) is a geographical area comprising one or more cells. Each URA is identified by a unique identity which is broadcast in all cells belonging to the URA. A URA can comprise cells controlled by more than one RNC. A URA with cells in more than one RNC is overlapping between the RNCs, i.e. an overlapping URA.
As another example from UTRAN, a Location Area (LA) is a geographical area comprising one or more cells. Each LA is identified by a unique identity sent on the broadcast channel, in the same way as the URA. However, a location area is used by the core network to track the location of the UE (in idle mode and in connected mode), while the URA is used by the radio access network to track the location of the UE in connected mode. Typically, a location area is geographically larger than a URA. For each location area there are one or several RNCs having cells in that particular location area. The relationship between location area and RNC is stored in the core network.
Radio access networks typically have a particular signalling protocol employed between the radio access network and the user equipment unit to support the management of radio resources. For example, UTRAN has its Radio Resource Control (RRC) layer 3 signalling protocol. A user equipment unit in the RRC protocol operates in a state model conceptualized as having two modes: an Idle Mode and a Connected Mode. The Idle Mode is entered after power on. In Idle Mode there is no connection between the user equipment unit (UE) and the UTRAN. When an RRC connection is established, the user equipment unit (UE) is assigned a U-RNTI and the user equipment unit (UE) enters Connected Mode. The U-RNTI (UTRAN Radio Network Temporary Identity) is a global identity, which can be used in any cell in the UTRAN. In Connected Mode, the RNC in charge of the RRC connection for this UE is denoted as the Serving RNC (SRNC). The U-RNTI consists of two parts: the SRNC-identity (which within UTRAN identifies the SRNC for this UE) and the Serving RNTI (S-RNTI) which identifies the RRC connection within the particular SRNC.
As illustrated by FIG. 11, within Connected Mode there are four different states: CELL_DCH state; CELL_FACH state; CELL_PCH state; and URA_PCH. As summarized briefly below, each state reflects a different level of activity.
The CELL_DCH state is characterized, e.g., by having a dedicated channel (DCH) assigned to the user equipment unit (UE). Macro-diversity may be used between DCHs of several cells. In the CELL_DCH state, there is a dedicated control channel (DCCH) used for transmission of signalling messages between the user equipment unit (UE) and the UTRAN.
In the CELL_FACH state, no dedicated physical channel is assigned, but the user equipment unit (UE) listens continuously to a common channel (the FACH) in the downlink belonging to the selected cell. In the uplink, the user equipment unit (UE) typically uses a random access channel (RACH). At each cell reselection, the user equipment unit (UE) updates the network with its current cell location. In this state, there is a dedicated control channel (DCCH) used for transmission of signalling messages between the user equipment unit (UE) and the UTRAN. The DCCH is implemented by appending the Radio Network Temporary Identity (U-RNTI or C-RNTI) to all signalling messages, and thus addressing an individual UE. As mentioned previously, the U-RNTI (UTRAN RNTI) is a global identity, which can be used in any cell in the UTRAN. The C-RNTI (Cell RNTI) is only significant in a single cell, and has to be reallocated in every cell. On the other hand, the C-RNTI is much shorter than the U-RNTI, which saves space over the radio interface when it is used. There is also a CCCH (Common control channel) in this state, which is used when the connection to the SRNC is not available, such as after cell reselection over RNC borders, when the CELL UPDATE or URA UPDATE message is sent to the DRNC.
In the CELL_PCH state, the user equipment unit (UE) monitors a paging channel (PCH) of a selected cell. On the PCH, the user equipment unit (UE) uses discontinuous reception (DRX) to save power, and the scheme for when to listen is agreed between the network and the user equipment unit (UE) on a per user equipment unit (UE) basis. Also in the CELL_PCH state the user equipment unit (UE) updates the network with its current cell location at cell reselection. No DCCH is available in the CELL_PCH state. On the PCH, means for addressing individual user equipment units (UEs) exist (using the U-RNTI), but the user equipment unit (UE) can not transport any signalling messages to the network.
The URA_PCH state is almost identical to the CELL_PCH state. The difference is that the user equipment unit (UE) only updates the network with its location after crossing URA borders. As mentioned before, the URA (UTRAN Registration Area) is a group of cells. This means that in this state the position of the user equipment unit (UE) is in general known only on URA level.
Unfortunately, a control node of a radio access network, such as a radio network controller (RNC) of the UTRAN, may experience a failure which seriously affects the control node, either in whole or in part. When such a failure occurs, certain information about the context of the user equipment unit, known as the “UE context” in the UTRAN, may be lost, particularly upon reset of the control node.
The information included in UE context comprises, among others, the following parameters: IMSI (the international mobile subscriber identity); C-ID; D-RNTI; and RNC Identity of the DRNC where the user equipment unit (UE) is currently located. The international mobile subscriber identity (IMSI) [which comprises not more than fifteen digits] comprises three components: a mobile country code (MCC)[three digits]; a mobile network code (MNC)[two or three digits]; and a mobile subscriber identification number (MSIN). The D-RNTI parameter is similar to S-RNTI parameter, but identifies the UE context information in the DRNC. The C-ID parameter is the Cell Identity of where the UE is currently located. The C-ID parameter is not applicable to the UEs in the URA_PCH state, since the location of a user equipment unit (UE) in the URA_PCH state is not known to the cell level, but rather is known on URA level (a group of cells defined as one URA). With regard to the RNC Identity parameter, it is noted that in the Cell_DCH state there could be many simultaneous radio links (RLs), so there could conceivably be as many RNCs (at least theoretically) handling legs of connections to the UE.
In a failure case, when the radio connection is lost, the user equipment unit (UE) and UTRAN enter Idle Mode when a failure is detected. Failure detection is quickest in the CELL_DCH state, as the physical channel is lost in that case. The user equipment units in the CELL_DCH state may expect a loss of synchronization and, at the recovery, go to CELL_FACH state after having selected a suitable cell. During the recovery, they attempt to reach UTRAN on a random access channel (such as the RACH). If that fails, they enter Idle Mode. When there is a loss of a radio connection with the radio access network (for example, a loss of the RRC connection), the user equipment units in states comparable to the CELL_FACH, CELL_PCH and URA_PCH states will not necessarily notice the loss. Moreover, in the CELL_FACH, CELL_PCH and URA_PCH states, in the circumstances in which failure can be detected, such failure detection is much slower, since it relies on periodic supervision at an interval of a set number of minutes, in which the user equipment unit (UE) makes a periodic CELL UPDATE or URA UPDATE depending on the state.
If an RNC which loses the UE context (for a UE for which it was the SRNC) receives a paging request originated at the core network, the RNC assumes the user equipment unit is in idle mode. Therefore, the RNC will page the user equipment unit with the core network UE identity. However, if the user equipment unit is still in the connected mode, the user equipment unit will only detect paging using the identity in connected mode, that is the U-RNTI.
As now briefly and generally explained, the core network UE identity (such as the TMSI) cannot be used for paging the UE in the connected mode. In the idle mode the user equipment unit reads the location area identity on the broadcast channel and makes a registration towards the core network when it changes location area. Upon registration, the user equipment unit receives a new core network UE identity (TMSI), since the TMSI is only valid within a location area. In the connected mode the serving RNC controls the location area in which the user equipment unit is registered towards the core network. The core network knows in which location area the user equipment unit is registered, and will upon paging send the paging request to each RNC having cells in that location area. In connected mode the location area identity is always sent directly to each user equipment unit from the SRNC on a dedicated control channel. The connected mode user equipment unit ignores the location area identity on the broadcast channel. Thus, the connected mode user equipment unit may camp in a cell whose broadcast channel carries a different location area identity than the location area in which the TMSI is valid.
To ensure that the user equipment units (for which contexts are lost in the RNC) are reachable by core network-originated paging after the RNC reset, it is important to bring such user equipment units to idle mode. Since there may be a lot of UE contexts lost in a worst scenario, a “mass release” of user equipment units may be needed. To “release” a radio connection such as an RRC connection between the radio access network (like UTRAN) and the mobile terminal (like the user equipment unit), the mobile terminal must leave the connected mode and enter idle mode. There are several known methods for releasing such a radio connection.
In a normal case of releasing a radio connection, illustrated in the context of the RRC connection of UTRAN, the network sends a RRC CONNECTION RELEASE message to the user equipment unit on the dedicated control channel (DCCH). The user equipment unit acknowledges receipt of the release message by transmitting a RRC CONNECTION RELEASE COMPLETE, and then entering idle mode so that the initiating party can enter idle mode as well. After the release, the U-RNTI that was allocated by the connection can be reused by another connection.
A possibility has been introduced in WCDMA to transmit the RRC CONNECTION RELEASE message on a common control channel (CCCH). The purpose of this solution is to enable the DRNC to release the connection to a given user equipment unit (UE), if the SRNC can not transmit the message (the DCCH originates in the SRNC).
In the conventional practice, only one user equipment unit (UE) at a time can be released using the RRC CONNECTION RELEASE message sent from UTRAN to the user equipment unit (UE). Radio connection release on a user equipment unit by user equipment unit basis is generally satisfactory in most situations. However, in a failure situation when all connections belonging to an RNC (SRNC or DRNC) have to be released (like restart of the RNC, or when a reset is received from the core network), this conventional practice entails an enormous amount of signaling messages. Such massive signaling causes significant load in the radio network control (RNC) node(s) as well as over the radio interface. Since the resources are limited, the RRC CONNECTION RELEASE messages can not be sent instantaneously to all UEs and thus they will take some time to transmit. This delay will typically cause inconvenience for the user. Moreover, this delay increases the risk that a U-RNTI, already in use by a first user equipment unit (UE), will be prematurely allocated to a new connection. Furthermore, in case of restart of a radio network control (RNC) node, the RNC may forget which U-RNTIs were allocated to user equipment units (UEs) before the restart.
In view of the foregoing, the release of plural radio connections using a single release message (known as the “omnibus release message”) has been proposed in U.S. patent application Ser. No. 09/852,915, filed May 11, 2001, and entitled “RELEASING PLURAL RADIO CONNECTIONS WITH OMNIBUS RELEASE MESSAGE,” which is incorporated herein by reference in its entirety. The omnibus release message makes it possible to save signalling and reduce the delay by addressing multiple UEs in the same release message on the CCCH or the PCCH.
Typically there is some type of protocol employed between the UE and the core network domain to support the mobility, identification and security of the UEs, e.g., a Mobility Management (MM) protocol is used between the UE and the core network domain to support the mobility, identification and security of the UEs. A MM protocol UE state model is illustrated in FIG. 12 as having three states: a MM-connected state; a MM-idle state; and, a MM-detached state.
In the MM-connected state, the mobile communicates with the core network domain over a signalling connection. The signalling connection requires that a radio connection (e.g., an RRC connection) between the UE and the radio access network be established (that is, the RRC protocol is in one of the states in connected mode). The location of the mobile is in this state tracked by radio resource control functions, using e.g. handover, normally on cell level using the RRC protocol.
In the MM-idle state, there is no ongoing communication between the core network domain and the specific mobile. Since there may be two parallel MM protocols (one for each core network domain), the RRC layer may either be in idle mode or in connected mode. The location of the mobile is tracked on registration area level and stored in the core network domain. The mobile listens to paging. From the core network domain, the UE is reachable by paging in the registration area.
In the MM-detached state, the location of the mobile is not known by the core network domain. The mobile is “switched off”.
The release operation is just one type of operation in which some type of interaction involving a mobile station (user equipment unit) is terminated or ceased. In the release operation a signaling protocol connection is the type of interaction which is terminated or ceased. Another type of cessation or termination of interaction is a detach operation, which can occur (for example) upon powering down of the mobile station.
In the above regard, a detach procedure is used to bring the user equipment unit to the MM-detached state (see FIG. 12). The detach procedure is typically run when the user presses the “off” button on the user equipment unit in order to power down. In this situation, the detach message is sent from the user equipment unit to the core network domain at power off of the user equipment unit. The core network domain may then mark this user equipment unit as detached. This makes it possible to avoid unnecessary paging towards powered off user equipment units at a mobile terminating call request.
To run the detach procedure, a signalling connection needs to be established. If there is no signalling connection (e.g., if the user equipment unit is in MM-idle state) when the user presses the “off” button, the signalling connection needs to be established first. And if there is no signalling connection for any other core network domain presently involved, the radio connection will also need to be established.
Basic aspects of a conventional detach procedure are illustrated in FIG. 13, wherein it is assumed that the signalling connection is already established (the MM layer for this core network domain is in MM-connected state). As step 13-1, the user equipment unit (UE) sends an IMSI DETACH INDICATION message on the signalling connection to the core network. The IMSI DETACH INDICATION message goes transparently through the radio access network to the core network node (e.g., to a MSC node in this example). The IMSI DETACH INDICATION message includes an identity of the user equipment unit (such as the TMSI or possibly the IMSI). When the core network node receives the IMSI DETACH INDICATION message, the core network initiates a release of the signalling connection, by sending (as step 13-2) an IU RELEASE message to the RNC. The radio access network (the RNC node) responds to the core network (advising that the release of the signalling connection will be undertaken) by sending (as step 13-3) an IU RELEASE COMPLETE message back to the core network node. The core network can now mark the user equipment unit as in MM-detached state. If any terminating calls are received at this point, the core network does not need to page the user equipment unit since the core network will assume that the user equipment unit is not reachable, and it will simply reply with a signal or voice message alerting the calling party that the called party is not reachable for the moment.
If the parallel MM layer for any other core network domain does not have a signalling connection, as step 13-4 the radio access network will initiate the RRC connection release procedure to the user equipment unit. The RRC connection release procedure will in this case release both the signalling connection and the radio connection (e.g., RRC connection). If there is another signalling connection established for the other CN domain, the radio access network will keep the RRC connection, and just release the signalling connection by sending a SIGNALLING CONNECTION RELEASE message.
After transmitting the IMSI DETACH INDICATION message, the user equipment unit starts a timer to supervise the release of the signalling connection. If the signalling connection is not released by the network before the expiry of this timer, e.g. if some of the messages do not get through (e.g. IMSI DETACH INDICATION or the RRC CONNECTION RELEASE message), the UE will release the signalling connection locally and enter MM-detached state.
On the network side, the release of the signalling connection is supervised as well. If the user equipment unit does not respond (in the case above with the last signalling connection), the radio access network will delete all information about the user equipment unit and assume the radio channel was lost.
Since the user equipment unit is about to power off when the detach procedure is run, the detach procedure has to be fast. To speed up the detach procedure, it is not required to start security functions like encryption for these messages. If encryption were to be started, several messages would be needed, including a possible authentication procedure between the UE and the core network.
A shortcoming of the omnibus release message alluded to previously is that a non-friendly party can use this message nefariously but efficiently to release user equipment units. Since the message has to be sent unencrypted and includes publicly available information, this message can, if available to an intruder, be a serious security threat.
A similar security issue arises with respect to the detach procedure with its IMSI DETACH INDICATION message, which conventionally is not protected by any security functions, like authentication and/or ciphering and/or integrity. This means, for example, that an intruder can send the IMSI DETACH INDICATION message on behalf of another user equipment unit by including this UE's identity in the IMSI DETACH INDICATION message. Since the core network, as part of its handling of the unsuccessful cases of this procedure, will mark the user equipment unit as detached even if the user equipment unit did not respond to the request to release the signalling connection, this user equipment unit will not be able to receive any calls. This will happen even if the user equipment unit in reality did not detach. Thus, it could be possible to detach a lot of user equipment units by detaching them one by one, cycling through the whole value range of user equipment unit identities (e.g., using a fake user equipment unit).
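The following toy model, added here and not taken from the patent or from any 3GPP implementation, walks through the conventional detach handling of FIG. 13 (steps 13-1 to 13-4) from the core network's side and shows why the unprotected IMSI DETACH INDICATION marks a still-registered UE as detached. The `check_binding` option is an assumed, illustrative check (the identity carried in the message must be the one the signalling connection was established for); it is not the authentication system the patent proposes, and the TMSI values and connection ids are constructed sample data.

```python
from dataclasses import dataclass, field

MM_CONNECTED, MM_IDLE, MM_DETACHED = "MM-connected", "MM-idle", "MM-detached"


@dataclass
class CoreNetworkDomain:
    """Toy core network domain (e.g. an MSC) tracking the MM state of each UE by TMSI."""
    mm_state: dict = field(default_factory=dict)   # TMSI -> MM state
    conn_owner: dict = field(default_factory=dict)  # signalling connection id -> TMSI it was set up for
    trace: list = field(default_factory=list)       # messages exchanged, kept for inspection

    def register(self, tmsi):
        # UE registered in the location area and reachable by paging (MM-idle)
        self.mm_state[tmsi] = MM_IDLE

    def open_signalling_connection(self, conn_id, tmsi):
        # a signalling connection is set up for a UE (MM-connected for this domain)
        self.conn_owner[conn_id] = tmsi
        self.mm_state[tmsi] = MM_CONNECTED

    def imsi_detach_indication(self, conn_id, claimed_tmsi, ue_acks_release, check_binding=False):
        """Handle an IMSI DETACH INDICATION (step 13-1) received on signalling connection conn_id.

        check_binding=False is the conventional handling: the identity carried in the
        message is trusted as-is and the UE is marked detached even when it never
        answers the release. check_binding=True is an assumed, illustrative check,
        not the patent's method: the claimed identity must match the identity the
        signalling connection was established for.
        """
        if check_binding and self.conn_owner.get(conn_id) != claimed_tmsi:
            self.trace.append(("DETACH REJECTED", conn_id, claimed_tmsi))
            return self.mm_state.get(claimed_tmsi)
        self.trace.append(("IU RELEASE", conn_id))            # step 13-2, CN -> RNC
        self.trace.append(("IU RELEASE COMPLETE", conn_id))   # step 13-3, RNC -> CN
        # step 13-4: the RAN releases the RRC connection; whether or not the UE
        # acknowledges, the network side times out and the CN marks it detached
        self.trace.append(("RRC CONNECTION RELEASE", conn_id, "COMPLETE" if ue_acks_release else "timeout"))
        self.conn_owner.pop(conn_id, None)
        self.mm_state[claimed_tmsi] = MM_DETACHED
        return MM_DETACHED

    def will_page(self, tmsi):
        # on a mobile terminating call the CN pages only UEs it does not consider detached
        return self.mm_state.get(tmsi) != MM_DETACHED


def victim_state_after_spoofed_detach(check_binding):
    """Constructed scenario: a detach naming a registered UE arrives on a connection
    that was set up for a different UE. Returns (victim MM state, will the CN page it)."""
    cn = CoreNetworkDomain()
    victim, other = "TMSI-0001", "TMSI-0002"   # constructed sample identities
    cn.register(victim)                        # victim is MM-idle, reachable by paging
    cn.open_signalling_connection("conn-B", other)
    cn.imsi_detach_indication("conn-B", victim, ue_acks_release=False, check_binding=check_binding)
    return cn.mm_state[victim], cn.will_page(victim)


if __name__ == "__main__":
    print("conventional handling:", victim_state_after_spoofed_detach(False))
    print("with binding check:   ", victim_state_after_spoofed_detach(True))
```

Run as a script it prints that the conventional handling leaves the victim detached and unpaged, while the binding check leaves it MM-idle and still pageable.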
What is needed, therefore, and described herein, is an authentication system which averts unauthorized termination of interaction with a mobile node such as a user equipment unit.