The invention relates to a method for providing connection security for transmission between the communicating parties in a telecommunication network.
At the beginning of a communication a handshake is usually performed between applications in telecommunication networks, during which the parties involved typically authenticate each other and exchange key information, for example, negotiate an encryption algorithm and cryptographic keys to be used in communication. It is only after the handshake that the actual data is transmitted. The confidentiality of the transmission is arranged, for example, through ciphering. FIGS. 1a and 1b of the attached drawings show block diagrams of two known cipher algorithms which can be used to protect a transmission: a symmetric and a public key algorithm.
FIG. 1a shows a symmetric algorithm based on a secret key shared between the participants. At party A""s end the message M to be sent to party B is encrypted in box E of FIG. 1a with the shared secret key K. The message is sent over a transmission route as encrypted cipher text C, which party B can decrypt in box D shown in FIG. 1a with the same secret key K. Through decryption party B gets the original message M. An intruder eavesdropping transmission needs to know the secret key K in order to be able to read and understand the transmitted cipher text C. The encryption and decryption of the symmetric algorithm can be expressed by the equations:
C=EK(M)
M=DK(C),
where C is the cipher text, M is the message in plain text, EK is the encryption with key K, and DK is the decryption with key K.
FIG. 1b shows a public key algorithm which is an asymmetric approach. This algorithm is based on two keys: a public key and a private key. These two keys are related in such a manner that a message encrypted with a public key K+ can only be decrypted with the corresponding private key Kxe2x88x92 and vice versa. In FIG. 1b a message M is encrypted at party A""s end in box E with the public key K+ of the intended receiver, that is party B. The encrypted cipher text C is transmitted over a transmission line to party B""s end, where the cipher text C is decrypted in box D with the corresponding party B""s private key Kxe2x88x92 and the original message M is retrieved. The encryption and decryption of the asymmetric algorithm can also be expressed by the following equations:
C=EB+(M)
M=DBxe2x88x92(C),
where C is the cipher text, M is the message in plain text, EB+ is encryption with the receiver""s public key KB+, and DBxe2x88x92 is decryption with the receiver""s private key KBxe2x88x92.
In the public key algorithm the encryption of a message with the private key Kxe2x88x92 of the message sender acts as a signature, since anyone can decrypt the message with the known public key K+ of the sender. Since asymmetric keys are usually much longer than symmetric keys, the asymmetric algorithm requires much more processing power. Thus asymmetric algorithms are unsuitable for encrypting large amounts of data.
A hybrid cryptography uses both the above-mentioned algorithms together. For example, only session keys are exchanged using public key algorithm, and the rest of the communication is encrypted with symmetric method.
To provide message integrity and authentication in a connection, a message authentication code MAC is calculated and attached to the transmitted message. For example, MAC can be calculated with a one-way hash algorithm in the following way:
h=H(K, M, K),
where K is the key, M is the message, and H is the hash function. The input cannot be deduced from the output. When MAC is attached to a message, the message cannot be corrupted or impersonated. The receiving party calculates MAC using the received message and the same hash function and key as the transmitting party and compares this calculated MAC to the MAC attached to the message in order to verify it.
FIG. 2 shows examples for communication connections. A mobile station MS operating in the GSM network (Global System for Mobile communications) is able to make a connection to a bank directly from the GSM network. Other possible connections presented in FIG. 2 are connections from the GSM network to different services via gateway GW and Internet. In mobile communication networks, such as the GSM, the air interface from the mobile station MS to the GSM network is well protected against misuse, but the rest of the transmission route is as vulnerable as any other public telephone network, providing measures are not taken to provide connection security.
One problem with providing connection security is that handshaking requires plenty of processing time since several messages must be sent between the parties involved. The low processing power and narrow bandwidth in the mobile stations make handshakes particularly burdensome in mobile communication networks. Handshakes are also burdensome for applications which have numerous simultaneous transactions, for example, a server in a bank. Therefore, it is desirable to minimize the number and duration of the handshakes. This leads to the problem that an attacker has lots of time for cryptanalysis, as the same encryption keys are used between the two handshakes. If the attacker succeeds in the cryptanalysis, he can access all the material sent between the two handshakes.
The object of this invention is to provide a method for securely protecting transmitted information between communicating applications, especially over narrow-band connections, without unnecessarily loading the communicating parties.
This is achieved by using a method according to the invention characterized by what is stated in the independent claim 1. Special embodiments of the invention are presented in the dependent claims.
The invention is based on the idea that the communicating parties recalculate the security parameters during the transmission session simultaneously with each other at agreed intervals and the continue communicating and providing connection security for messages with these new parameters. The communicating parties monitor the time for recalculation and at the agreed intervals recalculate and thus change the security parameters without a handshake taking place. In the primary embodiment of the invention, the messages are numbered and the number agreed on triggers recalculation at intervals.
The advantage of the method according to the invention is that security parameters can be changed during the session without handshaking. This reduces the need for handshakes.
Another advantage of the method according to the invention is that the security of the transmission is improved, i.e. attacking is made more difficult and less profitable.