The present invention relates to a method and apparatus for protecting cordless telephone account authentication information. More particularly, the present invention relates to an apparatus and method for use in a telecommunication system including a local unit and a remote unit wherein the local unit generates an encrypted confirmation responsive to an inquiry received from the remote unit, using account authentication information as an encryption key.
Wireless telephony systems have become increasingly common. In such systems, a subscriber uses a local unit or handset to communicate via radio frequency transmissions with a remote unit, thereby accessing the standard telephone network. Such wireless systems include cellular telephone systems in North America and cordless or CT2 systems in Europe and Asia.
Each handset capable of communicating with the remote unit is provided with a unique network identity. This unique identity is used for limiting access to the network to authorized subscribers. This unique identity is also used for subscriber billing and recordkeeping. Thus, the unique identity may be considered to be an account number.
Since access to the wireless telephone network is limited to authorized subscribers, and since the account number is used for billing calls made over the network, there is a substantial need for maintaining the secrecy of the account number. While the account number is unique to a given handset, the account numbers are portable in that a valid account number may be used with any handset. However, the handset must be programmed with the account number.
When a communication such as a telephone call is initiated between the handset and the remote unit, the remote unit transmits a challenge to the handset. This challenge may be in the form of a 32-bit digital random number. The handset has been pre-programmed with the account number and thus stores the account number internally. Upon receiving the transmitted challenge, the handset encrypts a confirmation or response using the stored account number. The confirmation is encrypted in order to maintain secrecy of the account number. If a confirmation including the account number were transmitted unencrypted, it could be received by an unauthorized party and a different handset could be programmed with the account number, allowing fraudulent use of the account number.
For example, in the CT2 system, the handset may store a 64-bit digital account number. The handset encrypts the 64-bit account number with the proprietary encryption function "F", using the challenge as the encryption key, to produce a 32-bit encrypted confirmation. The handset then transmits the encrypted confirmation to the remote unit. The remote unit compares the received ciphered key with an expected value for the ciphered key. If the values match, the handset and account number are considered to be authorized for the communication transaction to proceed.
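The challenge and confirmation exchange described above can be sketched as follows. This is an added example, not part of the original text: the function "F" is proprietary, so a truncated HMAC-SHA256 keyed with the account number stands in for it as an assumption, and the account numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets

ACCOUNT = 0x0123456789ABCDEF        # constructed 64-bit account number
OTHER_ACCOUNT = 0x0FEDCBA987654321  # constructed, a different account


def stand_in_f(account_number, challenge):
    """Stand-in for the proprietary "F" (assumption: HMAC-SHA256 cut to 32 bits).
    Combines the secret 64-bit account number with the 32-bit challenge."""
    key = account_number.to_bytes(8, "big")
    msg = challenge.to_bytes(4, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big")


class RemoteUnit:
    """Remote-unit side: issues a fresh challenge and checks the confirmation."""

    def __init__(self, account_number):
        self.account_number = account_number
        self.pending = None

    def issue_challenge(self):
        self.pending = secrets.randbits(32)  # 32-bit random challenge
        return self.pending

    def verify(self, confirmation):
        if self.pending is None or not 0 <= confirmation < 2**32:
            return False
        expected = stand_in_f(self.account_number, self.pending)
        self.pending = None  # a challenge is accepted at most once
        return hmac.compare_digest(expected.to_bytes(4, "big"),
                                   confirmation.to_bytes(4, "big"))


def run_exchange():
    remote = RemoteUnit(ACCOUNT)
    challenge = remote.issue_challenge()
    confirmation = stand_in_f(ACCOUNT, challenge)  # handset side; only this is sent
    genuine = remote.verify(confirmation)
    remote.issue_challenge()
    replayed = remote.verify(confirmation)  # old confirmation, new challenge
    challenge = remote.issue_challenge()
    wrong = remote.verify(stand_in_f(OTHER_ACCOUNT, challenge))
    return genuine, replayed, wrong


if __name__ == "__main__":
    print(run_exchange())
```

Only the challenge and the 32-bit confirmation cross the radio link; a recorded confirmation is rejected against a fresh challenge, which is why the account number itself is the value the handset hardware has to protect.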
The unique account number is stored within the handset at the time the handset is provided to the subscriber and the account is opened between the subscriber and the operator of the wireless telephone network. Therefore, the apparatus which stores the account number must be readily programmable. Moreover, because account numbers may change, the apparatus which stores the account number must be capable of being reprogrammed. Further, as a consumer product, the handset is extremely cost-sensitive. Therefore, it is important that the apparatus for storing the account number and generating the encrypted response be inexpensive.
To reduce the risk of fraud, the account number is preferably stored within a semiconductor device, such as an integrated circuit. To prevent theft of the account number, the account number is never made available at the output pins of the integrated circuit. In operation, the external outputs, such as the pins of the integrated circuit, are electrically isolated to prevent disclosure of the stored account number. If the stored digital account number were ever available at the inputs and outputs of the integrated circuit, the account number would be available for copying and use in another handset.
Prior art techniques of protecting account number information stored within a handset have used non-volatile memory for programming the account number. When a subscriber registers for service with the wireless network operator, the account number has been stored in the non-volatile memory and the memory placed within the handset. The non-volatile memory device operates in conjunction with logic circuitry in encrypting the confirmation in response to a received challenge. In prior art devices, the non-volatile memory device and the logic circuitry have been combined in a single integrated circuit. When the account number is communicated from the non-volatile memory to the logic circuitry, the external output pins have been electrically isolated to prevent external disclosure of the account number.
However, combining non-volatile memory, such as EEPROM or Flash EPROM technology, on the same integrated circuit as logic circuitry, such as in a microcontroller, is very expensive. The semiconductor manufacturing processes capable of providing EEPROM and Flash EPROM are expensive relative to semiconductor manufacturing processes capable of providing logic circuitry only. Also, where the non-volatile memory device and the associated logic circuitry are combined in a single microcontroller, yield reductions due to non-volatile memory programming failures can greatly increase the expense of the finished device. Accordingly, there is a need in the art for an apparatus for generating an encrypted confirmation in a handset which utilizes integrated circuit devices which do not require both non-volatile and logic fabrication processes.
An alternative to the prior art technique of storing an account number in non-volatile memory located in the same integrated circuit device as control logic is storing the account number in a separate non-volatile memory integrated circuit device. In this technique, during the process of encrypting a confirmation in response to a received challenge, the stored account number is communicated from the non-volatile memory device to the control circuit. However, during the time when the stored account number is communicated from one integrated circuit device to another, it is susceptible to copying for fraudulent purposes.
Accordingly, there is a need in the art for an apparatus and a method for generating an encrypted confirmation which does not use a non-volatile memory fabrication process, yet which does not expose the stored account number for copying.