The present invention relates to the field of telecommunications. More particularly, the present invention relates to the field of wireless, mobile telecommunications.
FIG. 1 illustrates an exemplary wireless network 100, such as a wireless local area network. As shown, the wireless network 100 includes a fixed network portion 105, wherein fixed network portion 105 typically includes transmission equipment that communicates with various systems (not shown) that are external to the wireless network 100, such as a publically switched telephone network and/or the Internet. The fixed network portion 105 is further connected to a number of fixed radio stations known as base stations or access points, for example, access points AP1 and AP2. Each of the access points, in turn, are capable of communicating with one or more mobile terminals, such as mobile terminal MT, over a radio (i.e., a wireless) interface.
Further with regard to FIG. 1, each of the access points, AP1 and AP2 primarily communicates with a mobile terminal in a corresponding cell C1 and C2 respectively. Moreover, it will be understood that a mobile terminal MT, communicating through an access point AP1 is generally located within the cell C1 corresponding to the access point AP1. However, as the mobile terminal MT moves away from access point AP1, as indicated by the arrow 110, toward another access point, for example AP2 and its corresponding cell C2, the signal quality associated with the communication link between the mobile terminal MT and the access point AP1 tends to decrease. If the mobile terminal MT continues to move away from the access point AP1, and the signal quality associated with the communication link between the mobile terminal MT and the access point AP1 continues to deteriorate, the communications link will, in all likelihood, be lost if the connection is not passed off or transferred from the access point AP1 to another access point, such as, access point AP2. The process of passing off or transferring the connection from AP1 to AP2 is known as handover or, alternatively, handoff.
During handover, the commnunications link associated with a mobile terminal is highly susceptible to intruders, that is, entities that wish to hijack or simply disrupt the communications link. For instance, an intruding device can, during a handover, present itself to the new access point (i.e., the access point to which the mobile terminal is attempting to establish a communications link). If the new access point accepts the intruding device as the mobile terminal, the access point may begin transmitting information to the intruder that is intended for the mobile terminal.
Although providing security for communications between a mobile terminal and one or more access points at all times is an important concern, providing a method and/or system that does so particularly during handover would be highly desirable.
The present invention is of particular relevance to mobile telecommunications networks, wherein mobile terminals undergo handover from one radio station (i.e., access point) to another as they move from one cell to another within the telecommunications network. More particularly, the present invention involves protecting communications associated with a mobile terminal against unauthorized intrusion when the mobile terminal undergoes a handover from one access point to another.
In accordance with one aspect of the present invention, a method and/or a telecommunications network is provided for achieving secure handover of a mobile terminal from a first access point to a second access point, wherein the first access point and the second access point are physically connected through a fixed network. The method and/or network involves transmitting a security token from the first access point to the mobile terminal, and then from the mobile terminal to the second access point over a radio interface. The security token is then transmitted from the first access point to the second access point through the fixed network. A communication link is then established between the mobile terminal and the second access point, to achieve secure handover, if the second access point determines that the security token received from the mobile terminal matches the security token received from the first access point.
In accordance with another aspect of the present invention a method and/or a telecommunications network is provided for achieving secure handover of a mobile terminal from a first access point to a second access point. The method and/or network involves transmitting a first message from the first access point to the mobile terminal over a radio interface, the first message containing an encrypted security token and a hash code. Then, in the mobile terminal, the encrypted security token is deciphered using an encryption key that is shared by the mobile terminal and the first access point. The mobile terminal then re-encrypts the security token using an encryption key that it shares with the second access point. Thereafter, a message is transmitted from the mobile terminal to the second access point, this second message containing the re-encrypted security token and the hash code. The second access point then deciphers the re-encrypted security token using the encryption key that it shares with mobile terminal. Finally, a communications link is established between the mobile terminal and the second access point, to achieve secure handover, if the second access point authenticates the mobile terminal based on the deciphered security token and the hash code.