CN1193530C - Method and device for ensuring communication information security in code division multiple access communication system - Google Patents
- Publication number: CN1193530C (application CNB011156937A)
- Authority: CN (China)
- Prior art keywords: vocoder, cdma, information bits, encrypted, communication system
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Landscapes
- Mobile Radio Communication Systems (AREA)
Description
Technical field

The present invention relates to a CDMA communication system and, more particularly, to a method and device for securing communication information in a CDMA communication system, so that the system can carry on private communication while preventing eavesdropping.
Background

In a conventional CDMA communication system conforming to the IS-95 standard, the speaker's voice is digitally processed and compressed by a vocoder into information bits, which are modulated onto the reverse communication channel. The modulated signal is transmitted to the base station. At the base station the signal is restored to the original information bits, which are carried on over the forward communication channel and decoded back into the original speech by a vocoder. Through this procedure, remote mobile stations communicate with each other.

The conventional CDMA system has a drawback, however: the information bits that have passed through the vocoder can be captured in the base station or the switch, and captured information bits are easily decoded back into the original speech. The conventional CDMA system is therefore easily eavesdropped.

US Patent No. 5,727,064 discloses a technique addressing this drawback by adding an encryption unit to the long code generator. That technique cannot be applied to an unmodified conventional CDMA system, however, because it requires changes to the IS-95 CDMA equipment, and it is restricted when it comes to communication between different user groups that use different security keys.
Summary of the invention

An object of the present invention is to provide an apparatus and method for securing communication information in a CDMA communication system, which lets the system carry on private communication protected against eavesdropping or interception without modifying the conventional base stations and switching systems conforming to the IS-95 standard.

To achieve this object, the present invention provides an apparatus for securing communication information in a CDMA communication system, comprising:
- an encoder, which compresses the input signal into information bits of a predetermined length and produces vocoder packet information bits;
- an encryptor, which encrypts the vocoder packet information bits produced by the encoder;
- a CDMA framer, which adds a frame quality indicator and encoder tail bits to the encrypted vocoder packet information bits output by the encryptor, forming a CDMA frame;
- a CDMA frame transmitter, which convolutionally encodes, interleaves and spread-spectrum modulates the CDMA frame, in that order, and transmits it to the base station in the assigned frequency band;
- a CDMA frame receiver, which receives the signal sent by the base station and recovers the CDMA frame;
- a CDMA deframer, which extracts the encrypted vocoder packet information bits from the CDMA frame recovered by the CDMA frame receiver;
- a decryptor, which decrypts the encrypted vocoder packet information bits extracted by the CDMA deframer; and
- a decoder, which decodes the decrypted vocoder packet information bits output by the decryptor.

The encryptor encrypts the vocoder packet information bits with a block cipher and a security key; the decryptor decrypts them with the same block cipher and the security key it shares with the peer mobile station.

To achieve the same object, the present invention also provides a method for securing communication information in a CDMA communication system, comprising the steps of: encoding an analog input signal into information bits of a predetermined length and producing vocoder packet information bits; block-encrypting the encoded vocoder packet information bits with a block cipher and a security key; adding a frame quality indicator and encoder tail bits to the encrypted vocoder packet information bits to form a CDMA frame; and convolutionally encoding, interleaving and spread-spectrum modulating the CDMA frame, in that order, and transmitting it to the base station in the assigned frequency band.

The present invention further provides a method for securing communication information in a CDMA communication system, comprising the steps of: receiving the signal sent by the base station; restoring it to a CDMA frame; extracting the encrypted vocoder packet information bits from the restored CDMA frame; decrypting the encrypted vocoder packet information bits with a block cipher and a security key; and decoding the decrypted vocoder packet information bits.
Brief description of the drawings

The features and advantages of the present invention will become clearer from the following description taken together with the accompanying drawings, in which:

Figure 1 is a block diagram of the communication channels according to the present invention;

Figure 2 shows a DES algorithm suitable for the present invention;

Figure 3 shows a single iteration of the DES algorithm of Figure 2;

Figure 4 is a flowchart of the encryption/transmission process according to a preferred embodiment of the present invention;

Figure 5 is a flowchart of the reception/decryption process according to a preferred embodiment of the present invention.
Detailed description

1. Construction of the reverse/forward communication channels

Figure 1 is a block diagram of the communication channels according to the present invention. In Figure 1, the dash-dotted lines mark the main parts of the invention.

The reverse communication channel is described first with reference to Figure 1.

Speech from the microphone is digitized and compressed by vocoder 100 into vocoder packet information bits 141, which are passed to encryptor 140. Encryptor 140 encrypts all or part of the vocoder packet information bits 141 with a block cipher 170 (such as DES or Triple DES), producing encrypted vocoder packet information bits 142, which it passes to CDMA framer 110. The encryption uses a security key 160 that is either stored in encryptor 140 or exchanged in a secure manner. CDMA framer 110 appends a frame quality indicator and encoder tail bits to the encrypted vocoder packet information bits 142 to form a CDMA frame.

The forward communication channel is described next with reference to Figure 1.

Decryptor 150 decrypts all or part of the encrypted vocoder packet information bits 152 output by CDMA deframer 120, using the same block cipher 170 as the sender, to recover the original vocoder packet information bits 151, which it passes to vocoder 130. Decryption likewise uses a security key 160 that is either stored in decrypt­or 150 or exchanged in a secure manner. CDMA deframer 120 performs the inverse of what CDMA framer 110 does.
2. Encryption/decryption

Encryption of the vocoder packet information bits 141 and decryption of the encrypted vocoder packet information bits 152 are performed by block cipher 170 in units of bytes, so only a run of information bits whose length is a multiple of 8 is encrypted or decrypted.

For example, of the 172 information bits in an IS-95A 9600 bps frame (172 = 1 + 171, or 4 + 8 × 21):

(1) at full rate, the 171 bits of vocoder output that follow the first format bit (0) are all encrypted/decrypted (171 is not itself a multiple of 8; in the worked DES example below only the first 64 of them are enciphered); and

(2) at a lower rate (for example half rate, 80 bits), the bits within the remaining 168 that correspond to vocoder output are encrypted/decrypted, the first 4 format bits (for example 1000 for half rate) being left alone; in other words, only a part of the 172 bits is encrypted/decrypted.

When the computation feasible in the available time is insufficient to encrypt/decrypt all of these bits, however, only a part of them (for example 8 bytes) is encrypted/decrypted. Further, when the output of vocoder 100 is silence (its rate depends on the vocoder specification and is usually indicated by the format bits), the encryption/decryption may be omitted, in order to avoid repeated transmission of the same pattern and to avoid noise. In this way encryptor 140 and decryptor 150, implemented in software or hardware, perform encryption/decryption once every 20 ms after the vocoder has finished encoding.

For the encryption/decryption, DES (the Data Encryption Standard) as specified in FIPS PUB 46 (Federal Information Processing Standard 46) published by the US NIST (National Institute of Standards and Technology) may be chosen.

Figure 2 shows a DES algorithm suitable for the present invention, and Figure 3 shows a single iteration of the DES algorithm of Figure 2, which operates on a 64-bit text with a 56-bit security key. At full rate, for example, only the first 8 bytes (64 bits) of the 172 bits may be encrypted/decrypted. The 64-bit plaintext of Figure 2 (for example 01 23 45 67 89 ab cd e7) is then the 8 bytes of pure vocoder output among the 172 vocoder packet information bits output by vocoder 100, and the 56-bit key of Figure 2 (for example 01 23 45 67 89 ab cd) is the security key shared by the sending and receiving stations. The 172 encrypted vocoder packet information bits are obtained by placing the format bit in front of the 64-bit ciphertext output by encryptor 140 (for example c9 57 44 25 6a 5e d3 1d) and the remaining, unencrypted vocoder bits after it.

The decryption process, which is the inverse of the encryption process, is described next.

Decrypting the 8 encrypted bytes among the 172 encrypted vocoder packet information bits output by CDMA deframer 120 (the 64-bit ciphertext of Figure 2, for example c9 57 44 25 6a 5e d3 1d) with the 56-bit key of Figure 2 (for example 01 23 45 67 89 ab cd), running the steps of the encryption process in reverse order, recovers the original 64-bit plaintext (for example 01 23 45 67 89 ab cd e7; refer to Figure 4). The 172 vocoder packet information bits formed by joining the remaining 108 bits to the 64-bit plaintext are passed to vocoder 130, where they are decoded to recover the original speech.

Block ciphers such as DES and Triple DES are used in the encryption/decryption process described above.
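The per-frame DES step described in this section, as an added example that is not part of the patent or of any product implementing it. It is written in Go against the standard library's crypto/des and treats the 172-bit frame as one byte per bit, so the split the page describes is explicit: the format bit stays in the clear, the 64 bits after it go through one DES block, and the trailing 107 bits are untouched. Two things the page leaves unspecified are assumed here: the 7-byte key 01 23 45 67 89 ab cd is expanded to the 8-byte FIPS 46 key by inserting an odd-parity bit after each 7-bit group (the FIPS 46-3 layout; DES discards the parity bits), and the trailing vocoder bits are zero filler. Because of that assumption the example prints the ciphertext of the page's sample plaintext rather than asserting that it equals the c9 57 44 25 6a 5e d3 1d shown for Figure 2. Two caveats a practitioner should weigh: one block per frame under a fixed key with no IV is deterministic, so identical vocoder blocks produce identical ciphertext in every frame, and 108 of the 172 bits never leave the clear; and DES has a 56-bit key, and NIST withdrew FIPS 46-3 in 2005.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// An IS-95A 9600 bps frame carries 172 information bits: 1 format bit at full
// rate (4 at lower rates) followed by vocoder bits; one DES block per frame.
const FrameBits, BlockBits = 172, 64

// ExpandKey56 maps the 7-byte (56-bit) key the patent shows onto the 8-byte
// FIPS 46 key: each 7-bit group becomes a byte whose low bit gives odd parity.
// Assumption: the page does not say how its 56-bit key sits in the 64-bit key.
func ExpandKey56(k56 []byte) ([]byte, error) {
	if len(k56) != 7 {
		return nil, errors.New("56-bit key must be exactly 7 bytes")
	}
	var acc uint64
	for _, b := range k56 {
		acc = acc<<8 | uint64(b)
	}
	out := make([]byte, 8)
	for i := range out {
		seven := byte(acc>>(49-7*uint(i))) & 0x7f
		out[i] = seven<<1 | byte(1-bits.OnesCount8(seven)%2) // odd parity bit
	}
	return out, nil
}

// BytesToBits expands bytes into one byte per bit, MSB first.
func BytesToBits(raw []byte) []byte {
	out := make([]byte, len(raw)*8)
	for i := range out {
		out[i] = (raw[i/8] >> uint(7-i%8)) & 1
	}
	return out
}

// BitsToHex packs a bit slice whose length is a multiple of 8 back to hex.
func BitsToHex(b []byte) string {
	raw := make([]byte, len(b)/8)
	for i, v := range b[:len(raw)*8] {
		raw[i/8] |= (v & 1) << uint(7-i%8)
	}
	return hex.EncodeToString(raw)
}

// BuildFrame lays out a frame: format bits, vocoder bits, then zero filler
// (constructed here; a real vocoder packet fills every position).
func BuildFrame(format, vocoder []byte) ([]byte, error) {
	if len(format)+len(vocoder) > FrameBits {
		return nil, errors.New("format and vocoder bits exceed the frame")
	}
	frame := make([]byte, FrameBits)
	copy(frame[copy(frame, format):], vocoder)
	return frame, nil
}

// CipherFrame returns a copy of frame in which the 64 bits following the
// nFormat format bits have gone through DES under the 56-bit key (decrypt
// selects the direction); the format bits and every later bit are left as
// they are, which is exactly the split the patent's worked example makes.
func CipherFrame(key56, frame []byte, nFormat int, decrypt bool) ([]byte, error) {
	if len(frame) != FrameBits || nFormat < 0 || nFormat+BlockBits > FrameBits {
		return nil, errors.New("bad frame layout")
	}
	k64, err := ExpandKey56(key56)
	if err != nil {
		return nil, err
	}
	blk, err := des.NewCipher(k64)
	if err != nil {
		return nil, err
	}
	var buf [BlockBits / 8]byte
	for i := 0; i < BlockBits; i++ {
		buf[i/8] |= (frame[nFormat+i] & 1) << uint(7-i%8)
	}
	if decrypt {
		blk.Decrypt(buf[:], buf[:])
	} else {
		blk.Encrypt(buf[:], buf[:])
	}
	out := append([]byte(nil), frame...)
	copy(out[nFormat:], BytesToBits(buf[:]))
	return out, nil
}

func main() {
	key, _ := hex.DecodeString("0123456789abcd")  // the patent's sample key
	pt, _ := hex.DecodeString("0123456789abcde7") // its sample 64-bit plaintext
	frame, _ := BuildFrame([]byte{0}, BytesToBits(pt))
	enc, _ := CipherFrame(key, frame, 1, false) // inputs are the page's constants
	fmt.Printf("format bit %d, DES block %s\n", enc[0], BitsToHex(enc[1:1+BlockBits]))
}
```

Running it prints the format bit and the 64-bit DES block of the encrypted frame; calling CipherFrame on that output with decrypt set to true restores the original frame bit for bit. The half-rate layout (four format bits 1000 followed by 80 vocoder bits) uses the same function with nFormat = 4.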
3. Setting/clearing the security mode

For mobile communication that is not otherwise carried out in the security mode described above, entering a predetermined keypad key at the start of the communication places the sending station in the security-mode set or cleared state, and the receiving station is placed in the same set or cleared state as the sending station. Remote stations can thereby communicate securely and privately, protected from eavesdropping. This setting/clearing of the security mode by a specific key can be done before call setup or during the call once call setup has completed.

Setting the security mode on proceeds as follows. An ON key requesting activation of the security mode is entered on the reverse communication channel. A first pattern corresponding to security-mode activation (distinguishable from vocoded speech) is then sent to the other mobile station together with the information bits. The other mobile station receives and checks this first pattern and puts its security mode in the ON state.

Clearing the security mode proceeds as follows. An OFF key is entered during the communication, and a second pattern corresponding to clearing the security mode (again distinguishable from vocoded speech) is sent to the other mobile station together with the information bits. The other mobile station receives and checks this second pattern, puts its security mode in the OFF state and returns to normal mode. The security mode may also be set to OFF automatically when the communication ends. In this way the security mode can be set and cleared repeatedly during a communication.

In areas of weak radio signal, errors may occur in the pattern sent to set or clear the security mode, so that the receiving station fails to enter the set or cleared state. The sending station then has the security mode on while the receiving station has it off, and the two cannot communicate with each other. This can be handled in two ways: 1) the security-mode on/off signal is sent repeatedly to reduce the chance of error; or 2) when the sending station transmits the security-mode on/off signal to the receiving station, the receiving station returns an ECHO signal to the sending station to acknowledge receipt, and the sending station sets or clears its security mode only after it has detected the ECHO signal from the receiving station.

The ON key and OFF key used to set and clear the security mode are chosen from among the keypad keys whose entry does not affect the communication. When the security mode is set to ON, the security key for the block cipher may be transmitted together with the ON key, or a scheme for locating the security key may be transmitted together with the ON key, as described below.
4. Mute control

In general, silence (mute) means that the electrical power of the speech signal over a 20 ms interval is below a reference value, that is, no speech is detected. During silence, the encryption in encryptor 140 and the decryption in decryptor 150 can be skipped by the signals MUTE_Tx 143 and MUTE_Rx 153 respectively; they can also be skipped by the signal Security_Mode 180 according to the security mode.

Table 1. Operation of the encryptor according to security mode and mute

| Security_Mode 180 | MUTE_Tx 143 | Encryptor 140 |
|---|---|---|
| OFF | OFF | skipped |
| OFF | ON | skipped |
| ON | ON | skipped |
| ON | OFF | encrypts |

Table 2. Operation of the decryptor according to security mode and mute

| Security_Mode 180 | MUTE_Rx 153 | Decryptor 150 |
|---|---|---|
| OFF | OFF | skipped |
| OFF | ON | skipped |
| ON | ON | skipped |
| ON | OFF | decrypts |

Tables 1 and 2 show the operation of the encryptor and decryptor, respectively, according to the security mode and mute signals. When the signal Security_Mode 180 is OFF, encryptor 140 and decryptor 150 are both skipped. When Security_Mode 180 is ON but the signal MUTE_Tx 143 or MUTE_Rx 153 is ON, encryptor 140 or decryptor 150 is likewise skipped.

The signals MUTE_Tx 143 and MUTE_Rx 153 indicate whether the current vocoder packet carries speech or silence (MUTE); they can be represented by flags in application software and controlled as additional signals in a hardware implementation. The signal Security_Mode 180 indicates whether the security mode is currently set or cleared.

With a fixed-rate vocoder, no separate procedure is needed when silence occurs. With a variable-rate vocoder, the silent state of a frame is easily detected from the format bits of the vocoder packet without any special procedure, and in that case encryption and decryption are not performed. No new logic is therefore required to implement the present invention.
5. Sharing the security key

Since the block ciphers in encryptor 140 and decryptor 150 use the same algorithm and the same security key, a scheme is needed for sharing the security key between a transmitter and a receiver that are far apart.

The first scheme sends the security key from the transmitter to the receiver when the security mode is set. For example, when the security mode is set to ON, the 172 information bits of an IS-95 9600 bps frame are sent as a specific pattern representing Security_Mode set (for example 5555…555 in hexadecimal); then 128 bits of the next frame (for a 128-bit security key) are defined as the security key, or as a security key encrypted under a master key (such a key is commonly called a session key and is used only once), and sent. When a master key is used, the communicating mobile stations share the same master key, which is held by an authorized organization. A security key sent without master-key encryption in this way passes through the same base station and switch in which, as the background notes, information bits can be captured, so only the master-key-encrypted form keeps the key from an observer there.

The second scheme designates, when the security mode is set, one of a set of keys stored identically in the transmitter and the receiver (for example 100 keys of 128 bits). That is, of the 172 information bits of an IS-95 9600 bps frame, for example, 164 are used as a specific pattern representing security mode ON (for example 5555…555 in hexadecimal) and the remaining 8 are used as an index into up to 256 secretly stored security keys. The stored security keys can be made up of keys supplied by the mobile station manufacturer and keys entered by the user.

The third scheme has the two users exchange only the security key over a separate call. The security key to be exchanged may be entered by the user or produced by a random number generator in the mobile station. When the security mode is set, a security key exchanged under the third scheme can be designated and used as in the second scheme.
6. Encryption/transmission process

Figure 4 is a flowchart of the encryption/transmission process according to a preferred embodiment of the present invention. The encryption process is described in detail below with reference to Figure 4.

First, when the transmitter is powered on, its initialization is performed (step 400). When the user then presses a key to request a call (step 405), the call is set up (step 410). If the key entered at this point is the security-mode ON key (steps 415 and 420), the transmitter's security mode is set to ON (step 425), and the specific pattern representing Security_ON, together with the index of a security key selected from the transmitter's stored security keys, is added to the information bits on the communication channel (step 430).

If the key entered is the security-mode OFF key (steps 415 and 420), the transmitter's security mode is set to OFF (step 435), and the specific pattern representing Security_OFF is added to the information bits on the communication channel (step 440).

If no security-mode key was entered in step 415, the vocoder encodes the input signal into information bits of the prescribed length and produces vocoder packet information bits (step 445). If the security mode is ON (step 450) and the vocoder packet information bits are not silence (step 455), the vocoder packet information bits are encrypted with the block cipher and the security key (step 460); otherwise steps 455 and 460 are skipped. In the CDMA framer, a frame quality indicator and encoder tail bits are added to the encrypted or unencrypted vocoder packet information bits to form a CDMA frame (step 465), which is then convolutionally encoded, interleaved and spread-spectrum modulated and finally transmitted to a base station in the assigned frequency band (step 470). In step 475, if the call is still in progress, the flow returns to step 415. If the call has ended, the security mode is set back to normal mode (step 480) and the flow returns to step 405.

The functions of the encryptor and decryptor of the present invention can be implemented in software or in hardware such as an ASIC (application-specific integrated circuit).
7. Reception/decryption process

Figure 5 is a flowchart of the reception/decryption process according to a preferred embodiment of the present invention, performed at the receiver corresponding to the transmitter of Figure 4. The reception/decryption process is described in detail below with reference to Figure 5.

First, when the receiver is powered on, its initialization is performed (step 500). When a ring and a call are then received (step 505), the call between the transmitter and the receiver is set up (step 510). The receiver then receives a modulated signal from the base station and recovers the CDMA frame from it (step 515). The CDMA deframer extracts the encrypted vocoder packet information bits from the recovered CDMA frame (step 520). The decryptor determines whether the encrypted vocoder packet information bits contain a security-mode pattern (step 525). If the pattern represents Security_Mode ON (step 530), the decryptor reads the index carried in the information bits and selects the corresponding security key from the receiver's stored security keys (step 535), and the receiver's security mode is set to ON (step 540). If in step 530 the security-mode pattern in the information bits represents Security_Mode OFF, the receiver's security mode is set to OFF (step 545).

If the vocoder packet information bits contain no security-mode pattern in step 525, then if the receiver's security mode is ON (step 550) and the encrypted vocoder packet information bits are not silence (step 555), the decryptor decrypts the encrypted vocoder packet information bits with the block cipher and the security key (step 560); otherwise steps 555 and 560 are skipped. The decrypted, or skipped, vocoder packet information bits are decoded by the vocoder (step 565).

In step 570, if the call is still in progress, the flow returns to step 515. If the call has ended in step 570, the security mode is set back to normal mode (step 575) and the flow returns to step 505.

The functions of the decryption process of the present invention can likewise be implemented in software or in hardware such as an ASIC (application-specific integrated circuit).
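The control-frame handling of sections 3 to 7, as an added example in Go that is not part of the patent or of any product implementing it: the key-index frame of scheme 2 in section 5, the Table 1/Table 2 skip rules of section 4, the receiver flow of Figure 5 and the ECHO remedy of section 3. The page gives only the ON pattern (5555…555 hex) and says the OFF pattern and the ECHO merely have to differ from vocoded speech, so the OFF and ECHO patterns here are assumptions, as is the key-table entry used in the test (constructed). The cipher step itself is deliberately not modelled; the receiver returns an Action that tells the caller whether to run the decryptor. Two points it makes that the flowcharts leave implicit: an ON frame whose 8-bit index points at an empty key slot is refused without changing state, so the sender gets no ECHO and retransmits instead of the two ends drifting apart; and the sender applies a requested mode change only when the ECHO comes back.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const FrameBits, PatternBits = 172, 164 // frame = 164 pattern bits + 8-bit key index (scheme 2)

// The ON pattern (hex 5555...5) is the example the patent gives; the OFF and
// ECHO patterns are assumptions, the page only requiring that they differ
// from vocoded speech. Frames are one byte per bit, MSB first, 172 long.
var (
	OnPattern   = bytes.Repeat([]byte{0, 1}, PatternBits/2)
	OffPattern  = bytes.Repeat([]byte{1, 0}, PatternBits/2)
	EchoPattern = bytes.Repeat([]byte{0, 0, 1, 1}, PatternBits/4)
)

// BuildControlFrame: pattern, then the 8-bit key index, in place of speech.
func BuildControlFrame(pattern []byte, index byte) []byte {
	frame := make([]byte, FrameBits)
	copy(frame, pattern)
	for i := 0; i < 8; i++ {
		frame[PatternBits+i] = (index >> uint(7-i)) & 1
	}
	return frame
}

type Action int

const (
	PassThrough Action = iota // straight to the vocoder (Table 2: skip)
	Decrypt                   // through the decryptor first
	SendEcho                  // control frame accepted: acknowledge it
)

// Receiver is the state of Figure 5: key table, Security_Mode flag, chosen key.
type Receiver struct {
	Keys       [256][]byte
	SecurityOn bool
	Key        []byte
}

// HandleFrame is steps 525-560: control frames are matched on their raw bits
// before any decryption; voice frames follow Table 2 (decryptor skipped when
// Security_Mode is OFF or MUTE_Rx is set). An empty key slot means no ECHO.
func (r *Receiver) HandleFrame(frame []byte, muteRx bool) (Action, error) {
	if len(frame) != FrameBits {
		return PassThrough, errors.New("frame must be 172 bits")
	}
	switch head := frame[:PatternBits]; {
	case bytes.Equal(head, OnPattern):
		var idx byte
		for _, b := range frame[PatternBits:] {
			idx = idx<<1 | b&1
		}
		if r.Keys[idx] == nil {
			return PassThrough, errors.New("no key stored at the requested index")
		}
		r.SecurityOn, r.Key = true, r.Keys[idx]
		return SendEcho, nil
	case bytes.Equal(head, OffPattern):
		r.SecurityOn, r.Key = false, nil
		return SendEcho, nil
	}
	if r.SecurityOn && !muteRx {
		return Decrypt, nil
	}
	return PassThrough, nil
}

// Sender implements remedy 2 of section 3: the requested mode takes effect
// only when the ECHO arrives, so a lost control frame leaves both ends as they were.
type Sender struct {
	SecurityOn bool
	pending    *bool
}

func (s *Sender) Request(on bool, index byte) []byte {
	s.pending = &on
	if on {
		return BuildControlFrame(OnPattern, index)
	}
	return BuildControlFrame(OffPattern, 0)
}

// OnFrame reports whether frame is the ECHO for the pending request; if none arrives the sender repeats Request (remedy 1).
func (s *Sender) OnFrame(frame []byte) bool {
	if s.pending == nil || len(frame) != FrameBits || !bytes.Equal(frame[:PatternBits], EchoPattern) {
		return false
	}
	s.SecurityOn, s.pending = *s.pending, nil
	return true
}

func main() {
	var rx Receiver // empty key table: the ON request below is refused, so no ECHO
	act, err := rx.HandleFrame(BuildControlFrame(OnPattern, 7), false)
	fmt.Println(act, err, rx.SecurityOn)
}
```

main shows the refusal path: with an empty key table the ON frame for index 7 is rejected and the receiver stays in normal mode. Once a call ends, the caller clears SecurityOn and Key itself (steps 480 and 575); the mode must not persist into the next call.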
As described above, the present invention performs the encryption process with a block cipher between the vocoder and the CDMA framer on the reverse communication channel, and the decryption process with the block cipher between the CDMA deframer and the vocoder on the forward communication channel.

Because the information bits therefore travel in encrypted form everywhere except in the transmitter and the receiver, even if the encoded information bits are captured by some advanced technique, the encrypted information bits cannot be decrypted into the original vocoder packets without exact knowledge of the algorithm and the security key.

The present invention further has the advantage that it lets a CDMA system carry on private communication that cannot be eavesdropped without modifying the conventional base stations and switching systems conforming to the IS-95 standard.

The present invention also provides a simple and secure method for sharing the security key, which makes communication possible between different user groups that use different security keys, so that a secure network can be set up quickly among several small user groups.

The present invention has been described in terms of preferred embodiments. It should be understood, however, that its application is not limited to these particular embodiments. Those skilled in the art will recognize that various modifications and variations can be made without departing from the spirit and scope of the invention as defined by the following claims.
Claims (17)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB011156937A CN1193530C (en) | 2001-04-29 | 2001-04-29 | Method and device for ensuring communication information security in code division multiple access communication system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1384632A CN1384632A (en) | 2002-12-11 |
| CN1193530C true CN1193530C (en) | 2005-03-16 |
Family
ID=4662161
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB011156937A Expired - Fee Related CN1193530C (en) | 2001-04-29 | 2001-04-29 | Method and device for ensuring communication information security in code division multiple access communication system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1193530C (en) |
- 2001-04-29: CN application CNB011156937A, patent CN1193530C, not active (Expired - Fee Related)
Also Published As
| Publication number | Publication date |
|---|---|
| CN1384632A (en) | 2002-12-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1094634B1 (en) | Automatic resynchronization of crypto-sync information | |
| CN1140974C (en) | method of encrypting information | |
| KR101387799B1 (en) | Encryption method for message authentication | |
| JP4260896B2 (en) | Method and apparatus for encrypting a transmitted signal | |
| US6266412B1 (en) | Encrypting speech coder | |
| CN1054693A (en) | The continous cipher of cellular communication system is synchronous | |
| CN1136738A (en) | Changeable encryption for secret grade | |
| CN1357182A (en) | Method for encrypting information and device for implementing the method | |
| CN1115924C (en) | Encryption method for mobile telephone | |
| CN1801693A (en) | Short block processing method in block encryption algorithm | |
| CN103002406B (en) | A kind of voice encryption method being applied to arrowband radio digital communication system | |
| US6990198B2 (en) | Apparatus and method for securing communication information in CDMA communication system | |
| CN107786574A (en) | The voice communication Source Encryption system of mobile terminal | |
| CN1193530C (en) | Method and device for ensuring communication information security in code division multiple access communication system | |
| GB2385740A (en) | Voice over IP telephone subscriber unit with encryption facilities | |
| CN1237752C (en) | Method and device for multiple CMEA iterative encryption and decryption for improving wireless telephone message security | |
| CN1175643C (en) | Transmission method for signal processing between two transmit/receive interfaces | |
| JP2000514934A (en) | Method and apparatus for enhanced security enhancement of a private key to a lookup table to improve security of wireless telephone messages | |
| KR100408516B1 (en) | Terminal for secure communication in CDMA system and methods for transmitting information using encryption and receiving information using decryption | |
| KR100634495B1 (en) | Wireless communication transceiver with information protection function and method | |
| CN1177431C (en) | Method and mobile device for implementing end-to-end encryption | |
| KR100519783B1 (en) | Wireless communication terminal having information secure function and method therefor | |
| CN1617484A (en) | Two-way communication method using keys | |
| CN119728207A (en) | A method for transmitting encrypted voice data | |
| KR20040059146A (en) | The encrypting device for voice signals and the encrypting method for voice signals |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20050316