WO2001089242A1 - A digital mobile communication system - Google Patents
- Publication number
- WO2001089242A1 (PCT application PCT/SE2001/001076)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- levels
- functionality
- sgsn
- authentication
- digital mobile
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H04W88/14: Backbone network devices (under H04W88/00, Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
- H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA] (under H04W12/00, Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W12/068: Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications (under H04W12/06, Authentication)
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08)
- H04W80/04: Network layer protocols, e.g. mobile IP [Internet Protocol] (under H04W80/00, Wireless network protocols or protocol adaptations to wireless operation)
- H04W92/02: Inter-networking arrangements (under H04W92/00, Interfaces specially adapted for wireless communication networks)
Definitions
Fig. 5 shows a known alternative way to handle the authentication in larger MIP-based systems, with less load on HA and FA. A separate server, AUT, communicates directly with HA and FA (shown with two-way arrows in the drawing), and a protocol, DIAMETER, is used to handle authentication between the different units in the system.

The initial authentication in the system in Fig. 5 is carried out by MN sending RRQ to FA, which creates a new message with the RRQ of the MN in it, and sends this message to AUT, which checks and authenticates MN. If the authentication is successful, AUT sends a message to a suitable HA (the system may contain several HA, but for simplicity Fig. 5 only shows one), where the message among other things contains the RRQ of the MN. HA responds with RRP to AUT, and has at this stage opened its end of the "tunnel" for communication described earlier. The RRP is sent from AUT to FA, which extracts RRP from the message from AUT and sends RRP to MN. After the reception of RRP from AUT, FA opens "its" end of the tunnel, and communication between MN, FA and HA may proceed without using AUT. When RRP is sent, from AUT to FA and from FA to MN, it may be sent either separately or included in another message.

During the session, each one of the three units affected, MN, FA and HA, will check whether a received message comes from the correct sender. This is carried out by means of so-called "session keys", which during the session are used by a sending unit to create a check sum over the message the unit wants to send, which check sum is sent together with the message. A receiving unit "dissolves" (decodes and checks) the message using its session key, and checks whether the check sum is correct. When a unit, for example FA, forwards a message between two other units (for example MN-HA), the forwarding unit will check whether the message comes from the correct sender, and add its own check sum to the message using its session key, before the message is forwarded. Each unit will thus need two session keys, since each unit communicates with two other units. The system in Fig. 5 will therefore need a total of six session keys during a session for MN/FA/HA; however, only three of the keys have to be different, since two units communicating with each other should use the same key.

The session keys are created by AUT for each session, and are sent to the respective unit by AUT when the initial authentication is made. To prevent unauthorized use of the keys, they are sent in coded form, where the coding is made using a code key which is known in advance by the respective units.

Fig. 6 shows a system according to the invention, in other words a system with components and functionality from both UMTS (UTRAN, SGSN, MS) and MIP (FA, HA), where the system has been provided with the type of separate authentication function, AUT, described above in connection with Fig. 5. The initial authentication of MS in the system is carried out in the manner described in connection with Fig. 4, with the difference that the authentication is carried out by the separate function for this, AUT. SGSN will, in a system according to the invention, dissolve the messages which are sent to or from MS, and transform them so that they seem to go to or come from an MN in an MIP-based system. Holding the password for MS, in other words the password for a single user, in SGSN is both technically difficult and unsuitable for security reasons. Instead, the session keys that are sent from AUT to "MN" at the beginning of the session are coded with the same code key that is used by FA. This enables messages which are sent to MS to be dissolved by FA and sent to SGSN for forwarding to MS, and messages arriving from MS to be provided with check sums by FA, as if they came from an MN in an MIP-based system. The reason that AUT codes the session keys going to "MN" with the same code key as used by FA is that AUT, in a system according to the invention, knows that the user, "MN", really is an MS from a UTRAN system.

Fig. 7 shows schematically how a user, MS1, has entered a system according to the invention which is run by an operator other than the one that the user, MS1, subscribes to. The units in the "home system" for the user, MS1, will in the following be denoted with the numeral one (1) after their regular terms, and the units in the "alien" system with the numeral two (2) after their ordinary terms. The HA that MS1 will be communicating with is HA1, in spite of the fact that MS1 is in an alien system, which means that HA2 does not have to be used in the communication from/to MS1. When MS1 wants to authenticate itself in the alien system, it sends RRQ to SGSN2, which is forwarded to FA2 and from there to AUT2. AUT2 recognizes that MS1 is a unit that belongs to AUT1, and therefore forwards RRQ to AUT1, which authenticates MS1 and creates the six session keys that will be needed. RRQ can either be sent separately, or included in another message.

The session keys are coded before AUT1 sends them to the respective unit, which means that the unit that sends the session keys must have a code key in common with the receiving unit. The following units have common code keys: AUT1 and HA1, AUT1 and AUT2, and AUT2 and FA2. AUT1 codes the session keys for HA1 with the code key that these units have in common, and sends RRQ and session keys to HA1, after which HA1 opens its "tunnel end" and responds with an RRP to AUT1, which is then forwarded to AUT2. The session keys for FA2 are coded by AUT1 by means of the code key that AUT1 has in common with AUT2. AUT2 dissolves the session keys, codes them with the code key that is common to AUT2 and FA2, and forwards them to FA2, where the session keys are decoded and used in the manner described in connection with Fig. 6. Communication then begins in the manner shown in Fig. 7, in other words between MS1-SGSN2-FA2-HA1.
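The session-key scheme of Fig. 5 to Fig. 7 (six key copies, three distinct keys, a forwarding unit that checks one check sum and adds another, and AUT coding the "MN" keys under FA's code key when the "MN" is really an MS behind SGSN) is modelled below as an added example in Python. It is not the patent's own code. Assumptions the patent does not make: the check sum is HMAC-SHA256 over the message, the "coding" of a session key under a pre-shared code key is an HMAC-derived pad plus an HMAC tag (a real deployment would use an AEAD or RFC 3394 key wrap), messages are plain dicts, and every check sum covers the whole payload rather than the RFC 2002 extension layout.

```python
import hashlib
import hmac
import os

UNITS = ("MN", "FA", "HA")
PAIRS = ("MN-FA", "FA-HA", "MN-HA")      # three distinct keys, two per unit


def checksum(session_key: bytes, message: bytes) -> bytes:
    """The 'check sum' a sender attaches; assumed to be HMAC-SHA256 here."""
    return hmac.new(session_key, message, hashlib.sha256).digest()


def wrap_key(code_key: bytes, session_key: bytes) -> bytes:
    """'Code' a 32-byte session key under a pre-shared code key.
    Illustrative encrypt-then-MAC built from HMAC only (assumption);
    use an AEAD or a standard key wrap in practice."""
    nonce = os.urandom(16)
    pad = hmac.new(code_key, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = hmac.new(code_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(code_key: bytes, blob: bytes) -> bytes:
    """Decode a wrapped key; fails closed on a wrong code key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(code_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong code key or corrupted key blob")
    pad = hmac.new(code_key, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class AUT:
    """Separate authentication function: creates and distributes session keys."""

    def __init__(self, code_keys: dict):
        self.code_keys = code_keys        # pre-shared code key per unit

    def start_session(self, mn_is_ms: bool) -> dict:
        keys = {pair: os.urandom(32) for pair in PAIRS}
        # For an MS behind SGSN, the "MN" keys are coded under FA's code key,
        # because AUT knows the user really is an MS (Fig. 6).
        code = {"MN": self.code_keys["FA" if mn_is_ms else "MN"],
                "FA": self.code_keys["FA"], "HA": self.code_keys["HA"]}
        return {unit: {pair: wrap_key(code[unit], keys[pair])
                       for pair in PAIRS if unit in pair.split("-")}
                for unit in UNITS}


def decode_all(bundle: dict, code_keys: dict, mn_is_ms: bool) -> dict:
    """Each unit decodes its two keys; in Fig. 6 FA decodes the 'MN' keys."""
    code = dict(code_keys)
    if mn_is_ms:
        code["MN"] = code_keys["FA"]
    return {unit: {pair: unwrap_key(code[unit], blob)
                   for pair, blob in bundle[unit].items()}
            for unit in UNITS}


def mn_send(payload: bytes, mn_keys: dict) -> dict:
    """MN attaches an end-to-end MN-HA check sum and a hop MN-FA check sum."""
    return {"payload": payload,
            "auths": {"MN-HA": checksum(mn_keys["MN-HA"], payload),
                      "MN-FA": checksum(mn_keys["MN-FA"], payload)}}


def fa_forward(msg: dict, fa_keys: dict) -> dict:
    """FA checks the MN-FA check sum, strips it, and adds its own FA-HA check sum."""
    auths = dict(msg["auths"])
    got = auths.pop("MN-FA", b"")
    if not hmac.compare_digest(got, checksum(fa_keys["MN-FA"], msg["payload"])):
        raise ValueError("FA: message did not come from MN")
    auths["FA-HA"] = checksum(fa_keys["FA-HA"], msg["payload"])
    return {"payload": msg["payload"], "auths": auths}


def ha_receive(msg: dict, ha_keys: dict) -> bool:
    """HA accepts only if both the FA-HA and the MN-HA check sums verify."""
    auths = msg["auths"]
    return all(hmac.compare_digest(auths.get(pair, b""),
                                   checksum(ha_keys[pair], msg["payload"]))
               for pair in ("FA-HA", "MN-HA"))


def run_session(mn_is_ms: bool, tamper: bool = False) -> bool:
    code_keys = {u: os.urandom(32) for u in UNITS}        # constructed pre-shared code keys
    bundle = AUT(code_keys).start_session(mn_is_ms)
    keys = decode_all(bundle, code_keys, mn_is_ms)
    msg = fa_forward(mn_send(b"RRQ home=10.0.0.5", keys["MN"]), keys["FA"])
    if tamper:                                            # on-path change after FA
        msg["payload"] = b"RRQ home=10.0.0.9"
    return ha_receive(msg, keys["HA"])


if __name__ == "__main__":
    print(run_session(mn_is_ms=True), run_session(mn_is_ms=False),
          run_session(mn_is_ms=True, tamper=True))
```

The point worth checking in a real deployment is the one the tamper case exercises: the MN-HA check sum is what makes FA (or, in Fig. 6, the FA/SGSN pair acting as the "MN") unable to alter a registration end to end, so it must be carried through unchanged while the hop check sums are replaced. The key bundle also shows why AUT has to know which code key each unit holds: a session key coded under the wrong code key is rejected by `unwrap_key` rather than silently decoded to garbage.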
Abstract
The invention relates to a system for digital mobile communication comprising a number of hierarchical communication levels (MS, UTRAN, SGSN, FA, HA), where one of the levels in the system comprises functionality for a digital mobile telephony system (SGSN) and further comprises functionality (FA) for a protocol in a system for a mobile data network. Preferably, the digital mobile telephony system whose functionality (SGSN) is comprised in one of the levels is the UMTS system, and the mobile data network for whose protocol one of the levels of the system comprises functionality (FA) is an MIP-based system.
Description
TITLE
A digital mobile communication system.
TECHNICAL FIELD
The present invention relates to a system for digital mobile communication which comprises a number of hierarchical levels, which system may comprise components from both a digital mobile telephony system and from a system for a mobile data network.
BACKGROUND ART
Modern digital mobile telephony systems will be provided with functions for use in many other fields than transmission of speech, since those systems will be able to offer their subscribers broadband connections, for example for transmission of large amounts of data. Conversely, modern computer networks also admit broadband connections, and their protocols allow a user to be mobile, either wirelessly or, for example, by moving between rooms in an office and connecting the terminal or computer through a connector in any room.
Since these two types of systems, digital mobile telephony systems and computer networks, increasingly acquire functions that resemble each other's, it becomes desirable to use components from a computer network in a digital mobile telephony system, or to connect a computer network to a digital mobile telephony system. A problem in this context is that if components from a computer network are to be used in a digital mobile telephony system after that system has been installed, the terminals already sold will not support the kind of signalling that takes place in the computer network.
Document WO 00/18155 discloses a system for an IP mobility mechanism for a packet radio network. In order to make the system function, new messages need to be added to the existing standard, which is a drawback of this system. In addition, the system disclosed by this document cannot be used by existing telephones, but needs telephones which have been adapted to the system. Thus, the system is not well equipped to handle "retrofit" or upgrading of existing packet radio networks, since users would have to exchange their telephones for new ones.
Document WO 00/18154 discloses a system similar to the system of WO 00/18155, with similar drawbacks.
A drawback common to the systems disclosed in the two documents mentioned is that they lack functionality for authentication of a subscriber, and functionality for handling session keys.
DISCLOSURE OF THE INVENTION
A problem which is solved by the present invention is thus to make it possible to integrate components or functions from a mobile data network into a digital mobile telephony system, or to connect a mobile data network with a digital mobile telephony system, without any need for the users of the telephony system to exchange their telephones for new ones.
Both mobile data networks and digital mobile telephony systems consist of hierarchical communication levels. The problem is solved by the present invention by providing a system for digital mobile communication comprising a number of hierarchical communication levels, where one of the levels comprises functionality for a digital mobile telephony system and also comprises functionality for a protocol within a mobile data network, the mobile data network functionality comprised in that level being the functionality of a subscriber (MN).
Since one of the levels in the system comprises functionality for both types of systems, this level may be used as an "interface" between the two types in the system. If the "lowest" levels, in other words those closest to the end user, are levels which come from a digital mobile telephony system, the users of the system will be able to use terminals intended for the digital mobile telephony system without problems, at the same time as the mobile telephony system is integrated with the system for a mobile data network at higher levels.
Since the functionality of a subscriber from a mobile data network is integrated into the system, users need not buy telephones equipped with functionality from both kinds of systems.
In addition, a further problem which is solved by the present invention is how a user who has a terminal intended for a digital mobile telephony system can be authenticated against the parts of the integrated system which come from a system for mobile data communication, and also how session keys are to be handled in an integrated system. How the invention solves these problems is disclosed in the description below.
BRIEF DESCRIPTION OF DRAWINGS
The invention will be described in more detail below, using examples of embodiments and with reference to the enclosed drawings, where:
Fig. 1 shows an example of the structure of a system for digital mobile telephony,
Fig. 2 shows an example of the structure of a system for a mobile data network,
Fig. 3 shows the principle structure of a system according to the present invention,
Fig. 4 shows how the authentication is constructed in a system according to the invention,
Fig. 5 shows authentication in a larger system, and
Fig. 6-7 show the invention applied to the system from Fig. 5.
MODES FOR CARRYING OUT THE INVENTION
The following abbreviations will be used in this description:
AAD - Agent Advertisement
AAS - Agent Solicitation
AUT - Authentication function
CHAP - PPP Challenge Handshake Authentication Protocol (RFC 1994)
FA - Foreign Agent
GGSN - Gateway GPRS Support Node
GPRS - General Packet Radio Service
HA - Home Agent
MIP - Mobile Internet Protocol (RFC 2002)
MN - Mobile Node
MS - Mobile Station
PPP - Point to Point Protocol (RFC 1661)
RADIUS - Remote Authentication Dial In User Service (RFC 2138)
RRP - Registration Reply
RRQ - Registration Request
SGSN - Serving GPRS Support Node
UMTS - Universal Mobile Telecommunications System
UTRAN - UMTS Terrestrial Radio Access Network
In Fig. 1 the principal structure of a digital mobile telephony system is shown, in the current case the so-called UMTS system. As shown in Fig. 1, the system consists of a number of hierarchical levels, which connect the system to the overarching countrywide telephone network. The levels shown in Fig. 1 are MS, the subscriber level, most often a cell phone, but a level that can be an arbitrary mobile terminal, for example a computer or other equipment which is able to communicate with the closest next level, the so-called UTRAN level. This level, UTRAN, connects the subscribers with the rest of the system via base stations in the coverage area of the system. The UTRAN level is in turn connected with the SGSN level, which in turn is connected with the GGSN level, whose function is to link the MS with external networks, which may carry both data and speech.
In Fig. 2 the principal structure of a system for mobile data communication is shown, in the present case an MIP-based system. As shown in Fig. 2, an MIP-based system also consists of hierarchical levels. A mobile user, designated MN, communicates with the closest next level, FA, which in turn communicates with the next level, HA. The protocol in an MIP-based system is such that MN may communicate with FA via an essentially arbitrary medium, for example via radio or wire. The functions of FA and HA in an MIP-based system roughly correspond to the functions of SGSN and GGSN respectively in the UMTS system.
There are many advantages, both technical and economic, to be gained if it is possible to combine "building blocks" from an MIP-based system with building blocks from a UMTS system, but a problem here is that MS will not be able to communicate with FA or HA. This problem is solved by means of the present invention, in a way that is schematically illustrated in Fig. 3.
Fig. 3 shows a system for digital mobile communication according to the invention. As shown in the drawing, the system comprises a number of hierarchical communication levels, where some of the levels (UTRAN, SGSN) come from the UMTS system, and other levels (HA, FA) come from an MIP-based system. In order to solve the problem that MS is not able to communicate with HA or FA, since these come from another system, one of the levels which come from the UMTS system, in the present case the SGSN level, has been provided with the functionality for the protocol within an MIP-based system.
Since the problem is that MS has to be able to communicate with the system, the functionality from an MIP-based system that SGSN has been provided with is the functionality of the subscriber level within an MIP-based system. SGSN may thus take the data sent between MS and SGSN and convert them to the MIP protocol, which enables SGSN to communicate with FA, whereby FA perceives the communication, which in reality comes from an MS intended for the UTRAN system, as coming from an MN in an MIP-based system.
During communication between MN and HA in an MIP-based system a so-called "tunnel" is created between FA and HA, which means that a path for data communication is opened between HA and MN. It is SGSN that provides the opening of such a path for data communication between MS and HA. In the following there is first a brief description of how the tunnel is opened in an MIP-based system: when connecting to an MIP-based system, MN receives an AAD from FA, either because MN has sent an AAS, or because FA transmits AAD periodically. Following this, MN transmits RRQ, which is granted by HA by sending RRP.
The signals within the MIP protocol that SGSN has been provided with according to the invention are the signals RRQ and RRP, which are needed for MN to tell HA where MN is, enabling HA to direct, or "tunnel", the traffic to the right FA.
A further demand on the type of system that is provided according to the invention, in other words a system based on a combination of a system for digital mobile telephony and a system for a mobile data network, is that such a combined system must be able to authenticate an MS from a digital mobile telephony system against building blocks in the system which come from a mobile data network. Authentication here refers to checking that the user/subscriber is authorized to use the system.
In MIP, the authentication is carried out by FA sending a random number (a so-called "challenge") in the signal AAD. The user responds with his personal password, which is used together with the random number to create a new number that is inserted into the RRQ, following which HA receives RRQ and checks whether the password is correct, using the new number that has been inserted into RRQ and the originally sent random number. If the password is correct, RRP is sent to MN, in other words a signal granting the user access to the system and to those of its services that the user is entitled to. The check of whether the password is correct that the HA makes is preferably made in a separate function for this purpose which lies outside HA itself, for example a so-called RADIUS function, which holds information regarding the user's password.
In a UMTS system, the authentication procedure differs slightly from the one in MIP. If a user wishes to use the UMTS system for data communication, this is often carried out using a computer, for example a portable PC that is connected to a terminal, a cell phone, in the UMTS system. The cell phone sends a random number to the PC via a CHAP message, and the user is requested to state his password. Using the password and the random number, a new number is generated in the PC, and then this new number and the random number used, together with information regarding the stated identity of the user, are sent to the SGSN via the cell phone and thereafter to GGSN. At GGSN it is checked whether the user is authorized to access the system, and if so which functions in the system the user should be able to access. This authentication of the user in GGSN is preferably made in a function that is separate from GGSN itself, preferably in a so-called RADIUS server, which holds information regarding the user's password.
Fig. 4 shows how the authentication is designed in a system according to the invention. The drawing shows an MS and a PC connected to this MS in order to carry out data communication wirelessly via the system according to the invention. To start with, the authentication procedure for a UMTS system is carried out in the manner that has been described above, in other words MS sends a CHAP message to the PC, where the CHAP message contains a random number. The user responds with his password, from which a new number is calculated with the help of the random number. Information regarding the random number, the number which has been generated from the random number, and the stated identity of the user is sent to SGSN by MS via UTRAN.
The random number, the new number that has been generated using the password and random number, and the information regarding the stated identity of the user, which SGSN receives from the PC via MS and UTRAN, are transformed in SGSN by putting the information in a so-called MIP extension, in other words a message in MIP format, following which it is sent to FA and then further to HA. At HA, the authentication procedure for a MIP-based system described above takes place, preferably in an authentication function that is separate from HA itself, for example a so-called RADIUS function. Since the information that arrives at HA and the authentication function, the random number and the newly generated number, comes from a CHAP procedure, this must be stated in the information that is sent to the authentication function, suitably in the same extension as the rest of the information from the CHAP procedure.
The authentication in MIP-based systems described above works well, but if the system becomes too large this type of authentication may be difficult to manage. If the system for example includes several HA, each FA and MN has to authenticate itself against each HA and vice versa, which may lead to a large load on the units. Fig. 5 shows a known alternative way to handle the authentication in larger MIP-based systems, with less load on HA and FA.
In the MIP-based system shown in Fig. 5, all authentication is put in a separate function, preferably in a separate server, hereafter named AUT, which communicates directly with HA and FA, shown with two-way arrows in the drawing, and which has a protocol to handle authentication between the different units in the system. An example of such a protocol is the so-called DIAMETER protocol. When MN, FA and HA are to initiate communication, the authentication is carried out by AUT, but when the authentication is finished, further communication is handled directly between the respective units.
In order to facilitate the understanding of a further aspect of the invention, a short description of how the authentication is carried out in the type of existing systems which is shown in Fig. 5 will follow below.
The initial authentication in the system in Fig. 5 is carried out by MN sending RRQ to FA, which creates a new message with the RRQ of the MN in it and sends this message to AUT, which checks and authenticates MN. If the authentication is successful, AUT sends a message to a suitable HA (the system may contain several HA, but for simplicity Fig. 5 only shows one), where the message among other things contains the RRQ of the MN. HA responds with RRP to AUT, and has at this stage opened its end of the "tunnel" for communication described earlier. The RRP is sent from AUT to FA, which extracts RRP from the message from AUT and sends RRP to MN. After the reception of RRP from AUT, FA opens "its" end of the tunnel, and communication between MN, FA and HA may proceed without using AUT. When RRP is sent, from AUT to FA and from FA to MN, it may be sent either separately or included in another message.
In all further communication in this system, each of the three units affected, MN/FA/HA, will check whether a received message comes from the correct sender. This is carried out by means of so-called "session keys", which during the session are used by a sending unit to create a check sum over the message the unit wants to send, which check sum is sent together with the message. A receiving unit "dissolves" the message using its session key and checks whether the check sum is correct. When a unit (for example FA) forwards a message between two other units (for example MN-HA), the forwarding unit will check whether the message comes from the correct sender and add its own check sum to the message using its session key before the message is forwarded.
The following combinations of sending/receiving units will occur:
| Sending | Receiving |
|---|---|
| HA | FA |
| HA | MN |
| FA | MN |
| FA | HA |
| MN | FA |
| MN | HA |
Each unit will thus need two session keys, since each unit will communicate with two other units. In other words, the system in Fig. 5 will need a total of six session keys during a session for MN/FA/HA. However, only three of the keys will have to be different, since two units communicating with each other should use the same key.
The session keys are created by AUT for each session and are sent to the respective units by AUT when the initiating authentication is made. To prevent unauthorized use of the keys, they are sent in coded form, where the coding is made using a code key which is known in advance by the respective units.
Fig. 6 shows a system according to the invention, in other words a system with components and functionality from both UMTS (UTRAN, SGSN, MS) and MIP (FA, HA), where the system has been provided with the type of separate authentication function, AUT, which has been described above in connection with Fig. 5. The initial authentication of MS in the system is carried out in the manner described in connection with Fig. 4, with the difference that the authentication is carried out by the separate function for this, AUT.
As described above in connection with Fig. 4, SGSN will, in a system according to the invention, dissolve the messages sent to and from MS and transform them so that they seem to go to and come from an MN in a MIP-based system. This presumes that SGSN has access to the session keys which have been sent from AUT to "MN" during the initial authentication, which in turn presumes that SGSN has access to the password for MS, since this is the only common secret that AUT and MS have access to, and thus the only code key that they (AUT/MS) would be able to use during the transfer of session keys.
To put the password for MS, in other words the password for a single user, in SGSN is both technically difficult and also unsuitable for security reasons. In order to enable MS to communicate with the other units in the system anyway, the session keys that are sent from AUT to "MN" at the beginning of the session will be coded with the same code key that is used by FA. This enables messages which are sent to MS to be dissolved by FA and sent to SGSN for forwarding to MS, and messages arriving from MS are provided with check sums by FA, as if they came from an MN in a MIP-based system. The fact that AUT codes the session keys which are going to "MN" with the same code key as used by FA is due to the fact that AUT in a system according to the invention knows that the user, "MN", really is an MS from a UTRAN system.
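An added example (not the patent's own code) of the session-key scheme of Figs. 5 and 6: AUT creates one key per communicating pair (three keys for the six sending/receiving combinations), codes each unit's keys with that unit's pre-shared code key, except that the keys addressed to "MN" are coded with FA's code key, so that FA can dissolve them and add check sums on behalf of MS. HMAC-SHA256 as the check sum and a keystream derived from the code key as the coding are assumptions; the patent specifies neither.

```python
import hashlib
import hmac
import os

UNITS = ("MN", "FA", "HA")


def pair(a, b):
    # Six sending/receiving combinations, but one key per unordered pair: three keys.
    return tuple(sorted((a, b)))


def aut_create_session_keys():
    return {pair(a, b): os.urandom(32) for a in UNITS for b in UNITS if a < b}


def wrap_key(code_key, session_key):
    # Code a session key for transport with a one-time keystream derived from the
    # pre-shared code key (assumed stand-in for whatever cipher a real AUT uses).
    nonce = os.urandom(16)
    pad = hmac.new(code_key, nonce, hashlib.sha256).digest()
    return nonce + bytes(x ^ y for x, y in zip(session_key, pad))


def unwrap_key(code_key, blob):
    pad = hmac.new(code_key, blob[:16], hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(blob[16:], pad))


def aut_distribute(session_keys, code_keys):
    # Each unit gets the two keys it takes part in. Fig. 6 twist: the keys addressed
    # to "MN" are coded with FA's code key, since AUT knows "MN" is an MS behind SGSN.
    coded = {}
    for unit in UNITS:
        holder = "FA" if unit == "MN" else unit
        coded[unit] = {p: wrap_key(code_keys[holder], k)
                       for p, k in session_keys.items() if unit in p}
    return coded


def checksum(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def fa_send_for_ms(fa_keys, msg):
    # A message from MS reaches FA via SGSN with no MIP check sums; FA adds the
    # "MN" check sum and its own, so HA sees it as coming from an MN.
    return {u: checksum(fa_keys[pair(u, "HA")], msg) for u in ("MN", "FA")}


def ha_verify(ha_keys, msg, tags):
    return all(hmac.compare_digest(checksum(ha_keys[pair(u, "HA")], msg), tags[u])
               for u in ("MN", "FA"))


def session(tamper=False):
    code_keys = {u: os.urandom(32) for u in UNITS}      # pre-shared with AUT
    coded = aut_distribute(aut_create_session_keys(), code_keys)
    # FA dissolves its own keys and the ones addressed to "MN"; HA only its own.
    fa_keys = {p: unwrap_key(code_keys["FA"], b)
               for p, b in {**coded["FA"], **coded["MN"]}.items()}
    ha_keys = {p: unwrap_key(code_keys["HA"], b) for p, b in coded["HA"].items()}
    msg = b"payload from MS via SGSN"                   # constructed sample message
    tags = fa_send_for_ms(fa_keys, msg)
    if tamper:
        msg += b"!"                                     # altered between FA and HA
    return ha_verify(ha_keys, msg, tags)
```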
The authentication function, AUT, which has been described, is usually unique for a certain operator and a certain area. Fig. 7 shows schematically how a user, MS1, has entered a system according to the invention which is used by another operator than the one the user, MS1, has subscribed to. The units in the "home system" for the user, MS1, will in the following be denoted with the numeral one (1) after their regular terms, and the units in the "alien" system will be denoted with the numeral two (2) after their ordinary terms. The HA that MS1 will be communicating with is HA1, in spite of the fact that MS1 is in an alien system, which means that HA2 does not have to be used in the communication from/to MS1.
When MS1 wants to authenticate itself in the alien system, it sends RRQ to SGSN2, which is forwarded to FA2 and from there to AUT2. AUT2 recognizes that MS1 is a unit that belongs to AUT1, and therefore sends RRQ forward to AUT1, which authenticates MS1 and creates the six session keys that will be needed. RRQ can either be sent separately or included in another message. The session keys are coded before AUT1 sends them to the respective units, which means that the unit that sends the session keys must have a code key in common with the receiving unit. The following units will have common code keys:
- AUT1 - HA1
- AUT1 - AUT2
- AUT2 - FA2
AUT1 codes the session keys to HA1 with a code key that these units have in common, and sends RRQ and session keys to HA1, after which HA1 opens its "tunnel end" and responds with an RRP to AUT1, which is then forwarded to AUT2.
The session keys for FA2 are coded by AUT1 by means of the code key that AUT1 has in common with AUT2. AUT2 dissolves the session keys, codes them with the code key that is common to AUT2 and FA2, and sends them forward to FA2, where the session keys are decoded and used in the manner described in connection with Fig. 6. When the respective units have received their session keys, communication begins in the manner shown in Fig. 7, in other words between MS1-SGSN2-FA2-HA1.
From the explanation of the example shown in Fig. 7, one more reason why it is unsuitable to put the code key for an MS in SGSN becomes apparent: in order to obtain the desired function for the system in Fig. 7, the password for MS1 would have to lie in SGSN2, in other words an SGSN of an alien system. If, instead, the problem of coding the session keys were solved by letting SGSN2 access the code key for an MN in "system number one", SGSN2 would have access to a code key used in that system, which would also be unsuitable.
Claims
1. A system for digital mobile communication comprising a number of hierarchical communication levels (MS, UTRAN, SGSN, FA, HA), in which system one of the levels comprises functionality (SGSN) for a digital mobile telephony system and also comprises functionality (FA) for a protocol in a system for a mobile data network, characterized in that the functionality of a protocol for a mobile data network that is comprised in one of the levels of the system comprises the functionality of a subscriber (MN).
2. A system according to claim 2, in which the functionality of a protocol for a mobile data network that is comprised in one of the levels of the system further comprises functionality for authentication of a subscriber.
3. A system according to any of the preceding claims, further comprising functionality for handling session keys.
4. A system according to any of claims 1-3, in which the digital mobile telephony system whose functionality (SGSN) is comprised in one of the levels is the UMTS system.
5. A system according to any of claims 1-4, in which the mobile data network the protocol of which one of the levels of the system comprises functionality (FA) is a MIP-based system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2001258991A AU2001258991A1 (en) | 2000-05-15 | 2001-05-15 | A digital mobile communication system |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| SE0001760A SE522792C2 (en) | 2000-05-15 | 2000-05-15 | A system for digital mobile communication |
| SE0001760-8 | 2000-05-15 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2001089242A1 true WO2001089242A1 (en) | 2001-11-22 |
Family
ID=20279648
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/SE2001/001076 Ceased WO2001089242A1 (en) | 2000-05-15 | 2001-05-15 | A digital mobile communication system |
Country Status (3)
| Country | Link |
|---|---|
| AU (1) | AU2001258991A1 (en) |
| SE (1) | SE522792C2 (en) |
| WO (1) | WO2001089242A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009058714A3 (en) * | 2007-10-31 | 2010-04-08 | Marvell World Trade Ltd. | A system and method for reselection of a packet data network gateway when establishing connectivity |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO1998043446A2 (en) * | 1997-03-25 | 1998-10-01 | Telefonaktiebolaget Lm Ericsson (Publ) | Communicating packet data with a mobile station roaming within an incompatible mobile network |
| WO2000018154A2 (en) * | 1998-09-21 | 2000-03-30 | Nokia Networks Oy | Ip mobility mechanism for a packet radio network |
| WO2000018155A2 (en) * | 1998-09-21 | 2000-03-30 | Nokia Networks Oy | Ip mobility mechanism for a packet radio network |
| WO2000045560A2 (en) * | 1999-01-29 | 2000-08-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Public mobile data communications network |
- 2000
  - 2000-05-15 SE SE0001760A patent/SE522792C2/en unknown
- 2001
  - 2001-05-15 AU AU2001258991A patent/AU2001258991A1/en not_active Abandoned
  - 2001-05-15 WO PCT/SE2001/001076 patent/WO2001089242A1/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| SE522792C2 (en) | 2004-03-09 |
| SE0001760D0 (en) | 2000-05-15 |
| AU2001258991A1 (en) | 2001-11-26 |
| SE0001760L (en) | 2001-11-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | 122 | Ep: pct application non-entry in european phase | |
| | NENP | Non-entry into the national phase | Ref country code: JP |