Secure wireless communication

FIELD: information technology.

SUBSTANCE: a method performed by a mobile device (100) to authenticate communication with a network (400), in which keys are generated (steps S610, S620) using cellular authentication and voice encryption (CAVE) and an authentication key is then generated (step S630) from those keys. The authentication key is used to generate the expected message authentication code by which the network is authenticated according to a security protocol for authentication and key agreement.

EFFECT: improved reliability of secure wireless communication.

10 cl, 6 dwg

Priority claim

This application claims priority from provisional application US 60/998125, filed October 9, 2007, the contents of which are fully incorporated by reference into the present application.

Technical field of the invention

The present invention relates to a method and system for secure wireless communication. More precisely, it relates to a method of deriving authentication keys in the network and in the mobile equipment in order to establish a communication channel with mutual authentication.

Background art

In recent years, methods and technologies for secure wireless communication have been developed. In particular, the security of second-generation (2G) code division multiple access (CDMA) systems has evolved into the security of third-generation (3G) CDMA systems.

As is well known in the prior art, the 2G CDMA security system provides cellular authentication and voice encryption (CAVE). In particular, 2G CDMA security uses at least one root key, commonly called the AKey, and shared secret data (SSD) encryption keys. The SSD keys are generated by the well-known SSD update procedure. The SSD keys are long-term keys and are regarded in the present invention as root keys. The SSD keys can be used together with the visitor location register (VLR) of the network, for example when the VLR is the serving system for a mobile device. In addition, the usual 2G CDMA security protocols provide a global challenge-and-response procedure and a unique (individual) challenge-and-response procedure.

In the global challenge procedure, the network broadcasts to the mobile equipment a challenge containing a random number (RAND). A mobile device accessing the system (e.g. for registration, call origination or call termination) on a network that requires authentication generates and transmits an authentication response (AUTHR) using the long-term key. The RAND/AUTHR pair is sent to the home location register/authentication center (HLR/AC) for verification. For call origination, the last 6 dialed digits are also used to compute AUTHR. For both call origination and call termination, the mobile device generates the keys applicable to the call (i.e. SMEKEY and PLCM). If the RAND/AUTHR pair is verified, the HLR/AC also generates the SMEKEY and PLCM keys and transmits them to the serving system (VLR).

The unique challenge procedure can be invoked by the network when attempting to establish communication with the mobile device at any time, on the control channel or on a traffic channel. For example, the VLR asks the HLR/AC for a unique challenge-and-response pair containing the expected values RANDU and AUTHU. The network transmits RANDU to the mobile equipment; the mobile device computes a response containing AUTHU using the long-term key and returns it to the network. The network verifies the RANDU/AUTHU pair.

Conventional 3G CDMA security protocols are based on the authentication and key agreement (AKA) protocol and provide mutual authentication, meaning that to communicate (i) the mobile device authenticates the network and (ii) the network authenticates the mobile device. The well-known AKA security protocols used in 3G CDMA are based on quintets. A quintet includes a random number RAND, an expected response (XRES), a cipher key (CK), an integrity key (IK) and a network authentication token (AUTN). A conventional AUTN is based on a sequence number (SQN), an anonymity key (AK), an authentication management field (AMF) and a message authentication code (MAC).

For example, the mobile device generates its own MAC from the new sequence number SQN held in the mobile equipment, the secret key K stored in the mobile equipment, the AMF and the random number RAND. The MAC generated in the mobile equipment is then compared with the MAC extracted from the AUTN received from the serving system. In addition, the mobile device may check whether the sequence number SQN extracted from the AUTN has an acceptable value. If the mobile device successfully authenticates the network, it generates a response RES and sends it to the serving network system. The serving system then compares the expected response XRES with the response RES to authenticate the mobile device, thereby completing mutual authentication according to the conventional AKA protocol.

If during the authentication process the mobile device determines that the MAC extracted from the AUTN does not match the MAC generated in the mobile equipment, the mobile device sends an authentication failure message to the serving system. If the MAC extracted from the AUTN matches the MAC generated by the mobile device but the sequence number SQN is not within the valid range, the mobile device sends a resynchronization message to the network. Since the AKA security protocol briefly described above and used in the 3G CDMA system is well known in the prior art, further details are omitted for brevity.

Although security protocols have evolved from those of the 2G CDMA system to those of the 3G CDMA system, which are also implemented in some conventional IMS security protocols, part of the hardware used for wireless communication has not been updated and/or cannot handle the later protocols. For example, some companies that spent considerable time and money developing hardware for handling 2G CDMA security protocols have decided not to update that hardware for cost reasons. Thus part of the conventional 2G CDMA system equipment currently cannot provide a mutually authenticated communication channel using the AKA security protocols of the conventional 3G CDMA system.

Accordingly, proposals are known for establishing a mutually authenticated communication channel without using the quintet-based AKA security protocol described above for the 3G CDMA system. In other words, these proposals attempt to reuse the IS-41 authentication procedure previously used in 2G CDMA security protocols. However, all of these proposals have at least one drawback. In particular, disclosure of a previously used IS-41 session key (e.g. SMEKEY or PLCM) would allow an attacker to replay the random number, complete the key agreement protocol successfully and communicate with the mobile device or the network. Essentially, these proposals are insecure once a previously used IS-41 session key is revealed.

Disclosure of the invention

The embodiments describe methods and devices for establishing communication between a mobile device and a network that uses ANSI-41 security protocols.

In one embodiment, a method performed by a mobile device to authenticate communication with a network comprises receiving authentication information from the network and extracting a first random number from the received authentication information. The first random number is a random number that the network associates with the mobile device. On the basis of the first random number, at least one mobile device key is generated using cellular authentication and voice encryption. A second random number is extracted from the received authentication information; the second random number is associated with the network. On the basis of the second random number, at least one network key is generated using cellular authentication and voice encryption. An authentication key is generated on the basis of the mobile device key and the network key. On the basis of the authentication key and at least part of the received authentication information, an expected network message authentication code is generated according to the security protocol for authentication and key agreement. The network is authenticated on the basis of the expected network message authentication code.

In another embodiment, a method implemented by a network in order to establish communication with a mobile device comprises generating a challenge. The challenge contains a sequence number field, an authentication management field and a random number field. The sequence number field contains a sequence number and part of a first random number that the network associates with the mobile device. The authentication management field contains another part of the first random number, and the random number field includes a second random number and a further part of the first random number. According to this embodiment, at least one mobile device key is additionally obtained using the first random number, at least one network key is obtained using the second random number, and an authentication key is generated on the basis of the mobile device key and the network key. On the basis of the authentication key a first message authentication code is generated according to the security protocol for authentication and key agreement, and on the basis of the sequence number in the sequence number field, the authentication management field and the first message authentication code an authentication token is generated. The challenge and the authentication token are transmitted to the mobile equipment.

Brief description of the drawings

The present invention will be more fully understood from the following detailed description and the accompanying drawings, which are given by way of example only and therefore do not limit the present invention, in which like elements are denoted by like reference numerals, and in which:

figure 1 shows a communication system according to one example embodiment,

figure 2 illustrates an example embodiment of the mobile device,

figure 3 illustrates one example embodiment of a random number RANDM that is longer than the random number usually used to establish communication channels,

figure 4 illustrates one example embodiment of the AKA challenge, which can be generated by a home subscriber server (HSS) and used both by the HSS and by the mobile device to establish a mutually authenticated communication channel between the HSS 400 and the mobile device,

figure 5 is a hybrid block diagram and signal flow diagram illustrating one example of the operations performed by the HSS, the HLR/AC and the mobile device, and of the communication between the HSS, the HLR/AC and the mobile device, for forming a mutually authenticated communication channel,

figure 6 is a block diagram illustrating an example of the operation of the mobile device when authenticating the HSS.

Detailed description of example embodiments

Figure 1 illustrates a communication system 10 that includes at least one mobile unit (MU) 100, a home location register (HLR) 300 and a home subscriber server (HSS) 400. A person skilled in the art will recognize that the communication system 10 illustrated in figure 1 is simplified and may contain various intermediate components used for communication between the MU 100, the HLR/AC 300 and the HSS 400. Whether the HLR 300 or the HSS 400 serves a request from the MU 100 may depend on the location of the MU 100, the type of service requested by the MU 100, and so on.

In the exemplary embodiment described with reference to figure 1, the HLR 300 includes an authentication center (AC) 310. A person skilled in the art will recognize that the HLR 300 and the AC 310 may be separate, distinct components of the communication system, unlike the case illustrated in figure 1, in which the HLR 300 includes the AC 310. Hereinafter the HLR 300 and the AC 310 are referred to collectively as the home location register/authentication center (HLR/AC) 300. The HLR/AC 300 has the functionality to perform well-known 2G CDMA security procedures, such as cellular authentication and voice encryption (CAVE).

According to the example embodiment, the HSS 400 may act toward the HLR/AC 300 as a visitor location register (VLR) and use the 2G CDMA security functionality provided by the HLR/AC 300 to establish a mutually authenticated communication channel without any AKA cryptographic key having been provisioned in the MU 100 beforehand.

Figure 2 illustrates one example embodiment of the MU 100. As shown in figure 2, the MU 100 includes a user identity module (UIM), a memory 120, a processor 130 and a transceiver 140. The UIM may be a conventional user identity module. Alternatively, a person skilled in the art will recognize that the UIM of the MU 100 may be a conventional removable user identity module. For example, the UIM may be a module designed to operate according to the 2G CDMA security protocols. The UIM may store the MIN/IMSI/TMSI, which are well known in the art and are not considered further for brevity.

The memory 120, the processor 130 and the transceiver 140 may be used together with the UIM to implement the embodiments of the methods described below with reference to figures 3 and 4. For convenience of explanation, in the following embodiments the memory 120, the processor 130 and the transceiver 140 are referred to collectively as the MU.

Figure 3 illustrates one example embodiment of a random number RANDM that is longer than the random number usually used to establish communication channels. The MU 100 generates the random number RANDM. For example, generation of RANDM is initiated after the UIM is inserted into the MU 100 and/or in response to a signal received from the HSS 400. The random number RANDM shown in figure 3 contains 72 bits. In particular, RANDM contains, for example, 20 random bits, 32 bits used for cellular authentication and voice encryption (CAVE), and 20 bits representing the 6 digits of the called number. Hereinafter the random number RANDM generated by the MU 100 and stored in the MU is referred to as RANDM_ME, the subscript ME denoting that the random number is stored in the MU 100. This random number RANDM_ME is reported to the HSS 400 and stored in the HSS 400 as RANDM_HSS.

Figure 4 illustrates one example embodiment of the AKA challenge, which can be generated by the HSS 400 and used both by the HSS 400 and by the MU 100 to establish a mutually authenticated communication channel between the HSS 400 and the MU 100. As shown in figure 4, the AKA challenge contains a random number RANDM in the format shown in figure 3. Since the random number RANDM that forms part of the AKA challenge is the RANDM stored in the HSS 400, it is referred to as RANDM_HSS; similarly, the RANDM stored in the MU is referred to as RANDM_ME. The AKA challenge provides at least partially improved security because RANDM is longer than the random number usually used to establish the channel.

As shown in figure 4, the AKA challenge contains a sequence number field (SQN), an authentication management field (AMF) and an authentication and key agreement random number field (AKA_RAND). At least part of each of these fields, SQN, AMF and AKA_RAND, contains some of the bits of RANDM_HSS previously stored in the HSS 400 and used to generate the AKA challenge.

As shown in figure 4, the SQN field contains at least part of the sequence number stored in the HSS 400 (SQN_HSS), an indicator or flag (R), and part of the random number RANDM_HSS. In particular, the SQN field contains a total of 48 bits: 16 bits of SQN_HSS, the 1-bit indicator and 31 bits of RANDM_HSS. The SQN field is one of the input parameters used to generate the message authentication code (MAC).

The indicator R in the SQN field is used by the HSS 400 to prompt the MU 100 to generate and store a new random number RANDM_ME. As indicated previously, RANDM_ME may contain 72 bits. For example, if the indicator R is “1”, the MU 100 generates and stores a new random number RANDM_ME; if the indicator is “0”, the MU 100 does not generate or store a new RANDM_ME.

As shown in figure 4, the AMF field contains 16 bits of the random number RANDM_HSS stored in the HSS 400. The AMF is another input parameter of the function used to compute the MAC.

The AKA_RAND field contains a portion of the random number RANDM_HSS stored in the HSS 400 and random bits generated by the HSS 400. In particular, the AKA_RAND field contains 128 bits: 25 bits of RANDM_HSS, a 24-bit unique challenge RANDU and 79 other bits generated by the HSS 400.
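The bit layouts of figures 3 and 4, written out as an added example that is not code from the patent. The field widths (72, 48, 16 and 128 bits and their sub-field sizes) follow the description; which bits of RANDM land in which field, the order of the sub-fields inside SQN and AKA_RAND, and the encoding of the six dialed digits as a 20-bit binary integer are assumptions made here.

```python
"""Packing and parsing of RANDM (figure 3) and of the AKA challenge fields
SQN, AMF and AKA_RAND (figure 4).  Added example, not code from the patent.
Field widths follow the description; the placement of RANDM bits, the order
of sub-fields and the 20-bit binary encoding of the dialed digits are
assumptions."""
import secrets
from typing import Optional

RANDM_BITS = 72        # 20 random | 32 CAVE RAND | 20 bits for six dialed digits
SQN_FIELD_BITS = 48    # 16 SQN_HSS | 1 R flag | 31 bits of RANDM_HSS
AMF_BITS = 16          # 16 bits of RANDM_HSS
AKA_RAND_BITS = 128    # 25 bits of RANDM_HSS | 24-bit RANDU | 79 HSS random bits


def make_randm(dialed_digits: str, rand20: Optional[int] = None,
               cave_rand: Optional[int] = None) -> int:
    """Build the 72-bit RANDM that the MU generates (RANDM_ME)."""
    if len(dialed_digits) != 6 or not dialed_digits.isdigit():
        raise ValueError("expected exactly six dialed digits")
    rand20 = secrets.randbits(20) if rand20 is None else rand20
    cave_rand = secrets.randbits(32) if cave_rand is None else cave_rand
    if rand20 >> 20 or cave_rand >> 32:
        raise ValueError("random parts exceed their field widths")
    # Assumption: six decimal digits fit a 20-bit integer (999999 < 2**20).
    return (rand20 << 52) | (cave_rand << 20) | int(dialed_digits)


def split_randm(randm: int) -> tuple:
    """Inverse of make_randm: (20 random bits, 32-bit CAVE RAND, six digits)."""
    return randm >> 52, (randm >> 20) & 0xFFFFFFFF, f"{randm & 0xFFFFF:06d}"


def build_challenge(randm_hss: int, sqn_hss: int, r_flag: int, randu: int,
                    other79: Optional[int] = None) -> dict:
    """HSS side (step S570): spread RANDM_HSS over the three challenge fields.
    Assumed placement: RANDM[71:41] -> SQN field, RANDM[40:25] -> AMF,
    RANDM[24:0] -> top of AKA_RAND, followed by RANDU and 79 HSS random bits."""
    if randm_hss >> RANDM_BITS or sqn_hss >> 16 or r_flag >> 1 or randu >> 24:
        raise ValueError("input exceeds its field width")
    other79 = secrets.randbits(79) if other79 is None else other79
    hi31 = randm_hss >> 41
    mid16 = (randm_hss >> 25) & 0xFFFF
    lo25 = randm_hss & 0x1FFFFFF
    return {
        "sqn_field": (sqn_hss << 32) | (r_flag << 31) | hi31,
        "amf": mid16,
        "aka_rand": (lo25 << 103) | (randu << 79) | other79,
    }


def parse_challenge(challenge: dict) -> dict:
    """MU side (steps S610/S620): recover SQN_HSS, R, RANDM_HSS and RANDU."""
    sqn_field, amf, aka_rand = (challenge[k] for k in ("sqn_field", "amf", "aka_rand"))
    if sqn_field >> SQN_FIELD_BITS or amf >> AMF_BITS or aka_rand >> AKA_RAND_BITS:
        raise ValueError("malformed challenge field")
    hi31 = sqn_field & 0x7FFFFFFF
    lo25 = aka_rand >> 103
    return {
        "sqn_hss": sqn_field >> 32,
        "r_flag": (sqn_field >> 31) & 1,
        "randm_hss": (hi31 << 41) | (amf << 25) | lo25,
        "randu": (aka_rand >> 79) & 0xFFFFFF,
    }


def randn_in_use(randm_hss: int) -> bool:
    """True when the dialed-digit part is all ones: the HSS's signal that it
    substituted its own RANDN because no RANDM_ME was available."""
    return (randm_hss & 0xFFFFF) == 0xFFFFF
```

The MU-side parser rejects any field wider than figure 4 allows before it reassembles RANDM_HSS, so a malformed challenge never yields a plausible-looking random number.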

Next, with reference to figure 5, the operations performed and the communication carried out using the AKA challenge of figure 4 and/or information retrieved from the AKA challenge are described.

Figure 5 shows a hybrid block diagram and signal flow diagram illustrating examples of the operations performed by the HSS 400, the HLR/AC 300 and the MU 100 and of the communication between the HSS 400, the HLR/AC 300 and the MU 100.

As shown, the HSS 400 obtains a well-known RANDU/AUTHU pair by interacting with the HLR/AC 300. The HSS 400 transmits the RANDU/AUTHU pair to the HLR/AC 300 as if it were a well-known RAND/AUTHR pair in order to obtain network keys KEYS_N_HSS, such as SMEKEY and PLCM. In particular, the HSS 400 uses the 2G CDMA functionality provided by the HLR/AC 300. The HLR/AC 300 generates the network keys KEYS_N_HSS according to CAVE and returns them to the HSS 400.

Similarly, the HSS 400 transmits the mobile device random number RANDM_HSS to the HLR/AC 300. As stated above, the mobile device random number RANDM_HSS may have been previously received from the MU as RANDM_ME and stored in the HSS 400 as RANDM_HSS. In particular, RANDM_HSS is a random number that the network associates with the mobile device. The HLR/AC 300 performs a CAVE operation with RANDM_HSS to generate the mobile device keys KEYS_M_HSS, such as SMEKEY and PLCM.

It is possible that the mobile device random number RANDM_HSS is not available at the HSS 400; for example, the mobile device random number RANDM_ME has not yet been received, or has been deleted from the HSS 400. In this case the network generates the random number RANDM_HSS. For example, the HSS 400 may generate a second random number RANDN and use it as the CAVE RAND part (see figure 3) of the mobile device random number RANDM_HSS stored in the HSS 400. In addition, the HSS 400 may generate random bits for the random part of the stored RANDM_HSS and set every bit of the part of RANDM_HSS that represents the digits of the called number to “1”. Note that the MU can use this all-ones value in the dialed-digit part of the RANDM_HSS conveyed in the challenge as an indication that RANDN is in use.

As shown in figure 5, in step S550 the HSS 400 generates the authentication key AKA_key. For example, AKA_key may be the result of hashing the network keys KEYS_N_HSS and the mobile device keys KEYS_M_HSS according to the following equation: AKA_key = H1(KEYS_M_HSS, KEYS_N_HSS). In step S560 the HSS 400 uses AKA_key according to the 3G CDMA authentication and key agreement protocol, together with RANDU, the AMF value and the sequence number SQN_HSS, to generate a message authentication code MAC_HSS, which is stored in the HSS 400.

Then, in step S570, the HSS generates the challenge illustrated in figure 4 and the authentication token AUTN. The AUTN contains the anonymity key AK, the sequence number SQN_HSS, the authentication management field AMF and the message authentication code MAC_HSS. The challenge and the AUTN are transmitted to the MU 100.

Figure 6 shows a block diagram illustrating an example of the operation of the mobile device when authenticating the HSS after receiving the challenge and the AUTN. In particular, the transceiver 140 of the MU 100 receives the challenge and the token from the HSS 400 and passes the information to the processor 130 for processing and/or to the memory 120 for storage.

As shown in figure 6, in step S610 the MU 100 retrieves RANDU from the AKA_RAND field of the received challenge, and the MU 100 may use the extracted random number RANDU to generate the network keys KEYS_N_ME, such as PLCM and SMEKEY. As mentioned earlier, key generation from random numbers is well known in the prior art and can easily be performed by the UIM of the MU 100 using CAVE. It is assumed that the MU 100 and the HLR/AC 300 generate the network keys KEYS_N in the same way.

In addition, in step S620 the processor 130 of the MU extracts the random number RANDM_HSS from the received challenge and generates the mobile device keys KEYS_M_ME. In this case too the MU 100 performs a CAVE operation with the random number RANDM_HSS to generate the mobile device keys KEYS_M_ME. Alternatively, the mobile device keys KEYS_M_ME may already have been generated from RANDM_ME and stored in the memory 140 of the MU 100. For example, the processor 130 sets the top 20 bits as the six dialed digits and the next 32 most significant bits as the CAVE RAND, and passes this information to the UIM to obtain the mobile device authentication response AUTHM and the mobile device keys KEYS_M_ME.

After the MU 100 has obtained both the network keys KEYS_N_ME and the mobile device keys KEYS_M_ME, in step S630 the MU 100 generates the authentication key AKA_key. For example, AKA_key may be the result of hashing the network keys KEYS_N_ME and the mobile device keys KEYS_M_ME according to the following equation: AKA_key = H1(KEYS_M_ME, KEYS_N_ME).

Then, in step S640, the MU 100 generates the expected message authentication code HMAC. The MU 100 generates the expected code HMAC using the mobile device random number RANDM_HSS, which forms part of the SQN field of the AKA challenge, and the authentication key AKA_key generated and stored in the MU 100, according to the 3G CDMA security protocol for authentication and key agreement.

The MU 100 then compares the expected message authentication code HMAC with the MAC_HSS obtained in step S650 from the AUTN. If the expected code HMAC and the MAC_HSS received from the HSS 400 do not match, the MU 100 transmits an authentication failure message to the HSS 400, as shown in figure 6, and execution of the security protocol is aborted. Alternatively, if the expected code HMAC and the MAC_HSS received from the HSS 400 match, the method illustrated in figure 6 proceeds to step S660.

In step S660 the MU 100 determines whether the mobile device random number RANDM_HSS received from the HSS 400 in the AKA challenge matches the mobile device random number RANDM_ME stored in the MU 100. If RANDM_HSS received from the HSS 400 does not match RANDM_ME stored in the memory 140 of the MU 100, in step S670 the MU 100 generates and transmits a resynchronization message. As shown in figure 6, the resynchronization message contains a sequence number field SQNRESYNC and a field MACS.

According to one embodiment, the resynchronization message contains the mobile device random number RANDM_ME stored in the MU 100. For example, as shown in figure 6, the sequence number field contains 48 bits of RANDM_ME and the MACS field contains 24 bits of RANDM_ME. In addition, the MACS field contains 18 bits of the mobile device authentication response AUTHRM combined by exclusive-OR with 18 bits of MACS, as well as 22 bits of MACS. Since generation of the mobile device authentication response AUTHRM is well known in the prior art, it is not considered further for brevity.

On receiving the resynchronization message, the HSS 400 generates MACS_HSS using the authentication key AKA_key in order to verify the MU 100. In particular, the HSS 400 evaluates a pseudo-random function using the previously generated AKA_key, the mobile device random number RANDM_HSS stored in the HSS 400 and the random number AKA_RAND stored in the HSS 400.

The HSS 400 then compares MACS_HSS with the MACS received in the resynchronization message sent by the MU 100. For example, the HSS 400 may extract the 22 most significant bits of the MACS received in the resynchronization message and compare the extracted 22 bits with the 22 least significant bits of MACS_HSS.

In addition, the HSS 400 recovers the mobile device authentication response AUTHRM received from the MU 100 by applying the exclusive-OR function to the next 18 bits of MACS. According to one example embodiment, the HSS 400 then transmits AUTHRM together with additional information to the HLR/AC 300 to verify the MU 100 and obtain new mobile device keys KEYS_M_HSS. The additional information includes, for example, the CAVE portion of RANDM_ME and the digits of the called number. If the mobile device authentication response is verified by the HLR/AC 300, the 18 bits of MACS are thereby also verified, so that 40 bits in total are verified.

Alternatively, if at step S660 it is found that RANDM_HSS matches RANDM_ME, the method shown in figure 6 proceeds to step S680. In step S680 the MU 100 determines whether the sequence number SQN is acceptable. The sequence number SQN of the current authentication process is compared with the sequence number SQN_ME previously stored in the MU 100. For example, the sequence number SQN of the current authentication process must be greater than the sequence number SQN_ME previously stored in the MU 100, but must lie within a certain range. In other words, SQN must be greater than SQN_ME previously stored in the MU 100 and less than the upper tolerable limit SQN_ME + Δ, i.e. SQN_ME < SQN < SQN_ME + Δ, where Δ is an integer.

If at step S680 it is found that the sequence number SQN is outside the allowable range, in step S690 the MU 100 transmits a resynchronization message. As shown in figure 6, the resynchronization message contains the sequence number field SQNRESYNC and the field MACS. For example, the SQNRESYNC field of the resynchronization message may contain zeros in the 32 most significant bits of the 48-bit sequence number, and the 16 least significant bits of the 48-bit sequence number may be set to the sequence number SQN_ME previously stored in the MU 100. As indicated earlier, the MU 100 generates AKA_key from the received challenge. The generated AKA_key is used to compute the MACS that is included in the MACS field of the resynchronization message.

The HSS 400 receives the resynchronization message generated because the sequence number SQN was determined to be outside the valid range, and processes it. For example, the HSS 400 may be configured to recognize that 32 most significant bits set to zero in the 48-bit sequence number contained in the SQNRESYNC field indicate that the resynchronization message contains the sequence number SQN_ME stored in the MU 100. Accordingly, the HSS 400 stores the sequence number SQN_ME for future use. In addition, the HSS 400 verifies the MU 100 using the 64-bit MACS contained in the MACS field, as described previously.

If at step S680 the MU 100 determines that the sequence number SQN of the current authentication operation is within the allowable range, in step S700 the MU 100 generates a response RES. Since generation of the response RES from the random number and the secret key stored in the MU is well known from the prior art, it is not considered further for brevity. The MU 100 also computes the cipher key CK and the integrity key IK from the random number and the secret key. Computation of the cipher key CK and the integrity key IK is also well known from the prior art.

As shown in figure 5, the MU 100 transmits the response RES to the HSS 400. The HSS 400 has already generated the expected response XRES in step S580 in a well-known manner. In step S590 the HSS, or a network entity acting on behalf of the HSS 400, compares the response RES with the expected response XRES. If they do not match, authentication fails. If they match, the HSS 400 and the MU 100 establish a mutually authenticated communication channel.
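The MU-side procedure of steps S610 to S700 (figure 6), together with the HSS handling of the two resynchronization message forms, as an added example that is not the patent's code. CAVE, the AKA functions f1/f2 and the MACS pseudo-random function are replaced here by HMAC-SHA-256 stand-ins, H1 is taken as SHA-256 over the concatenated keys, MAC and MACS are taken as 64 bits, and the sub-field order inside the MACS field and the choice of which MACS bits are combined with AUTHRM are assumptions.

```python
"""MU-side authentication of the HSS (steps S610 to S700 of figure 6) and the
HSS processing of both resynchronisation message forms.  Added example, not
code from the patent.  CAVE, f1, f2 and the MACS PRF are HMAC-SHA-256
stand-ins, H1 is SHA-256 over the concatenated keys, MAC and MACS are 64 bits
and the MACS field layout (24 bits of RANDM_ME | 18 bits AUTHR_M xor
MACS[39:22] | MACS[21:0]) is an assumption."""
import hashlib
import hmac

MASK18, MASK22, MASK24 = (1 << 18) - 1, (1 << 22) - 1, (1 << 24) - 1


def prf64(key: bytes, label: bytes, *fields: int) -> int:
    """64-bit keyed stand-in for CAVE / f1 / f2 / the MACS PRF (assumption)."""
    data = label + b"".join(f.to_bytes(16, "big") for f in fields)
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")


def cave_keys(root_key: bytes, rand: int) -> tuple:
    """Stand-in for CAVE key generation: (SMEKEY, PLCM) for a random number."""
    return prf64(root_key, b"SMEKEY", rand), prf64(root_key, b"PLCM", rand)


def cave_authr(root_key: bytes, rand: int) -> int:
    """Stand-in for the 18-bit CAVE authentication response AUTHR."""
    return prf64(root_key, b"AUTHR", rand) & MASK18


def aka_key(keys_m: tuple, keys_n: tuple) -> bytes:
    """AKA_key = H1(KEYS_M, KEYS_N), with H1 taken as SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(k.to_bytes(8, "big") for k in keys_m + keys_n)).digest()


def f1_mac(key: bytes, sqn_field: int, amf: int, aka_rand: int) -> int:
    """Network MAC over the SQN field, AMF and AKA_RAND (f1 stand-in)."""
    return prf64(key, b"f1", sqn_field, amf, aka_rand)


def macs(key: bytes, randm_hss: int, aka_rand: int) -> int:
    """Resynchronisation MACS: PRF over AKA_key, RANDM_HSS and AKA_RAND."""
    return prf64(key, b"MACS", randm_hss, aka_rand)


def mu_authenticate(root_key: bytes, randm_me: int, sqn_me: int, challenge: dict,
                    autn_mac: int, delta: int = 256) -> tuple:
    """Returns ('failure', None), ('resync', (sqn_resync, macs_field)) or ('ok', res).
    `challenge` holds the raw fields plus the values already extracted from them."""
    c = challenge
    keys_n = cave_keys(root_key, c["randu"])                     # S610
    keys_m = cave_keys(root_key, c["randm_hss"])                 # S620
    key = aka_key(keys_m, keys_n)                                # S630
    xmac = f1_mac(key, c["sqn_field"], c["amf"], c["aka_rand"])  # S640
    if not hmac.compare_digest(xmac.to_bytes(8, "big"), autn_mac.to_bytes(8, "big")):
        return "failure", None                                   # S650: MAC mismatch
    if c["randm_hss"] != randm_me:                               # S660 -> S670
        m = macs(key, c["randm_hss"], c["aka_rand"])
        authr_m = cave_authr(root_key, randm_me)
        sqn_resync = randm_me >> 24                              # 48 high bits of RANDM_ME
        macs_field = (((randm_me & MASK24) << 40)                # 24 low bits of RANDM_ME
                      | ((authr_m ^ ((m >> 22) & MASK18)) << 22) # AUTHR_M xor 18 MACS bits
                      | (m & MASK22))                            # 22 MACS bits in clear
        return "resync", (sqn_resync, macs_field)
    if not (sqn_me < c["sqn_hss"] < sqn_me + delta):             # S680 -> S690
        m = macs(key, c["randm_hss"], c["aka_rand"])
        return "resync", (sqn_me & 0xFFFF, m)                    # 32 zero MSBs + SQN_ME
    return "ok", prf64(root_key, b"f2", c["aka_rand"])           # S700 (f2 stand-in)


def hss_verify_resync(key: bytes, randm_hss: int, aka_rand: int,
                      sqn_resync: int, macs_field: int) -> dict:
    """HSS processing of a resynchronisation message."""
    m = macs(key, randm_hss, aka_rand)
    if sqn_resync >> 16 == 0:
        # 32 zero high-order bits: the message carries SQN_ME; check the full 64-bit MACS.
        return {"form": "sqn", "sqn_me": sqn_resync, "verified": macs_field == m}
    # Otherwise it carries RANDM_ME: rebuild it, check 22 bits of MACS and recover
    # AUTHR_M, which the HSS forwards to the HLR/AC to cover the remaining 18 bits.
    randm_me = (sqn_resync << 24) | (macs_field >> 40)
    authr_m = ((macs_field >> 22) & MASK18) ^ ((m >> 22) & MASK18)
    return {"form": "randm", "randm_me": randm_me, "authr_m": authr_m,
            "verified": (macs_field & MASK22) == (m & MASK22)}
```

The MAC comparison in step S650 uses a constant-time compare; a plain `!=` on the integers would leak timing information about how many leading bytes of the forged MAC were correct.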

The described methods, devices and systems guarantee at least 64-bit security. In addition, when forming the challenge, the methods transmit both a random number associated with the mobile device and a random number associated with the network. The authentication and key agreement (AKA) key is based on the CDMA keys derived from the contents of the challenge. In addition, the mobile device regenerates the 72-bit random number associated with the mobile device after insertion of the UIM, but not during resynchronization. During resynchronization either the 72-bit random number generated or stored in the mobile device or a 16-bit sequence number is transmitted. The network verifies and accepts the resynchronization message and stores the 72-bit random number supplied by the mobile device. Moreover, in the challenge the network uses the 72-bit random number that it associates with the mobile device together with a newly created random number to create the CDMA keys, which in turn create the AKA key. The AKA key is used with the standard AKA functions to create MAC, RES, CK and IK.

It is obvious that various changes may be made to the described invention. Such changes are not to be regarded as departing from the spirit and scope of the invention, and all such changes as would be obvious to a person skilled in the art are included within the scope of the present invention.

1. A method of authenticating communication with a network (400), performed by a mobile device (100), comprising:
receiving authentication information from the network,
extracting from the received authentication information a first random number that the mobile device has provided to the network,
generating (step S620), based on the first random number, at least one mobile device key using cellular authentication and voice encryption,
extracting from the received authentication information a second random number that is associated with the network,
generating (step S610), based on the second random number, at least one network key using cellular authentication and voice encryption,
generating (step S630) an authentication key based on the mobile device key and the network key,
generating (step S640) an expected network message authentication code based on the authentication key and at least part of the received authentication information according to the security protocol for authentication and key agreement, and
authenticating (steps S650, S660, S680) the network on the basis of the expected network message authentication code.

2. The method according to claim 1, wherein the authenticating step comprises retrieving a message authentication code from the received information and comparing (step S650) the expected message authentication code with the retrieved message authentication code.

3. The method according to claim 2, wherein the authenticating step comprises comparing (step S660) the first random number with a third random number stored in the mobile device, and transmitting a resynchronization message to the network if the first random number does not match the third random number, the resynchronization message containing at least part of the third random number.

4. The method according to claim 2, wherein the received information includes a sequence number field, an authentication management field and a random number field according to the protocol for authentication and key agreement, the method further comprising:
determining (step S680) whether the sequence number in the sequence number field is within a valid range, and
transmitting a resynchronization message if it is determined that the sequence number is not within the valid range.

5. The method according to claim 4, wherein the resynchronization message contains a sequence number stored in the mobile device.

6. The method according to claim 1, wherein the received information includes a sequence number field, an authentication management field and a random number field according to the protocol for authentication and key agreement, the method further comprising:
retrieving a message authentication code from the received information,
comparing (step S650) the expected message authentication code with the retrieved message authentication code,
comparing (step S660) the first random number with a third random number stored in the mobile device,
determining (step S680) whether the sequence number in the sequence number field is within a valid range, and
transmitting (step S700) an authentication response to the network if the expected message authentication code matches the retrieved message authentication code, the first random number matches the third random number, and the sequence number is within the valid range.

7. A method of establishing communication with a mobile device, performed by a network, comprising:
generating (step S570) a challenge containing a sequence number field, an authentication management field and a random number field, wherein the sequence number field contains a sequence number and part of a first random number that the network received from the mobile device, the authentication management field contains another part of the first random number, and the random number field contains a second random number and a further part of the first random number,
obtaining at least one mobile device key using the first random number,
obtaining at least one network key using the second random number,
generating (step S550) an authentication key based on the mobile device key and the network key,
generating (step S560) a first message authentication code based on the authentication key according to the security protocol for authentication and key agreement,
generating (step S570) an authentication token on the basis of the sequence number of the sequence number field, the authentication management field and the first message authentication code, and
transmitting the challenge and the authentication token to the mobile device.

8. The method according to claim 7, further comprising:
receiving from the mobile device a response to the challenge and the authentication token, and
establishing, based on the response, a communication channel with mutual authentication with the mobile device.

9. The method according to claim 7, further comprising:
receiving from the mobile device a resynchronization message containing a third random number and a second message authentication code,
verifying the mobile device based on the second message authentication code, and
retaining the second random number for generating another challenge to the mobile device if the mobile device is verified.

10. The method according to claim 7, further comprising:
receiving from the mobile device a resynchronization message containing several bits indicating that the resynchronization message contains a sequence number corresponding to the mobile device, the resynchronization message further comprising the sequence number corresponding to the mobile device and a second message authentication code,
verifying the mobile device based on the second message authentication code, and
retaining the sequence number corresponding to the mobile device for generating another challenge to the mobile device if the mobile device is verified.
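The following is an added example, not code from the patent, that simulates the exchange described in the paragraph on 72-bit random numbers above and in claims 1 to 10: the network packs the mobile's random number and its own into the challenge fields, both sides derive the mobile key and the network key from those random numbers, combine them into the authentication key, and the mobile checks the MAC, its stored random number and the sequence-number range before answering with RES or a resynchronization message. Everything cryptographic is a labelled stand-in: CAVE key generation and the AKA functions f1 (MAC) and f2 (RES) are replaced by HMAC-SHA256, the shared root key and the random numbers are constructed values, the split of the 72-bit mobile random number across the sequence number, authentication management and random number fields is an assumed layout consistent with claim 7, and `SQN_WINDOW` is an assumed size for the valid sequence-number range.

```python
# Added example, not code from the patent: a simulation of the challenge /
# response exchange in the claims above. CAVE key generation and the AKA
# functions f1 (MAC) and f2 (RES) are replaced by HMAC-SHA256 stand-ins, and
# the split of the 72-bit mobile random number across the three challenge
# fields is an assumed layout consistent with claim 7.
import hmac
import hashlib
from dataclasses import dataclass

# Constructed shared secret (stand-in for the CDMA A-Key / SSD).
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SQN_WINDOW = 32  # assumed width of the valid sequence-number range

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def cave_key(random_number: bytes) -> bytes:
    """Stand-in for CAVE: a 64-bit key from the root key and a random number."""
    return prf(ROOT_KEY, b"CAVE", random_number)[:8]

def aka_key(k_mobile: bytes, k_network: bytes) -> bytes:
    """Authentication key (AKA key) built from the mobile and network keys."""
    return prf(k_mobile + k_network, b"AKA", b"")[:16]

def aka_f1(k: bytes, rand: bytes, sqn_field: bytes, amf: bytes) -> bytes:
    return prf(k, b"f1", rand + sqn_field + amf)[:8]  # MAC / XMAC

def aka_f2(k: bytes, rand: bytes) -> bytes:
    return prf(k, b"f2", rand)[:8]                    # RES / XRES

@dataclass
class Challenge:
    rand: bytes       # 16 bytes: 13-byte network random number + 3 bytes of RAND_MS
    sqn_field: bytes  # 6 bytes: 2-byte sequence number + 4 bytes of RAND_MS
    amf: bytes        # 2 bytes of RAND_MS
    mac: bytes        # 8-byte MAC over rand, sqn_field and amf

def network_challenge(rand_ms: bytes, rand_net: bytes, sqn: int):
    """Network side (claim 7): spread the 72-bit RAND_MS over the three fields,
    derive the keys and return the challenge plus the expected response XRES."""
    assert len(rand_ms) == 9 and len(rand_net) == 13
    sqn_field = sqn.to_bytes(2, "big") + rand_ms[0:4]
    amf = rand_ms[4:6]
    rand = rand_net + rand_ms[6:9]
    k = aka_key(cave_key(rand_ms), cave_key(rand_net))
    return Challenge(rand, sqn_field, amf, aka_f1(k, rand, sqn_field, amf)), aka_f2(k, rand)

def make_resync(stored_rand_ms: bytes, last_sqn: int, rand_net: bytes):
    """Resynchronization message (claims 3, 5): the stored random number and
    sequence number, protected by a second MAC the network can recompute."""
    k2 = aka_key(cave_key(stored_rand_ms), cave_key(rand_net))
    body = stored_rand_ms + last_sqn.to_bytes(2, "big")
    return body, prf(k2, b"resync", body)[:8]

def mobile_authenticate(ch: Challenge, stored_rand_ms: bytes, last_sqn: int):
    """Mobile side (claims 1-6): recover both random numbers, rebuild the AKA
    key, then check XMAC, the stored random number and the SQN range."""
    rand_ms = ch.sqn_field[2:6] + ch.amf + ch.rand[13:16]
    rand_net = ch.rand[:13]
    sqn = int.from_bytes(ch.sqn_field[:2], "big")
    k = aka_key(cave_key(rand_ms), cave_key(rand_net))
    if not hmac.compare_digest(aka_f1(k, ch.rand, ch.sqn_field, ch.amf), ch.mac):
        return "reject", None  # MAC mismatch: the network is not authenticated
    if rand_ms != stored_rand_ms or not last_sqn < sqn <= last_sqn + SQN_WINDOW:
        return "resync", make_resync(stored_rand_ms, last_sqn, rand_net)
    return "ok", aka_f2(k, ch.rand)  # RES sent back to the network

def network_handle_resync(body: bytes, mac: bytes, rand_net: bytes):
    """Network side (claims 9-10): verify the second MAC and, if valid, return the
    mobile's random number and sequence number to keep for the next challenge."""
    k2 = aka_key(cave_key(body[:9]), cave_key(rand_net))
    if not hmac.compare_digest(prf(k2, b"resync", body)[:8], mac):
        return None
    return body[:9], int.from_bytes(body[9:], "big")

def run_exchange(net_rand_ms, mobile_rand_ms, rand_net, sqn, last_sqn) -> str:
    """One round as seen by the network: 'authenticated', 'resynced' or 'failed'."""
    ch, xres = network_challenge(net_rand_ms, rand_net, sqn)
    status, payload = mobile_authenticate(ch, mobile_rand_ms, last_sqn)
    if status == "ok":
        return "authenticated" if hmac.compare_digest(payload, xres) else "failed"
    if status == "resync":
        return "resynced" if network_handle_resync(*payload, rand_net) else "failed"
    return "failed"

if __name__ == "__main__":
    rand_ms, rand_net = bytes(range(9)), bytes(range(13))  # constructed values
    print(run_exchange(rand_ms, rand_ms, rand_net, sqn=5, last_sqn=4))   # authenticated
    print(run_exchange(rand_ms, bytes(9), rand_net, sqn=5, last_sqn=4))  # resynced
```

The point the claims make, and the simulation shows, is that neither side can compute a valid MAC or RES without both CDMA-derived keys, so a challenge whose random number field or MAC has been altered in transit is rejected by the mobile before any response is sent, while a stale random number or an out-of-window sequence number leads to an authenticated resynchronization rather than a silent failure.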
