Method and apparatus for providing authentication in a communication system Number:7,522,727 from the United States Patent and Trademark Office (PTO) owispatent A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).<H authentication, communication, Method, and, appa, 7522727.html, Patent, pto, 7522727

Title: Method and apparatus for providing authentication in a communication system

Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).

Patent Number: 7,522,727 Issued on 04/21/2009 to Sowa, et al.

Inventors: Sowa; Hans Christopher (Schaumburg, IL), McDonald; Daniel J. (Cary, IL), Chater-Lea; David J. (Crowthorne, GB), Pappas; Scott J. (Lake Zurich, IL), Johur; Jason (Maidenhead, GB), Newkirk; Dennis (West Chicago, IL), Kremske; Randy (Woodstock, IL), Anderson; Walter F. (Algonquin, IL)
Assignee: Motorola, Inc. (Schaumburg, IL)

Appl. No.: 11/468,851

Filed: August 31, 2006

Related U.S. Patent Documents


Application Number	Filing Date	Patent Number	Issue Date
09785722	Feb., 2001	7123719

Current U.S. Class: 380/247 ; 380/248; 380/249; 380/258; 380/259; 380/260; 380/261; 380/262; 380/263; 380/264; 380/265; 380/266; 380/267; 380/268; 380/269; 380/270; 380/271; 380/272; 380/273; 380/277; 380/278; 380/279; 380/280; 380/281; 380/282; 380/283; 380/284; 380/285; 380/286; 455/432.1; 455/432.2; 455/432.3; 455/433; 455/434; 455/435.1; 455/435.2; 455/435.3; 455/436; 713/161; 713/162; 713/163; 713/164; 713/165; 713/166; 713/167; 713/168; 713/169; 713/170; 713/171

Current International Class: H04K 1/00 (20060101); H04L 9/00 (20060101)

References Cited [Referenced By]

U.S. Patent Documents


4841433	June 1989	Hakim
4888800	December 1989	Marshall
5164988	November 1992	Matyas et al.
5199072	March 1993	White
5329573	July 1994	Chang
5588062	December 1996	Altschuler
5794139	August 1998	Mizikovsky
5812955	September 1998	Dent
5850444	December 1998	Rune
5889861	March 1999	Ohashi
6026298	February 2000	Lamb
6108424	August 2000	Pitiot
6128389	October 2000	Chan
6134431	October 2000	Matsumoto
6477387	November 2002	Jackson
6707915	March 2004	Jobst et al.
6876747	April 2005	Faccin et al.
6920559	July 2005	Nessett et al.
7123719	October 2006	Sowa et al.

Foreign Patent Documents


0658021	Jun., 1995	EP
1011222	Jun., 1999	EP
1011222	Jun., 1999	EP
2344978	Jun., 2000	GB
WO9727716	Jul., 1997	WO
WO9917459	Apr., 1999	WO
WO0041427	Jul., 2000	WO
WO0048363	Aug., 2000	WO
WO0124560	Apr., 2001	WO

Other References

Roelofsen, Security Issues for TETRA Networks, TETRA Conference, PTT Telecom/KPN Research 1998. cited by other .
Roelofsen, KPN Research, TETRA Security, Information Security Technical Report; vol. 5, No. 3 (2000) 44-54. cited by other .
Terrestrial Trunked Radio (TETRA); Voice Plus Data (V+D); Part 7; Security EN 300 392-7. cited by other .
Marcel Waldvogel, et al. "The Versakey Framework: Versatile Group Key Management" IEEE Journal on Selected Areas in Communications, IEEE Service Center, Piscataway, US, vol. 17, No. 9, Sep. 1999, XP011055017, ISSN: 0733-8716, p. 1619. cited by other .
Asha Mehrotra, et al. "Mobility and Security Management in the GSM System and Some Proposed Future Improvements", Proceedings of the IEEE, IEEE, New York, US, vol. 86, No. 7, Jul. 1998, XP011044053, ISSN:0018-9219, p. 1489 Right-Hand Column, Line 43 and p. 1491, Left-Hand Column, Line 44, Figure 13. cited by other.

Primary Examiner: Abrishamkar; Kaveh
Attorney, Agent or Firm: Davis; Valerie M.

Parent Case Text

The present application is a divisional application of, and claims priority and full benefit under 35 U.S.C. .sctn. 120 of previous U.S. patent application Ser. No. 09/785,722, for METHOD AND APPARATUS FOR PROVIDING AUTHENTICATION IN A COMMUNICATION SYSTEM, filed Feb. 16, 2001, and assigned to Motorola, Inc., and which is incorporated herein by reference in its entirety. This application is related to U.S. application Ser. No. 11/468,824, filed Aug. 31, 2006, titled "Method and Apparatus for Providing Authentication in a Communication System" by Sowa, et al. commonly owned together with this application by Motorola, Inc.

Claims

What is claimed is:

1. A method comprising the steps of: receiving, from a mobile station, a request to communicate in a communication system; determining whether the request to communicate is encrypted; when the request to communicate is not encrypted, sending a request to authenticate the mobile station to an infrastructure system device in the communication system; when the request to communicate is encrypted, determining whether the mobile station is powering up; when the mobile station is powering up and the request to communicate is encrypted, sending a request to authenticate the mobile station to the infrastructure system device in the communication system; when the mobile station is not powering up and the request to communicate is encrypted, determining whether the request to communicate is encrypted using a valid key; when the mobile station is not powering up and the request to communicate is encrypted using a valid key, permitting the mobile station access to the system without requesting authentication.

2. The method of claim 1, further comprising the steps of: storing authentication requests during a time period when the infrastructure system device is not available; when the infrastructure system device becomes available, forwarding the stored authentication requests to the infrastructure system device.

3. The method of claim 1, wherein sending the request to authenticate the mobile station to an infrastructure system device comprises sending the request to authenticate the mobile station to a zone controller in a zone in which the mobile station is located.

4. The method of claim 1, further comprising receiving an acknowledgement that authentication for the mobile station has passed.

5. The method of claim 4, wherein authentication is performed by a first infrastructure system device using session authentication information that was received from a second infrastructure system device.

6. The method of claim 5, wherein at least a segment of the received session authentication information is encrypted.

7. The method of claim 6, wherein the at least a segment of the received session authentication information is encrypted using an intrakey that is used only by infrastructure system devices other than a mobile station within a zone for encrypting at least session authentication information that is distributed within the zone.

8. The method of claim 7, wherein the first infrastructure system device is a visitor location register located in one zone, and the second infrastructure system device is a home location register located in the same zone.

9. The method of claim 6, wherein the at least a segment of the received session authentication information is encrypted using an interkey that is shared by a plurality of zones and that is used by an infrastructure system device other than a mobile station in one zone in the plurality of zones for encrypting at least session authentication information for transport to another infrastructure system device other than a mobile station in another zone in the plurality of zones.

10. The method of claim 9, wherein the first infrastructure system device is a visitor location register located in one zone, and the second infrastructure system device is a home location register located in a different zone.

11. The method of claim 1, wherein the method is performed in any one of a base station and a base site.

12. A method comprising the steps of: receiving, from a mobile station, a request to communicate in a communication system; determining whether the mobile station is powering up; when the mobile station is powering up, sending a request to authenticate the mobile station to an infrastructure system device in the communication system; when the mobile station is not powering up, determining whether the request to communicate is encrypted; when the request to communicate is not encrypted, sending a request to authenticate the mobile station to an infrastructure system device in the communication system; when the mobile station is not powering up and the request to communicate is encrypted, determining whether the request to communicate is encrypted using a valid key; when the mobile station is not powering up and the request to communicate is encrypted using a valid key, permitting the mobile station access to the system without requesting authentication.

13. The method of claim 12, further comprising the steps of: storing authentication requests during a time period when the infrastructure system device is not available; when the infrastructure system device becomes available, forwarding the stored authentication requests to the infrastructure system device.

Description

FIELD OF THE INVENTION

This invention relates to encrypted communications, including but not limited to air interface communication within secure communication systems.

BACKGROUND OF THE INVENTION

Encrypted voice and data systems are well known. Many of these systems provide secure communication between two or more users by sharing one piece of information between the users, which permits only those users knowing it to properly decrypt the message. This piece of information is known as the encryption key variable, or key for short. Loading this key into the actual encryption device in the secure communication unit is a basic requirement that allows secure communication to occur. To retain security over a long period of time, the keys are changed periodically, typically weekly or monthly.

Encryption is known to be performed on an end-to-end basis within a communication system, i.e., encrypting a message at the originating communication unit (also known as a mobile station), passing it transparently (i.e., without decryption) through any number of channels and/or pieces of infrastructure to the end user's communication unit, which decrypts the message.

The Terrestrial Trunked Radio (TETRA) communication standard is presently utilized in Europe (hereinafter TETRA Standard), with potential for expansion elsewhere. The TETRA Standard calls for air interface, also known as air traffic or over-the-air, encryption. Air interface encryption protects information on the air interface between the infrastructure and the mobile subscriber. The TETRA standard calls for an authentication center, also known as a key management facility or key management center, to generate, distribute, and authenticate encryption keys and users. The TETRA standard does not, however, specify how to implement an authentication center, nor how to generate, distribute, and authenticate key material to system devices or mobile stations for information traversing through the infrastructure or SwMI (Switching and Management Infrastructure), as it is referred to in the TETRA Standard.

The TETRA standard fails to provide definition to minimize burden to call processing and bandwidth, provide encryption and authentication in a manner tolerant to equipment faults, support wide-area communications, and to store keys for all communication units without undue storage burden at local sites.

Accordingly, there is a need for a method and apparatus for providing a secure infrastructure for a communication system that utilizes air interface encryption and generates, distributes, and authenticates encryption keys and users without causing undue burden to call processing, bandwidth, security, and storage.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a secure communication system in accordance with the invention.

FIG. 2 is a block diagram showing key distribution pools in accordance with the invention.

FIG. 3 and FIG. 4 are block diagrams showing key storage within a communication system in accordance with the invention.

FIG. 5 is a diagram showing key storage and authentication information distribution within a communication system in accordance with the invention.

FIG. 6 is a diagram showing authentication information storage and authentication decision making within a communication system in accordance with the invention.

FIG. 7 is a diagram showing authentication of a mobile station by an authentication center in accordance with the TETRA Standard.

FIG. 8 is a diagram showing authentication of an authentication center by a mobile station in accordance with the TETRA Standard.

FIG. 9 is a diagram showing key storage and authentication information distribution between a communication system and a mobile station in accordance with the invention.

FIG. 10 is a diagram showing a key pull within a communication system in accordance with the invention.

FIG. 11 is a diagram showing a key push within a communication system in accordance with the invention.

FIG. 12 is a diagram showing distribution of a static cipher key to a base station within a communication system in accordance with the invention.

FIG. 13 is a diagram showing distribution of a static cipher key to a mobile station within a communication system in accordance with the invention.

FIG. 14 is a diagram showing distribution of a common cipher key to a mobile station and a base station within a communication system in accordance with the invention.

FIG. 15 is a diagram showing distribution of a group cipher key to a base station within a communication system in accordance with the invention.

FIG. 16 is a diagram showing distribution of a group cipher key to a mobile station within a communication system in accordance with the invention.

FIG. 17 is a flowchart showing a method of key persistence at a site in a communication system in accordance with the invention.

DESCRIPTION OF A PREFERRED EMBODIMENT

The following describes an apparatus for and method of providing a secure infrastructure for a communication system that utilizes air interface encryption and generates, distributes, and authenticates encryption keys and users without causing undue burden to call processing, bandwidth, security, and storage. System devices are divided into groups or pools and encryption keys are defined to provide secure transfer of key material among the system devices.

A block diagram of a secure communication system that is comprised of a plurality of zones is shown in FIG. 1. The secure communication system is comprised of a plurality of system devices that comprise the infrastructure of the system. A Key Management Facility (KMF) 101 transfers security data, such as session authentication information and encryption keys, to a User Configuration Server (UCS) 103, that forwards the information and data to the appropriate zone based on configuration data within the UCS 103. Communications for a first zone are provided by a plurality of system devices including a Zone Manager (ZM) 105, a Zone Controller 107 that includes a Home Location Register (HLR) 109 and a Visited (also known as a Visitor or Visitors') Location Register (VLR) 111, an air traffic router (ATR) 113, and a plurality of base stations (BSs) 115 and 117 located at a plurality of communication sites within the first zone. Communications for a second zone are provided by a plurality of system devices including a ZM 119, a ZC 121 that includes an HLR 123 and a VLR 125, an ATR 127, and a plurality of BSs 129 and 131 located at a plurality of communication sites within the second zone. The BSs 115, 117, 129, and 131 communicate with a plurality of mobile stations (see FIG. 4). The ZCs 107 and 121 communicate via a network 133, such as a local area network or a wide area network such as an IP (internet protocol) network. Only two zones and their associated system devices are shown for the sake of simplicity, although any number of zones may be successfully incorporated in the secure communication system.

For the sake of simplicity, not all system devices will be shown in each Figure, but rather a representative set of system devices that illustrates a particular concept will be provided. Similarly, not all key material is shown stored in each system device for the sake of space. Each message containing a key, key material, configuration, or other information is transferred with an related identity (ID) such as ITSI or GTSI, although the ID is generally not shown in the drawings for space considerations.

The KMF 101 is a secure entity that stores the authentication key (K) for each mobile station (MS) or communication unit, such as a portable or mobile two-way radio, Direct Mode Operation (DMO) gateway, receiver, scanner, or transmitter (for example, see devices 401, 403, and 405 in FIG. 4). The KMF 101 provides a random seed (RS) and associated session authentication keys (KS and KS') for each mobile station associated with the secure communication system. The KMF 101 also imports/generates various air interface keys, such as Static Cipher Key (SCK), Group Cipher Key (GCK), and Common Cipher Key (CCK), for distribution in the system. The KMF 101 functions as the authentication center (AuC), as referred to in the TETRA communication standard, in the system. Typically, there is one KMF server per system, although there may be one or more KMF clients per system.

The UCS 103 is a single point of entry for configuration data in the system. In the preferred embodiment, the UCS 103 stores and distributes session authentication information, such as RS, KS, and KS', to the appropriate home zone in the system. The UCS 103 functions as a non-real time distribution point for session authentication information in the system.

The ZM 105 or 119 is a management database for a zone. In the preferred embodiment, the ZM 105 or 119 stores session authentication information, such as RS, KS, and KS', for the zone managed by the particular ZM 105 or 119. The ZM functions as a non-real time storage facility for authentication information in the zone.

The ZC 107 or 121 performs real time authentication for the mobile stations in its zone. The ZC uses the session authentication information, such as RS, KS, and KS', to perform the real-time authentication. The HLR 109 or 123 stores session authentication information for each MS that has the HLR 109 or 123 as its home. The VLR 111 or 125 stores session authentication information for each MS visiting the VLR's 111 or 125 zone. The ZC 107 or 121 performs real-time distribution of its home mobile stations' session authentication information when the MS roams outside its home zone. In the preferred embodiment, an HLR 109 or 123 and VLR 111 or 125 are part of each zone controller and perform on behalf of the same zone for which the zone controller is associated. The HLR 109 or 123 and VLR 111 or 125 may be part of other system devices or may be stand alone devices. The derived cipher key (DCK) is generated during authentication. The ZC 107 or 121 generates and distributes the DCK for the MS to the BSs 115, 117, 129, and 131 that require the DCK for secure communications.

The ATR 113 or 127 is the conduit used by the KMF 101 to send rekey messages or key updates to an MS, such as SCK and GCK. The KMF 101 sends key updates for mobile stations to the home zone ATR 113 or 127 for dissemination. All rekey acknowledgments (ACKs), whether infrastructure or MS originated, pass through the ATR 113 or 127 to the KMF 101.

Each BS 115, 117, 129, and 131 receives and transmits authentication messages over the air interface. Each BS 115, 117, 129, and 131 acts as a transmitter for its associated ZC 107 or 121 and as a receiver for the MS in the system. The BS 115, 117, 129, or 131 uses DCK for air interface encryption with the MS. The BSs 115, 117, 129, and 131 are responsible for sending key material to the MSs 401, 403, 405, and 407. The result of some of these operations (SCK, GCK) is sent back to the KMF 101. Because each base site is comprised substantially of one or more base stations, the terms base site (or site) and base station are used interchangeably herein, both sharing the acronym BS. In the preferred embodiment, a TETRA site Controller (TSC) connects all the base stations at a site, stores key material, and distributes key material to the base stations as needed, thereby making keys available to all base stations at a site. Thus, when a key is said to be stored at a base station or a base site, in the preferred embodiment, the TSC actually provides storage for the base station for key material. Because key storage and distribution and other key-related functions may be performed by a base site, base station, or TSC, these terms are considered interchangeable for the purposes of this document.

The Mobile Station (MS) authenticates the system and/or is authenticated by the system using a challenge-response protocol. Each MS has its own key, K, for use during authentication. Each MS is assigned to one HLR, which typically remains the same. Each MS is also associated with only one VLR in the zone in which the MS is presently located. An MS is not registered on a system until the MS is active and has passed authentication.

FIG. 2 is a block diagram showing key distribution pools. Using a single key encryption key (KEK) to encrypt keys for distribution system wide is a convenient choice, although a single KEK would result in degraded security due to the higher likelihood that the KEK would be compromised and the resultant compromise would affect the whole system. Using a different KEK for each system device would be more secure, but would burden storage within system devices and add unnecessary delays to call processing. FIG. 2 shows a system for using KEKs that is more secure than a single system-wide key, yet not as burdensome as a different KEK for each system device. Two types of KEKs are assigned to confidentially distribute key material (such as air interface keys, session authentication information, data utilized to generate encryption keys, and other key-related material) to the system devices of the infrastructure of a system: intrakeys and interkeys. KEKs are 80 bits in the preferred embodiment.

The first type of KEK is an intrakey, also referred to as an intrapool key or intra-zone key, KEK.sub.Z. The system devices are divided into pools or groups 201, 203, 205, and 207. Each pool is assigned its own unique intrakey, KEK.sub.Z. In the preferred embodiment, each pool of devices corresponds to a zone in the communication system, and each pool has a mutually exclusive collection of system devices, i.e., each system device only belongs to one pool. The first pool 201 utilizes KEK.sub.Z1 to encrypt key material, such as encryption keys and/or session authentication information, for transfer within the first pool (or zone in the preferred embodiment) and comprises the first zone controller ZC1 107 and its associated BSs 115, 117, and 211. The second pool 203 utilizes KEK.sub.Z2 to encrypt key material for transfer within the second pool (or zone in the preferred embodiment) and comprises the second zone controller ZC2 121 and its associated BSs 129, 131, and 213. The third pool 205 utilizes KEK.sub.Z3 to encrypt key material for transfer within the third pool (or zone in the preferred embodiment) and comprises the third zone controller ZC3 223 and its associated BSs 225, 227, and 229. The fourth pool 207 utilizes KEK.sub.Z4 to encrypt key material for transfer within the fourth pool (or zone in the preferred embodiment) and comprises the fourth zone controller ZC4 215 and its associated BSs 217, 219, and 221. In the preferred embodiment, the intrakey is used by a zone controller to distribute key material to base sites/base stations within its zone. KEK.sub.Z is also used by the KMF 101 to distribute SCK.

The second type of KEK is an interkey, KEK.sub.M, also referred to as an interpool key or inter-zone key. The interkey is used to encrypt key material sent between pools or zones in the preferred embodiment, or within a certain group 209 of system devices, particularly from the KMF 101. In the preferred embodiment, the interkey is used by the KMF 101 to distribute GCK and individual authentication information to the infrastructure. In the preferred embodiment, the interkey is stored in one system device in each zone, in each zone controller 107 and 121, and is also stored in the KMF 101. The connections shown between the KMF 101 and the zone controllers 107, 121, 215, and 223 are virtual connections in the preferred embodiment, in that other devices, such as the UCS 103 and ZMs 105 and 119, are physically located between the KMF 101 and zone controllers 107, 121,215, and 223. The UCS 103 and ZMs 105 and 119 pass encrypted key information in a transparent manner between the KMF 101 and zone controllers 107, 121, 215, and 223, i.e., the UCS 103 and ZMs 105 and 119 do not decrypt or encrypt the information, thus no storage of a KEK is required at the UCS 103 and ZMs 105 and 119, although key material may be stored in encrypted form at the UCS 103 and ZMs 105 and 119.

Preferably, a message is encrypted by one of an intrakey and an interkey, typically using TA31 (decrypted using TA32), based on a system device to which the message is forwarded. For example, when the message is intended for a system device in a zone other than the zone containing the sending device, the interkey is used. When the message is intended for a system device in the same zone as the zone containing the sending device, the intrakey is used. In the preferred embodiment, when the KMF 101 encrypts key material, such as SCK, CCK, SAI, and GCK, with either the interkey or intrakey, the KMF 101 uses TA31.

For example, from time to time, key material is distributed from the HLR to a VLR and then to the base sites within the zone of the VLR. In this case, the key material is encrypted by KEK.sub.M and passed transparently from HLR to VLR. The target VLR decrypts the key material using its KEK.sub.M and re-encrypts it with the KEK.sub.Z of the zone for distribution to sites within the zone.

Each system device that contains an infrastructure KEK has its own unique infrastructure or protection key, KI, in the preferred embodiment. The protection key is only utilized to decrypt/encrypt KEKs sent by the KMF 101 to the infrastructure system devices. Preferably, the KI is only able to be loaded by a key variable loader and is not able to be updated with an OTAR (over-the-air rekey) operation. In addition to distribution by the KMF 101, the KEKs may also be manually provided with a Key Variable Loader. KI is 128 bits long in the preferred embodiment.

As shown in Table 1 below, KEK.sub.M is only stored by the zone controllers 107 and 121 and the KMF 101. The intrakey KEK.sub.Z is held only by the KMF 101, base stations/sites, and zone controller 107 and 121 within each zone. Each zone has a unique KEK.sub.Z. Each system device has its own KI.

TABLE-US-00001 TABLE 1 Distribution of Key Encryption Key Types Infrastructure Element Zone 1 Zone 2 Zone Controller (HLR, VLR) KI.sub.1, KEK.sub.M, KEK.sub.Z1 KI.sub.2, KEK.sub.M, KEK.sub.Z2 Base Sites KI.sub.3, KEK.sub.Z1 KI.sub.4, KEK.sub.Z2

The use of intrakeys and interkeys strikes a unique tradeoff between security and key management complexity as well as speed of call processing. The KMF 101 need only maintain one interkey plus one intrakey for each pool or zone in the system. If a KEK.sub.Z is compromised, the affect and response is localized to that zone, rather than the whole system, and KI remains intact to redistribute a new KEK.sub.Z to that zone. KEK.sub.M is stored only at the KMF 101 and the HLR 109 and 123 and VLR 111 and 125 in each zone, which devices are typically more physically protected from an attack. If KEK.sub.M is compromised, the KMF 101 changes KEK.sub.M in the ZCs 107 and 121, leaving the sites unaffected.

Five basic types of air interface keys are used to encrypt air interface traffic in the secure communication system: a Static Cipher Key (SCK), a Common Cipher Key (CCK), a Group Cipher Key (GCK), a Derived Cipher Key (DCK), and a Modified Group Cipher Key (MGCK). Three basic types of keys are used between the system devices: an Infrastructure Key (KI) also known as a protection key, an inter-zone or inter-pool key encryption key also known as an interkey (KEK.sub.M), and an intra-zone or intra-pool key encryption key also known as an intrakey (KEK.sub.Z).

The Static Cipher Key (SCK) is the most basic of the air interface keys and is used to encrypt inbound (MS to infrastructure) and outbound (infrastructure to MS) information when authentication and/or dynamic air interface encryption is not available. Thus, the generation and distribution of this key has no relation to authentication.

The Derived Cipher Key (DCK) is a session key derived within the authentication procedure. The DCK changes each time an authentication is performed with the MS and the infrastructure, also called the SwMI in the TETRA Standard. The DCK is used for inbound traffic encryption. The DCK is also used for outbound individually addressed traffic to the MS. DCK is used when using dynamic air interface encryption operating in TETRA Standard security class 3.

This Common Cipher Key (CCK) is a group key in the sense that multiple MSs have the same CCK. Unlike the GCK, however, the CCK has no relation to a particular talkgroup (TG). The CCK is geographically specific, i.e., the CCK serves all units within a given location area. The location area as defined in the TETRA standard may be as small as a site or a big as an entire system. Each unit within a location area uses the same CCK. Group communications in the outbound direction use CCK when there is no GCK/MGCK available for that group call. CCK is used for the encryption of outbound group traffic and identities only. Inbound identities are encrypted with CCK when DCK is in use.

Indirectly, the Group Cipher Key (GCK) is used to encrypt outbound talkgroup calls. In the preferred embodiment, a GCK is defined for each talkgroup in the system. Actually, the GCK is only indirectly used for the encryption of traffic information; the modified group cipher key (MGCK), which is a derivative of the GCK, is directly used for traffic encryption. GCK is never used for the actual encryption of traffic as it is considered a long term key.

The Modified Group Cipher Key (MGCK) is used to encrypt outbound talkgroup call traffic. MGCK is formed by the combination of GCK and CCK. Each GCK has a corresponding MGCK defined in for a location area.

Each infrastructure element has an infrastructure or protection key, KI, that is used as the encryption key for any infrastructure key encryption key updates. KI is similar in function to the authentication key, K, in a mobile station. In the preferred embodiment, KI is updated only by a provisioning device such as a key variable loader. In the preferred embodiment, infrastructure key encryption key (KEK) updates cannot be performed without this key.

Each zone controller has an interkey, KEK.sub.M, also referred to as an inter-zone or inter-pool key, which is used to encrypt all key traffic passed between the KMF and each zone. KEK.sub.M is also used by the zone controller to pass GCK, CCK, and DCK, as well as session authentication information, between zones. In the preferred embodiment, one KEK.sub.M is present in the KMF and each of the zone controllers in each system.

Each zone has its own intrakey, KEK.sub.Z, also referred to as an intra-zone or intra-pool key. The intrakey is used to encrypt all key traffic within the zone, between the zone controller and each of the sites within the zones. Each base site and zone controller has the same KEK.sub.Z in a zone. The KMF stores the KEK.sub.Z for each zone in the system.

A method of the present invention establishes an expected lifetime, or rekey interval, for an encryption key. Table 2 below shows example rekey intervals for each key stored in the secure communication system. When the expected lifetime for an encryption key expires, i.e., when the rekey interval occurs, the encryption key is replaced.

A number of storage locations for each type of system device within a communication system is determined. For example, one KMF 101, one UCS 103, one ZM 105 or 119 per zone, one zone controller 107 or 121 per zone, one HLR 109 or 123 per zone, one VLR 111 or 125 per zone, and a number of sites and corresponding base stations per site depending on the coverage requirements for each zone. Based on the expected lifetime for each encryption key and the number of storage locations for each system device, a type of system device is assigned to store each encryption key, and the encryption keys are stored at the system device of the assigned type. For example, derived cipher keys are stored at base stations and in the HLR/VLR, common cipher keys are stored at base stations, modified group cipher keys are stored at base stations, and group cipher keys that are stored at HLRs and VLRs.

Table 2 shows the target (user) of each key and the rekey interval, i.e., time between changes or updates of the specific key in a preferred embodiment. For example, the MGCK, which is a combination of CCK and GCK, is updated whenever CCK is changes and whenever GCK is changed. Table 2 may be changed by the KMF operator.

TABLE-US-00002 TABLE 2 KEY TARGET REKEY INTERVAL SCK All MS, all BS 1 year/or if compromised DCK MS, BS, HLR, VLR <24 hrs, whenever unit authenticates CCK group (TG HLR), all 24 hrs MS, all BS GCK group (TG HLR) 6 months MGCK group(BS, MS) 24 hrs - Minimum of CCK, GCK interval KI All devices using Never changes KEK.sub.Z or KEK.sub.M (BS, ZC KEK.sub.Z zone 6 months/or if compromised KEK.sub.M system 6 months/or if compromised

PC (personal computer) based software programs exist that provision both mobile stations and infrastructure system devices with keys. A more secure method utilizes the capabilities of the Key Variable Loader (KVL), or key loader for short, to load keys into the infrastructure devices as well as the MS. The key loader has a hardware based encryption device for the securing of keys stored within the device. The KVL may obtain keys directly from the KMF acting as a store and forward agent in order to disseminate the key encryption keys to the various devices.

Although a KVL is a very secure way to provide keys, it is a very time consuming process to use one or more KVLs to provide keys at each system device and mobile station. A method of key management is needed to store and distribute the KEKs and other key material to system devices such as zone controllers and base sites.

The KMF 101 is responsible for the generation, key distribution, and tracking of most of the air interface keys (not DCK or MGCK) in the system. The base sites 115 and 117 and each zone controller 107 serve as a proxy to the KMF 101 for key distribution. The KMF 101 distributes key material to the zones through the UCS 103, ZMs 105 and 119, and/or ATRs 113 and 127 depending on the key being distributed. The KMF 101 processes acknowledgement information from the ATR 113 and 127 to maintain currency of the system devices and MSs 401, 403, 405, and 407. FIG. 3 and FIG. 4 show key material storage within the communication system.

As shown in FIG. 3, the KMF 101 stores a protection key and associated KEK(s) for each system device. The KMF 101 stores a protection (infrastructure) key, an interkey, and an intrakey for each zone controller. For example, the first zone controller 107 is associated with the keys KI.sub.ZC1, KEK.sub.M, and KEK.sub.Z1. The KMF 101 stores these keys encrypted by a hardware key and the first zone controller 107 stores KI.sub.ZC1 and the encrypted KEK.sub.M and KEK.sub.Z1. The KMF 101 stores a protection key and intrakey, both protected by a hardware key, for each BS. For example, the KMF 101 and the first BS 115 both store the protection key KI.sub.BS1 and the intrakey KEK.sub.Z1. In the preferred embodiment, the KMF 101 stores keys encrypted/protected by a hardware key.

Prior to distribution of a KEK in the preferred embodiment, the KMF 101 encrypts KEKs with the protection key, KI, and the use of encryption algorithms TA41 and TA51, similar to that shown in FIG. 10 titled "Distribution of SCK to an individual by an authentication centre" and its associated text in the Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 7: Security, EN 300 392-7 V2.1.1, 2000-12 (herein referred to as "TETRA Standard"), which is incorporated in its entirety herein by reference. The KMF 101 stores an encryption process 301 that combines RSO and the appropriate KEK, KEKN, and KEK-VN utilizing encryption algorithms TA41 303 and TA51 305, yielding SKEK, which is a sealed version of the KEK. RSO, SKEK, KEKN, and KEK-VN are forwarded to the target system device. Curly brackets { } followed by a key name indicate that the material within the curly brackets was created using TA41 and TA51 and the key name after the brackets.

For example, KEK.sub.Z1 is intended to be transferred to the first zone controller 107 and BS115. RSO, KEK.sub.Z1, KEK.sub.Z1-VN, and KEK.sub.Z1N, and KI.sub.ZC1 are combined utilizing encryption algorithms TA41 and TA51, yielding SKEK.sub.Z1. Key material RSO, SKEK.sub.Z1, KEK.sub.Z1-VN, and KEK.sub.Z1N are forwarded transparently through ZM 105 to the first zone controller 107, which combines this key material with KI.sub.ZC1 using TA41 and TA52 (as described in the TETRA Standard), yielding KEK.sub.Z1, which is stored at ZC 107. RSO, KEK.sub.Z1, KEK.sub.Z1-VN, and KEK.sub.Z1N, and KI.sub.BS1 are combined utilizing encryption algorithms TA41 and TA51, yielding SKEK.sub.Z1. Key material RSO, SKEK.sub.Z1, KEK.sub.Z1-VN, and KEK.sub.Z1N are forwarded transparently through ZM1 105 to BS1 115, which combines this key material with KI.sub.BS1 using TA41 and TA52, yielding KEK.sub.Z1, which is stored at BS 1 115. In the preferred embodiment, an unencrypted acknowledgment of successful receipt of each key is returned to the KMF 101 via the ATR 113.

A block diagram showing key storage within a communication system is shown in FIG. 4. In particular, storage of session authentication information throughout the communication system is shown. In the preferred embodiment, session authentication information includes a random seed, RS, and two session keys, KS for authentication of an MS and KS' for authentication of the infrastructure, for each mobile station 401, 403, and 405 (only three are shown due to space constraints, although numerous MSs are part of the system). The session authentication information (SAI) is used to generate a derived cipher key (DCK) for each MS 401.

For each MS 401, 403, and 405, the KMF 101 stores an Individual TETRA Subscriber Identity (ITSI), TETRA Equipment Identity (TEI), and an MS authentication key ("MS key") that is unique to and stored within each MS 401, 403, and 405. In the preferred embodiment, the air interface keys and the MS keys are stored in hardware encrypted fashion using a hardware key K.sub.H within the KMF 101. The DVI-XL algorithm, available from Motorola, Inc., is used to encrypt the keys for storage in the KMF 101 in the preferred embodiment. Square brackets [ ] followed by a key name indicate that the material within the square brackets is encrypted by that key.

KMF 101 generates session authentication information for each MS 401, 403, and 405, which SAI is at least partially encrypted and forwarded in non-real time to the UCS 103 for storage. For each MS 401, 403, and 405, the UCS 103 stores the ITSI, TEI, and ID of the HLR associated with each MS, as well as the SAI. In the preferred embodiment, KS and KS' are stored encrypted by the interkey (as received from the KMF 101) at the UCS 103 for fast and easy transport, and RS is stored unencrypted. The UCS 103 is a transparent device in the preferred embodiment, thus it performs no encryption or decryption functions. In order to eliminate potential double entry of information, the KMF 101 receives configuration information from the UCS 103. Examples of configuration information are: Individual TETRA Subscriber Identity (ITSI), Group TETRA Subscriber Identity (GTSI), home zone, and zone managers. The KMF uses a table lookup, such as a DNS (Domain Name Server) lookup table, to obtain the ATR 113 and 127 addresses. The distribution of each of the different key types has different configuration requirements, as described herein.

The UCS 103 forwards the appropriate SAI to each ZM 105 in non-real time, based on the HLR ID associated with each MS 401. The ZM 105 , like the UCS 103, is a transparent device and performs no encryption or decryption functions. The ZM 105 stores, for each MS having the HLR 109 as its home location, an ITSI, TEI, and SAI. In the preferred embodiment, KS and KS' are stored encrypted by the interkey (as received from the UCS 103) at the ZM 105 or 119 for fast and easy transport, and RS is stored unencrypted.

The ZM 105 forwards the SAI to the HLR 109 in non-real time. The HLR 109 stores an ITSI and the SAI for each MS 401, 403, and 405. In the preferred embodiment, KS and KS' are stored encrypted by the interkey (as received from the ZM 103) at the HLR 109, and RS is stored unencrypted. In the preferred embodiment, RS, KS, and KS' are stored unencrypted at the VLR 111 for faster authentication. In an alternative embodiment, KS and KS' may be stored unencrypted at the HLR 109 for faster authentication.

When an MS 401 is authenticated at the zone, a new DCK for the MS 401 is generated by the VLR 111 at the zone controller 107 from the SAI in real time, after any encrypted SAI is decrypted due to transfer of the SAI from the HLR 109. (The ITSI, SAI, and previous DCK associated with that MS 401 are forwarded to the VLR 111 in real time before the new DCK is created.) The ITSI, SAI, and new DCK are forwarded to the HLR 109 in real time for storage. In the preferred embodiment, the ITSI, SAI, and DCK comes from the HLR for the MS 401, thus this information may come from a different zone if the MS 401 does not use the HLR 109 for its home. When the SAI/DCK comes from a different zone, that zone decrypts/encrypts the information, as necessary, with the interkey for transport to the appropriate zone, which also provides appropriate decryption/encryption within the zone. DCK is stored encrypted by the intrakey KEK.sub.Z for the zone in which it is stored, for easy and fast transport to the local BS 115 or 117. In the example shown in FIG. 4, each DCK is stored encrypted by KEK.sub.Z1. In the preferred embodiment, KS and KS' are always encrypted with the interkey KEK.sub.M, for fast and easy transport during the authentication process, even when transfer is within the same zone.

During the authentication process, the BS 115 communicating with the MS 401 receives, from ZC1 107 in real time, the MS's 401 DCK, encrypted by the intrakey KEK.sub.Z1. The BS 115 stores the ITSI and DCK unencrypted for immediate use while the MS 401 is at the coverage area of the BS 115. See FIG. 17 and its associated text for information regarding key persistence at each site.

Each MS 401, 403, and 405 stores its own ITSI, TEI, and DCK in unencrypted form, and K is stored in scrambled or encrypted form. Each MS 401, 403, and 405 also stores in unencrypted form relevant CCKs, GCKs, MGCKs, and SCKs as they are received. These keys may be stored encrypted in the infrastructure in an alternative embodiment.

The zone controller 107 is responsible for the real time distribution of keys and mobility management thereof. It maintains keys that may need to be distributed in a real-time manner necessary when roaming, for example. The group cipher key is an element in each talkgroup record and is kept in the talkgroup HLR. The common cipher key is a zone or site specific key and is maintained in the zone controller as well. The ZC is responsible for the creation of the MGCK (based upon the GCK and CCK) and the distribution to the sites.

Because keys reside in the talkgroup and individual HLR 109, the zone controller 107 is not transparent with respect to the encryption of key material. The ZC 107 maintains a protection key, KI, and two infrastructure key encryption keys, interkey KEK.sub.M and intrakey KEK.sub.Z, for the distribution of key material. KI is used to seal (encrypt) KEK.sub.M and KEK.sub.Z when they are sent from the KMF 101. Most key information is encrypted by the KMF 101 with the interkey, KEK.sub.M. The zone controller 107 decrypts the key material using KEK.sub.M and re-encrypts the same information using KEK.sub.Z when sending the information to a site within the zone. Thus, the zone controller 107 has the TETRA algorithms used for the encryption/decryption of infrastructure keys (such as TA41 and TA52 and TA31 and TA32), as described herein.

The zone controller sends ACKs from infrastructure re-keying operations to the KMF 101 via the ATR 113. When a ZC 107 or HLR 109 receives a key update, the device first decrypts key update and checks for corruption by verifying the integrity of the data and sends the result of this operation to the KMF 101 via the ATR 113 in the form of an ACK.

The site is one endpoint for air interface encryption. Audio on the air interface between the BS 115 and MS 401 is encrypted. Audio within the infrastructure is not encrypted. Outbound traffic is encrypted with algorithms using MGCK, CCK, and SCK, or DCK for individual calls. All inbound traffic is encrypted with algorithms using DCK or SCK. The site maintains the traffic algorithms and key storage for SCK, CCK, and MGCK, as well as DCK. Because the base site has traffic key storage, the base site is not transparent with respect to the encryption of key material. All key material distributed to the base site is encrypted by the intrakey, KEK.sub.Z. Thus, the base site maintains a protection key, KI, and an interkey, KEK.sub.Z. Thus, the base sites have the TETRA algorithms used for the encryption/decryption of infrastructure keys (such as TA41 and TA52 and TA31 and TA32), as described herein.

The MS is the other endpoint point for air interface encryption. Outbound traffic is encrypted with algorithms using MGCK, CCK, and SCK, or the DCK if individually addressed. All inbound traffic is encrypted with algorithms using DCK or SCK, and identities may be encrypted with SCK or CCK. The MS maintains the traffic algorithms and key storage for SCK, CCK, GCK, and MGCK as well DCK.

The following figures provides examples of the role of the zone controller 107 or 121 in some of its key generation, key distribution, and authentication functions, as well as the base site/base station and MS operations in the key generation, key distribution, and authentication processes.

A diagram showing an example of key storage and authentication information distribution within a communication system is shown in FIG. 5. Session authentication information (RS, KS, and KS') is needed to facilitate real-time authentication of the MS 401 by the ZC 107 and real-time authentication of the system by the MS, as well as mutual authentication. Triggers for the transfer of SAI may be a manual initiation by the KMF operator, an automatic fraud trigger from the system, or a periodic changing of the SAI by the KMF 101.

FIG. 5 shows the transfer of SAI for two mobile stations, ITS11 401 and ITS12 403 (both not shown). The KMF 101 encrypts at least a part of the SAI (e.g., KS and KS') with the interkey KEK.sub.M for the system, and forwards ITS1, ITSI2, RS, and KS and KS' encrypted by KEK.sub.M to the UCS 103. The UCS 103 stores a copy and forwards it to the home ZM 105 or 119 for each ITSI. Dashed lines within a system device indicate transparent passage of information through the system device. The ZM 105 or 119 also stores a copy and forward it to its ZC 107 or 121, in particular, the HLR 107 or 123. The ZC 107 or 121 stores KS and KS' encrypted along with RS in the HLR 107 or 123. Once the HLR 109 or 123 receives the SAI, an unencrypted acknowledgement (ACK) is sent, when decryption using KEK.sub.M fails, back to the KMF 101 via the ATR 113 or 127 from the zone in which the HLR 109 or 123 resides. If a VLR 111 for the MS 403 exists, such as ITSI2, the ZC 121 sends KS and KS' encrypted with the interkey KEK.sub.M to the VLR 111. Coordination between a previous authentication session information and a new authentication session information is not needed. The HLR 109 or 123 only needs one copy of SAI per ITSI registered. The UCS 103 and ZM 105 or 119 store copies of authentication session information to provide recovery from system maintenance or failures.

By providing storage and forwarding of session authentication information and keys in non-real time (i.e., without time constraint) between first-level system devices and in real time (i.e., on demand) between second-level system devices as described above, the authentication system provides a fault tolerant system that allows for quick fault recovery as well. If the KMF 101, UCS 103, and/or ZMs 105 and 119 fail or are separated from the rest of the system, full authentication may still be performed without interruption on a real-time basis with the session authentication information, for example for MS2 403, stored at the HLR 123 and VLR 111. A failure at any of these devices 101, 103, 105, and 119 is not catastrophic, in that the data stored may be downloaded from any of the other devices that stores the information. If a zone controller 107, HLR 109, and/or VLR 111 experience a fault or failure, the SAI may be immediately downloaded from the ZM 105 at the zone. By eliminating the need for the KMF 101 to participate in real time in the authentication process, there is less burden on the KMF 101 and less traffic in general on the communication links between the system devices of the infrastructure.

A diagram showing authentication information storage and authentication decision making within a communication system is shown in FIG. 6. Four mobile stations are shown within a system where three mobile stations 401, 403, and 405 use HLR1 109 of the first zone controller 107, one mobile station 407 uses HLR2 123 of the second zone controller 121, two mobile stations 401 and 403 use VLR1 111, and two mobile stations 405 and 407 use VLR2 125. Storage of SAI is shown throughout the system devices. Also shown are base station decisions whether or not to authenticate a mobile at a particular trigger. For example, power-up messages, whether encrypted or not, require authentication. Any message sent in the clear (i.e., unencrypted) requires authentication. Encrypted roam messages may be implicitly authenticated, i.e., the challenge and response mechanism may be bypassed if the encrypted roam message is successfully decrypted by the BS 131. Power-up messages, roam messages, location updates, and other types of messages are considered requests to communicate within the communication system. When authentication is required, the BS 115, 117, 129, or 131 sends a request to authenticate the MS to the infrastructure (to a zone controller in the preferred embodiment). In the event that the infrastructure device to which authentication requests are sent becomes unavailable, e.g., the device fails, is down for maintenance, or the communication link to the device is not operable, the BS stores authentication requests during the time period when the infrastructure device is not available. When the infrastructure device becomes available, e.g., the device is returned to service after a failure or maintenance or when the communication link comes up, the BS forwards the stored authentication requests to the infrastructure device.

In one situation shown in FIG. 6, a first MS 401 sends a clear (unencrypted) power-up message to the first BS 115. In the preferred embodiment, authentication of the MS 401 in this situation is required. Because the MS 401 uses HLR 109 in the zone where the BS 115 is located, the session authentication information SAI1 for the MS 401 is forwarded from the HLR 109 to the VLR 111 at the zone for completion of the authentication process.

The second MS 403 roams from BS1 115 to BS2 117 and sends a clear (unencrypted) roam message to the second BS 117. In the preferred embodiment, authentication of the MS 403 in this situation is required. Because the MS 403 uses the HLR 109 in the zone where the BS 115 is located, and because the MS 403 roamed from a site serviced by the same VLR as the new site, the session authentication information SAI2 for the MS 403 is already located in the VLR 111 at the zone for completion of the authentication process.

The third MS 405 sends an encrypted power-up message to the third BS 129. In the preferred embodiment, authentication of the MS 405 in this situation is required. Because the MS 405 uses the HLR 123 in the zone where the BS 129 is located, the session authentication information SAI3 for the MS 405 is forwarded from the HLR 123 to the VLR 125 at the zone for completion of the authentication process.

The fourth MS 407 roams from BS2 117 to BS4 131 and sends an encrypted roam message to the fourth BS 131. In the preferred embodiment, (full) authentication of the MS 403 in this situation is not required. Instead, the MS 407 is implicitly authenticated, i.e., the challenge and response mechanism is bypassed if the encrypted roam message is successfully decrypted by the BS 131. Because the MS 407 uses the HLR 109 in the zone other than the zone where the BS 131 is located, the encryption key (and if necessary, the session authentication information SAI4) for the MS 407 must be forwarded from that HLR 109 to the VLR 125 where the MS 407 has roamed for completion of the authentication process. Typically, at least a part of the SAI is encrypted by the interkey prior to transfer to another zone. If implicit authentication fails, full authentication of the MS 407 is then performed.

A diagram showing the challenge-and-response process to authenticate a mobile station by an authentication center in accordance with the TETRA Standard is shown in FIG. 7. When authenticating an MS 707, an authentication center 701, such as a KMF 101, combines the mobile authentication key, K, with RS utilizing the encryption algorithm TA11, as defined in the TETRA Standard. The output of the TA11 process 703 is KS, which is input with RANDI (a random number) to the encryption algorithm TA12, as defined in the TETRA Standard. The TA12 process 705 outputs XRES1, an expected response, and DCK1, a derived cipher key for the mobile. RAND1 and RS are provided to the MS 707. The MS 707 goes through a similar process, by combining its mobile authentication key, K, with RS received from the AuC 701 utilizing the TA11 process 703. The TA11 process 703 outputs KS, which is input with RAND1 to the TA12 process 705. The TA12 process 705 in the MS 707 outputs RES1, a response to the challenge, and DCK1, the derived cipher key for the mobile. The MS 707 forwards RES1 to the AuC 701. If XRES1 and RES1 match, the AuC 701 sends an authentication pass message to the MS 707, and communication over the air interface with the newly created DCK1 may commence. If XRES and RES do not match, the AuC 701 sends an authentication fail message to the MS 707, and communication over the air interface with the newly created DCK1 is prohibited, although the old DCK1 may be used upon authentication failure.

A diagram showing the challenge-and-response process to authenticate an authentication center by a mobile station in accordance with the TETRA Standard is shown in FIG. 8. When authenticating an AuC 701, such as a KMF 101, an MS 707 combines the mobile authentication key, K, with RS utilizing the encryption algorithm TA21, as defined in the TETRA Standard. The TA21 process 801 outputs KS', which is input with RAND2 (a random number) to the encryption algorithm TA22, as defined in the TETRA Standard. The TA22 process 803 outputs XRES2, an expected response, and DCK2, a derived cipher key for the mobile 707. RAND2 is provided to the AuC 701. The AuC 701 goes through a similar process, by combining t