Method and apparatus for efficient real-time authentication and encryption in a communication system
First Claim
1. A subscriber unit which generates authentication messages for authenticating communications with a communication unit of a communication system, comprising:
- (a) memory means for maintaining first subscriber unit identifier, first shared-secret data, second shared-secret data, a random challenge, and instant-specific information;
(b) processor means, coupled to the memory means, for generating an authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information;
(c) key generation means, coupled to the memory means, for generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information;
(d) encrypting means, coupled to the key generation means, for forming encrypted data by encrypting dialed digits which uniquely identify a target communication unit and a second subscriber unit identifier by using the session key as an encryption variable; and
(e) transmitter means, coupled to the memory means, processor means, and key generation means, for transmitting, in a single message, the first subscriber unit identifier, the authentication message and the encrypted data to the communication unit.
2 Assignments
0 Petitions
Accused Products
Abstract
Radio frequency based cellular telecommunication systems often require both subscriber units and communication units of a fixed network communication system to maintain secret data which may be used to verify authenticity as well as provide encrypting variables for message encryption processes. An efficient real-time authentication method and apparatus are provided which use a single message to provide authentication and communication link setup information. Further, an authentication method and apparatus are provided which uses instant-specific information such as a time of day, radio frequency carrier frequency, a time slot number, a radio port number, access manager identifier, a radio port control unit identifier, or a base site controller identifier to enhance the reliability of the authentication process. Furthermore, a method and apparatus are provided for maintaining secure packet data communications through an encryption process by utilizing a packetized message encryption key and a unique packet number as encryption variables.
190 Citations
34 Claims
-
1. A subscriber unit which generates authentication messages for authenticating communications with a communication unit of a communication system, comprising:
-
(a) memory means for maintaining first subscriber unit identifier, first shared-secret data, second shared-secret data, a random challenge, and instant-specific information; (b) processor means, coupled to the memory means, for generating an authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (c) key generation means, coupled to the memory means, for generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information; (d) encrypting means, coupled to the key generation means, for forming encrypted data by encrypting dialed digits which uniquely identify a target communication unit and a second subscriber unit identifier by using the session key as an encryption variable; and (e) transmitter means, coupled to the memory means, processor means, and key generation means, for transmitting, in a single message, the first subscriber unit identifier, the authentication message and the encrypted data to the communication unit. - View Dependent Claims (2, 3)
-
-
4. A communication unit which authenticates communications from a subscriber unit of a communication system, comprising:
-
(a) receiver means for receiving, in a single message, a first subscriber unit identifier, an authentication message and encrypted data; (b) memory means for maintaining first shared-secret data, second shared-secret data, a random challenge, and instant-specific information; (c) key generation means, coupled to the memory means, for generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information; and (d) processor means, coupled to the receiver means, the memory means, and the key generation means, for authenticating the received authentication message, comprising; (i) generator means for generating an expected authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (ii) comparison means for comparing the received authentication message and the expected authentication message; (iii) means for recovering the dialed digits which uniquely identifies the target communication unit and the second subscriber unit identifier by decrypting the communicated encrypted data by using the session key as an decryption variable and for establishing a communication link on a traffic channel with between the subscriber unit and the communication unit, if the received authentication message is substantially similar to the expected authentication message; and (iv) means for providing output indicating that a multiple user is attempting to access the communication system, if the received authentication message is not substantially similar to the expected authentication message. - View Dependent Claims (5, 6, 7)
-
-
8. A communication unit which generates authentication messages for authenticating communications with a subscriber unit operating within a communication system, comprising:
-
(a) memory means for maintaining first shared-secret data, second shared-secret data, a random challenge, and instant-specific information; (b) processor means, coupled to the memory means, for generating an authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (c) key generation means, coupled to the memory means, for generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information; (d) encrypting means, coupled to the key generation means, for forming encrypted data by encrypting a second subscriber unit identifier by using the session key as an encryption variable; and (e) transmitter means, coupled to the memory means, processor means, and key generation means, for transmitting, in a single message, the authentication message and the encrypted data to the subscriber unit. - View Dependent Claims (9, 10)
-
-
11. A subscriber unit which authenticates communications from a communication unit of a communication system, comprising:
-
(a) receiver means for receiving, in a single message, an authentication message and encrypted data; (b) memory means for maintaining first shared-secret data, second shared-secret data, a random challenge, and instant-specific information; (c) key generation means, coupled to the memory means, for generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information; and (d) processor means, coupled to the receiver means, the memory means, and the key generation means, for authenticating the received authentication message, comprising; (i) generator means for generating an expected authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (ii) comparison means for comparing the received authentication message and the expected authentication message; (iii) means for recovering the second subscriber unit identifier by decrypting the communicated encrypted data by using the session key as an decryption variable and for establishing a communication link on a traffic channel with between the subscriber unit and the communication unit, if the received authentication message is substantially similar to the expected authentication message; and (iv) means for providing output indicating that a multiple user is attempting to access the communication system, if the received authentication message is not substantially similar to the expected authentication message. - View Dependent Claims (12, 13)
-
-
14. A method of authentication between a subscriber unit and a communication unit of a communication system, comprising:
-
(a) providing a first subscriber unit identifier, first shared-secret data, second shared-secret data, a random challenge, and instant-specific information to both the subscriber unit and the communication unit; in a transmitting one of the subscriber unit and the communication unit; (b) generating an authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (c) generating, a session key as a function of the first shared-secret data, the second shared-secret data, the random challenge, and the instant-specific information; (d) forming encrypted data by encrypting dialed digits which uniquely identify a target communication unit and a second subscriber unit identifier by using the session key as an encryption variable; (e) communicating, in a single message, the first subscriber unit identifier, the authentication message and the encrypted data between the subscriber unit and the communication unit; and in a receiving one of the communication unit and the subscriber unit; (f) generating an expected authentication message as a function of the first shared-secret data, the random challenge, and the instant-specific information; (g) receiving the communicated authentication message and determining whether the communicated authentication message is authentic by comparing the communicated authentication message and the expected authentication message; if the communicated authentication message is authentic, (h) recovering the dialed digits which uniquely identifies the target communication unit and the second subscriber unit identifier by decrypting the communicated encrypted data by using the session key as an decryption variable; (i) establishing a communication link on a traffic channel with between the subscriber unit and the communication unit; and if the communicated authentication message is not authentic, (j) providing output indicating that a multiple user is attempting to access the communication system. - View Dependent Claims (15, 16, 17, 18)
-
-
19. A communication unit which authenticates communications with a subscriber unit of a communication system, comprising:
-
(a) receiver means for receiving an authentication message; (b) memory means for maintaining instant-specific information; and (c) processor means for authenticating the received authentication message by determining, through the use of the received authentication message and the maintained instant-specific information, whether the received authentication message is authentic, wherein the processor means further comprises; (i) means for granting further communication between the subscriber unit and the communication unit, if the received authentication message was derived from the maintained instant-specific information; and (ii) means for providing output indicating that a multiple user is attempting to access the communication system, if the received authentication message was not derived from the maintained instant-specific information. - View Dependent Claims (20)
-
-
21. A subscriber unit which authenticates communications with a communication unit of a communication system, comprising:
-
(a) receiver means for receiving an authentication message; (b) memory means for maintaining instant-specific information; and (c) processor means for authenticating the received authentication message by determining, through the use of the received authentication message and the maintained instant-specific information, whether the received authentication message is authentic, wherein the processor means further comprises; (i) means for granting further communication between the subscriber unit and the communication unit, if the received authentication message was derived from the maintained instant-specific information; and (ii) means for providing output indicating that a multiple user is attempting to access the communication system, if the received authentication message was not derived from the maintained instant-specific information. - View Dependent Claims (22)
-
-
23. A method of authentication between a subscriber unit and a communication unit of a communication system, comprising:
-
(a) providing instant-specific information to both the subscriber unit and the communication unit; in a receiving one of the radio communication unit and subscriber unit; (b) generating an authentication message as a function of the instant-specific information; (c) communicating the authentication message between the subscriber unit and the communication unit; and in a receiving one of the radio communication unit and subscriber unit; (d) generating an expected authentication message as a function of the instant-specific information; and (e) determining whether the communicated authentication message is authentic by comparing the communicated authentication message and the expected authentication message, wherein the step of determining further comprises; (i) granting further communication between the subscriber unit and the communication unit, if the communicated authentication message was derived from the instant-specific information; and (ii) providing output indicating that a multiple user is attempting to access the communication system, if the communicated authentication message was not derived from the instant-specific information. - View Dependent Claims (24, 25, 26)
-
-
27. A communication device which maintains secure packet data communications through an encryption process between a subscriber unit and radio communication units of a serving communication system, comprising:
-
(a) key generating means for generating a packetized message encryption key; (b) packet ordering means for numbering a packet of a message with a unique packet number for maintaining a sequential order of the packet in the packetized message; and (c) encrypting means, coupled to the key generating means and the packet ordering means, for encrypting the packet of the message by using the packetized message encryption key and the unique packet number as encryption variables. - View Dependent Claims (28)
-
-
29. A communication device for receiving encrypted packet data communications between a subscriber unit and radio communication units of a serving communication system, comprising:
-
(a) key generating means for generating a packetized message encryption key; and (b) decrypting means, coupled to the key generating means, for receiving an encrypted packet data message and decrypting the received packet data message by using the generated packetized message encryption key and a unique packet number which was communicated between the subscriber unit and the radio communication unit of the serving communication. - View Dependent Claims (30)
-
-
31. A method for maintaining secure packet data communications through an encryption process between a subscriber unit and radio communication units of a serving communication system, comprising:
-
(a) generating a packetized message encryption key within both the subscriber unit and the serving communication system; in a receiving one of the radio communication unit and subscriber unit; (b) numbering a packet of a message with a unique packet number for maintaining a sequential order of the packet in the packetized message; (c) encrypting the packet of the message by using the packetized message encryption key and the unique packet number as encryption variables; (d) communicating the unique pack number and the encrypted packet of the message between the subscriber unit and a radio communication unit of the serving communication system; and in a receiving one of the radio communication unit and subscriber unit; (e) decrypting the communicated encrypted packet of the message by using the generated packetized message encryption key and the communicated unique packet number. - View Dependent Claims (32, 33, 34)
-
Specification