Authenticating mobile network provider equipment
Abstract
Providing mobile network security is disclosed. A first mobile network provider equipment registers using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register and embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output. An encryption data usable to communicate securely with a second mobile network provider equipment over a packet data network is received from the registration entity.
31 Claims
1. A method of providing mobile network security, comprising:

registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register, the secret data and an address of the registration entity being embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output, the physical device providing the first mobile network provider equipment with the address of the registration entity to facilitate an initial communication from the first mobile network provider equipment to the registration entity, the initial communication comprising a unique identifier of the first mobile network provider equipment and a first random number;

mutually authenticating between the first mobile network provider equipment and the registration entity via an SSL connection over an IP-protocol-based network;

after mutual authentication, receiving, from the registration entity, encryption data usable to communicate securely with a second mobile network provider equipment over the IP-protocol-based network, the encryption data comprising one or more keys and an IP address of the second mobile network provider equipment, the IP address of the second mobile network provider equipment not being publicly available, the second mobile network provider equipment being coupled to a base station controller via a dedicated line, the second mobile network provider equipment aggregating mobile communications from the first mobile network provider equipment and at least another mobile network provider equipment and sending the aggregated mobile communications to the base station controller via the dedicated line, the second mobile network provider equipment also receiving the one or more keys from the registration entity;

sending voice data from the first mobile network provider equipment to the second mobile network provider equipment using S-RTP via UDP over IP using the one or more keys; and

sending signaling data from the first mobile network provider equipment to the second mobile network provider equipment via SCTP over IP-SEC using the one or more keys, wherein the first mobile network provider equipment, the second mobile network provider equipment and the registration entity are disposed communicatively on a provider network side of an air link that supports voice and data communications with mobile phones, the mobile phones being configured to support GSM and GPRS communications.

Dependent claims 2 to 21 depend from claim 1 (not reproduced on this page).
22. A system for providing mobile network security, comprising:

a physical device of a first base station in which an address of the registration entity and secret data are embodied in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output, the physical device providing the first base station with the address of the registration entity to facilitate an initial communication from the first base station to the registration entity, the initial communication comprising a unique identifier of the first base station and a first random number;

a processor of the first base station configured to use the physical device to register the first base station with a registration entity that knows the secret data, the processor being configured to perform the cryptographic function using the secret data; and

a communication interface of the first base station configured to receive, from the registration entity after mutual authentication, encryption data usable to communicate securely over an IP-protocol-based network, the encryption data comprising one or more keys and an IP address of a gateway, the IP address of the gateway not being publicly available, the gateway being coupled to a base station controller via a dedicated line, the gateway aggregating mobile communications from the first base station and a second base station and sending the aggregated mobile communications to the base station controller via the dedicated line, the gateway presenting the first base station and the second base station as a single logical base station to the base station controller, wherein the first base station, the gateway, the second base station and the registration entity are disposed communicatively on a provider network side of an air link, wherein the base station and the registration entity mutually authenticate over the IP-protocol-based network, and wherein, after the base station and the registration entity mutually authenticate, the registration entity transmits the one or more keys to the communication interface of the base station and to the gateway so that the base station and the base station controller can communicate securely via the IP-protocol-based network and the dedicated line.

Dependent claims 23 to 26 depend from claim 22 (not reproduced on this page).
27. A computer program product for providing mobile network security, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:

registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register, the secret data and an address of the registration entity being embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data, but prevents the physical device from being used to provide the secret data as output, the physical device providing the first mobile network provider equipment with the address of the registration entity to facilitate an initial communication from the first mobile network provider equipment to the registration entity, the initial communication comprising a unique identifier of the first mobile network provider equipment and a first random number; and

after authentication with the registration entity, receiving encryption data from the registration entity and auto-discovering a second mobile network provider equipment, the encryption data comprising an IP address of the second mobile network provider equipment and one or more keys, the one or more keys also being provided by the registration entity to the second mobile network provider equipment so that the first mobile network provider equipment and the second mobile network provider equipment can communicate securely over an IP-protocol-based network, the IP address of the second mobile network provider equipment not being publicly available, the second mobile network provider equipment being coupled to a base station controller via a dedicated line, the second mobile network provider equipment aggregating mobile communications from the first mobile network provider equipment and a third mobile network provider equipment and sending the aggregated mobile communications to the base station controller via the dedicated line, wherein the first mobile network provider equipment, the second mobile network provider equipment, the third mobile network provider equipment and the registration entity are disposed communicatively on a provider network side of an air link, the air link supporting voice and data communications with a mobile wireless communications device.

Dependent claims 28 to 31 depend from claim 27 (not reproduced on this page).
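The registration and key-distribution exchange recited in claims 1, 22 and 27, modelled end to end as an added example; this is not code from the patent or its assignee. The claims leave the "cryptographic function" unspecified, so HMAC-SHA256 challenge-response is assumed here, with the secret held in a device object that can only compute tags over caller-supplied data. Fresh random keys stand in for the S-RTP and IPsec key material, the SSL channel of the claims is not modelled, and the equipment identifier, registration address and gateway address (BTS-0001, reg.provider.example, 10.0.0.5) are constructed. The scenario also runs the two failure modes the mutual check is meant to catch: a cloned identifier without the secret, and a rogue registration entity reachable at the device's stored address.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class SecureElement:
    """Physical device of the claims: holds the secret and the registrar address.

    It performs a cryptographic function (assumed here: HMAC-SHA256) with the
    secret but exposes nothing that returns the secret. The closure models what
    tamper-resistant hardware enforces; it is not a real export barrier.
    """

    def __init__(self, secret: bytes, registration_address: str):
        self.registration_address = registration_address
        self._mac = lambda data: hmac.new(secret, data, hashlib.sha256).digest()

    def mac(self, data: bytes) -> bytes:
        return self._mac(data)


def transcript(label: bytes, equip_id: bytes, *nonces: bytes) -> bytes:
    """Bind a tag to its direction, the equipment identity and both nonces."""
    return label + b"|" + equip_id + b"|" + b"|".join(nonces)


@dataclass
class Gateway:
    """Second provider equipment; receives the same keys from the registrar."""
    private_ip: str                      # not publicly routable in the claims
    keys: dict = field(default_factory=dict)

    def receive_keys(self, equip_id: bytes, keys: dict) -> None:
        self.keys[equip_id] = keys


class RegistrationEntity:
    def __init__(self, address: str, gateway: Gateway):
        self.address, self.gateway = address, gateway
        self.secrets: dict[bytes, bytes] = {}        # equip_id -> shared secret
        self.pending: dict[bytes, tuple[bytes, bytes]] = {}

    def provision(self, equip_id: bytes) -> SecureElement:
        """Out-of-band step: share a secret and issue the physical device."""
        self.secrets[equip_id] = secrets.token_bytes(32)
        return SecureElement(self.secrets[equip_id], self.address)

    def _tag(self, equip_id: bytes, data: bytes) -> bytes:
        return hmac.new(self.secrets[equip_id], data, hashlib.sha256).digest()

    def challenge(self, equip_id: bytes, nonce_a: bytes) -> tuple[bytes, bytes]:
        """Answer the initial communication (identifier + random number)."""
        if equip_id not in self.secrets:
            raise PermissionError("unknown equipment")
        nonce_r = secrets.token_bytes(16)
        self.pending[equip_id] = (nonce_a, nonce_r)
        return nonce_r, self._tag(equip_id, transcript(b"reg", equip_id, nonce_a, nonce_r))

    def complete(self, equip_id: bytes, tag_a: bytes) -> dict:
        """Verify the equipment's tag, then hand keys to both it and the gateway."""
        if equip_id not in self.pending:
            raise PermissionError("no outstanding challenge")
        nonce_a, nonce_r = self.pending.pop(equip_id)
        expected = self._tag(equip_id, transcript(b"eq", equip_id, nonce_r, nonce_a))
        if not hmac.compare_digest(expected, tag_a):
            raise PermissionError("equipment failed authentication")
        keys = {"srtp_master": secrets.token_bytes(32), "ipsec": secrets.token_bytes(32)}
        self.gateway.receive_keys(equip_id, keys)
        return {"gateway_ip": self.gateway.private_ip, "keys": keys}


class BaseStation:
    def __init__(self, equip_id: bytes, device: SecureElement):
        self.equip_id, self.device = equip_id, device
        self.gateway_ip, self.keys = None, None

    def register(self, reachable: dict) -> None:
        """Run the exchange; `reachable` maps addresses to registration entities."""
        registrar = reachable[self.device.registration_address]   # address from device
        nonce_a = secrets.token_bytes(16)
        nonce_r, tag_r = registrar.challenge(self.equip_id, nonce_a)
        # Mutual: the registrar proves knowledge of the secret before we answer.
        mine = self.device.mac(transcript(b"reg", self.equip_id, nonce_a, nonce_r))
        if not hmac.compare_digest(mine, tag_r):
            raise PermissionError("registration entity failed authentication")
        tag_a = self.device.mac(transcript(b"eq", self.equip_id, nonce_r, nonce_a))
        reply = registrar.complete(self.equip_id, tag_a)
        self.gateway_ip, self.keys = reply["gateway_ip"], reply["keys"]


def run_demo() -> dict:
    """Constructed scenario: honest run, cloned identifier, rogue registrar."""
    gateway = Gateway(private_ip="10.0.0.5")
    registrar = RegistrationEntity("reg.provider.example", gateway)
    eid = b"BTS-0001"
    station = BaseStation(eid, registrar.provision(eid))
    station.register({registrar.address: registrar})

    # Attacker knows the identifier but holds a device with the wrong secret.
    impostor = BaseStation(eid, SecureElement(secrets.token_bytes(32), registrar.address))
    try:
        impostor.register({registrar.address: registrar})
        impostor_rejected = False
    except PermissionError:
        impostor_rejected = True

    # Rogue registrar at the stored address, without the real secret.
    rogue = RegistrationEntity(registrar.address, Gateway("192.0.2.1"))
    rogue.secrets[eid] = secrets.token_bytes(32)
    try:
        BaseStation(eid, station.device).register({registrar.address: rogue})
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True

    return {"keys_match": station.keys is not None and station.keys == gateway.keys[eid],
            "gateway_ip": station.gateway_ip,
            "impostor_rejected": impostor_rejected,
            "rogue_registrar_rejected": rogue_rejected}


if __name__ == "__main__":
    print(run_demo())
```

Two points in the code matter in practice. The tags cover a direction label, the identifier and both nonces, so a tag captured in one direction cannot be replayed in the other or against a different session. And the registration entity pushes the same key material to the gateway itself rather than letting the base station forward it, which is what lets the gateway trust keys for a station it has never spoken to.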