HK1137269B - Method and apparatus for security in a data processing system - Google Patents
Method and apparatus for security in a data processing system Download PDFInfo
- Publication number
- HK1137269B HK1137269B HK10100858.9A HK10100858A HK1137269B HK 1137269 B HK1137269 B HK 1137269B HK 10100858 A HK10100858 A HK 10100858A HK 1137269 B HK1137269 B HK 1137269B
- Authority
- HK
- Hong Kong
- Prior art keywords
- key
- short
- access key
- random value
- bak
- Prior art date
Links
Description
This application is a divisional patent application of the invention patent application having the title "method and apparatus for security in a data processing system" filed as international filing date 8/10/2002 and application No. 02823862.1.
Technical Field
The present invention relates generally to data processing systems, and more particularly to a method and apparatus for data processing system security.
Background
Security within data processing and information systems, including communication systems, is beneficial for accountability, fairness, accuracy, privacy, operability, and a variety of other desired criteria. The general fields of encryption or cryptography are used in e-commerce, wireless communication, broadcasting, and the application range thereof is not limited. In electronic commerce, encryption is used to prevent fraud to confirm the identity of the participant. Encryption, as well as various other security measures, are also used to protect Web pages from hackers, and to prevent access to confidential documents.
Systems using cryptography, commonly referred to as cryptosystems, can be divided into symmetric cryptosystems and asymmetric cryptosystems. Symmetric cryptosystems use the same key (i.e., security key) to encrypt and decrypt messages. While asymmetric encryption systems encrypt a message using a first key (i.e., a public key) and decode it using a second, different key (i.e., a private key). Asymmetric cryptographic systems are also referred to as public key cryptographic systems. There is a problem within symmetric cryptographic systems that the key is securely provided from the sender to the recipient. In addition, there is a problem when keys or other encryption mechanisms are frequently updated. The method of securely updating keys within a data processing system requires additional processing time, memory storage, and other processing overhead. In a wireless communication system, updating keys uses valuable bandwidth that would otherwise be available for transmission.
The prior art does not provide a method of updating keys for a large group of mobile stations to enable access to encrypted broadcasts. There is therefore a need for a method of updating keys within a data processing system that is secure and efficient. In addition, there is a need for a method of securely and efficiently updating keys within a wireless communication system.
Disclosure of Invention
Embodiments disclosed herein address the above stated needs by providing a method for security within a data processing system. In one aspect, a method for secure transmission includes determining a short-term key for a message to be transmitted, wherein the short-term key has a short-term key identifier, determining an access key for the message, wherein the access key has an access key identifier, encrypting the message with the access key, forming an internet protocol header including the short-term key identifier, and transmitting the encrypted message with the internet protocol header.
In another aspect, in a wireless communication system supporting broadcast service options, an infrastructure element includes receiving circuitry, a subscriber identification unit to recover a short-term key for decrypting broadcast messages, and a mobile device unit to apply the short-term key to decrypt broadcast messages. The subscriber identity unit comprises a processing unit for decrypting the key information. The mobile equipment unit includes a memory storage unit for storing a plurality of short-term keys and short-term key identifiers.
In another aspect, a digital signal storage device includes a first set of instructions for receiving a transmission-specific short-term key identifier, the short-term key identifier corresponding to a short-term key, a second set of instructions for determining an access key based on the short-term key identifier, a third set of instructions for encrypting the short-term key identifier with the access key to recover the short-term key, and a fourth set of instructions for decrypting the transmission using the short-term key.
Drawings
Fig. 1A is a diagram of an encryption system.
Fig. 1B is a diagram of a symmetric encryption system.
Fig. 1C is a diagram of an asymmetric encryption system.
Fig. 1D is a PGP encryption system diagram.
Fig. 1E is a PGP decryption system diagram.
Fig. 2 is a diagram of a spread spectrum communication system supporting multiple users.
Fig. 3 is a block diagram of a communication system supporting broadcast transmissions.
Fig. 4 is a block diagram of a mobile station in a wireless communication system.
Fig. 5A and 5B illustrate a model describing key updates for controlling broadcast access within a mobile station.
FIG. 6 is a model describing cryptographic operations within a UIM.
Figures 7A-7D illustrate a method of implementing secure encryption in a wireless communication system that supports broadcast transmissions.
Fig. 7E is a timing diagram of a key update period for a security option in a wireless communication system that supports broadcast transmissions.
Fig. 8A-8D illustrate the application of a security encryption method in a wireless communication system supporting broadcast transmissions.
Fig. 9A illustrates the format of an IPSec packet for internet protocol transmission.
Fig. 9B illustrates a security association identifier or SPI applied to an IPSec packet.
Fig. 9C illustrates a memory storage device for storing SPI information within the mobile station.
Fig. 9D illustrates a memory storage device for storing a Broadcast Access Key (BAK) within a mobile station.
Fig. 10 and 11 illustrate a method of providing security for broadcast messages in a wireless communication system.
Fig. 12A illustrates a security association identifier or SPI applied to an IPSec packet.
Fig. 12B illustrates a memory storage device for storing SPI information within the mobile station.
Fig. 13 and 14 illustrate a method of providing security for broadcast messages in a wireless communication system.
Detailed Description
The term "exemplary" is used herein to mean "serving as an example, instance, or illustration. Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Wireless communication systems are widely deployed to provide various types of communication such as voice, data, and so on. These systems may be based on Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), or some other modulation technique. CDMA systems offer some advantages over other types of systems, including increased system capacity.
A CDMA System may be designed to support one or more CDMA standards, such as (1) "TIA/EIA-95-BMobject State-Base State Compatibility Standard for Dual-ModeWideband Spread Spectrum Cellular System" (IS-95 Standard), by "3rdThe standard provided by GenerationPartnership Project (3GPP) is embodied in a set of documents including Nos.3G TS25.211, 3G TS 25.212, 3G TS 25.213, and 3G TS 25.214(W-CDMA standard), by "3G TS25.211rdThe standard provided by Generation Partnership Project 2 "(3 GPP2), IS referred to herein as TR-45.5 of the cdma2000 standard, and was previously referred to as IS-2000 MC. These described standards are incorporated herein by reference.
Each standard specifically defines the handling of data to be transmitted from a base station to a mobile and vice versa. The following discussion considers, as an example embodiment, a cdma2000 compliant spread spectrum communication system. Additional embodiments may include other standards/systems. Further embodiments may apply the security methods disclosed herein to any type of data processing system that uses a cryptographic system.
A cryptographic system is a method of disguising messages that enables a particular group of users to retrieve the message. Fig. 1A illustrates a basic cryptographic system 10. Cryptography is the technique of establishing and using cryptographic systems. Cryptanalysis is a technique to break cryptographic systems, i.e. to receive and understand messages when you are not in a particular group of users who are allowed to access the messages. The original message is referred to as a plaintext message or plaintext. Encrypted messages are referred to as ciphertext, where encryption includes any method of converting plaintext into ciphertext. Decryption includes any method of converting ciphertext into plaintext, i.e., recovering the original message. As illustrated in fig. 1A, a plaintext message is encrypted to form ciphertext. The ciphertext is then received and decrypted to recover the plaintext. The ciphertext is then received and decrypted to recover the plaintext. Although the terms plaintext and ciphertext generally refer to data, the concept of encryption may be applied to any digital information, including audio and video data in digital form. Although the description of the invention provided herein uses plaintext and ciphertext terms consistent with cryptography, these terms do not exclude other forms of digital communication.
Cryptographic systems are based on secrets. A group of entities is said to share a secret if the entity outside the group cannot obtain the secret without a large amount of resources.
A cryptographic system may be a collection of algorithms, where each algorithm is signed and these signs are referred to as keys. Symmetric encryption systems, often referred to as cryptosystems, use the same key (i.e., a secret key) to encrypt and decrypt messages. A symmetric encryption system 20 is illustrated in fig. 1B, where encryption and decryption use the same private key.
In contrast, symmetric encryption systems use a first key (i.e., a public key) to encrypt a message and a different key (e.g., a private key) to decrypt it. Fig. 1C illustrates an asymmetric encryption system 30 in which one key is provided for encryption and a second key is provided for decryption. Asymmetric cryptographic systems are also referred to as public key cryptographic systems. The public key is published and can be used to encrypt any message, however, only the private key can be used to decrypt messages encrypted with the public key.
There is a problem within symmetric cryptographic systems to securely provide a secret key from a sender to a recipient. One solution might be to use a messenger to provide the information, or a more efficient and reliable approach might be to use a public key cryptosystem, such as the one defined by Rivest, Shamir and adleman (rsa), as will be described below. The RSA system is used within a popular security tool called fairly good privacy (PGP), which will be discussed below. For example, the original recorded password system changes the letters in the plaintext by shifting each letter by n within the alphabet set, where n is a predetermined constant integer value. In this scheme, "a" is replaced with "D", etc., where a given encryption scheme may include several different values of n. In this encryption scheme "n" is a key. The intended recipient is provided with an encryption scheme before receiving the ciphertext. In this way, only the key-aware entity decrypts the ciphertext to recover the plaintext. However, by computing the key with known knowledge of the encryption, an unintended recipient may be able to intercept and decrypt the ciphertext, thereby causing security problems.
More sophisticated and sophisticated cryptographic systems use policy keys that prevent interception and decryption from unintended parties. Classical cryptographic systems use an encryption function E and a decryption function D, such as:
D_K(E_K(P))=P,for any plaintext P (1)
in a public cryptosystem, E _ K can be computed very simply from the known "public key" Y, which in turn is computed from K. The public key is public so anyone can encrypt the message. The decryption function D _ K is calculated from the public key Y, but only if the private key K is known. Without knowledge of the private key K, the unintended recipient may not be able to decrypt the ciphertext so generated. In this way, only the recipient that generated K can decrypt the message.
RSA is a Rivest, Shamir, and Adleman defined public key cryptosystem, where, for example, plaintext considerations are as much as 2512Is a positive integer of (1). The key is a quadruplet of numbers (p, q, e, d) where p is given as 256 prime numbers, q is given as 258 bit prime numbers, and d and e are the large numbers that (de-1) can be evenly divided by (p-1) (q-1). . In addition, the cryptographic function is defined as:
E_K(P)=Pe mod pq,D_K(C)=Cd mod pq (2)
however, E _ K can be calculated from the pair (pq, E) simply, and there is no known simple method for calculating D _ K from the pair (pq, E). Therefore, the recipient who generated K can publish (pq, e). It is possible to send a confidential message to the recipient because he is a person who can read the message.
PGP combines the features of symmetric and asymmetric encryption. Fig. 1D and 1E illustrate a PGP system 50 in which a plaintext message is encrypted and recovered. Within FIG. 1D, the clear text message is compressed to save modulator transmission time and disk space. Compression enhances encryption security as it adds another layer of translation on the encryption and decryption process. Most cryptanalysis techniques use patterns found in the plaintext to break a cipher. Compression reduces patterns within the plaintext, thereby enhancing resistance to cryptanalysis. It is worth noting that one embodiment does not compress: plain text or other messages that are too short to compress or messages that are poorly compressed.
The PGP then establishes a session key, which is a valid secret key. The key is a random number that may be generated from any random event, such as the random movement of a computer mouse and keyboard while typing. The session key acts in conjunction with a secure encryption algorithm to encrypt the plaintext to produce the ciphertext. Once the data is encrypted, the session key is then encrypted as the public key of the recipient. The public key encrypted session key is sent to the recipient along with the ciphertext.
For decryption, as illustrated in fig. 1E, the recipient copy of the PGP uses the private key to recover the temporary session key, which the PGP then uses to decrypt the conventionally encrypted ciphertext. The combination of encryption methods takes advantage of the convenience of public key encryption and the speed of symmetric encryption. Symmetric encryption is generally much faster than public key encryption. Public key encryption in turn provides a solution to the key distribution and data transmission problems. In combination, performance and key distribution are improved without sacrificing security.
A key is a value used with a cryptographic algorithm to generate a particular ciphertext. The key is typically a large number. The key size is measured in bits. Within public key encryption, security increases as the key size increases, however, the public key size and the symmetric encryption private key size are generally not related. Although the public and private keys are mathematically related, in the case of a public key alone, there may be difficulties in deriving the private key. Given sufficient time and computing power, it is possible to derive a private key, making the choice of key size a significant security issue. The optimal goal is to maximize the size of the key, allowing for security considerations, while at the same time minimizing the key size to facilitate fast processing. Larger keys are cryptographically secure for a longer time. Additional considerations are possible interceptors, in particular: 1) what is the importance of the message to the third party; and 2) how much resources the third party has to decrypt the message.
It is noted that the key is stored in encrypted form. PGP stores keys in two files, among others: one for the public key and one for the private key. These files are called key rings. In use, the PGP encryption system adds the public key of the intended recipient to the sender's public key ring. The sender's private key is stored on the sender's private key ring.
As discussed in the examples given above, the method of issuing keys for encryption and decryption can be complex. The "key exchange problem" involves first ensuring that keys are exchanged so that the sender and recipient can effect the respective encryption and decryption, and for two-way communication, so that the sender and recipient can encrypt and decrypt messages simultaneously. In addition, it is desirable that the key exchange be implemented such that interception by third parties and unintended parties can be precluded.
Finally, an additional consideration is authentication, which is provided to the receiver to ensure that the message is encrypted by the intended sender and not by a third party. In a private key exchange system, keys are exchanged via secrets, improved security is provided after successful key exchange and legal verification. It is worth noting that the private key encryption scheme implicitly provides authentication. The assumption underlying private key cryptography is that only the intended sender has a key that can encrypt a message sent to the intended recipient. While public key encryption methods address one aspect of the key that is critical to the "key exchange problem," especially the resistance to analysis by passive eavesdropping during key exchange, they do not address all of the problems associated with key exchange. In particular, since the key is considered "public information" (especially in the case of RSA), some other mechanism is required to provide authentication. The verification indication needs to be a separate possession key sufficient to encrypt the message, the verification is not a specific unique identity of the sender, nor is it sufficient to own a corresponding decryption key to establish the identity of the recipient.
One solution is to develop a key issuing mechanism that ensures that the listed keys are actually the keys of a given entity, sometimes referred to as a trusted entity, a certificate entity, or a third party signing authority. The authorized party typically does not actually generate the keys, but ensures that the key lists and associated identities maintained for the sender and receiver and used as references are correct and not compromised. Another method relies on the user issuing and tracking the keys of the other party with respect to each other, which is an irregular, distributed trust. In RSA, if a user wishes to send his identity information in addition to encrypting a message, the signature is encrypted with a key. The receiver may use the RSA algorithm to determine in return that the information is decrypted, so that only the sender may encrypt the plaintext using the secret key. A typical encrypted "signature" is a "message digest" that includes a unique mathematical "summary" of a confidential message (if the signature is fixed over multiple messages, the previous recipient would use it illegally once known). Thus, in theory, only the sender of a message will generate a legitimate signature for the message, thereby verifying it for the recipient.
Message digests are often computed using cryptographic hash functions. The cryptographic hash function computes a value (with a fixed number of bits) from any input, regardless of the length of the input. One characteristic of the cryptographic hash function is as follows: given an output value, it is computationally very difficult to determine the input that caused the output. An example of a cryptographic Hash function is SHA-1, FIPS PUB 180-1, described in "Secure Hash Standard," issued by the Federal information processing standards publication (FIP PUBS) and issued by the national standards and technical Bureau.
Fig. 2 is an illustration of a communication system 100 that supports multiple users and is capable of implementing at least some aspects and embodiments of the present invention. Any of a variety of algorithms and methods may be used for scheduling within system 100. System 100 provides for communication for a plurality of cells 102A through 102G, each of which is serviced by a corresponding base station 104A and 104G, respectively. In the exemplary embodiment, some base stations 104 have multiple receive antennas, and others have only one receive antenna. Similarly, some base stations 104 have multiple transmit antennas, while others have only a single transmit antenna. There is no limitation in the combination of the transmitting antenna and the receiving antenna. Thus, for a base station, there may be multiple transmit antennas, one receive antenna, or multiple receive antennas and one transmit antenna, or both with multiple transmit and receive antennas, either singly or simultaneously.
Terminals 106A, 106B, 106C, 106D, 106E, 106F, 106G, 106H, and 106I within the coverage area may be fixed (i.e., stationary) or mobile. As shown in fig. 2, a plurality of terminals 106 are dispersed throughout the system. Each terminal 106 communicates with at least one and possibly multiple base stations 104 on the downlink and uplink at any given moment, depending on whether soft handoff is used, or whether the terminal is designed and used to receive (concurrently or sequentially) multiple transmissions from multiple base stations. Soft handoff in CDMA is well known in the art and is described in detail in U.S. Pat. No. 5101501, entitled "Method and System for providing a software handoff in a CDMA Cellular Telephone System", assigned to the assignee of the present invention.
The downlink refers to transmission from the base station to the terminal, and the uplink refers to transmission from the terminal to the base station. In the exemplary embodiment, some terminals 106 have multiple receive antennas, and others have only one receive antenna. In fig. 2, base station 104A transmits data to terminals 106A and 106J on the downlink, base station 104B transmits data to terminals 106B and 106J, base station 104C transmits data to terminal 106C, and so on.
The growing demand for wireless data transmission and the expansion of services available through wireless communication technologies has led to the development of specific data services. One such service is known as High Data Rate (HDR). An exemplary HDR service IS set forth in "EIA/TIA-IS 856cdma2000High Rate Packet Data Air Interface Specification," referred to as the "HDR Specification". HDR services generally cover predetermined communication systems and provide a method for efficiently transmitting data packets in a wireless communication system. As the amount of data sent increases, and the number of transmissions increases, the limited bandwidth available for radio transmission becomes a critical resource. There is therefore a need for a method of efficiently and fairly scheduling transmissions in a communication system that optimizes the use of available bandwidth. In an exemplary embodiment, the system 100 illustrated in fig. 2 is compliant with a CDMA type system with HDR service.
According to one embodiment, the system 100 supports a high speed multimedia broadcast service, referred to as a High Speed Broadcast Service (HSBS). An example application of HSBS is video streaming of movies, sporting events, etc. The HSBS service is a packet data service according to the Internet Protocol (IP). According to an example embodiment, a service provider indicates the availability of such high speed broadcast services to users. Users who need HSBS service subscribe to receive services and may discover broadcast service arrangements through advertisements, Short Management Systems (SMS), Wireless Application Protocol (WAP), etc. The mobile user is called a Mobile Station (MS). The Base Station (BS) transmits the HSBS-related parameters within additional overhead. When the MS needs to receive the broadcast session, the MS reads the overhead and learns the appropriate configuration. The MS then tunes to the frequency containing the HSBS channel and receives the content of the broadcast service.
The service under consideration is a high-speed multimedia broadcast service. This service is referred to as High Speed Broadcast Service (HSBS) in this document. One such example is a video stream of a movie, sporting event, or the like. The service may be an Internet Protocol (IP) based packet data service.
The service provider indicates the availability of such high-speed broadcast services to the user. A user of a mobile station requiring this service subscribes to the receiving service and may discover broadcast service arrangements through advertisements, SMS, WAP, etc. The base station transmits broadcast service related parameters within additional overhead. A mobile station that needs to listen to the broadcast session will read these messages and determine the appropriate configuration, tune to the frequency containing the high speed broadcast channel, and begin receiving the content of the broadcast service.
There are several possible subscriber/revenue models for HSBS services, including free access, controlled access, and partially controlled access. For free access, no subscription is required to receive the service. The BS broadcasts unencrypted content that interested mobiles can receive. Revenue for the service provider may be derived from advertisements sent over the broadcast channel. For example, incoming movie fragments may be sent for payment to a movie studio of the service provider.
For controlled access, the MS user subscribes to the service and pays a corresponding fee to receive the broadcast service. Unsubscribed users cannot receive HSBS service. Controlled access may be achieved by encrypting the HSBS transmission/content so that only subscribed users can decrypt the content. This may use an over-the-air key exchange procedure. This solution provides strong security and prevents theft of the service.
A hybrid access scheme, also known as partially controlled access, provides subscription-based HSBS services as encrypted, which intermittently have unencrypted advertisement transmissions. These advertisements may be used to increase the subscription to the encrypted HSBS service. The scheduling of these unencrypted segments may be known to the MS by the external device.
A wireless communication system 200 is illustrated in fig. 3, wherein video and audio information is provided by a Content Server (CS)201 to a Packetized Data Service Network (PDSN) 202. The video and audio information may come from television programming or radio transmissions. The information is provided as packetized data, such as within IP packets. The PDSN 202 processes IP packets for distribution within AN Access Network (AN). As illustrated, AN is defined as the portion of the system that includes a BS 204 in communication with a plurality of MSs 206. The PDSN 202 is coupled to the BS 204. For HSBS service, BS 204 receives the information stream from PDSN 202 and provides the information on designated channels to subscribers within system 200. To control access, the content is encrypted by the CS 201 before being provided to the PDSN 202. The subscriber user is provided with a decryption key to enable decryption of the IP packets.
Fig. 4 illustrates MS 300 in detail, similar to MS 206 of fig. 3. MS 300 has an antenna 302 coupled to receive circuitry 304. The MS 300 receives transmissions from a BS (not shown) similar to the BS 204 of fig. 3. MS 300 includes a User Identity Module (UIM)308 and a Mobile Equipment (ME) 306. The receive circuitry is coupled to the UIM308 and the ME 306. The UIM308 provides an acknowledgement procedure for the security of the HSBS transmission and provides various keys to the ME 306. ME 306 may be coupled to processing unit 312. ME 306 performs substantive processing including, but not limited to, decryption of HSBS content streams. ME 306 includes a memory storage unit MEM 310. In an example embodiment, where the ME 306 processes data (not shown) in a unit and where the ME memory stores data, the MEM 310 may be accessed by non-subscribers simply by using limited resources, and thus the ME 306 is said to be unsecure. Any information passed to ME 306 or processed by ME 306 remains secure for a short period of time. Any confidential information, such as a key, shared with the ME 306 needs to be changed frequently.
The UIM308 is trusted, stores and processes confidential information (such as encryption keys), and may remain confidential for a long period of time. Since UIM308 is a secure element, the secrets stored therein do not necessarily require the system to constantly change the secret information. UIM308 includes a processing unit referred to as Secure UIM Processing Unit (SUPU)316 and a memory storage unit referred to as secure UIM storage unit (SUMU)314, which is trusted to be secure. Within the UIM308, the SUMU314 stores confidential information in a manner that makes unauthorized access to the information difficult to achieve. If the confidential information is obtained from UIM308, access may require a large amount of resources. Also within UIM308, SUPU316 implements calculations on values that may be external to UIM308 and/or internal to UIM 308. The results of the calculations may be stored within SUMU314 or passed to ME 306. The calculated values implemented with the SUPU316 may be obtained from the UIM308 by an entity with a large number of resources. Similarly, outputs from the SUPU316 are designated for storage within the SUMU314 (but not to the ME 306), and are designed such that significant resources are required to make unauthorized intercepts. In one embodiment, UIM308 is a stationary unit within MS 300. It is noted that UIM308 may include non-secure memory and processing (not shown) for storing information including telephone numbers, e-mail address information, Web page or URL address information, and/or scheduling functions, etc., in addition to the secure storage and processing within UIM 308.
Further embodiments may provide a removable and/or reprogrammable UIM. In an example embodiment, the SUPU316 does not have significant processing functionality for functions above security and key processing that may be typically used to enable encryption of HSBS broadcast content. Other embodiments may implement UIM with more processing capabilities.
UIM308 is associated with a particular user and is used first to confirm that MS 300 enjoys the privileges of the user, such as access to a mobile telephone network. Thus, the user is associated with UIM308 rather than MS 300. The same user may be associated with multiple UIMs 308.
Broadcast services face a problem of determining how to distribute keys to subscribers. In order to decrypt the broadcast content at a particular time, the ME must know the current decryption key. To avoid theft of the service, the decryption key should be changed often, e.g. one service changes the key every minute. These decryption keys are referred to as short-term keys (SK). The SK is used to decrypt the broadcast content in a short time, so the SK is assumed to have a certain amount of intrinsic cost value for the user. For example, the intrinsic monetary value may be part of the registration fee. It is assumed that the cost of a non-subscriber obtaining SK from the subscriber's memory storage MEM 310 exceeds the inherent cost value of SK. I.e., illegal acquisition of SK outweighs payment, results in no net gain. As a result, the need to protect the SK within the memory storage unit MEM 310 is reduced. However, if the lifetime of the secret key is longer than the lifetime of the SK, the cost of illegally obtaining the secret key may be less than the reward. In this case there is a net gain in illegally obtaining the key from the memory storage unit MEM 310. Thus, ideally, the memory storage unit MEM 310 will not store secrets having a longer lifetime than SK.
The channel used by the CS to publish the SK to the individual subscriber units is assumed to be insecure. In other words, the optimal design would assume that the signal is unsafe and design SK accordingly. Thus, when publishing a given SK, the CS wishes to use a technique that does not let non-subscriber users know the value of the SK. In addition, the CS publishes SK to a potentially large number of subscribers for processing within the respective ME within a relatively short time frame. Known security methods of key transmission are generally slow and require a large number of key transmissions. Key transmission methods are generally not feasible for the required combination of security and validity criteria. The feasible method of publishing decryption keys to a large set of subscribers in a short time frame, feasible with the example embodiments, makes the decryption keys unavailable to non-subscribers.
The exemplary embodiments are described as sending information within internet protocol compatible packets, such as the "IPSec" packets described below, and thus the following description provides an overview of the terminology associated with IPSec. This term is useful in describing example embodiments, but use of this term is not meant to limit example embodiments to communications using IPSec.
The establishment of IPSec is specified in RFC 1825, RFC 1826 and RFC 1827, entitled "secure architecture for the Internet Protocol", r.atkinson, month 8 1995; "IPAuthentication Header", r.atkinson, 8.1995 and "IP Encapsulating Security Payload (ESP)", r.atkinson, 8.1995. A verification header is a mechanism that provides the integrity of an IP datagram, which is typically a combination of useful information (called payload) and network control information and an IP header. Network routers use IP headers to direct packets to the appropriate network nodes. In some cases, the verification header may also provide verification of the IP datagram. ESP is a mechanism for providing confidentiality and integrity of IP datagrams and may be used with authentication headers. IPSec uses "security-related" to describe parameters, such as encryption keys and encryption algorithms, used to encrypt and/or authenticate communications between groups of entities. It is noted that the security-related concepts are also suitable for use in cryptographic systems that are not based on IPSec.
The IPSec packet includes 32 as a parameter, called the Security Parameter Index (SPI), which is used with the destination address to identify the security association used to encrypt and/or validate the content of the IP datagram. The entity may store the security association in a security association database and index the security association according to the destination address and SPI. The encrypted content of the IPSec packet is referred to as the payload.
In an example embodiment, the MS 300 supports HSBSs within a wireless communication system. In order to gain access to the HSBS, the user must register and then subscribe to the service. Once registration is enabled, the individual keys are updated as needed. During the registration process, the CS and UIM308 negotiate a security association and agree on a Registration Key (RK) and other parameters needed for the security association between the user and the CS. The CS may then send further confidential information encrypted with the RK to the UIM 308. The RK is kept secret within the UIM308, while other parameters may be kept within the ME 306. The RK is unique for a given UIM308, i.e., each user is assigned a different RK. The separate registration procedure does not give the user access to the HSBS.
As described above, after registration, the user subscribes to the service. During the subscription process, the CS sends the value of the public Broadcast Access Key (BAK) to the UIM 308. It is noted that the RK is specific to the UIM308 and the BAK is used to encrypt broadcast messages to multiple users. The CS sends the BAK value encrypted using the RK unique to UIM308 to the MS 300, and in particular UIM 308. UIM308 may be able to recover the value of the BAK from the encrypted version using the RK. BAK, and other parameters, form a security association between the CS and the subscriber user group. BAK is kept secret within UIM308 while other security-related parameters may be kept secret within ME 306. The CS then broadcasts data called SK information (SKI), which is combined with the BAK within UIM308 to derive the SK. The UIM308 then passes the SK to the ME 306. In this way, the CS can effectively publish new values of SK to the ME of subscriber users. The following represents an example of if the SK is derived from the SKI, and the form that the SKI takes. The registration and subscription process is discussed in detail after the description of SKI and SK.
With respect to registration, when a user registers with a given CS, the UIM308 and the CS (not shown) establish a security association. I.e. the UIM308 and CS agree on the secret registration key RK. The RK is unique to each UIM308, although if a user has multiple UIMs, these UIMs may share the same RK depending on the CS policy. This registration may occur when the user subscribes to a broadcast channel provided by the CS or may occur prior to subscription. A single CS may provide multiple broadcast channels. The CS may choose to associate the user with the same RAK for all channels or require the user to register for each channel and associate the same user with different RKs on different channels. Multiple CSs may choose to use the same registration key or require the user to register and obtain a different RK for each CS.
Three cases for setting up the security association include: 1) authentication Key Agreement (AKA) methods for 3GPP systems; 2) internet Key Exchange (IKE) method for use within IPSec; and 3) Over-The-Air-Service-provisioning (OTASP). In both cases, the UIM storage unit SUMU314 contains a secret key, referred to herein as an a-key. For example, using the AKA method, the a-key is a secret known only to the UIM and to a Trusted Third Party (TTP), where the TTP may include more than one entity. The TTP is typically the mobile service provider with which the user is registered. All communications between the CS and the TTP are secure and the CS believes that the TTP will not facilitate access to the unauthorized broadcast service. When the user registers, the CS notifies the TTP that the user wishes to register for a service, and provides confirmation of the user's request. The TTP uses a function similar to a cryptographic hash function to compute the RK from the a-key, and additional data called Registration Key Information (RKI). The TTP passes the RK and/or RKI along with other data over the secure channel to the CS. The CS transmits the RKI to the MS 300. Receiver circuitry 304 passes the RKI to UIM308 and passes the RKI to ME 306. The UIM308 computes the RK from the RKI, as well as an A-key stored in UIM memory unit SUMU 314. The RK is stored within UIM memory unit SUMU314 and is not provided directly to ME 306. Alternative embodiments may use the IKE case, or some other method, to establish the RK. Other parameters of the security association between the CS and UIM308 must also be negotiated. The RK is kept secret within the UIM308, while other parameters of the security association may be kept within the ME 306. In an example embodiment, where the BAK is sent back to the UIM308 as an IPSec packet encrypted using an RK, the CS and MS 300 negotiate an SPI value for indexing the security association, and this SPI is labeled as SPI _ RK.
In the AKA method, RK is a secret shared among CS, UIM and TTP. Thus, as used herein, the AKA method implies that any security-related relation between CS and UIM implicitly includes TTP. Including the TTP within any security association is not considered a security breach because the CS believes that the TTP will not facilitate unauthorized access to the broadcast channel. As described above, if the key is shared with the ME 306, the key needs to be changed often. This is because there is a risk that non-subscribers access the information stored in the memory storage unit MEM 310, which may result in access controlled or partially controlled services. The ME 306 stores SK, i.e., key information for decrypting broadcast content, in the memory storage unit MEM 310. The CS sends sufficient information for the subscribed user to calculate SK. If the ME 306 of the subscribed user can calculate SK from this information, the additional information needed to calculate SK is not confidential. In this case, it is assumed that the ME 306 of the non-subscribing user can also calculate SK from this information. Thus, the SK value must be calculated within SUPU316 using the secret key shared by CS and SUMU 314. The CS and SUMU314 share an RK value, however each user has a unique RK value. There is insufficient time for the CS to encrypt SK with each RK value and send these encrypted values to each subscribed user.
With respect to subscription, to ensure efficient publication of security information SK, the CS periodically sends a public Broadcast Access Key (BAK) to each subscriber UIM 308. For each subscriber, the CS encrypts the BAK using the corresponding RK to obtain a value called BAKI information (BAKI). The CS sends the corresponding BAKI to the MS 300 of the subscribing user. For example, the BAK may be sent as an IP packet encrypted using the RK for each MS. In an example embodiment, the BAKI is an IPSec packet that contains BAK encrypted using RK as a key. Since the RK is a key for each user, the CS must send the BAK to each subscriber separately; the BAK is not transmitted on the broadcast channel. MS 300 passes the BAKI to UIM 308. SUPU316 calculates BAK using the RK value and BAKI value stored within SUMU 314. The BAK value is then stored within SUMU. In an example embodiment, the BAKI contains an SPI value labeled SPI _ SK, which corresponds to a security association containing RK. When IPSec packets are encrypted according to the security association, MS 300 knows that UIM308 can decrypt the payload. As a result, when MS 300 receives an IPSec packet encrypted according to the security association, MS 300 passes the BAKI to UIM308 and instructs UIM308 to use the RAK to decrypt the payload.
The period for updating the BAK needs to be long enough so that the CS can send the BAK to each subscriber individually without a large amount of additional overhead. Since the ME 306 is not trusted to remain confidential for long periods of time, the UIM308 does not provide BAK to the ME 306. Other parameters of the security association between the CS and the subscriber group must also be negotiated. In one embodiment, these parameters are fixed, while in another embodiment, these parameters may be sent to the MS as part of the BAKI. While the BAKI is kept confidential within the ME 306, other parameters of the security association may also be kept within the ME 306. In an embodiment where SK is sent to the MS 300 as IPSec packets encrypted using BAK, the CS provides the subscriber with an SPI for indexing the security association, designated as SPI _ BAK.
The following discusses how the SK is updated after a successful subscription procedure. During each period for updating the BAK, a short-term interval is provided during which SK is released on the broadcast channel. The CS uses a cryptographic function to determine two values, SK and SKI (SK information), so that SK can be determined from BAK and SKI. For example, SKI may be an encryption of SK with BAK as the key. In an example embodiment, the SKI is an IPSec packet in which the payload contains an SK value encrypted using BAK as a key. Alternatively, SK may be the result of applying a cryptographic hash function to the concatenation of modules SKI and BAK. CS ideally guarantees that the value of SK is not predicted in advance. If the SK can be predicted in advance, an attacker, i.e., an illegitimate access entity, can send the predicted SK value to the non-subscribing user.
As an example, assume that the values of N SK are used over a 24 hour period. If SK is predicted one hundred percent accurately, the attacker only needs to ask the UIM to compute N keys. The attacker then makes N keys available to the non-subscribing users. The non-subscribing users can download the keys at the beginning of each day and access the HSBS service is inexpensive and convenient. If an attacker can only predict SK with 50% accuracy, the attacker needs to send roughly 2N keys. As the accuracy of the prediction decreases, the number of keys to be generated by the attacker increases. If the cost of generating, storing, and publishing predictions outweighs the benefit of providing illegitimate access, an attacker may forgo publishing predictions for SK. If the prediction accuracy of the attacker is guaranteed to be small, the attacker has the possibility of giving up, thereby increasing the number of keys which the attacker can generate is a critical point beyond the benefit of the cost of providing illegal access. The result is that any scheme that generates SK ideally guarantees that the accuracy of the best prediction of the attacker is small enough. That is, the calculation of SK should include some random values that can only be predicted in advance with little accuracy.
In an example embodiment, where the SK is in encrypted form, the CS may select the SK using a random or pseudo-random function. In further embodiments, where SK is derived by applying a cryptographic function to SKI and BAK, CS introduces unpredictable values in forming SKI. Some portion of SKI is predictable. For example, portions of SKI may be derived from system time during which the SKI is valid. This portion is denoted as SKI _ prefix and may not be sent to the MS 300 as part of the broadcast service. The remainder of SKI, SKI _ RANDOM may not be predictable. I.e., SK _ RANDOM is predicted with little accuracy. The SKI _ RANDOM is sent to the MS 300 as part of the broadcast service. MS 300 reconstructs SKI from SKI _ PREDICT and SKI _ RANDOM and provides the SKI to UIM 308. The SKI may be reconstructed within the UIM 308. The value of SKI changes for each new SK. Thus, either SKI _ PREDICT and/or SKI _ RANDOM change when a new SK is computed.
The CS sends SKI _ RANDOM to the BS for broadcast transmission. The BS broadcasts SKI _ RANDOM, which is detected by antenna 302 and passed to receive circuitry 304. Receive circuitry 304 provides SKI _ RANDOM to MS 300, where MS 300 reconstructs SKI. MS 300 provides SKI to UIM308, where UIM308 obtains SK using BAK stored within SUMU 314. The SK is then provided by the UIM308 to the ME 306. ME 306 stores SK in memory storage unit MEM 310. The ME 306 decrypts broadcast transmissions received from the CS using the SK.
The CS and BS agree on some criteria for when SKI _ RANDOM is to be sent. The CS may need to reduce the inherent cost of each SK by constantly changing the SK. In this case, the need to change SKI _ RANDOM data is balanced against optimizing the available bandwidth. In some example embodiments, SKI _ RANDOM is sent with the encrypted content. This enables the MS 300 to generate the SK and immediately start decryption. In many cases, this wastes bandwidth. One exception is the scheme where SKI _ RANDOM is sent as a communication parameter. For example, the SPI value within IPSec is allowed to change and may be used to include the SKI _ RANDOM value, as will be described in detail below.
In other embodiments, SKI _ RANDOM is sent separately from the encrypted content. The SKI _ RANDOM may even be sent on a channel other than a broadcast channel. When a user "tunes" to a broadcast channel, the receive circuitry 304 obtains information for locating the broadcast channel from the "control channel". Fast access may be required when a user "tunes" to a broadcast channel. This requires ME 306 to acquire SKI in a short amount of time. The ME 306 may already know SKI _ PREDICT, however, the BS provides SKI _ RANDOM to the ME 300 for that short time. For example, the BS may often send SKI _ RANDOM on the control channel, along with information to locate the broadcast channel, or frequently send SKI _ RANDOM on the broadcast channel. The more frequently the BS "refreshes" the value of SKI _ RANDOM, the faster the MS 300 can access the broadcast message. The need to refresh SKI _ RANDOM data is balanced against optimizing available bandwidth, as sending SKI _ RANDOM data too frequently may use an unacceptable amount of bandwidth within the control channel or broadcast channel.
In some cases, the CS may choose to use the values of SKI _ prefix and SKI _ RANDOM, where both change for each generated SK value. In other cases, the CS may wish to reduce the number of times the SKI _ RANDOM changes so that the MS 300 does not need to obtain SKI _ RANDOM often. For example, if the user changes often among multiple HSBS channels, it may be better if the SKI _ RANDOM value does not change within five minutes of when the user tunes to another channel. If SKI _ RANDOM changes, the user must wait until the new SKI _ RANDOM value is broadcast, indicating that a scheme that is as constant as possible if SKI _ RANDOM is more user friendly. A CS may wish to use multiple SK values during the lifetime of the SKI _ RANDOM value by using the value of SKI _ prefix that changes whenever a CS wishes to change SK. One example uses system time; however, using system time introduces additional synchronization related issues.
With respect to encryption and transmission of broadcast content, the CS encrypts the broadcast content using the current SK. The exemplary embodiment uses an encryption algorithm, such as the Advanced Encryption Standard (AES) cipher algorithm. In an example embodiment, the encrypted content is then transmitted by the IPSec packet according to an Encapsulating Security Payload (ESP) transmission mode, as will be discussed below. The IPSec packet also contains an SPI value that instructs the ME 306 to use the current SK to decrypt the received broadcast content. The encrypted content is transmitted through a broadcast channel.
Receive circuitry 304 provides RKI and BAKI directly to UIM 308. In addition, if the CS computes SK from SKI _ RANDOM and SKI _ PREDICT values, then receive circuitry 304 provides SKI _ RANDOM to the appropriate portion of MS 300, where it is combined with SKI _ PREDICT to obtain SKI. In one embodiment, SKIs are appended to the encrypted message and extracted for the ME 306. The SKI is provided to UIM308 by MS 300 related components. UIM308 computes RK from RKI and the A key, decrypts the BAKI using RK to obtain BAK, and computes SK using SKI and BAK to generate SK for use by ME 306. The ME 306 decrypts the broadcast content using the SK. The UIM308 of the example embodiment may not be powerful enough to decrypt broadcast content in real time, so the SK is passed to the ME 306 to decrypt the broadcast.
Fig. 5A and 5B illustrate the transmission and processing of keys, including RK, BAK, and SK, according to an example embodiment. As illustrated, upon registration, the MS 300 receives RK information (RKI) and passes it to the UIM308, where the SUPU316 calculates the RK using the RKI and the a key and stores the RK within the UIM memory storage SUMU 314. The MS 300 periodically receives BAK information (BAKI) which includes BAK encrypted using a RK value specific to the UIM 308. The encrypted BAKI is decrypted using SUPU316 to recover the BAK, which is stored in UIM memory storage SUMU 314. The MS 300 also periodically obtains SKI. In an exemplary embodiment, MS 300 receives SKI _ RANDOM, which is combined with SKI _ PREDICT to form SKI. SUPU316 calculates SK from SKI and BAK. The SK is provided to the ME 306 for decrypting the broadcast content.
In an example embodiment, the CS key is not necessarily encrypted and sent to the MS; other methods may be used by the CS. The key information generated by the CS to be delivered to each MS provides sufficient information to enable the MS to calculate the key. As illustrated in the system 350 of FIG. 6, the RK is generated by the CS, but RK information (RKI) is sent to the MS. The CS transmits information sufficient for the UIM to derive the RK, wherein a predetermined function is used to derive the RAK from the transmitted information from the CS. The RKI contains sufficient information for the MS to determine the original RK from the a-key and other values (such as system time), using a predetermined common function, denoted d1, where:
RK=d1(A-key,RKI) (3)
in an example embodiment, the function d1 defines an encryption type function. According to one embodiment, the RK is determined as:
RK=SHA’(A-key ||RKI),(4)
where "|" represents the concatenation of the modules containing the key a and RKI, and SHA' (X) represents the last 128 bits of the output of the secure hash algorithm SHA-1 given the input X. In another embodiment, the RK is determined as:
RK=AES(A-key,RKI) (5)
where AES (X, Y) denotes the encryption of the 128-bit module RKI using a 128-bit a key. In a further embodiment according to the AKA protocol, the RK is determined to be the output of the 3GPP key generation function f3, where RKI comprises the value of RAND and appropriate values of AMF and SQN as defined by the standard.
BAK is handled differently because multiple users with different values of RK must compute the same value of BAK. The CS may use any technique to determine the BAK. However, the value of the BAKI associated with a particular UIM308 must be an encryption of BAK at the unique RK associated with that UIM 308. SUPU316 decrypts the BAKI using the RK stored within SUMU314 according to a function labeled d2 according to:
BAK=d2(BAKI,RK)(6)
in another embodiment, the CS may compute the BAKI by applying a decryption process to the BAK using the RK, and the SUPU316 obtains the BAK by applying an encryption process to the BAKI using the RK. This is considered equivalent to the CS encryption BAK and SUPU316 decrypting the BAKI. Other embodiments may implement combinations of multiple keys in place of or in addition to those illustrated in fig. 6.
SK is processed in a similar manner as RK. In some embodiments, SKI is first derived from SKI _ PREDICT and SKI _ RANDOM, where SKI _ RANDOM is the information sent from the CS to the MS. A predetermined function, labeled d3, is then used to derive SK from SKI and BAK (stored within SUMU 314), according to:
SK=d3(BAK,SKI)(7)
in one embodiment, function d3 defines an encryption type function. In an example embodiment, SK is calculated as:
SK=SHA(BAK||SKI),(8)
where in another embodiment, SK is calculated as:
SK=AES(BAK,SKI)(9)
a method of providing security for broadcast messages is illustrated in fig. 7A-7D. Fig. 7A illustrates a registration process 400 in which a subscriber negotiates a registration with a CS at step 402. The registration at step 404 provides the UIM with a unique RK. The UIM stores the RK in a secure memory unit (SUMU) at step 406. Fig. 7B illustrates a subscription procedure between the CS and the MS. At step 422, CS generates BAK for BAK time period T1. BAK is legal during the entire BAK period T1, where BAK is updated periodically. At step 424, the CS authorizes the UIM to access Broadcast Content (BC) during BAK timer period T1. At step 426, the CS encrypts the BAK using a single RK for each subscriber. The encrypted BAK is called BAKI. The CS then sends the BAKI to the UIM at step 428. In step 430, UIM receives the BAKI and uses RAK to effect decryption. The decrypted BAKI results in the originally generated BAK. The UIM stores the BAK in SUMU at step 432.
When a user subscribes to broadcast within a particular BAK update period, the CS sends the appropriate information BAKI, which encrypts the BAK applying the RK. This typically occurs before the beginning of the BAK update period or when the MS tunes to the broadcast channel for the first time during the BAK update period. This may be initiated by the MS or CS according to various criteria. Multiple BAKI may be sent and decrypted simultaneously.
It is worth noting that when the BAK update period is about to expire, the MS may request an updated BAK from the CS if the MS has subscribed to the next BAK update period. In another embodiment, a first timer t1 is used by the CS, wherein the CS sends the BAK when the timer times out, i.e., when the BAK update period is met. The CS may change the value of BAK before a time better than planned in advance. This may be required if, for example, the current BAK value is publicly published.
Notably, it is possible for a user to receive the BAK during a BAK update period, where, for example, BAK updates are performed once per month while the subscriber joins the service during the month. In addition, the periods of BAK and SK updates may be synchronized so that all subscribers are updated at a given time.
Fig. 8A illustrates a registration process for a wireless communication system 500 according to an example embodiment. The CS 502 negotiates with each subscriber, i.e., the MS 512, to generate a RK specific to each subscriber. The RK is provided to SUMU units within the UIM of each MS. As illustrated, CS 502 generates storage UIM1SUMU of1RK within 5101. Similarly, CS 502 generates a response for storage in UIM2SUMU of2510 Innovation and UIMNSUMU ofNRK within 5102RK ofN。
Fig. 8B illustrates a subscriber process within system 500. The CS 502 further includes a plurality of encoders 504. Each encoder 504 receives a unique RK and BAK value generated within the CS 502. The output of each encoder 504 is a BAKI that is specifically encoded for the subscriber. The BAKI is received at the UIM of each MS, such as the UIM1512. Each UIM includes a SUPU and a SUMU, such as UIM1SUPU of 5121514 and SUMU1510, and UIMNSUPU of 532N534 and SUMUN530. The SUPU includes a decoder, such as decoder 516 or decoder 536, which recovers the BAK by applying the RAK of the UIM. The process is repeated at each subscriber.
Fig. 8D illustrates processing of the BC after registration and subscription. The CS 502 includes an encoder 560 that encodes the BC using the current SK to generate the EBC. The EBC is then sent to the subscriber. Each MS includes an encoder, such as encoder 544 or encoder 554, which uses SK to extract BC from the EBC.
The following description considers four example embodiments that may be used to update the SK and broadcast the content. In a first example embodiment, SK is derived from BAK and SPI values within the header of an IPSec packet containing broadcast content. In a second example embodiment, the SK is derived from the BAK table, broadcast random values labeled RAND and SPI values within the header of an IPSec packet containing broadcast content. In a third example embodiment, SK is derived from BAK, system time, and a broadcast random value labeled SK _ RAND. In a fourth example embodiment, SK is sent as a BAK encrypted IPSec packet. Other embodiments may provide the SK as a combination of the above embodiments, or use other mechanisms to provide the SK to the MS on a regular basis, forcing the release of unauthorized access to the broadcast service.
Since the short-term key (SK) is used to encrypt and decrypt broadcast content and is stored in a memory that is vulnerable to illegal access, SK typically changes frequently. There is a problem how to change SK often while balancing the following four goals: 1) minimizing SK update latency or interruption periods for mobile stations that have just tuned to broadcast; 2) minimizing the amount of bandwidth used to update the SK value; 3) increasing the security level; and 4) increase the ease of merging SK with IPSec. Frequent updates may reduce the outage period, but at the cost of requiring more bandwidth to send frequent updates.
One solution provides a method to provide sufficient information to enable SK updates within each encrypted broadcast content packet without using additional bandwidth. Thus, the outage period may not necessarily need additional bandwidth to be minimized. The four exemplary embodiments disclosed herein for implementing SK updating have various advantages and disadvantages. All four embodiments provide a sufficiently secure approach. The first embodiment removes the period of outage and does not use additional bandwidth to update the SK value. Other embodiments may have periods of interruption during periods of high usage. The first embodiment can be easily incorporated with IPSec.
According to a first embodiment for implementing SK updating, the above problem is solved by defining SK, which encrypts a given IPSec packet as a function of Broadcast Access Key (BAK) and SPI within the ESP header. Thus, rather than providing the SK in a separate stream, the SK is calculated from the content stream. Assuming that the MS has received the BAK as described above, the MS can compute the SK immediately for each content packet without waiting for additional SK update information. This effectively removes any update latency of the SK for new broadcast reception. Once the MS receives the content packet, the MS can immediately determine the SK and decrypt the content.
Information sufficient to compute SK at the MS is provided within the IPSec packet. IPSec packets use IP Encapsulation Security Payload (ESP) and are specified in RFC 1827, entitled "IP Encapsulation Security Payload (ESP)", r.atkinson, month 8 1995, as described above. ESP is a mechanism that provides IP datagram integrity and confidentiality. In some cases, it may also provide for verification of IP datagrams. Fig. 9A illustrates an IPSec packet 600 including an IP header 602, an ESP header 604, and a payload 606, according to an embodiment. The Encapsulating Security Payload (ESP) may appear anywhere after the IP header and before the last transport layer protocol. In general, an ESP includes an unencrypted header followed by encapsulated data.
ESP header field 604 includes a security association identifier, referred to as an SPI. According to the first embodiment described above, the IPSec packet containing broadcast content includes an SPI related to SK, referred to as SPI _ SK. Fig. 9B illustrates the format of the corresponding 32-bit SPI _ SK 610. The SPI _ SK 610 is broken down into two parts, SPI _ RAND612 and BAK _ ID 614. SPI _ RAND612 is a statistically random number and is also used to calculate SK for encrypting or decrypting corresponding broadcast content or payload. The SPI _ RAND parameter allows the Content Server (CS) to change the effective SK value of the content, often by changing the SPI _ RAND value, thereby providing the MS with the parameters needed to calculate the SK value immediately. In addition, SPI _ RAND implements the role of SKI _ RANDOM, as described above. The randomness of the SPI _ RAND ensures that an attacker cannot predict the value of SK with high accuracy. Since SPI is already a standard parameter within IPSec encrypted packets, i.e., specified for ESP, this embodiment would not require the additional bandwidth normally associated with transmitting SK as a separate stream. The BAK _ ID indicates which BAK value is used to calculate the SK value. In one embodiment, the BAK _ ID is a four-bit flag, where each flag is associated with a BAK value. When the MS fulfills the subscription, the MS stores each received BAK _ ID and the corresponding BAK value in the memory storage unit. According to an embodiment, the MS includes a look-up table (LUT) for storing BAK values identified with each corresponding BAK _ ID. The BAK LUT is contained within secure memory within the UIM.
Fig. 9D illustrates BAK LUT 630. Each entry within LUT 630 identifies a BAK ID, a corresponding BAK value, and a timeout for the combined validity period. The timeout is introduced because of the fractional value of the BAK ID. Further embodiments may avoid using timeout values within the BAK LUT. In one embodiment, only 16 values of BAK _ ID are used. If a new BAK is issued every month, the value of BAK _ ID may repeat after 16 months. At that time, there may be confusion as to which BAK value is valid. The timeout provides a timeout after which a new item replaces an expired item. One reason is because the CS may wish to send BAK values to the MS before they become valid. In addition, the CS may desire multiple BAK values that are valid at the same time, where different BAK values may be used to calculate different BAK values. If the BAK LUT does not contain the current BAK for the BAK _ ID, the MS may perform a subscription to acquire a valid BAK.
After extracting SPI _ RAND and BAK _ ID from SPI _ SK and obtaining BAK corresponding to BAK _ ID, UIM calculates SK value from BAK and SPI _ RAND using cryptographic function g:
SK=g(BAK,SPI_RAND) (10)
in one embodiment, the function g (BAK, SPI _ RAND) encrypts an SPI _ RAND that applies zero padding to 128 bits, using the AES encryption algorithm with BAK as the key:
SK=AES(BAK,SPI_RAND) (11)
in another embodiment, the function g (BAK, SPI _ RAND) corresponds to computing the 128 least significant bits applied to the output of the BAK and SPI _ RAND connected SHA-1:
SK=SHA(BAK,SPI_PAND). (12)
thus, the UIM need not calculate the value of SK for each packet received by the MS. The MS stores each SPI _ SK value with a corresponding SK value in a memory storage unit, such as a look-up table (LUT). The MS may store the SPI _ SK and SK values as security associations within a Security Association Database (SAD), which is a LUT, where the MS stores general security associations required by other applications. The security association is indexed according to the destination address and the SPI. When a new SK is generated from a new value of SPI _ SK, the old security association is replaced by a security association containing the new SPI _ SK and SK values. Alternatively, the MS may store SPI _ SK and SK values in an SK _ LUT, one assigned to each broadcast channel. Fig. 9C illustrates an SK LUT 620. Each entry within LUT 620 identifies SPI _ SK and a corresponding SK value. When the MS receives a broadcast content packet, the ME first checks the SAD and SK LUTs to see if the table contains an SPI _ SK value equal to the SPI of the received packet. If the table contains this value, then the ME uses this value, otherwise the UIM calculates a new value for the SK. The CS may also have a BAK LUT, SAD or SK _ LUT.
FIGS. 10 and 11 illustrate an embodiment for implementing SK updating. Fig. 10 illustrates a method 700 of operation of the CS. For each IP packet, the CS determines the BAK used to derive the SK and determines the BAK _ ID of the corresponding BAK at step 702. The BAK ID may be any type of identifier that can distinguish between multiple BAK values. The CS sends the BAK and BAK _ ID to the single user by implementing the subscription at step 706. The user may effect the subscription at different times before or during the subscription period. Steps 702 and 706 may occur before the start of the subscription period. At step 710, CS selects a random value for the SPI _ RAND value. If BAK _ ID is represented using b bits, then SPI _ RAND is represented using (32-b) bits. The SPI _ RAND value should not be repeated during one BAK period. At step 712, once SPI _ RAND and BAK _ ID are known, CS combines them (e.g., concatenates BAK _ ID with SPI _ RAND) to form SPI _ SK. At step 714, the CS forms SK by combining SPI _ RAND with BAK corresponding to BAK _ ID using an encryption function to form SK. The CS then encrypts the broadcast message or portion of the message with the SK at step 716 and then sends the encrypted message at step 718. It is noted that the encrypted broadcast message is part of an IP packet that includes an IP header and an ESP header. The ESP header includes SPI _ SK. At decision diamond 720, the CS decides whether to change the SK. If the CS decides not to change the SK, the CS proceeds to step 716. If the CS decides to change SK, the CS proceeds to decision diamond 724 where the CS decides whether to change BAK. If the CS decides not to change BAK, the CS proceeds to step 710. If the CS decides to change BAK, the CS proceeds to step 702.
Fig. 11 illustrates the corresponding operation at a receiver, such as an MS. The method 750 begins at step 752 when the receiver receives an IP packet containing SPI _ SK within the ESP header. It is worth noting that the receiver extracts the SPI _ SK information from the IP packets. Upon receiving the SPI _ SK, the receiver first checks whether SK corresponding to the received SPI _ SK value is stored in the memory.
In one embodiment, SPI _ SK is stored in an SK LUT stored in the ME 306 unit of fig. 4, and in another embodiment, SPI _ SK is stored in a security association database: these two tables are designated by the SPI table in fig. 11. The checking of the SPI table is implemented at decision diamond 754. If the SK value is stored in memory at the receiver, the receiver can decode the payload of the content packet using the stored SK value at step 756. If the receiver does not have an SK value stored in memory, the receiver extracts the BAK _ ID and SPI _ RAND from SPI _ SK at step 758. The receiver then checks the BAK LUT for valid BAK entries for the corresponding BAK _ ID, step 760. If the BAK LUT has a valid BAK for the BAK _ ID, the receiver selects that value and proceeds to step 764. If the BAK LUT does not have a valid BAK for the BAK _ ID, such as when the user wishes to subscribe for the period, the receiver implements the subscription to obtain a valid BAK, as shown in step 762. The new BAK is stored in the BAK LUT together with the BAK ID, and the receiver proceeds to step 764. In step 764, the receiver combines the BAK corresponding to the BAK _ ID value (i.e., the BAK _ ID within the received SPI _ SK) with the SPI _ RAND value to compute a new SK. The receiver then uses the new SK value to decrypt the payload of the content packet at step 766. The receiver will also index this SK value by the corresponding SPI _ SK and possibly the destination address of the IPSec packet.
SK is calculated directly from BAK and SPI _ SK values within the content packets. BAK changes less frequently than SK changes, e.g., BAK may change once a month. Thus, the receiver can immediately determine the SK value from the content packet without additional delay and without requiring more bandwidth to send the SK update.
According to one embodiment, the SK calculation is given by:
SK=f(SPI_SK,BAK), (13)
where the function is defined as encryption of SPI _ SK using BAK. Since SPI _ SK consists of SPI _ RAND and BAK _ ID, equation (13) may be given as:
SK=f(SPI_RAND,BAK_ID) (14)
a second example embodiment for implementing SK updating introduces an additional randomness aspect to SK computation, where SK is defined as a function of BAK, SPI _ RAND, and an additional parameter RAND. The RAND parameter remains constant for several SK values. RAND enables more different SK values to be derived from a single BAK value by varying SPI _ SK and RAND. If RAND is not used, there is a maximum of 232The SK value of (a) can be derived from a single BAK by varying SPI. However, if a 96-bit RAND is used, there may be up to 2218Individual SK values are derived from a single BAK by varying SPI _ RAND and RAND. (these numbers do not account for the bits of the SPI used to represent the BAK _ ID). Now, instead of SPI _ SK identifying only BAK, SPI _ SK must also contain information identifying RAND. To achieve the RAND value, SPI _ SK is formed with three parts: 1) BAK _ ID identifies the BAK value to be used; 2) RAND _ ID identifies the RAND to be used; and 3) the SPI _ RAND value provides randomness that changes frequently within the SPI _ SK.
Fig. 12 illustrates the SPI _ SK 800 portion of an IP packet, including SPI _ RAND 802, BAK _ ID 804, and RAND _ ID 806. SPI _ RAND 802 and BAK _ ID 804 are as described above. To maintain SPI _ SK at a predetermined or particular bit length, SPI _ RAND 802 may use fewer bits than SPI _ RAND612 in fig. 9B, which allows RAND ID 806 to be used. RAND _ ID 806 corresponds to the RAND value used to calculate SK, and may be a four-bit flag or other identifier. The RAND _ ID and corresponding RAND value are stored in a LUT at the receiver. Fig. 12B illustrates RAND LUT 820. The RAND LUT 820 includes entries for each RAND value, listing the RAND _ ID and the timeout associated with the RAND value.
Fig. 13 illustrates the operation 900 of the CS. For each IP packet, the transmitter determines the BAK used to derive the SK and determines the BAK _ ID of the corresponding BAK in step 902. The BAK ID may be any type of identifier that can distinguish between multiple BAK values. The CS sends the BAK and BAK _ ID to a single user by implementing the subscription at step 904. The user may fulfill the subscription at different times before or during the subscription period. Steps 902 and 904 may occur before the start of the reserved period. In step 906, the transmitter selects a RAND value and determines a corresponding RAND _ ID. In step 908, the CS may send the RAND and RAND _ ID to the MS separately or on a broadcast channel for broadcasting. The RAND value need not be secret, so it is not encrypted. If the RAND and RAND _ ID are broadcast, there should not be much time between retransmissions so that the MS does not need to wait a long time before obtaining the RAND value. Broadcasting RAND and RAND _ ID uses a large bandwidth in time. However, if there are a large number of users tuned to the channel, a large amount of bandwidth is required to send RAND to each user individually. As a result, RAND and RAND _ ID can only be broadcast if there are a large number of users tuned to the channel. At step 910, the CS selects a random value of SPI _ RAND.
Once the SPI _ RAND, the BAK _ ID, and RAND _ ID are known, the transmitter combines them (e.g., concatenates RAND _ ID and BAK _ ID into SPI _ RAND) to form SPI _ SK in step 912. In step 914, the CS uses a cryptographic function to combine SPI _ RAND, BAK (identified with BAK _ ID), and RAND (identified with RAND _ ID) to form SK. The CS then encrypts the broadcast message or message portion with the SK at step 916 and sends the encrypted message at step 918. It is noted that the encrypted broadcast message is part of an IP packet that includes an IP header and an ESP header. The ESP header includes SPI _ SK. At decision diamond 920, the CS decides whether to change SK. If the CS decides not to change the SK, the CS proceeds to step 916. If the CS decides to change SK, the CS proceeds to decision diamond 922 where the CS decides whether to change RAND. If the CS decides not to change RAND, the CS proceeds to step 910. If the CS decides to change RAND, the CS proceeds to decision diamond 924 where the CS decides whether to change BAK. If the CS decides not to change BAK, the CS proceeds to step 906. If the CS decides to change BAK, the CS returns to step 902.
Fig. 14 illustrates the corresponding operation at a receiver, such as an MS. The method 950 begins when the receiver receives an IP packet containing SPI _ SK within the ESP header at step 952. It is worth noting that the receiver extracts the SPI _ SK information from the IP packets. Upon receiving the SPI _ SK, at decision diamond 952, the receiver first checks whether SK corresponding to the received SPI _ SK value is stored in memory. In one embodiment, SPI _ SK is stored in an SK LUT that is stored in ME unit 306 of FIG. 4, and in another embodiment SPI _ SK is stored in a security-related database, which tables are labeled as SPI tables in FIG. 14. Checking the SK LUT is implemented at decision diamond 954. If the SK value is stored in memory at the receiver, then at step 956 the receiver can decrypt the payload of the content packet using the stored SK value. If the receiver does not have an SK value stored in memory, the receiver extracts the BAK _ ID and SPI _ RAND from SPI _ SK in step 958. The receiver then checks the BAK LUT for valid BAK entries for the corresponding BAK _ ID, step 960. If the BAK LUT has a legitimate RAND for the BAK _ ID, the receiver selects that value and proceeds to step 964. If the bakut does not have a legitimate BAK for the BAK _ ID, then (if the user wishes to subscribe for the period) the receiver implements the subscription to obtain a legitimate BAK, as shown in step 962. The new BAK is stored in the BAK LUT at the BAK _ ID, and the receiver proceeds to step 864. At step 964, the receive then checks the RAND LUT for legitimate RAND entries for the corresponding RAND _ ID. If the RAND LUT has a legitimate RAND corresponding to RAND _ ID, the receiver selects the value and proceeds to step 964. If the RAND LUT does not have a legitimate RAND for the RAND _ ID, then the receiver obtains the RAND and RAND _ ID, either by requesting the value from the CS or from a broadcast, as shown in step 966. The new RAND value is stored in the RAND LUT at RAND _ ID and the receiver proceeds to step 968. The receiver combines the BAK corresponding to the BAK _ ID value, the RAND corresponding to the RAND _ ID value (i.e., RAND _ ID within the received SPI _ SK), and the SPI _ RAND value (also within the received SPI _ SK) to form a new SK at step 968. The receiver then uses the new SK value to decrypt the payload of the content packet at step 970. The receiver also stores the SK value indexed by the corresponding SPI _ SK and possibly the destination address of the IPSec packet.
The frequency of change of RAND is not as high as SPI _ RAND. The RAND value is the same for all mobile stations listening to the broadcast. Thus, the RAND may be broadcast to all mobile stations and is not necessarily encrypted specifically per recipient. Thus, if there are enough mobile stations to listen to the broadcast stream, it is more efficient to have the air interface broadcast the RAND value to all mobile stations several times than to need each mobile station to request the RAND value from the CS separately.
According to one embodiment, the SK calculation is given as follows:
SK=f(SPI_SK,BAK,RAND),(15)
where the function is defined as encrypting SPI SK using BAK. Since the SPI _ SK is composed of SPI _ RAND, BAK _ ID and RAND _ ID. Equation (15) can also be given as:
SK=f(SPI_RAND,BAK_ID,RAND_ID,RAND)(16)
it is noted that using the RAND value may introduce some "outage period" because the receiver needs to receive the RAND value when changing. However, these periods are less frequent than when the SK is updated on separate streams and the receiver waits for periodic updates. RAND is designed to be slower than the change in SK value, so updates to RAND are sent less frequently. The CS may wish to reduce the probability of "interruptions" being generated when the MS stops listening to a channel due to lost signals, tuning to another channel, or responding to an interruption, such as a telephone call. The interruption is most likely to occur at the beginning of the lifetime of the RAND value. To address this, the CS may rebroadcast new RAND values more frequently when the new RAND becomes legitimate. At the end of the lifetime of RAND, it may be necessary to broadcast the current RAND value and the next RAND value. The RAND value should not be predictable and the CS should be able to start sending RAND a short time before it becomes legitimate.
As described above, according to the third exemplary embodiment, SK is derived from BAK, system time, and a broadcast random value referred to as SK _ RAND. Fig. 7C illustrates a method of updating a key for security encryption in a wireless communication system supporting a broadcast service. The method 440 implements the time periods as given in fig. 7E. BAK is periodically updated at time period T1. Timer T1 is started when BAK is calculated and when T1 times out. SK, referred to as SK _ RAND, is computed using variables, which are periodically updated at time period T2. When SK _ RAND is generated and a time out at T2, timer T2 starts. In one embodiment, SK is further updated periodically with a time period T3. A timer T3 is started when each SK is generated and times out at time T3. The SK _ RAND is generated at the CS and provided to the MS periodically. The MS and CS use the SK _ RAND to generate SK, as will be described in detail below.
The first timer t1 is reset when the applicable BAK value is updated. The length of time between two BAK updates is the update period of the BAK. In an example embodiment, the BAK update period is one month, however, other embodiments may achieve any time period required for optimal operation of the system, or meet various system criteria.
Continuing with fig. 7C, the method 440 starts a timer T2 at step 442 to start the SK _ REG time period T2. At step 444, the CS generates SK _ RAND and provides the value to the transmit circuitry for transmission throughout the system. The timer T3 begins at step 446 to begin the SK period T3. At step 448, CS generates SK from SK _ RAND, BAK and TIME. The CS then encrypts the BC using the current SK at step 450. The encrypted product is the EBC, where the CS provides the ECB to the transmit circuitry for transmission within the system. If the timer t2 times out at decision diamond 452, the process returns to step 442. When T2 is less than T2, if the timer T3 times out at decision diamond 454, processing returns to step 446, otherwise processing returns to 450.
Fig. 7D illustrates an operation of the MS accessing the broadcast service. The method 460 first synchronizes the timers t2 and t3 with the value at CS at step 462. At step 464, the UIM of the MS receives the SK _ RAND generated by the CS. At step 466, the UIM generates SK using SK _ RAND, BAK, and a time measurement. The UIM passes the SK to the ME of the MS. The UIM then decrypts the received EBC using SK to extract the original BC at step 468. When the timer t2 times out at step 470, processing returns to step 462. When the timer T2 is less than T2, if the timer T3 times out at step 472, the timer T3 starts at step 474 and returns to 466.
Fig. 7E is a timing diagram of a key update period for a security option in a wireless communication system that supports broadcast transmissions. Key management and updating is illustrated in fig. 8C, where the CS applies a function 508 to generate an SK _ RAND value, which is an intermediate value used by the CS and MS to compute SK. In particular, function 508 applies the BAK value, SK _ RAND, and a time factor. While the embodiment in FIG. 8C applies a timer to determine when to update SK, other embodiments may use other measures to provide periodic updates, such as the occurrence of errors or other events. The CS provides each subscriber SK _ RAND value with the function 518 or 538 residing within each UIM applying the same function as function 508 of the CS. Function 518 operates on the SK _ RAND, BAK, and timer values to generate SK that is stored in a memory location within the ME, such as the ME1540 MEM1542, and MEN550 MEMN552。
As described above, according to the fourth exemplary embodiment, the SK is encrypted using the BAK to form SKI, which is transmitted to the MS. In an example embodiment, the SK is sent within an IPSec packet encrypted using BAK. The CS may also broadcast an SPI that may be used to identify the data encrypted with the SK. This embodiment need not be discussed further.
In the example embodiment described above, the CS may choose to update the SK as expected by the CS. The more frequently SK changes, the more frequently CS can prevent an attacker from publishing SK values. Sometimes an attacker may consider the benefit of publishing the SK value more than at other times. This is due to the nature of the content being broadcast. For example, at times of high importance, unsubscribed users may be more interested in receiving news on the HSBS and, therefore, may be more willing to pay for illegal access charges than at other times. At these times, the CS may add expense and inconvenience to deter attackers and unsubscribed users by changing SK more frequently than normal. The CS must know that this is limited to the processing power of the UIM. If the CS changes the SK too frequently, the UIM will not be able to calculate the SK value in real time, and the user will not be able to decrypt the content in real time.
Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, circuits, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various logical blocks, modules, and circuits disclosed in the illustrative embodiments herein may be implemented or performed in the manner of: a general purpose processor, a Digital Signal Processor (DSP) or other processor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, to implement the functions described herein. A general purpose processor is preferably a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, SPI _ SKPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary processor is preferably coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit, ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
The previous description of the preferred embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without the use of the inventive faculty. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (36)
1. A method for secure transmission, the method comprising the steps of:
a short-term key is obtained for the message to be transmitted,
obtaining an access key for the message, the access key having an access key identifier;
encrypting the message with the short-term key;
forming an IPSec packet header comprising the access key identifier and a random value; and
the encrypted message is sent with the IPSec packet header.
2. The method of claim 1, wherein the random value is associated with the short-term key.
3. The method of claim 1, wherein the short-term key is a function of the access key and the random value.
4. The method of claim 1, wherein the short-term key has a short-term key identifier that includes the access key identifier and the random value.
5. The method of claim 1, wherein the random value is a security parameter index value.
6. The method of claim 5, wherein the security parameter index value is a random number.
7. The method of claim 1, wherein the method operates in a content server and sends an encrypted message to a mobile device with the IPSec packet header.
8. The method of claim 1, wherein the sending of the encrypted message and the IPSec packet header is a wireless transmission.
9. A content server apparatus, the apparatus comprising processing circuitry for secure transmission, the processing circuitry to:
a short-term key is obtained for the message to be transmitted,
obtaining an access key for the message, the access key having an access key identifier;
encrypting the message with the short-term key;
forming an IPSec packet header comprising the access key identifier and a random value; and
the encrypted message is sent with the IPSec packet header.
10. The apparatus of claim 9, wherein the short-term key is a function of the access key and the random value.
11. The apparatus of claim 9, wherein the short term key has a short term key identifier that includes the access key identifier and the random value.
12. The apparatus of claim 9, wherein the random value is a security parameter index value.
13. A secure transmission device comprising:
means for obtaining a short-term key for a message to be transmitted;
means for obtaining an access key for the message, the access key having an access key identifier;
means for encrypting the message with the short-term key;
means for forming an IPSec packet header comprising the access key identifier and a random value; and
means for sending the encrypted message with the IPSec packet header.
14. The apparatus of claim 13, wherein the short-term key is a function of the access key and the random value.
15. The apparatus of claim 13, wherein the short term key has a short term key identifier that includes the access key identifier and the random value.
16. The apparatus of claim 13, wherein the random value is a security parameter index value.
17. An apparatus for secure transmission, comprising:
circuitry for obtaining a short-term key for a message to be transmitted,
circuitry for obtaining an access key for the message, the access key having an access key identifier;
circuitry for encrypting the message with the short-term key;
circuitry for forming an IPSec packet header comprising the access key identifier and a random value; and
circuitry for transmitting the encrypted message with the IPSec packet header.
18. The apparatus of claim 17, wherein the short-term key is a function of the access key and the random value.
19. A method for securely receiving a transmission, the method comprising the steps of:
receiving a transmission, the transmission including an access key identifier, a random value, and encrypted content;
determining an access key according to the access key identifier;
generating a short-term key according to the access key and the random value; and
decrypting the encrypted content in the transmission with the short-term key.
20. The method of claim 19, wherein the access key identifier and the random value define a short-term key identifier associated with the short-term key.
21. The method of claim 19, wherein the method is operating in a mobile device, and the transmission is a wireless transmission.
22. The method of claim 19, wherein the access key identifier and random value are part of a packet header of the transmission.
23. The method of claim 19, wherein the access key identifier and random value are specific to the transmission.
24. The method of claim 19, wherein the step for generating a short-term key comprises:
encrypting the random value with the access key to recover the short-term key.
25. A wireless communications apparatus that supports broadcast services, the apparatus comprising:
a wireless receiver to receive a transmission, the transmission including an access key identifier, a random value, and encrypted content;
a subscriber identification unit for recovering a short-term key for decrypting broadcast messages, the subscriber identification unit comprising processing circuitry for:
determining an access key according to the access key identifier;
generating a short-term key according to the access key and the random value;
a mobile device unit to decrypt the encrypted content in the transmission with the short-term key.
26. The apparatus of claim 25, wherein the access key identifier and the random value define a short-term key identifier associated with the short-term key.
27. The apparatus of claim 25, wherein the access key identifier and random value are part of a header of the transmitted IPSec packet.
28. The apparatus of claim 25, wherein the access key identifier and random value are specific to the transmission.
29. A wireless device for securely receiving a transmission, the wireless device comprising:
means for receiving a transmission, the transmission comprising an access key identifier, a random value, and encrypted content;
and means for determining an access key based on said access key identifier;
means for generating a short-term key from the access key and the random value; and
means for decrypting the encrypted content in the transmission with the short-term key.
30. The apparatus of claim 29, wherein the access key identifier and the random value define a short-term key identifier associated with the short-term key.
31. The apparatus of claim 29, wherein the access key identifier and random value are part of a header of the transmitted IPSec packet.
32. The apparatus of claim 29, wherein the access key identifier and random value are specific to the transmission.
33. An apparatus for securely receiving a broadcast, comprising:
circuitry for receiving a transmission, the transmission comprising an access key identifier, a random value, and encrypted content;
circuitry for determining an access key based on the access key identifier;
circuitry for generating a short-term key based on the access key and the random value; and
circuitry for decrypting the encrypted content in the transmission with the short-term key.
34. The apparatus of claim 33, wherein the access key identifier and random value are specific to the transmission.
35. The apparatus of claim 33, wherein the access key identifier and the random value define a short-term key identifier associated with the short-term key.
36. The apparatus of claim 33, wherein generating a short term key comprises encrypting the random value with the access key to recover the short term key.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/973,301 US7352868B2 (en) | 2001-10-09 | 2001-10-09 | Method and apparatus for security in a data processing system |
| US09/973,301 | 2001-10-09 |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| HK05108328.1A Addition HK1076553B (en) | 2001-10-09 | 2002-10-08 | Method and apparatus for security in a data processing system |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| HK05108328.1A Division HK1076553B (en) | 2001-10-09 | 2002-10-08 | Method and apparatus for security in a data processing system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1137269A1 HK1137269A1 (en) | 2010-07-23 |
| HK1137269B true HK1137269B (en) | 2015-08-14 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7352868B2 (en) | Method and apparatus for security in a data processing system | |
| CA2442656C (en) | Method and apparatus for security in a data processing system | |
| CN100380270C (en) | Method and apparatus for secure data transmission in a mobile communication system | |
| AU2002342014A1 (en) | Method and apparatus for security in a data processing system | |
| HK1137269B (en) | Method and apparatus for security in a data processing system | |
| HK1076553B (en) | Method and apparatus for security in a data processing system | |
| HK1149673B (en) | Method and apparatus for security in a data processing system | |
| HK1084201B (en) | Method and apparatus for secure data transmission in a mobile communication system | |
| HK1112548A (en) | Method and apparatus for secure data transmission in a mobile communication system |