Authenticating mobile network provider equipment

Abstract
Providing mobile network security is disclosed. A first mobile network provider equipment registers using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register and embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output. An encryption data usable to communicate securely with a second mobile network provider equipment over a packet data network is received from the registration entity.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a block diagram illustrating elements of a typical GSM network.

FIG. 2 is a block diagram illustrating an embodiment of a mobile network with packet data network backhaul.

FIG. 3 is a block diagram illustrating an embodiment of a system 300 for authenticating mobile network provider equipment.

FIG. 4 is a flow chart illustrating an embodiment of a process for establishing a connection with a mobile network element, such as an aggregation gateway, via an IP or other packet data network.

FIG. 5 is a flow chart illustrating an embodiment of a process for mutually authenticating a base transceiver station (BTS) and registration server (RS), from the perspective of the BTS.

FIG. 6 is a flow chart illustrating an embodiment of a process for mutually authenticating a base transceiver station (BTS) and registration server (RS), from the perspective of the RS.

Claims
  • 1. A method of providing mobile network security, comprising: registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register and embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output; and receiving from the registration entity an encryption data usable to communicate securely with a second mobile network provider equipment over a packet data network.
  • 2. A method as recited in claim 1, wherein the encryption data comprises one or more keys.
  • 3. A method as recited in claim 2, wherein the one or more keys comprise one or more session keys.
  • 4. A method as recited in claim 1, wherein the first mobile network provider equipment and the second mobile network provider equipment are used in providing mobile network service to a mobile handset.
  • 5. A method as recited in claim 1, wherein the physical device comprises a smart card.
  • 6. A method as recited in claim 1, wherein the first mobile network provider equipment is a base transceiver station.
  • 7. A method as recited in claim 1, wherein the packet data network is used as a backhaul of a mobile network.
  • 8. A method as recited in claim 1, further comprising receiving a Uniform Resource Locator (URL) or an Internet Protocol (IP) address that can be used by the first mobile network provider equipment to locate the second mobile network provider equipment.
  • 9. A method as recited in claim 1, wherein registering the first mobile network provider equipment includes establishing a secure connection between the first network provider equipment and the registration entity.
  • 10. A method as recited in claim 9, wherein the secure connection comprises Secure Socket Layer (SSL) or other privacy-protected session.
  • 11. A method as recited in claim 1, wherein the second network provider equipment comprises a base station controller.
  • 12. A method as recited in claim 1, wherein the second network provider equipment comprises an entity forwarding data received from the first network provider equipment via the packet data network to a base station controller.
  • 13. A method as recited in claim 1, wherein the second network provider equipment and the registration entity are included in the same physical computing system.
  • 14. A method as recited in claim 13, wherein the second network provider equipment and the registration entity are both associated with different Internet Protocol (IP) addresses.
  • 15. A method as recited in claim 1, wherein the secret data is embodied in the physical device at a time the physical device is manufactured.
  • 16. A method as recited in claim 1, wherein the encryption data comprises one or more keys that can be used to communicate securely over the packet data network using at least one of the following protocols: Secure Real-time Transport Protocol (S-RTP) and Stream Control Transmission Protocol (SCTP).
  • 17. A method as recited in claim 1, wherein registering the first mobile network provider equipment using the secret data includes sending to the registration entity a random value, receiving from the registration entity a response to the random value, using the physical device to perform a computation using the secret data and the random value, comparing the result of the computation with the received response, and concluding the registration entity is trustworthy if the received response matches the result of the computation.
  • 18. A method as recited in claim 1, wherein registering the first mobile network provider equipment using the secret data includes receiving from the registration entity a random value, performing a computation using the physical device and the random value, and sending to the registration entity a result of the computation.
  • 19. A method as recited in claim 1, wherein the encryption data is associated with a prescribed or a specified lifetime.
  • 20. A method as recited in claim 1, wherein the encryption data is received both at the registration entity and at the second network provider equipment.
  • 21. A method as recited in claim 1, wherein encryption data is dynamically generated by the registration server.
  • 22. A system for providing mobile network security, comprising: a physical device in which a secret data is embodied in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output; a processor configured to use the physical device to register the system with a registration entity to which the secret data is known, including by using the secret data to perform the cryptographic function; and a communication interface configured to receive from the registration entity an encryption data usable to communicate securely with a mobile network provider equipment over a packet data network.
  • 23. A system as recited in claim 22, wherein the communication interface is further configured to receive from the registration entity a Uniform Resource Locator (URL) or an Internet Protocol (IP) address that can be used to locate the mobile network provider equipment.
  • 24. A system as recited in claim 22, wherein the physical device comprises a smart card.
  • 25. A system as recited in claim 22, wherein the system includes a base transceiver station.
  • 26. A system as recited in claim 22, wherein the encryption data comprises one or more keys that can be used to communicate securely over the packet data network using at least one of the following protocols: Secure Real-time Transport Protocol (S-RTP) and Stream Control Transmission Protocol (SCTP).
  • 27. A computer program product for providing mobile network security, the computer program product being embodied in a computer readable medium and comprising computer instructions for: registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register and embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output; and receiving from the registration entity an encryption data usable to communicate securely with a second mobile network provider equipment over a packet data network.
  • 28. A computer program product as recited in claim 27, wherein the first mobile network provider equipment and the second mobile network provider equipment are used in providing mobile network service to a mobile handset.
  • 29. A computer program product as recited in claim 27, wherein the physical device comprises a smart card.
  • 30. A computer program product as recited in claim 27, wherein the first mobile network provider equipment is a base transceiver station.
  • 31. A computer program product as recited in claim 27, wherein the encryption data comprises one or more keys that can be used to communicate securely over the packet data network using at least one of the following protocols: Secure Real-time Transport Protocol (S-RTP) and Stream Control Transmission Protocol (SCTP).
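As an added illustration, not code from the patent, the following Python models the mutual challenge-response registration of claims 17 and 18 and the issuance of encryption data with a lifetime and gateway address (claims 2, 8, 19 and 21). HMAC-SHA256 is an assumed stand-in for the unspecified cryptographic function, and the SecureElement and RegistrationServer names, the constructed secrets and the gateway address are all assumptions.

```python
import hmac, hashlib, secrets

class SecureElement:
    """Models the smart card of claim 5: it computes with the secret (HMAC-SHA256
    assumed here) but offers no operation that returns the secret itself."""
    def __init__(self, secret: bytes):
        self.__secret = secret            # provisioned at manufacture (claim 15); no accessor
    def compute(self, challenge: bytes) -> bytes:
        return hmac.new(self.__secret, challenge, hashlib.sha256).digest()

class RegistrationServer:
    """Registration entity: answers the BTS challenge (claim 17), issues its own
    challenge (claim 18) and, on success, hands out dynamically generated keys."""
    def __init__(self, provisioned: dict, gateway_addr: str, key_lifetime_s: int = 3600):
        self._secrets = provisioned       # bts_id -> secret shared with that BTS's card
        self._pending = {}                # bts_id -> outstanding RS challenge
        self.gateway_addr = gateway_addr
        self.key_lifetime_s = key_lifetime_s

    def start(self, bts_id: str, bts_challenge: bytes):
        rs_response = hmac.new(self._secrets[bts_id], bts_challenge, hashlib.sha256).digest()
        rs_challenge = secrets.token_bytes(16)
        self._pending[bts_id] = rs_challenge
        return rs_response, rs_challenge

    def finish(self, bts_id: str, bts_result: bytes):
        rs_challenge = self._pending.pop(bts_id, None)
        if rs_challenge is None:
            return None                   # no registration in progress for this BTS
        expected = hmac.new(self._secrets[bts_id], rs_challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bts_result):
            return None                   # BTS did not prove possession of the secret
        return {"session_key": secrets.token_bytes(32),   # dynamically generated (claim 21)
                "lifetime_s": self.key_lifetime_s,        # prescribed lifetime (claim 19)
                "gateway": self.gateway_addr}             # URL/IP of the second equipment (claim 8)

def register_bts(bts_id: str, card: SecureElement, rs: RegistrationServer):
    """BTS side of the exchange; returns the encryption data, or None on failure."""
    bts_challenge = secrets.token_bytes(16)
    rs_response, rs_challenge = rs.start(bts_id, bts_challenge)
    # Claim 17: recompute the RS answer on the card and compare in constant time.
    if not hmac.compare_digest(card.compute(bts_challenge), rs_response):
        return None                       # RS is not trustworthy; do not answer its challenge
    # Claim 18: answer the RS challenge with a card computation; the secret never leaves the card.
    return rs.finish(bts_id, card.compute(rs_challenge))
```

The BTS aborts before answering the server's challenge when the server fails to prove knowledge of the secret, so a rogue registration entity never obtains a response it could relay.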
Provisional Applications (1)
Number    Date      Country
60765259  Feb 2006  US