United States Patent [19]
Dent et al.

[11] Patent Number: 5,812,955
[45] Date of Patent: *Sep. 22, 1998

US005812955A

[54] BASE STATION WHICH RELAYS CELLULAR VERIFICATION SIGNALS VIA A TELEPHONE WIRE NETWORK TO VERIFY A CELLULAR RADIO TELEPHONE

[75] Inventors: Paul Wilkinson Dent, Stehag; Jacobus Cornelius Haartsen, Staffanstorp, both of Sweden

[73] Assignee: Ericsson Inc., Research Triangle Park, N.C.

[*] Notice: The term of this patent shall not extend beyond the expiration date of Pat. No. 5,428,668.

[21] Appl. No.: 205,705

[22] Filed: Mar. 3, 1994

Related U.S. Application Data

[63] Continuation-in-part of Ser. No. 148,828, Nov. 4, 1993, Pat. No. 5,428,668.

[51] Int. Cl. ....... H04Q 7/30
[52] U.S. Cl. ....... 455/561; 380/37
[58] Field of Search ....... 379/58, 59, 60, 61, 62, 63; 455/33.1, 33.2, 54.1, 11.1, 14, 461, 414, 445, 436, 561; 380/21

[56] References Cited

U.S. PATENT DOCUMENTS

4,953,198   8/1990  Daly et al.
4,979,205  12/1990  Haraguchi ....... 379/61
4,989,230   1/1991  Gillig et al.
5,034,993   7/1991  Sasuta et al. ....... 379/63 X
5,091,942   2/1992  Dent ....... 379/59 X
5,127,042   6/1992  Gillig et al.
5,260,988  11/1993  Schellinger et al. ....... 379/59
5,353,352  10/1994  Dent et al. ....... 380/37
5,513,245   4/1996  Mizikovsky et al. ....... 379/59
5,521,962   5/1996  Chavez, Jr. ....... 379/60
5,521,963   5/1996  Shrader et al. ....... 379/60
5,526,402   6/1996  Dent et al. ....... 379/59
5,535,259   7/1996  Dent et al. ....... 379/59
5,581,597  12/1996  Dent et al. ....... 379/59
5,623,531   4/1997  Nilssen ....... 379/56

FOREIGN PATENT DOCUMENTS

0 225 607      6/1987  European Pat. Off.
0 643 543 A2   3/1995  European Pat. Off.
5-48526        2/1993  Japan

OTHER PUBLICATIONS

Microcellular Structures and Their Performance, H. Persson, IEEE, 1992, pp. 413-418.
NTT to Market Cordless Telephone for Office Buildings, Comline Telecommunications, p. 4, Jun. 29, 1988.
SWBell Mobile Plans PCS, A. Lindstrom, Communications Week, No. 448, p. 6(1), Apr. 5, 1993.

(List continued on next page.)

Primary Examiner: William Cumming
Attorney, Agent, or Firm: Myers Bigel Sibley & Sajovec

[57] ABSTRACT

A secure radio personal communication system and method includes a base station which relays cellular verification signals between a wide area cellular network and a cellular terminal via the wire telephone network. Thus, cellular telephone calls which are routed to a cellular terminal via a base station, when the cellular terminal is within a local region covered by the base station, may be exchanged between the cellular network and cellular terminal over the wire telephone network. Calls from the wide area cellular network which are routed through the base station can thus employ the same security systems and methods which are employed by the wide area cellular network. Signals between the base station and the cellular terminal are preferably exchanged when the cellular terminal is parked in the base station. Verification and encryption signals may be exchanged. The same signals may be used for enhanced security when the base station is relaying wire network calls to the cellular terminal when the cellular terminal is in the local region. Alternatively, separate verification and encryption protocols may be used.

41 Claims, 12 Drawing Sheets

SAMSUNG EXHIBIT 1006
Page 1 of 29

OTHER PUBLICATIONS

In Search of a New Market, R. Schneiderman, Microwaves & RF, vol. 30, No. 8, p. 33(5), Aug. 1991.
Motorola Blurs Lines Between Cellular and Paging, Dealerscope Merchandising, vol. 35, No. 7, pp. 36, Jul. 1993.
Mitsubishi Electric to Enter Radio Base Station Market for Digital Cellular Phones, Comline Telecommunications, p. 9, Mar. 5, 1993.
Expected to Show Reference Design at COMDEX: Motor Sampling PCS Chip Set, Electronic Engineering Times, p. 1, Oct. 26, 1992.
Bell Atlantic and Motorola to Test Personal Communications Service, Audio Week, Feb. 17, 1992.
New Service Moves Toward National Information Infrastructure Via PCS, Common Carrier Week, Feb. 17, 1992.
M. Brussol, et al., Telepoint in France, Matra Communication, vol. 15, pp. 21-30, 1993.
Walker, Security in Mobile and Cordless Telecommunications, IEEE, pp. 493-496, 1992.
Bell Atlantic and Motorola To Test Personal Communications Service, Warren Publishing, Inc., Audio Week, vol. 4, No. 7, Feb. 17, 1992.
RHCS Stake Claim on Personal Communications Licenses, Capitol Publications, Inc., FCC Week, vol. 7, No. 42, Nov. 5, 1990.
America's First Personal Communications Service (PCS) Is Claimed, Audio Week, Apr. 5, 1993.
Nation's First Commercial PCS Introduced by SW Bell, E. Messner, Network World, vol. 10, Issue 14, p. 4(2), Apr. 5, 1993.
Mitsubishi Electric To Enter Radio Base Station Market For Digital Cellular Phones, Mitsubishi Weekly, vol. 9, No. 9, Mar. 5, 1993, Digitized Information, Inc.
Wireless System Manufacturers Develop Microcell Equipment, Phillips Business Information, Inc., PCS News, vol. 4, No. 6, Mar. 18, 1993.
Cox Moves Ahead on Alternate Access, PCS, G. Kim, Multichannel News, vol. 12, No. 35, p. 33(1), Sep. 2, 1991.
New Service Moves Toward National Information Infrastructure Via PCS, Common Carrier Week, vol. 8, No. 7, p. 5(2), Feb. 17, 1992.

[Drawing sheets 1 to 12 of U.S. Patent 5,812,955, Sep. 22, 1998. Only the labels below survive from the figures.]

Sheet 1 of 12: labels: base station 110; network station 102; reference numerals 104, 108, 112, 124.
Sheet 2 of 12: FIG. 1B. Labels: network station 102; terminal 120; reference numerals 108, 114.
Sheet 3 of 12: FIG. 2. Reference numeral 135.
Sheet 4 of 12: no legible labels.
Sheet 5 of 12: no legible labels.
Sheet 6 of 12: block diagram labels: transceiver; receive circuit; control processor; transmit circuit; storage means; keypad; speaker; scanner; display; mic; other; reference numerals 251 to 267.
Sheet 7 of 12: flowchart labels: detect; initialize conditions; initiate call; notify of location; request control message; receive control message; store; transmit; store; yes/no decision; reference numerals 300 to 314.
Sheet 8 of 12: FIG. 7.
Sheet 9 of 12: reference numeral 100.
Sheet 10 of 12: FIG. 9. Flowchart labels: apply power to terminal 120; scan base station frequency; signal level above threshold?; communicate to network station 102; communicate to base station 110; reference numerals 352, 354, 358, 360.
Sheet 11 of 12: FIG. 10A. Labels: security; terminal coupled to base station?; exchanging; relaying; no; reference numerals 412, 420; to FIG. 10B.
Sheet 12 of 12: FIG. 10B. Labels: from FIG. 10A; reactivating; yes; reference numerals 434, 436.

BASE STATION WHICH RELAYS CELLULAR VERIFICATION SIGNALS VIA A TELEPHONE WIRE NETWORK TO VERIFY A CELLULAR RADIO TELEPHONE

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation-in-Part of application Ser. No. 08/148,828 filed on Nov. 4, 1993, now U.S. Pat. No. 5,428,668, and assigned to the assignee of the present invention, the disclosure of which is incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates to communications systems and more particularly to radio personal communications systems for use within wide area cellular networks.

BACKGROUND OF THE INVENTION

Radio communications systems are increasingly being used for wireless mobile communications. An example of a radio communications system is a cellular phone network. Cellular radio communications systems are wide area communications networks which utilize a frequency (channel) reuse pattern. The design and operation of an analog cellular phone system is described in an article entitled Advanced Mobile Phone Service by Blecher, IEEE Transactions on Vehicular Technology, Vol. VT29, No. 2, May, 1980, pp. 238-244. The analog mobile cellular system is also referred to as the “AMPS” system.

Recently, digital cellular phone systems have also been proposed and implemented using a Time-Division Multiple Access (TDMA) architecture. Standards have also been set by the Electronics Industries Association (EIA) and the Telecommunications Industries Association (TIA) for an American Digital Cellular (ADC) architecture which is a dual mode analog and digital system following EIA/TIA document IS-54B. Telephones which implement the IS-54B dual mode architecture are presently being marketed by the assignee of the present invention. Different standards have been promulgated for digital cellular phone systems in Europe. The European digital cellular system, also referred to as GSM, also uses a TDMA architecture.

Proposals have recently been made to expand the cellular phone network into a radio personal communications system. The radio personal communications system provides mobile radio voice, digital, video and/or multimedia communications using radio personal communications terminals. Thus, any form of information may be sent and received. Radio personal communications terminals include a radio telephone, such as a cellular telephone, and may include other components for voice, digital, video and/or multimedia communications.

A radio personal communications system includes at least one telephone base station, also referred to herein as a “base station”. A base station is a low power transceiver which communicates with a radio personal communications terminal such as a cellular telephone over a limited distance, such as tens of meters, and is also electrically connected to the conventional public wire telephone network. The base station allows the owner of a radio personal communications terminal to directly access the wire telephone network without passing through the cellular phone network, whose access rates are typically more costly. When located outside the range of the base station, the personal communications terminal automatically communicates with the cellular phone network at the prevailing access rates.

A major problem in implementing a radio personal communications system is security for communications between the base station and the personal communications terminal. Modern cellular telephone networks include security systems and methods to prevent eavesdropping and telephone fraud. Eavesdropping may be prevented by using encryption of radio transmissions between a cellular phone and a cellular network. Fraud may be prevented by preventing radio telephone transmissions between the cellular phone and the cellular network unless identification information is successfully exchanged between the cellular phone and the cellular network. Existing cellular systems, such as the AMPS system, the ADC system, and the GSM system each include their own security systems and methods. Security should not be compromised by communications between the radio personal communications terminal and the base station of a radio personal communications system.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide an improved radio personal communications system including a base station and a radio personal communications terminal, and methods for using the same.

It is another object of the present invention to provide radio personal communications systems which do not compromise security of a wide area cellular system with which they interact.

In the present invention, a base station connects a wire telephone network to a radio personal communications terminal, also referred to herein as a “cellular terminal” or simply a “terminal”, within a local region of a wide area cellular network. The base station includes a wire telephone network connector, for connecting the base station to the wire telephone network. The base station relays cellular verification signals between the wide area cellular network and a cellular terminal via the wire telephone network connector. Thus, wireless telephone calls which are routed to the cellular terminal via the base station, when the cellular terminal is within the local region covered by the base station, may be secured by exchange of data between the cellular network and cellular terminal over the wire telephone network via the wire telephone connector and the base station. Calls from the public switched telephone network including the wide area cellular network which are routed through the base station can thus employ the same security systems and methods which are employed by the wide area cellular network.

In a preferred embodiment, the telephone base station includes a coupler which is adapted for cooperatively mating with a cellular terminal which is parked in the base station. The coupler couples the cellular security information between the cellular terminal and the base station. Cellular security information can include encryption keys that are relayed from the wide area cellular network to the cellular terminal via the wire telephone connector for use in encrypting communications with the base station. Enhanced security is provided by relaying the security information between the cellular terminal and the base station when the cellular terminal is parked in the base station, to avoid their radio frequency transmission. Exchanged security information can also include authentication signals that bilaterally verify both the identity of the cellular phone to the cellular network and the identity of the network to the phone, as described in U.S. patent application Ser. No. 08/043,758 and U.S. Pat. No. 5,091,942, the disclosure of both of which are hereby incorporated herein by reference.

As an alternative to physically mating the terminal with the base however, signals may be relayed between the cellular terminal and the cellular network, via the base station and the wire network connector, by using radio frequency transmission over cellular frequencies, between the cellular terminal and the base station. This radio frequency transmission may be necessary when verification and encryption signals are exchanged upon reactivation of the base station, when the cellular terminal moves outside the local region and then returns to the local region. Telephone communication between the terminal and the public switched network via the base station is prevented unless the relayed cellular verification signals indicate that the radio telephone communication is authorized.

The base station and the cellular terminal may also exchange local verification information, separate from the cellular verification information, for communications between the base station and terminal when the terminal is within the local region and is receiving communications via the wire telephone network connector from the wire telephone network. Thus, the wide area cellular network need not be contacted in order to provide security for local communications between the cellular terminal and the base station within local region for calls originating from the wire telephone network.

It will be understood by those having skill in the art that the local authentication procedure preferably uses the same protocol as the cellular telephone verification procedure. The local authentication key is preferably exchanged when the cellular terminal is parked in the base station, via the coupler, but may also be established by exchanging radio frequency transmissions. Local encryption keys may also be established along with local authentication keys. Telephone communication between the terminal and the wire telephone network via the wire telephone network connector on a subsequent occasion is prevented unless the exchanged local authentication signals are consistent with the previously established authentication information.

The above described security systems serve two primary purposes. First they prevent an unauthorized cellular terminal from making calls via a base station for which someone else will be billed. Second, they prevent eavesdropping, which is otherwise easy when communications are transferred from the hardwired medium to the radio medium.

Eavesdropping may be prevented by the use of digital voice transmission using digital encryption. Digital encryption typically requires the use of a secret quantity or “key” known only to the cellular terminal and the base station with which it is communicating. One function of the security system is thus to establish this common key.

It is more secure to establish the key for encryption of conversations separately for each call, instead of using the same key forever, although the exposure risk in using the same key for several calls is small. Such temporary keys can be formed by combining a secret key with a random number upon call set up.

The secret key or A-key is preferably stored in both the cellular terminal and the base station or network in a non-accessible manner. At call set up, the base station transmits a random number RAND to the cellular terminal. The cellular terminal combines RAND and A-key to obtain a temporary key “B-key” and the base station does the same. The B-key is then used for encrypting further communication between the two units until it is overwritten by a subsequent exchange. If the transfer of the number to be called is part of the encrypted further communications, an unauthorized cellular terminal, that is unable to generate the correct B-key because it does not have access to the A-key, will not be able to continue and set up a call, thus preventing useful unauthorized access.

The above description shows that appropriate encryption may also inherently prevent fraud. An alternative technique of denying unauthorized access may also be used, called “authentication”. In authentication, a random number RAND is transmitted from the base station to the cellular terminal as described above. The RAND is in this case known as an authentication challenge. The cellular terminal combines RAND with A-key to obtain a response RESP to the challenge, and transmits RESP to the base station. The base station also locally computes RESP and checks the received version against its locally computed version. If they do not match, access is denied.

Authentication alone however does not guarantee that access will be denied to a fraudulent cellular terminal. For example, one could construct a false base station that issues many random challenges to a genuine cellular terminal in its vicinity and records the corresponding responses, increasing the probability of having in its memory a challenge-response pair that the real base station will accept. Even worse, it can initiate a call to the real base station, wait for the real base station to issue a challenge, then temporarily shut off its transmitter just as the genuine cellular terminal replies with RESP. When the real base station indicates it has accepted the call, the fraudulent base station starts up its transmitter again at a sufficient power level to overpower the genuine cellular terminal, and can then proceed to set up a call.

Encryption can be used to prevent these fraudulent practices, and can be used in combination with the authentication techniques described above. Encryption security depends on preventing access to the long-term secret A-key. This can be done by providing a device, such as an integrated circuit chip, that includes the A-key embedded in electronic form, an authentication algorithm processor, an electrical input for RAND and an electrical output for RESP and/or B-key.

The chip preferably provides no access to read out the A-key, and performs only one operation, namely to respond to a challenge with RAND by returning RESP and B-key. The internal processor buss that must be able to access the internally stored A-key is not accessible external to the chip and can even be prevented from access under a microscope and microprobe system by covering the chip with a metallic screening layer. Such a device is employed in the European GSM cellular system and is known as a “smart card”. In one form it is supplied to subscribers by their service providers in a thin, plug-in card like a credit-card.

The A-key of every subscriber for such a security system is stored in a secure computer somewhere in the cellular system. Information on a particular subscriber is stored in the network in his Home Location Register (HLR) which is part of a cellular exchange belonging to the service provider with whom he has a subscription. When a subscriber uses his cellular terminal to access a visited network (VLR), the cellular terminal first transmits its telephone number to the VLR. The VLR can identify that subscriber’s HLR from the telephone number and contacts the HLR via a telephone trunk signalling system known as signalling system no. 7 in Europe, or via a system called IS41 in the U.S. The VLR then requests security variables from the HLR that can be used to verify the mobile’s claimed identity and/or to encrypt the conversation, that is a RAND/RESP pair and a B-key. To reduce use of the trunk lines, several RAND/RESP/B-key triplets can be sent by the HLR to the VLR in the same transaction, sufficient perhaps for a day’s use at the visited location.

Another threat to the security of such a system is the possibility of unauthorized access to signalling system no. 7 or IS41 lines, which connect all telephone exchanges together, even those in different countries and continents. An unauthorized request to an HLR for security variables pertaining to particular telephone number can then be made. If the VLR were permitted to specify RAND, a previously used RAND could be specified and then the fraudulent VLR would receive a B-key that had the recorded call to be deciphered. Therefore, the VLR should not be allowed to specify the RAND, but rather it should be generated extemporaneously by the HLR. However, the fraudulent VLR would still receive a valid security triplet. This may not be useful for making fraudulent calls, as the real VLR would again contact the HLR and would receive new triplets not possessed by the fraudulent VLR. Nevertheless, it is preferable to prevent a fraudulent VLR from receiving any security information pertaining to any subscriber. This can be prevented if the HLR first issues only the RAND to the VLR, the VLR transmits it to the cellular terminal, the cellular terminal replies with RESP and the VLR conveys RESP to the HLR. Only if the HLR confirms the identity of the cellular terminal would it then release a B-key and possibly further triplets.

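The HLR/VLR exchange described above, together with the per-call B-key derivation and RAND/RESP check from the earlier paragraphs, modelled as an added example that is not part of the patent text. It contrasts an HLR interface that lets the requester pick RAND with one that issues its own RAND and releases the B-key only after a correct RESP. Assumptions: HMAC-SHA256 stands in for the unspecified function that combines RAND with the A-key, and all class names, function names, the subscriber number and the key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _combine(a_key: bytes, rand: bytes, purpose: bytes) -> bytes:
    """Assumed stand-in (HMAC-SHA256) for the unnamed 'combine RAND with A-key' step."""
    return hmac.new(a_key, purpose + rand, hashlib.sha256).digest()


def derive_resp(a_key: bytes, rand: bytes) -> bytes:
    """RESP: the answer to authentication challenge RAND."""
    return _combine(a_key, rand, b"RESP")[:8]


def derive_b_key(a_key: bytes, rand: bytes) -> bytes:
    """B-key: the temporary encryption key for one call."""
    return _combine(a_key, rand, b"BKEY")[:16]


class Terminal:
    """The sealed chip: RAND in, RESP and B-key out, no A-key read-out."""

    def __init__(self, number: str, a_key: bytes) -> None:
        self.number = number
        self._a_key = a_key

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return derive_resp(self._a_key, rand), derive_b_key(self._a_key, rand)


class HLR:
    def __init__(self) -> None:
        self._a_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}  # one outstanding RAND per subscriber

    def enroll(self, number: str, a_key: bytes) -> None:
        self._a_keys[number] = a_key

    def triplet_for_requested_rand(self, number: str, rand: bytes) -> Tuple[bytes, bytes, bytes]:
        """Weak design: the requester chooses RAND and receives the whole triplet."""
        a_key = self._a_keys[number]
        return rand, derive_resp(a_key, rand), derive_b_key(a_key, rand)

    def issue_challenge(self, number: str) -> bytes:
        """Hardened step 1: the HLR generates RAND itself and releases only RAND."""
        rand = secrets.token_bytes(16)
        self._pending[number] = rand
        return rand

    def release_b_key(self, number: str, resp: bytes) -> Optional[bytes]:
        """Hardened step 2: the B-key is released only for a correct RESP, once."""
        rand = self._pending.pop(number, None)  # challenge is spent, pass or fail
        if rand is None:
            return None
        a_key = self._a_keys[number]
        if not hmac.compare_digest(resp, derive_resp(a_key, rand)):
            return None
        return derive_b_key(a_key, rand)


def hardened_call_setup(hlr: HLR, terminal: Terminal) -> Tuple[Optional[bytes], bytes]:
    """The VLR's role: relay RAND to the terminal and RESP back to the HLR."""
    rand = hlr.issue_challenge(terminal.number)
    resp, terminal_b_key = terminal.respond(rand)
    return hlr.release_b_key(terminal.number, resp), terminal_b_key


def run_demo() -> dict:
    number = "555-0100"                                        # constructed subscriber
    a_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed A-key
    hlr = HLR()
    hlr.enroll(number, a_key)
    phone = Terminal(number, a_key)

    # An earlier call: its RAND crossed the air in clear, its B-key did not.
    recorded_rand = bytes.fromhex("a5" * 16)                   # constructed
    _, recorded_b_key = phone.respond(recorded_rand)

    # Weak interface: a request naming the old RAND returns the old call's key.
    _, _, returned_key = hlr.triplet_for_requested_rand(number, recorded_rand)

    # Hardened flow with the genuine terminal present.
    network_key, terminal_key = hardened_call_setup(hlr, phone)

    # Hardened flow with no terminal behind the request: a made-up RESP fails,
    # and the spent challenge cannot be retried.
    hlr.issue_challenge(number)
    bad_resp_result = hlr.release_b_key(number, bytes(8))
    retry_result = hlr.release_b_key(number, bytes(8))

    return {
        "weak_returns_recorded_key": returned_key == recorded_b_key,
        "hardened_keys_match": network_key is not None and network_key == terminal_key,
        "bad_resp_result": bad_resp_result,
        "retry_result": retry_result,
    }
```

Calling `run_demo()` returns the four outcomes as a dictionary; the model covers only the unilateral exchange, not the bilateral authentication the text goes on to introduce.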
The above described technique may still allow a false VLR to extract RAND/RESP pairs from genuine cellular terminals in the hope of collecting sufficient pairs to provide a high probability of being able to make a fraudulent access to the real system. This is prevented by introducing the bilateral authentication procedure described in the aforementioned patent application and U.S. patent that were above incorporated by reference. In a preferred implementation of bilateral authentication, the cellular terminal first identifies itself to the VLR. The VLR determines the cellular terminal’s HLR from the ID and contacts the HLR for