United States Patent [19]
Dent et al.

[11] Patent Number: 5,812,955
[45] Date of Patent: *Sep. 22, 1998

[54] BASE STATION WHICH RELAYS CELLULAR VERIFICATION SIGNALS VIA A TELEPHONE WIRE NETWORK TO VERIFY A CELLULAR RADIO TELEPHONE

[75] Inventors: Paul Wilkinson Dent, Stehag; Jacobus Cornelius Haartsen, Staffanstorp, both of Sweden

[73] Assignee: Ericsson Inc., Research Triangle Park, N.C.

[*] Notice: The term of this patent shall not extend beyond the expiration date of Pat. No. 5,428,668.

[21] Appl. No.: 205,705

[22] Filed: Mar. 3, 1994

Related U.S. Application Data

[63] Continuation-in-part of Ser. No. 148,828, Nov. 4, 1993, Pat.

[51] Int. Cl. ........ H04Q 7/30
[52] U.S. Cl. ........ 455/561; 380/37
[58] Field of Search ........ 379/58, 59, 60, 379/61, 62, 63; 455/33.1, 33.2, 54.1, 11.1, 14, 461, 414, 445, 436, 561; 380/21

[56] References Cited

U.S. PATENT DOCUMENTS

4,953,198    8/1990   Daly et al.
4,979,205   12/1990   Haraguchi            379/61
4,989,230    1/1991   Gillig et al.        379/63 X
5,034,993    7/1991   Sasuta et al.
5,091,942    2/1992   Dent                 379/59 X
[illegible]           et al.               379/59
5,353,352   10/1994   Dent et al.          380/37
5,513,245    4/1996   Mizikovsky et al.    379/59
5,521,962    5/1996   Chavez, Jr.          379/60
5,521,963    5/1996   Shrader et al.       379/60
5,526,402    6/1996   Dent et al.          379/59
5,535,259    7/1996   Dent et al.          379/59
5,581,597   12/1996   Dent et al.          379/59
5,623,531    4/1997   Nilssen              379/56

FOREIGN PATENT DOCUMENTS

0 225 607      6/1987   European Pat. Off.
0 643 543 A2   3/1995   European Pat. Off.
5-48526        2/1993   Japan

OTHER PUBLICATIONS

Microcellular Structures and Their Performance, H. Persson, IEEE, 1992, pp. 413-418.
NTT to Market Cordless Telephone for Office Buildings, Comline Telecommunications, p. 4, Jun. 29, 1988.
SWBell Mobile Plans PCS, A. Lindstrom, Communications Week, No. 448, p. 6(1), Apr. 5, 1993.

(List continued on next page.)

Primary Examiner—William Cumming
Attorney, Agent, or Firm—Myers Bigel Sibley & Sajovec

[57] ABSTRACT

A secure radio personal communication system and method includes a base station which relays cellular verification signals between a wide area cellular network and a cellular terminal via the wire telephone network. Thus, cellular telephone calls which are routed to a cellular terminal via a base station, when the cellular terminal is within a local region covered by the base station, may be exchanged between the cellular network and cellular terminal over the wire telephone network. Calls from the wide area cellular network which are routed through the base station can thus employ the same security systems and methods which are employed by the wide area cellular network. Signals between the base station and the cellular terminal are preferably exchanged when the cellular terminal is parked in the base station. Verification and encryption signals may be exchanged. The same signals may be used for enhanced security when the base station is relaying wire network calls to the cellular terminal when the cellular terminal is in the local region. Alternatively, separate verification and encryption protocols may be used.

41 Claims, 12 Drawing Sheets

SAMSUNG EXHIBIT 1006
Page 1 of 29

OTHER PUBLICATIONS

Bell Atlantic and Motorola To Test Personal Communications Service, Warren Publishing, Inc., Audio Week, vol. 4, No. 7, Feb. 17, 1992.
RHCS Stake Claim on Personal Communications Licenses, Capitol Publications, Inc., FCC Week, vol. 7, No. 42, Nov. 5, 1990.
America’s First Personal Communications Service (PCS) Is Claimed, Audio Week, Apr. 5, 1993.
Nation’s First Commercial PCS Introduced by SW Bell, E. Messner, Network World, vol. 10, Issue 14, p. 4(2), Apr. 5, 1993.
Mitsubishi Electric To Enter Radio Base Station Market For Digital Cellular Phones, Mitsubishi Weekly, vol. 9, No. 9, Mar. 5, 1993, Digitized Information, Inc.
Wireless System Manufacturers Develop Microcell Equipment, Phillips Business Information, Inc., PCS News, vol. 4, No. 6, Mar. 18, 1993.
Cox Moves Ahead On Alternate Access, PCS, G. Kim, Multichannel News, vol. 12, No. 35, p. 33(1), Sep. 2, 1991.
New Service Moves Toward National Information Infrastructure Via PCS, Common Carrier Week, vol. 8, No. 7, p. 5(2), Feb. 17, 1992.
In Search Of A New Market, R. Schneiderman, Microwaves & RF, vol. 30, No. 8, p. 33(5), Aug. 1991.
Motorola Blurs Lines Between Cellular and Paging, Dealerscope Merchandising, vol. 35, No. 7, pp. 36, Jul. 1993.
Mitsubishi Electric to Enter Radio Base Station Market for Digital Cellular Phones, Comline Telecommunications, p. 9, Mar. 5, 1993.
Expected to Show Reference Design at COMDEX: Motor Sampling PCS Chip Set, Electronic Engineering Times, p. 1, Oct. 26, 1992.
Bell Atlantic and Motorola to Test Personal Communications Service, Audio Week, Feb. 17, 1992.
New Service Moves Toward National Information Infrastructure Via PCS, Common Carrier Week, Feb. 17, 1992.
M. Brussol, et al., Telepoint in France, Matra Communication, vol. 15, pp. 21-30, 1993.
Walker, Security in Mobile and Cordless Telecommunications, IEEE, pp. 493-496, 1992.

U.S. Patent    Sep. 22, 1998    Sheets 1 to 12 of 12    5,812,955

[Sheet 1 of 12: drawing not reproduced. Legible labels: RADIO NETWORK STATION 102, BASE STATION 110, TERMINAL 120; reference numerals 104, 106, 108, 114, 124.]

[Sheet 2 of 12: FIG. 1B, drawing not reproduced. Legible labels: RADIO NETWORK STATION 102; reference numerals 108, 122.]

[Sheet 3 of 12: FIG. 2, drawing not reproduced.]

[Sheet 4 of 12: block diagram, not reproduced. Labels are rotated in the scan and largely illegible; legible among them: TRANSCEIVER, CONTROL, DISPLAY.]

[Sheet 5 of 12: drawing not reproduced; no legible labels.]

[Sheet 6 of 12: block diagram, not reproduced. Legible labels: TRANSMIT CIRCUIT, RECEIVE CIRCUIT, TRANSCEIVER, CONTROL PROCESSOR, STORAGE MEANS, KEYPAD, DISPLAY, SPEAKER, MIC, SCANNER, OTHER; reference numerals 251, 255, 257, 259, 261, 263, 265, 267.]

[Sheet 7 of 12: flow chart, not reproduced. Legible step labels: DETECT, INITIALIZE CONDITIONS, INITIATE CALL, NOTIFY OF LOCATION, REQUEST CONTROL MESSAGE, RECEIVE CONTROL MESSAGE, STORE, TRANSMIT, STORE; step numerals 300, 302, 304, 306, 308, 310, 312, 314; one YES/NO decision.]

[Sheet 8 of 12: FIG. 7, drawing not reproduced.]

[Sheet 9 of 12: drawing not reproduced. Legible reference numeral: 100.]

[Sheet 10 of 12: FIG. 9, flow chart, not reproduced. Legible labels: 352; APPLY POWER TO TERMINAL 120; SCAN BASE STATION FREQUENCY; SIGNAL LEVEL ABOVE THRESHOLD?; COMMUNICATE TO NETWORK STATION 102; COMMUNICATE TO BASE STATION 110.]

[Sheet 11 of 12: FIG. 10A, flow chart, not reproduced. Legible labels: SECURITY, EXCHANGING, RELAYING; reference numeral 420; TO FIG. 10B.]

[Sheet 12 of 12: FIG. 10B, flow chart, not reproduced. Legible labels: FROM FIG. 10A; REACTIVATING; YES; reference numerals 432, 436.]

BASE STATION WHICH RELAYS CELLULAR VERIFICATION SIGNALS VIA A TELEPHONE WIRE NETWORK TO VERIFY A CELLULAR RADIO TELEPHONE

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation-in-Part of application Ser. No. 08/148,828 filed on Nov. 4, 1993, now U.S. Pat. No. 5,428,668, and assigned to the assignee of the present invention, the disclosure of which is incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates to communications systems and more particularly to radio personal communications systems for use within wide area cellular networks.

BACKGROUND OF THE INVENTION

Radio communications systems are increasingly being used for wireless mobile communications. An example of a radio communications system is a cellular phone network. Cellular radio communications systems are wide area communications networks which utilize a frequency (channel) reuse pattern. The design and operation of an analog cellular phone system is described in an article entitled Advanced Mobile Phone Service by Blecher, IEEE Transactions on Vehicular Technology, Vol. VT29, No. 2, May, 1980, pp. 238-244. The analog mobile cellular system is also referred to as the “AMPS” system.

Recently, digital cellular phone systems have also been proposed and implemented using a Time-Division Multiple Access (TDMA) architecture. Standards have also been set by the Electronics Industries Association (EIA) and the Telecommunications Industries Association (TIA) for an American Digital Cellular (ADC) architecture which is a dual mode analog and digital system following EIA/TIA document IS-54B. Telephones which implement the IS-54B dual mode architecture are presently being marketed by the assignee of the present invention. Different standards have been promulgated for digital cellular phone systems in Europe. The European digital cellular system, also referred to as GSM, also uses a TDMA architecture.

Proposals have recently been made to expand the cellular phone network into a radio personal communications system. The radio personal communications system provides mobile radio voice, digital, video and/or multimedia communications using radio personal communications terminals. Thus, any form of information may be sent and received. Radio personal communications terminals include a radio telephone, such as a cellular telephone, and may include other components for voice, digital, video and/or multimedia communications.

A radio personal communications system includes at least one telephone base station, also referred to herein as a “base station”. A base station is a low power transceiver which communicates with a radio personal communications terminal such as a cellular telephone over a limited distance, such as tens of meters, and is also electrically connected to the conventional public wire telephone network. The base station allows the owner of a radio personal communications terminal to directly access the wire telephone network without passing through the cellular phone network, whose access rates are typically more costly. When located outside the range of the base station, the personal communications terminal automatically communicates with the cellular phone network at the prevailing access rates.

A major problem in implementing a radio personal communications system is security for communications between the base station and the personal communications terminal. Modern cellular telephone networks include security systems and methods to prevent eavesdropping and telephone fraud. Eavesdropping may be prevented by using encryption of radio transmissions between a cellular phone and a cellular network. Fraud may be prevented by preventing radio telephone transmissions between the cellular phone and the cellular network unless identification information is successfully exchanged between the cellular phone and the cellular network. Existing cellular systems, such as the AMPS system, the ADC system, and the GSM system each include their own security systems and methods. Security should not be compromised by communications between the radio personal communications terminal and the base station of a radio personal communications system.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide an improved radio personal communications system including a base station and a radio personal communications terminal, and methods for using the same.

It is another object of the present invention to provide radio personal communications systems which do not compromise security of a wide area cellular system with which they interact.

In the present invention, a base station connects a wire telephone network to a radio personal communications terminal, also referred to herein as a “cellular terminal” or simply a “terminal”, within a local region of a wide area cellular network. The base station includes a wire telephone network connector, for connecting the base station to the wire telephone network. The base station relays cellular verification signals between the wide area cellular network and a cellular terminal via the wire telephone network connector. Thus, wireless telephone calls which are routed to the cellular terminal via the base station, when the cellular terminal is within the local region covered by the base station, may be secured by exchange of data between the cellular network and cellular terminal over the wire telephone network via the wire telephone connector and the base station. Calls from the public switched telephone network including the wide area cellular network which are routed through the base station can thus employ the same security systems and methods which are employed by the wide area cellular network.

In a preferred embodiment, the telephone base station includes a coupler which is adapted for cooperatively mating with a cellular terminal which is parked in the base station. The coupler couples the cellular security information between the cellular terminal and the base station. Cellular security information can include encryption keys that are relayed from the wide area cellular network to the cellular terminal via the wire telephone connector for use in encrypting communications with the base station.

Enhanced security is provided by relaying the security information between the cellular terminal and the base station when the cellular terminal is parked in the base station, to avoid their radio frequency transmission. Exchanged security information can also include authentication signals that bilaterally verify both the identity of the cellular phone to the cellular network and the identity of the network to the phone, as described in U.S. patent application Ser. No. 08/043,758 and U.S. Pat. No. 5,091,942, the disclosure of both of which are hereby incorporated herein by reference.

As an alternative to physically mating the terminal with the base however, signals may be relayed between the cellular terminal and the cellular network, via the base station and the wire network connector, by using radio frequency transmission over cellular frequencies, between the cellular terminal and the base station. This radio frequency transmission may be necessary when verification and encryption signals are exchanged upon reactivation of the base station, when the cellular terminal moves outside the local region and then returns to the local region. Telephone communication between the terminal and the public switched network via the base station is prevented unless the relayed cellular verification signals indicate that the radio telephone communication is authorized.

The base station and the cellular terminal may also exchange local verification information, separate from the cellular verification information, for communications between the base station and terminal when the terminal is within the local region and is receiving communications via the wire telephone network connector from the wire telephone network. Thus, the wide area cellular network need not be contacted in order to provide security for local communications between the cellular terminal and the base station within local region for calls originating from the wire telephone network.

It will be understood by those having skill in the art that the local authentication procedure preferably uses the same protocol as the cellular telephone verification procedure. The local authentication key is preferably exchanged when the cellular terminal is parked in the base station, via the coupler, but may also be established by exchanging radio frequency transmissions. Local encryption keys may also be established along with local authentication keys. Telephone communication between the terminal and the wire telephone network via the wire telephone network connector on a subsequent occasion is prevented unless the exchanged local authentication signals are consistent with the previously established authentication information.

The above described security systems serve two primary purposes. First they prevent an unauthorized cellular terminal from making calls via a base station for which someone else will be billed. Second, they prevent eavesdropping, which is otherwise easy when communications are transferred from the hardwired medium to the radio medium.

Eavesdropping may be prevented by the use of digital voice transmission using digital encryption. Digital encryption typically requires the use of a secret quantity or “key” known only to the cellular terminal and the base station with which it is communicating. One function of the security system is thus to establish this common key.

It is more secure to establish the key for encryption of conversations separately for each call, instead of using the same key forever, although the exposure risk in using the same key for several calls is small. Such temporary keys can be formed by combining a secret key with a random number upon call set up.

The secret key or A-key is preferably stored in both the cellular terminal and the base station or network in a non-accessible manner. At call set up, the base station transmits a random number RAND to the cellular terminal. The cellular terminal combines RAND and A-key to obtain a temporary key “B-key” and the base station does the same. The B-key is then used for encrypting further communication between the two units until it is overwritten by a subsequent exchange. If the transfer of the number to be called is part of the encrypted further communications, an unauthorized cellular terminal, that is unable to generate the correct B-key because it does not have access to the A-key, will not be able to continue and set up a call, thus preventing useful unauthorized access.

The above description shows that appropriate encryption may also inherently prevent fraud. An alternative technique of denying unauthorized access may also be used, called “authentication”. In authentication, a random number RAND is transmitted from the base station to the cellular terminal as described above. The RAND is in this case known as an authentication challenge. The cellular terminal combines RAND with A-key to obtain a response RESP to the challenge, and transmits RESP to the base station. The base station also locally computes RESP and checks the received version against its locally computed version. If they do not match, access is denied.

Authentication alone however does not guarantee that access will be denied to a fraudulent cellular terminal. For example, one could construct a false base station that issues many random challenges to a genuine cellular terminal in its vicinity and records the corresponding responses, increasing the probability of having in its memory a challenge-response pair that the real base station will accept. Even worse, it can initiate a call to the real base station, wait for the real base station to issue a challenge, then temporarily shut off its transmitter just as the genuine cellular terminal replies with RESP. When the real base station indicates it has accepted the call, the fraudulent base station starts up its transmitter again at a sufficient power level to overpower the genuine cellular terminal, and can then proceed to set up a call.

Encryption can be used to prevent these fraudulent practices, and can be used in combination with the authentication techniques described above. Encryption security depends on preventing access to the long-term secret A-key. This can be done by providing a device, such as an integrated circuit chip, that includes the A-key embedded in electronic form, an authentication algorithm processor, an electrical input for RAND and an electrical output for RESP and/or B-key.

The chip preferably provides no access to read out the A-key, and performs only one operation, namely to respond to a challenge with RAND by returning RESP and B-key. The internal processor buss that must be able to access the internally stored A-key is not accessible external to the chip and can even be prevented from access under a microscope and microprobe system by covering the chip with a metallic screening layer. Such a device is employed in the European GSM cellular system and is known as a “smart card”. In one form it is supplied to subscribers by their service providers in a thin, plug-in card like a credit-card.

The A-key of every subscriber for such a security system is stored in a secure computer somewhere in the cellular system. Information on a particular subscriber is stored in the network in his Home Location Register (HLR) which is part of a cellular exchange belonging to the service provider with whom he has a subscription. When a subscriber uses his cellular terminal to access a visited network (VLR), the cellular terminal first transmits its telephone number to the VLR. The VLR can identify that subscriber’s HLR from the telephone number and contacts the HLR via a telephone trunk signalling system known as signalling system no. 7 in Europe, or via a system called IS41 in the U.S. The VLR then requests security variables from the HLR that can be used to verify the mobile’s claimed identity and/or to encrypt the conversation, that is a RAND/RESP pair and a B-key. To reduce use of the trunk lines, several RAND/RESP/B-key triplets can be sent by the HLR to the VLR in the same transaction, sufficient perhaps for a day’s use at the visited location.

Another threat to the security of such a system is the possibility of unauthorized access to signalling system no. 7 or IS41 lines, which connect all telephone exchanges together, even those in different countries and continents. An unauthorized request to an HLR for security variables pertaining to particular telephone number can then be made. If the VLR were permitted to specify RAND, a previously used RAND could be specified and then the fraudulent VLR would receive a B-key that had the recorded call to be deciphered. Therefore, the VLR should not be allowed to specify the RAND, but rather it should be generated extemporaneously by the HLR. However, the fraudulent VLR would still receive a valid security triplet. This may not be useful for making fraudulent calls, as the real VLR would again contact the HLR and would receive new triplets not possessed by the fraudulent VLR. Nevertheless, it is preferable to prevent a fraudulent VLR from receiving any security information pertaining to any subscriber. This can be prevented if the HLR first issues only the RAND to the VLR, the VLR transmits it to the cellular terminal, the cellular terminal replies with RESP and the VLR conveys RESP to the HLR. Only if the HLR confirms the identity of the cellular terminal would it then release a B-key and possibly further triplets.

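
The staged release described above, in which the HLR generates RAND itself and hands out the B-key only after RESP has been verified, sketched in Python as an added example that is not part of the patent. The patent does not specify how RAND and the A-key are combined, so HMAC-SHA256 stands in for that algorithm; the class and function names, the key and response sizes, and the sample subscriber data are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


# ASSUMPTION: the patent only says RAND and the A-key are "combined".
# HMAC-SHA256 with a per-output label stands in for that algorithm here.
def _combine(a_key: bytes, rand: bytes, label: bytes, size: int) -> bytes:
    return hmac.new(a_key, label + rand, hashlib.sha256).digest()[:size]


def compute_resp(a_key: bytes, rand: bytes) -> bytes:
    """Authentication response RESP to the challenge RAND."""
    return _combine(a_key, rand, b"RESP", 8)


def compute_b_key(a_key: bytes, rand: bytes) -> bytes:
    """Temporary per-call encryption key (B-key)."""
    return _combine(a_key, rand, b"B-KEY", 16)


class Terminal:
    """Models the sealed chip: RAND in, RESP and B-key out, A-key never read out."""

    def __init__(self, number: str, a_key: bytes):
        self.number = number
        self._a_key = a_key

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return compute_resp(self._a_key, rand), compute_b_key(self._a_key, rand)


class HLR:
    """Home register: holds A-keys, picks RAND, releases B-key only after RESP checks."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._a_keys = dict(subscribers)
        self._pending: dict[str, bytes] = {}  # number -> outstanding RAND

    def issue_challenge(self, number: str, requested_rand: bytes | None = None) -> bytes:
        # A requester allowed to pick RAND could name the RAND of a recorded
        # call and be handed the matching B-key, so the request is refused.
        if requested_rand is not None:
            raise PermissionError("RAND is generated by the HLR only")
        if number not in self._a_keys:
            raise KeyError(number)
        rand = secrets.token_bytes(16)
        self._pending[number] = rand
        return rand

    def confirm(self, number: str, resp: bytes) -> bytes | None:
        """Return the B-key if RESP answers the outstanding RAND, else None."""
        rand = self._pending.pop(number, None)  # each challenge is single-use
        if rand is None:
            return None
        a_key = self._a_keys[number]
        if not hmac.compare_digest(compute_resp(a_key, rand), resp):
            return None
        return compute_b_key(a_key, rand)


class VLR:
    """Visited network: relays RAND and RESP and never holds the A-key."""

    def __init__(self, hlr: HLR):
        self._hlr = hlr

    def admit(self, terminal: Terminal) -> tuple[bytes | None, bytes]:
        rand = self._hlr.issue_challenge(terminal.number)
        resp, terminal_b_key = terminal.respond(rand)  # only RESP is transmitted
        network_b_key = self._hlr.confirm(terminal.number, resp)
        return network_b_key, terminal_b_key


def run_demo() -> dict[str, bool]:
    # Constructed sample data: the number and keys below are made up.
    number = "555-0100"
    a_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    hlr = HLR({number: a_key})
    vlr = VLR(hlr)

    network_key, terminal_key = vlr.admit(Terminal(number, a_key))
    clone_key, _ = vlr.admit(Terminal(number, secrets.token_bytes(16)))

    # A RESP recorded from an earlier exchange does not answer a fresh RAND.
    old_resp, _ = Terminal(number, a_key).respond(hlr.issue_challenge(number))
    hlr.issue_challenge(number)
    replay_key = hlr.confirm(number, old_resp)

    try:
        hlr.issue_challenge(number, requested_rand=b"\x00" * 16)
        rand_choice_refused = False
    except PermissionError:
        rand_choice_refused = True

    return {
        "genuine_admitted": network_key is not None and network_key == terminal_key,
        "clone_denied": clone_key is None,
        "replayed_resp_denied": replay_key is None,
        "rand_choice_refused": rand_choice_refused,
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```
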

The above described technique may still allow a false VLR to extract RAND/RESP pairs from genuine cellular terminals in the hope of collecting sufficient pairs to provide a high probability of being able to make a fraudulent access to the real system. This is prevented by introducing the bilateral authentication procedure described in the aforementioned patent application and U.S. patent that were above incorporated by reference. In a preferred implementation of bilateral authentication, the cellular terminal first identifies itself to the VLR. The VLR determines the cellular terminal’s HLR from the ID and contacts the HLR for security variables. The HLR extemporaneously issues a random challenge RAND and computes the B-key and two responses, RESP1 and RESP2 by combining RAND with the identified subscriber’s A-key. The HLR releases the RAND and the first response RESP1 only to the VLR. The VLR transmits RAND and RESP1 to the cellular terminal. The cellular terminal combines RAND with its stored A-key and