Title:
COMMUNICATION DEVICE WITH SECURE STORAGE OF USER DATA
Document Type and Number:
WIPO Patent Application WO/2009/004411
Kind Code:
A1
Abstract:
A communication device 10 with storage 24 for securitised user data, comprising transceiver means 20 for transmitting and receiving communications to and from a network, authentication means 26 for storing inaccessibly at least one subscriber authentication private key Ki and using the subscriber authentication private key Ki in generating one or more cryptographic session keys Kc, and encryption means 18 for using a cryptographic session key Kc from the authentication means 26 in enciphering data for transmission to the network 14 and in deciphering enciphered data received from the network 14. The same encryption means 18 is operable to store 312 and to extract 314 enciphered user data to and from the data storage 24, and to use a cryptographic session key Kc from the same authentication means 26 in enciphering 310 and deciphering 316 the stored and extracted user data. The authentication means 26 is arranged to use the private key Ki with a public number RAND received from the network 14 to generate the cryptographic session key Kc for use internally of the device 10 to encipher and decipher data for transmission to and received from the network 14. The authentication means 26 is arranged to use the private key Ki with a number received from the device 10 to generate the session key Kc for use in enciphering and deciphering user data to be stored in and extracted from the data storage 24. The communication standard in the described embodiment is GSM.

Inventors:
D ALTON ALEXANDRE (FR)
Application Number:
PCT/IB2007/053435
Publication Date:
January 08, 2009
Filing Date:
July 04, 2007
Assignee:
FREESCALE SEMICONDUCTOR INC (US)
D ALTON ALEXANDRE (FR)
International Classes:
H04Q7/32
Domestic Patent References:
WO2004019552A1 2004-03-04
WO2006036521A1 2006-04-06
Foreign References:
EP1469692A2 2004-10-20
Claims:
1. A communication device (10) with storage (24) for securitised user data, comprising transceiver means (20) for transmitting and receiving communications to and from a network, authentication means (26) for storing inaccessibly at least one subscriber authentication private key (Ki) and using said subscriber authentication private key (Ki) in generating one or more cryptographic session keys (Kc), and encryption means (18) for using a cryptographic session key (Kc) from said authentication means (26) in enciphering data for transmission to the network (14) and in deciphering enciphered data received from the network (14), characterised in that said encryption means (18) is operable to store (312) and to extract (314) enciphered user data to and from said data storage (24), and to use a cryptographic session key (Kc) from said authentication means (26) in enciphering (310) and deciphering (316) the stored and extracted user data.

2. A communication device (10) with storage (24) for securitised user data as claimed in claim 1, wherein said authentication means (26) is arranged to use said private key (Ki) with a public number (RAND) received from the network (14) to generate (208) an authentication signature (SRES) for transmission to the network and to generate (208) said cryptographic session key (Kc) for use internally of the device (10) to encipher and decipher data for transmission to and received from the network (14), and to use said private key (Ki) with a number received from the device (10) to generate said session key (Kc) for use in enciphering and deciphering user data to be stored in and extracted from said data storage (24).

3. A communication device with storage (24) for securitised user data as claimed in claim 2, wherein said number received from the device (10) is derived from a user identification in the device.

4. A communication device with storage (24) for securitised user data as claimed in any preceding claim, wherein said authentication means (26) comprises an integrated circuit (28) including memory that is inaccessible externally from said integrated circuit, said subscriber authentication private key (Ki) being stored in said externally inaccessible memory.

5. A communication device with storage (24) for securitised user data as claimed in any preceding claim, wherein said communication device (10) enables communication in accordance with the Global System for Mobile communications Technical Specification 'GTS'.

6. A communication device with storage (24) for securitised user data as claimed in claim 5, wherein said authentication means (26) is arranged to use the Algorithm A8 or A38 as defined by the GTS using said private cryptographic key (Ki) in calculating said one or more cryptographic session keys (Kc).

7. A communication device with storage (24) for securitised user data as claimed in claim 5 or 6, wherein said encryption means (18) is arranged to use the cipher Algorithm A5 as defined by the GTS.

Description:

Field of the invention

This invention relates to a communication device with user data storage.

Background of the invention

Communication devices existing today include portable apparatus whose primary function is communication such as portable telephony or electronic messaging. An example of portable telephony (or cell telephony) is the Global System for Mobile communications ('GSM') digital cellular telecommunications system. More and more, portable telephones also fulfil other functions, such as storing personal details similarly to portable digital assistants and electronic files such as electronic messages, for example. Such user data stored in the device is often confidential and the device should be provided with a security function enabling a degree of restriction of access to stored user data. The present invention is applicable to portable telephones and other portable or non-portable communications devices.

Certain known communication devices have a password protection function enabling the user to require a password he chooses to be entered into the device in order to gain access to stored user data. However, the degree of protection often used to be relatively modest, since the protection only prevents display of the user data protected, the user data being stored in clear form, that is to say unciphered. Also, such protection obliges the user to remember yet another password.

Other known communication devices have a function enabling the user to cipher stored user data using a ciphering key only known by the user. However, the key itself is not always safely stored in the system. The provision of such a ciphering system for stored user data adds cost and complexity to the device.

An example of security in communication between a personal device and a host computer is given in U.S. Patent Specification No. 2003/0087601. U.S. Patent Specification 5,761,648 discloses an interactive marketing network and process using electronic certificates in on-line communications. There is a requirement for a more secure ciphering function for stored user data in a communication device that is inexpensive to implement.

Summary of the invention

The present invention provides a communication device as described in the accompanying claims.

Brief description of the drawings

Figure 1 is a block schematic diagram of a portable telephone system, including a handset, a base station and a network, in which an embodiment of the invention, given by way of example, is implemented,

Figure 2 is a flow chart showing exchanges of signals and data in the system of Figure 1 between and within the handset and the network during authentication, transmission and reception,

Figure 3 is a flow chart showing exchanges of signals and data in the system of Figure 1 within the handset during storage and extraction of data.

Detailed description of the preferred embodiments

Figure 1 shows a portable telephone system operable in conformity with the Global System for Mobile communications ('GSM') digital cellular telecommunications system standards of the European Telecommunications Standards Institute ('ETSI'), although it will be appreciated that the invention is also applicable to other portable telephone standards and to portable telephones operable according to more than one standard. An example of the latter are the so-called 3rd Generation telephones with electronic messaging capability as well as wider communication bandwidth, which have functionalities enabling higher performance in storage of personal details and other confidential electronic files.

The system shown in Figure 1 comprises a handset 10, a base station 12 and a network 14 linking with the Public Land Mobile Network, and the land lines of the Public Switched Telephone Network. It will be appreciated that although only one of each is shown, the complete system will include multiple handsets and base stations.

The handset 10 includes a man-machine interface 'MMI' 16, comprising one or more visual display panels and a keyboard for data entry. In certain MMIs the display screen can be a touch panel enabling data to be entered by touching or writing on the panel. The handset 10 also includes a baseband processor 18 for processing signals received from or to be transmitted by a radio interface 20 over an antenna 22. Storage 24 is provided in the baseband processor 18 and the storage capacity may be increased by adding a memory card providing additional memory storage, in the form of non-volatile or flash memory, for example. In addition, the user inserts a Subscriber Identification Module 'SIM' card 26 into the handset, which is specific to his subscription account. The SIM card comprises a card support, facilitating handling, in which is mounted the SIM itself, a protected integrated circuit 28 and electrical contacts enabling electrical connection to the integrated circuit. The SIM stores one or more subscriber authentication private keys Ki in memory that is inaccessible from outside the IC and the SIM is operable to generate one or more cryptographic session keys Kc enabling encryption of transmissions from the handset 10, decryption of received signals and signatures SRES enabling authentication to the network 14.

The base station 12 includes an antenna 28 and RF and baseband interfaces 30 linking with the network 14 for reception and transmission. In telephony operation, for telephone transmission and reception, the portable telephone system shown in Figure 1 functions in conformity with the GSM standard.

The GSM standard includes a GSM Technical Specification (GTS) of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface (GSM 11.11), which defines the interface between the Subscriber Identity Module (SIM) and the Mobile Equipment (ME) 16 to 24 of a Mobile Station (MS) 10 for use during the network operation phase of GSM as well as those aspects of the internal organisation of the SIM 26 which are related to the network operation phase. This is to ensure interoperability between a SIM and an ME independently of the respective manufacturers and operators.

The following abbreviations are used in the GTS and will be used in this specification:

Kc: Cryptographic key; used by the cipher algorithm A5

Ki: Subscriber authentication key; the cryptographic key used by the authentication algorithm, A3, and cipher key generator, A8

RAND: A RANDom challenge issued by the network

SIM: Subscriber Identity Module

SRES: Signed RESponse calculated by a SIM

The security aspects of GSM are described in the normative references TS GSM 02.09 and TS GSM 03.20, which defines the ciphering algorithm A8. The security features supported by the SIM include enabling the following:

- authentication of the subscriber identity to the network;

- data confidentiality over the air interface;

- file access conditions.

Sub-clause 7.1 of the GTS: Authentication and cipher key generation procedure describes the authentication mechanism and cipher key generation which are invoked by the network.

The mobile station 10 stores permanently:

- authentication algorithm A3;

- encryption algorithm A5;

- ciphering key generating algorithm A8;

- individual subscriber authentication key Ki;

- ciphering key Kc;

In GSM telephone operation, the network 14 sends a Random Number (RAND) to the MS 10. The ME passes the RAND to the SIM in the command RUN GSM ALGORITHM. The SIM returns the values SRES and Kc to the ME which are derived using the algorithms and processes given below. The ME sends SRES to the network 14. The network compares this value with the value of SRES which it calculates for itself. The comparison of these SRES values provides the authentication. The value Kc is used by the ME 16 to 24 in any future enciphered communications with the network 14 until the next invocation of this mechanism.

A subscriber authentication private key Ki is used in this procedure. This key Ki has a length of 128 bits and is stored within the integrated circuit 28 of the SIM 26 for use within the SIM in the algorithms described below, the key Ki being inaccessible from outside the integrated circuit (28) of the SIM 26.

7.2 Algorithms and processes

The names and parameters of the algorithms supported by the SIM 26 are defined in TS GSM 03.20 [10].

These are:

- Algorithm A3 to authenticate the MS to the network;

- Algorithm A8 to generate the encryption key.

These algorithms may exist either discretely or combined (into A38) within the SIM. In either case the output on the SIM/ME interface is 12 bytes. The inputs to both A3 and A8, or to A38, are Ki (128 bits) internally derived in the SIM 26, and RAND (128 bits) across the SIM/ME interface. The output is SRES (32 bits)/Kc (64 bits) the coding of which is defined in the command RUN GSM ALGORITHM in clause 9.

When involved in GSM network operations the SIM 26 interfaces with an ME 16 to 24 with which messages are exchanged. A message can be a command or a response.

- A GSM command/response pair is a sequence consisting of a command and the associated response.

- A GSM procedure consists of one or more GSM command/response pairs which are used to perform all or part of an application-oriented task. A procedure shall be considered as a whole, that is to say, that the corresponding task is achieved if and only if the procedure is completed. The ME 16 to 24 shall ensure that, when operated according to the manufacturer's manual, any unspecified interruption of the sequence of command/response pairs which realises the procedure, leads to the abortion of the procedure itself.

- A GSM session of the SIM 26 in the GSM application is the interval of time starting at the completion of the SIM initialisation procedure and ending either with the start of the GSM session termination procedure, or at the first instant the link between the SIM and the ME is interrupted.

During the GSM network operation phase, the ME 16 to 24 plays the role of the master and the SIM 26 plays the role of the slave.

Subscriber identity authentication

3.1 Generality

The definition and operational requirements of subscriber identity authentication are given in GSM 02.09.

The authentication procedure will also be used to set the ciphering key (see clause 4). Therefore, it is performed after the subscriber identity (TMSI/IMSI) is known by the network and before the channel is encrypted.

Two network functions are necessary: the authentication procedure itself, and the key management inside the fixed subsystem.

3.2 The authentication procedure

The GSM communication authentication procedure 200 is shown in Figure 2 and consists of the following exchange between the fixed subsystem 14 and the MS 10.

- At 202, the fixed subsystem 14 transmits a non-predictable number RAND to the MS 10.

- The phone equipment 16 to 24 receives the number RAND and passes it to the SIM 26 at 204. At 206, the SIM 26 computes the signature of RAND, say SRES, using algorithm A3 and some secret information: the Individual Subscriber Authentication Key Ki.

- At 208, the SIM 26 passes the signature SRES to the phone equipment 16 to 24, which transmits the signature SRES to the fixed subsystem at 210.

- The fixed subsystem generates its version of SRES and Kc from its own stored value of Ki and algorithm A3 at 212 and tests SRES from the MS 10 for validity at 214 by checking identity of the two versions of SRES.

The Subscriber Authentication Key Ki is allocated, together with the IMSI, at subscription time and is stored in the internal secure memory of the SIM 26 before the SIM is delivered to the end-user.

Ki is stored on the network side in the Home Public Land Mobile Network (HPLMN), in a secure Authentication Centre (AuC).

4 Encryption of data to be stored in the Mobile Station

As shown in Figure 3, in this embodiment of the invention, the baseband processor 18 is operable to encrypt data presented in clear text before storage in the data storage memory 24 of the mobile station 10 and decrypt data extracted from the data storage.

- At the start of encryption or decryption, the baseband processor 18 generates a 'public key'. For example in this embodiment the end-user's identity number (or name in digital form) is entered or is extracted from storage in the SIM 26 or the processor 18 and is passed to the SIM 26 at 304 as the value of the number RAND, requesting a cipher session key Kc and a 'RUN_GSM_ALGORITHM' command from the SIM 26. At 306, the SIM 26 computes a cipher session key Kc (and SRES), using the GSM algorithms A3 and A8 or A38 and a private Individual Subscriber Authentication Key, Ki, stored inaccessibly in the integrated circuit 28 of the SIM and sends the cryptographic session key Kc and the 'RUN_GSM_ALGORITHM' command to the baseband processor 18 at 308. The Individual Subscriber Authentication Key Ki may be the same as that used for enciphering and deciphering transmission and reception of communications or may be a different key.

- For encryption, data presented in clear, unencrypted form is entered into Random Access Memory ('RAM') in the baseband processor 18, for example by using the MMI 16 or by receiving data from another source. The baseband processor 18 uses the cipher session key Kc to encrypt the data at 310 and sends the encrypted data at 312 to the data storage memory 24. The algorithm used in this embodiment of the invention is a symmetrical algorithm, in which the same session key is used for encryption and for decryption. The algorithm used for encryption and decryption of stored and extracted data may be the same algorithm as used for data communicated or may be a different algorithm; examples of suitable algorithms are various AES or triple DES algorithms. The data may be encrypted in the baseband processor 18, especially if large quantities of data are to be encrypted.

- For decryption, encrypted data is extracted from the data storage memory 24 and sent to the baseband processor 18 at 314. The baseband processor 18 uses the cipher session key Kc to decrypt the data at 316 and displays the decrypted data on the MMI 16 or transmits it for use elsewhere or stores it in clear form for subsequent use. The algorithm used in this embodiment of the invention is the same symmetrical algorithm as used for encrypting at 310 and the session key Kc is necessarily identical.

It will be appreciated that this embodiment of the invention offers a high degree of security of protection of stored data. No additional password is needed, avoiding the attendant issues of the password being forgotten or stored in clear form, which presents a security risk. Using the user's SIM card to generate the algorithm enciphering session key allows the user to only need his SIM PIN number to access his personal ciphered data.

- If the SIM card is changed, the data will not be available, preventing access to protected data in the data storage of the MS 10 by another user.

- If the SIM PIN has not been entered correctly, the data will not be available.

- The cost of the high level of protection is small, since only software adaptation is needed.
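The storage-key procedure of Figure 3 (steps 304 to 316), as an added example that is not part of the patent text: a simulated SIM holds Ki, and the handset derives RAND from a user identity to request Kc. HMAC-SHA256 stands in for the operator-specific A38 and a SHA-256 counter keystream stands in for the AES or triple DES cipher; the class and function names and the identity-to-RAND encoding are assumptions.

```python
import hashlib
import hmac


class SimulatedSim:
    """Stand-in for SIM 26: Ki stays inside; only SRES and Kc come out."""

    def __init__(self, ki: bytes):
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self.__ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        """Return (SRES, Kc): 4 + 8 = 12 bytes on the SIM/ME interface."""
        if len(rand) != 16:
            raise ValueError("RAND must be 128 bits")
        # ASSUMPTION: HMAC-SHA256 stands in for the operator's A3/A8 (A38).
        out = hmac.new(self.__ki, rand, hashlib.sha256).digest()
        return out[:4], out[4:12]


def rand_from_identity(identity: str) -> bytes:
    """Step 304: device-generated RAND (hypothetical encoding of the identity)."""
    return hashlib.sha256(identity.encode("utf-8")).digest()[:16]


def storage_key(sim: SimulatedSim, identity: str) -> bytes:
    """Steps 304-308: ask the SIM for Kc using the identity-derived RAND."""
    _sres, kc = sim.run_gsm_algorithm(rand_from_identity(identity))
    return kc


def cipher(kc: bytes, data: bytes) -> bytes:
    """Steps 310/316: symmetric, so the same call enciphers and deciphers.

    ASSUMPTION: a SHA-256 counter keystream stands in for AES or triple DES.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def demo():
    # Constructed sample values, not real subscriber data.
    sim_a = SimulatedSim(bytes(range(16)))
    sim_b = SimulatedSim(bytes(range(16, 32)))
    identity = "user-0001"
    note = b"PIN for the garage door: constructed sample"

    stored = cipher(storage_key(sim_a, identity), note)       # 310, 312
    same_sim = cipher(storage_key(sim_a, identity), stored)   # 314, 316
    other_sim = cipher(storage_key(sim_b, identity), stored)  # SIM changed
    return stored, same_sim, other_sim, note


if __name__ == "__main__":
    stored, same_sim, other_sim, note = demo()
    print("recovered with original SIM:", same_sim == note)
    print("recovered with another SIM: ", other_sim == note)
```

In this sketch a changed SIM yields unreadable bytes rather than an error, since no integrity check is modelled.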

While the embodiments of the invention shown in the drawings have been described with reference to telephony communication using the GSM specification, it will be appreciated that the invention is applicable to other telephony standards and, more generally, to other forms of communication.