US20120002654A1 - Network and node for providing a secure transmission of mobile application part messages - Google Patents


Info

Publication number
US20120002654A1
Authority
US
United States
Prior art keywords
domain
map
gateway node
security
message
Legal status
Abandoned (as listed by Google Patents; not a legal conclusion)
Application number
US13/227,903
Inventor
Reijo Pekkala
Juha Saaskilahti
Karl-Johan Wiren
Current Assignee
Telefonaktiebolaget LM Ericsson AB (as listed by Google Patents; not verified)
Original Assignee
Individual
Priority claimed from DE10350226A (DE10350226B4)
Application filed by Individual
Priority to US13/227,903 (published as US20120002654A1)
Assigned to TELEFONAKTIEBOLAGET LM ERICSSON (PUBL): assignment of assignors' interest (see document for details). Assignors: SAASKILAHTI, JUHA; WIREN, KARL-JOHAN; PEKKALA, REIJO
Publication of US20120002654A1
Current legal status: Abandoned

Classifications

    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04W92/02: Interfaces specially adapted for wireless communication networks; inter-networking arrangements
    (Parent classes: H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security; H04W Wireless communication networks; H04W92/00 Interfaces specially adapted for wireless communication networks)

Definitions

  • the gateway node is connectable to a third domain and the gateway node performs a selective discarding of mobile application part messages received from the first domain and destined for the third domain and a selective discarding of mobile application part messages received from the third domain and destined for the first domain.
  • a secured communication is provided by the gateway node towards different domains. Also a basic level of security can be provided by the gateway node if unencrypted messages are transmitted in the third domain.
  • the gateway node performs as a firewall towards the third domain.
  • the gateway node is connectable to different domains, and levels of security are configurable for the different domains. By this a secure communication can be provided by the gateway node in a flexible way.
  • a level of security is configurable for one domain independently from a configuring of a level of security for another domain.
  • a fallback to a lower level of security than the level configured for a particular domain is allowable, and allowing this fallback is configurable for one domain independently from allowing a respective fallback for another domain.
  • a gateway node comprises an interface to a first domain of a telecommunication network for sending and receiving mobile application part messages.
  • the gateway node is remarkable in that it comprises an interface to a second domain of the telecommunication network for sending and receiving secured mobile application part messages.
  • the gateway node further comprises a conversion unit that is adapted to receive a mobile application part message via the interface to the first domain, to convert the received mobile application part message obtaining a secured mobile application part message, and to send the obtained message via the interface towards the second domain.
  • the conversion unit is further adapted to receive a secured mobile application part message via the interface to the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message and to send the extracted message via the interface towards the first domain.
  • the gateway node comprises an interface to a third domain for sending and receiving mobile application part messages and a filtering unit adapted to perform a selective discarding of mobile application part messages.
  • the gateway node is connectable to different domains, and the gateway node comprises a security database for storing indications of levels of security for the different domains.
  • the gateway node comprises a fallback store for storing, for a particular domain, an indication that a fallback to a lower level of security than the level configured for that domain is allowable; allowing this fallback is configurable for one domain independently from allowing a respective fallback for another domain.
  • FIG. 1 depicts a telecommunication network providing a transmission of mobile application part messages between a first domain and further domains, in which different kinds of security mechanisms are provided.
  • FIG. 2 depicts an architecture of a gateway node for converting a received MAP message obtaining a secured MAP message, and for extracting an unencrypted MAP message from a secured MAP message.
  • FIG. 3 depicts a flow chart comprising decision steps and processing steps that are performed during a set up of a secure communication channel.
  • FIG. 1 depicts a telecommunication network comprising a first domain PLMN-A, a second domain PLMN-B, a third domain PLMN-E, a fourth domain PLMN-C, and a fifth domain PLMN-D.
  • a domain can be e.g. a sub-network and the different domains can be sub-networks operated by different network operators.
  • the different domains of the telecommunication network comprise network nodes on which protocol instances of the MAP (mobile application part) protocol are implemented.
  • Communication channels between network nodes that are secured in that MAP messages are transmitted as MAP security messages are depicted as continuous thick lines.
  • Communication channels between network nodes via which mobile application part messages are transmitted as unsecured messages are depicted as continuous thin lines.
  • Connections for exchanging keys for encryption or decryption and other kinds of security information used for a mobile application part transport layer security are depicted as dashed double-headed arrows.
  • Connections for providing security information by a security database to a network node on which a mobile application part protocol instance is implemented are depicted as dotted lines.
  • the first domain PLMN-A comprises a first and a second network node NEA 1 and NEA 2 on which MAP protocol instances are installed.
  • the first domain PLMN-A is regarded as a secure domain of the telecommunication network. Therefore no encryption is applied to the MAP messages and unencrypted MAP messages can be exchanged by the MAP protocol instances within the first domain PLMN-A.
  • the first and the second network node NEA 1 and NEA 2 are connectable to other network nodes via a first gateway node MSEGA.
  • MAP messages from MAP protocol instances in the first domain PLMN-A to MAP protocol instances in the other domains are routed within the first domain PLMN-A towards the first gateway node MSEGA.
  • encrypted MAP messages and unencrypted MAP messages from other domains are routed towards the MAP protocol instances in the first domain via the first gateway node MSEGA.
  • the first gateway node MSEGA provides an encrypting of MAP messages received from protocol instances within the first domain PLMN-A wherein the encrypting complies with the MAP application layer security. Encrypted messages obtained by said encrypting comply with the MAP application layer security. Accordingly the first gateway node MSEGA provides a decrypting of secured MAP messages the content of which is destined to MAP protocol instances in the first domain PLMN-A and that are received from domains of the telecommunication network other than the first domain PLMN-A. Decrypted messages obtained by said decrypting comply with the MAP protocol.
  • the first gateway node MSEGA comprises a security database storing and providing security information used for the encryption of MAP messages and the decryption of secured MAP messages.
  • security information comprises keys for encrypting MAP messages, keys for decrypting secured MAP messages and security policies to be applied.
  • the first gateway node MSEGA is connected to other databases storing and providing security information.
  • the security database within the first gateway node MSEGA is connected to a security database in a second gateway node MSEGB via a first security information exchange connection IKEC_AB.
  • the security database within the first gateway node MSEGA is connected to a first security database KACC in the fourth domain PLMN-C via a second security information exchange connection IKEC_AC and to a second security database KACE in the third domain PLMN-E via a third security information exchange connection IKEC_AE.
  • the second domain PLMN-B comprises a third and a fourth network node NEB 1 and NEB 2 , that are connected to the first and the second network node NEA 1 and NEA 2 in the first domain PLMN-A via the second gateway node MSEGB.
  • the third and the fourth network node NEB 1 and NEB 2 each comprise MAP protocol instances.
  • the second domain PLMN-B is regarded as a secure domain of the telecommunication network. Therefore no encryption is applied to the MAP messages within the second domain and unencrypted MAP messages can be exchanged by the MAP protocol instances within the second domain PLMN-B.
  • a transmission of secured MAP messages between the first gateway node MSEGA and the second gateway node MSEGB is provided for by the first secured transmission channel SC_AB.
  • MAP messages from the second domain PLMN-B to other domains are routed via the second gateway node MSEGB and secured MAP messages towards the second domain PLMN-B are accordingly routed via the second gateway node MSEGB.
  • MAP messages between the first and the second domain PLMN-A and PLMN-B are transmitted as encrypted MAP messages via the first secured transmission channel SC_AB. Therefore a MAP message from a protocol instance in the first domain PLMN-A to a protocol instance in the second domain PLMN-B is routed in the first domain PLMN-A towards the first gateway node MSEGA.
  • the MAP message is received in the first gateway node MSEGA, encrypted applying encryption complying with the MAP application layer security and sent as encrypted MAP message via the first secured transmission channel SC_AB to the second gateway node MSEGB within the second domain PLMN-B.
  • the encrypted MAP message is decrypted in the second gateway node MSEGB obtaining a MAP message comprising the content of the original MAP message sent in the first domain PLMN-A.
  • the obtained MAP message is routed in the second domain PLMN-B towards a MAP protocol instance terminating the MAP message.
  • a MAP message from a MAP protocol instance in the second domain PLMN-B and destined for a MAP protocol instance in the first domain PLMN-A is routed in the second domain PLMN-B towards the second gateway node MSEGB and encrypted, obtaining a secured MAP message which is transmitted via the first secured transmission channel SC_AB to the first gateway node MSEGA in the first domain PLMN-A.
  • the secured MAP message is decrypted obtaining a MAP message comprising the content of the original MAP message sent in the second domain PLMN-B.
  • the obtained MAP message is routed in the first domain PLMN-A towards a destination MAP protocol instance that terminates the MAP message.
  • the fourth domain PLMN-C of the telecommunication network comprises a fifth and a sixth network node NEC 1 and NEC 2 , on each of which a MAP protocol instance and a conversion unit for MAP message encryption and decryption are installed.
  • the MAP protocol instances in the fifth and the sixth network node NEC 1 and NEC 2 are connected to the first gateway node MSEGA via a second and a third secured transmission channel SC_AC 1 and SC_AC 2 respectively.
  • the fourth domain PLMN-C further comprises a first security database KACC storing and providing security information used for the encryption of MAP messages and the decryption of secured MAP messages.
  • the first security database KACC provides security information to the conversion units in the fifth and the sixth network node NEC 1 and NEC 2 . To provide an exchanging of security information the first security database KACC is connected to the security database in the first gateway node MSEGA via a second security information exchange connection IKEC_AC.
  • Neither the transmission of unencrypted MAP messages within the fourth domain PLMN-C nor the transmission of unencrypted MAP messages from the fourth domain PLMN-C to other domains, e.g. to the first domain PLMN-A, is regarded as secure.
  • MAP messages between MAP protocol instances in the first domain PLMN-A and MAP protocol instances in the fourth domain PLMN-C are therefore encrypted and transmitted as secured MAP messages.
  • Message encryption and decryption for the MAP protocol instances in the fifth and the sixth network node NEC 1 and NEC 2 is performed by the respective conversion units in the fifth and the sixth network node NEC 1 and NEC 2 respectively.
  • the transmission of secured MAP messages between the first and the fourth domain, PLMN-A and PLMN-C shows that the invented solution is compatible with the implementation of MAP application layer security according to the state of the art, in which a conversion unit for MAP message encryption and decryption is provided for every MAP protocol instance.
  • a MAP message from the MAP protocol instance in the fifth network node NEC 1 destined to the MAP protocol instance in the first network node NEA 1 is forwarded in the fifth network node NEC 1 to the conversion unit in the fifth network node NEC 1 and encrypted obtaining a secured MAP message.
  • the obtained secured MAP message is sent via the second secured transmission channel SC_AC 1 to the first gateway node MSEGA.
  • the encrypted MAP message is decrypted in the first gateway node MSEGA, obtaining a MAP message comprising the content of the original MAP message sent by the MAP protocol instance in the fifth network node NEC 1.
  • the obtained MAP message is routed in the first domain towards the MAP protocol instance in the first network node NEA 1 terminating the MAP message.
  • a MAP message from the MAP protocol instance in the first network node NEA 1 destined for the MAP protocol instance in the fifth network node NEC 1 is routed in the first domain PLMN-A towards the first gateway node MSEGA and encrypted obtaining a secured MAP message.
  • the obtained secured MAP message is transmitted via the second secured transmission channel SC_AC 1 to the conversion unit in the fifth network node NEC 1 .
  • the conversion unit in the fifth network node NEC 1 decrypts the received secured MAP message obtaining a MAP message that comprises the content of the original MAP message sent in the first domain PLMN-A.
  • the obtained MAP message is handed over by the conversion unit in the fifth network node NEC 1 to the MAP protocol instance in the fifth network node NEC 1 .
  • the fifth domain PLMN-D of the telecommunication network comprises a seventh and an eighth network node NED 1 and NED 2 , on each of which a MAP protocol instance is installed.
  • the seventh and the eighth network node NED 1 and NED 2 are connected to the first gateway node MSEGA in the first domain PLMN-A via a first and a second unsecured communication channel USC_AD 1 and USC_AD 2 .
  • the first gateway node MSEGA performs a selective discarding of MAP messages received from the first domain PLMN-A and destined for the fifth domain PLMN-D and a selective discarding of mobile application part messages received from the fifth domain PLMN-D and destined for the first domain PLMN-A.
  • the selective discarding is based on an address in a MAP message or a type of a MAP message.
  • the selective discarding can be implemented in that the first gateway node MSEGA performs as a firewall towards the fifth domain PLMN-D.
  • the third domain PLMN-E of the telecommunication network comprises a ninth network node NEE 1 on which a MAP protocol instance and a conversion unit for MAP message encryption and decryption are installed and a tenth network node NEE 2 , on which a MAP protocol instance is installed.
  • the ninth network node NEE 1 is connected to the first gateway node MSEGA via fourth secure communication channel SC_AE, for which security information is provided by a third security database KACE and exchanged between the third security database KACE and the security database in the first gateway node MSEGA via a third security information exchange connection IKEC_AE.
  • the tenth network node NEE 2 is connected to the first gateway node MSEGA in the first domain PLMN-A via a third unsecured communication channel USC_AE.
  • the first gateway node MSEGA performs a selective discarding of MAP messages towards the third domain PLMN-E.
  • the selective discarding can be based on an address or a type of a MAP message and the selective discarding can be implemented in that the first gateway node MSEGA performs as a firewall towards the third domain PLMN-E.
  • in the architecture of FIG. 2, the gateway node comprises a MAP protocol instance SMAPPI, which is adapted to process secured and unsecured MAP messages.
  • the MAP protocol instance SMAPPI comprises a protocol machine for generating and answering to secured and unsecured MAP messages.
  • the MAP protocol instance SMAPPI communicates with a TCAP (transaction capabilities application part) protocol instance TCAPPI and with a MAP user protocol-instance MAPUPI by exchanging appropriate service data units.
  • the MAP user protocol instance MAPUPI is connected to an operation and maintenance unit OMU that provides operation and maintenance for the gateway node.
  • the TCAP protocol instance TCAPPI is further connected to a SCCP (Signaling Connection Control Part) protocol instance SCCPPI.
  • the SCCP protocol instance SCCPPI is connected to other network nodes on which MAP protocol instances are implemented for communicating using unsecured MAP messages via the Zf interface ZFI.
  • SCCP protocol instance SCCPPI is connected to other network nodes on which MAP protocol instances are implemented for communicating using unsecured MAP messages via a network interface NI.
  • the MAP protocol instance SMAPPI is connected to a cryptography unit CU, that is adapted to encrypt a MAP message obtaining a secured MAP message. Furthermore the cryptography unit CU is adapted to decrypt a secured MAP message for obtaining content of a respective unencrypted MAP message.
  • the cryptography unit CU is connected to a key exchange unit KEU for being provided with keys for encryption and keys for decryption.
  • the key exchange unit KEU is connected to other network nodes that perform an administration of encryption and decryption keys via a Zd interface ZDI.
  • the key exchange unit KEU is connected to a policy management unit PMU, that coordinates the negotiation of protection profiles and security associations for secure communication channels.
  • the policy management unit PMU is connected to a security policy database SPD and a security association database SAD for obtaining information needed for the negotiation of the protection profiles.
  • in the security policy database SPD, security policies to be applied for a secure communication channel are stored.
  • Information on a level of security indicated for a particular domain can be stored in a security domain information unit SDIU and provided to the policy management unit PMU in a negotiation of a security policy.
  • a security policy to be applied towards a particular domain of the communication network can be configured independently from a configuring of a security policy towards another domain.
  • a security policy can comprise an indicating whether MAP application layer security is to be applied towards a domain, an indicating whether unsecured transmission of MAP messages is allowed or an indicating that no communication using MAP messages is allowed towards a particular domain.
  • a security policy can also comprise the security mechanisms, such as encryption or integrity protection to be applied towards a particular domain.
  • Potential policies to be applied towards a domain can be preconfigured and stored as potential protection profiles in the security policy database SPD.
  • the policy management unit PMU can access the security database SPD to request a preconfigured protection profile.
  • security information to be used in a secure communication towards a domain is exchanged between the policy management unit PMU and a security database in that domain.
  • Security information can comprise an encryption or a decryption key and an indication for an algorithm to be used in an encryption or a decryption.
  • Security information is grouped in security associations and stored in the security association database SAD.
  • a database administration unit DAU is connected to the security policy database SPD and the security association database SAD such that both databases can be administered by the database administration unit DAU.
  • the database administration unit DAU and the security domain information unit SDIU can be controlled and configured using a user interface unit UI, advantageously comprising a graphical user interface or a device for command line interpretation.
  • the MAP protocol instance SMAPPI is connected to a fallback store FBS that stores for a particular domain an indication that a fallback to a lower level of security than the configured level of security for the particular domain is allowable.
  • the allowing of the fallback to the lower level of security is configurable for one domain independently from an allowing of a respective fallback to a lower level of security for another domain.
  • the MAP protocol instance SMAPPI can check in the fallback store FBS whether a fallback to a lower level of security is allowed towards that domain. If a fallback to a lower level of security is allowed towards the domain, the MAP message can be processed according to the level of security to which a fallback is allowed.
  • FIG. 3 depicts a sequence of decision steps and processing steps to be performed by a gateway node when a request for an unsecured communication channel using the MAP protocol is received in the gateway node.
  • the decision steps described preferably comprise a querying of a security database comprised in or connected to the gateway node.
  • the gateway node performs in a first decision step DS 1 a check, whether a communication is allowed towards the domain from which the request was issued. If a communication is not allowed, the request is discarded and logged by the gateway node in a first processing step PS 1 .
  • the gateway node performs in a second decision step DS 2 a check, whether an applying of MAP application layer security is mandatory according to a preconfigured level of security for a communication towards the domain that issued the request for the dialogue initiation. If an applying of MAP application layer security is not mandatory, the dialogue initiation is accepted in a second processing step PS 2 .
  • the gateway node performs in a third decision step DS 3 a check, whether a fallback to a lower level of security than the preconfigured level is allowed towards the domain from which the request was received. If a fallback to a lower level of security is allowed towards the domain, the dialogue initiation is accepted in a third processing step PS 3 .
  • the gateway node performs in a fourth decision step DS 4 a check, whether a secured transmission channel is mandatory for the type of message to which the dialogue initiation referred. If a secured transmission channel is not mandatory for the type of message, the dialogue initiation is accepted in a fourth processing step PS 4 .
  • the dialogue is aborted in a fifth processing step PS 5 .
  • the aborting of the dialogue advantageously comprises an outputting of a reason for the aborting of the dialogue.
  • the reason for the aborting advantageously specifies that a transport protection is not adequate for the type of message.
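The FIG. 3 admission flow (decision steps DS 1 to DS 4, processing steps PS 1 to PS 5) and the selective discarding by address or message type described for the fifth and third domains, as an added Python example that is not part of the patent. The `Gateway`, `DomainPolicy` and `Decision` classes, the per-domain policies modelled loosely on FIG. 1, and the MAP operation names used as message types are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Level(Enum):
    """Level of security configured towards a domain (security domain information unit)."""
    NONE = "no MAP communication allowed"
    UNSECURED = "unsecured MAP messages allowed"
    MAPSEC = "MAP application layer security mandatory"


@dataclass
class DomainPolicy:
    level: Level
    # Entry of the fallback store FBS: may this domain fall back to a
    # lower level of security than the configured one?
    fallback_allowed: bool = False
    # Filtering unit rules (selective discarding): message types and
    # addresses that are dropped towards / from this domain.
    discard_types: Set[str] = field(default_factory=set)
    discard_addresses: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    accepted: bool
    step: str      # processing step of FIG. 3 that was reached (PS1 .. PS5)
    reason: str


@dataclass
class Gateway:
    policies: Dict[str, DomainPolicy]
    # Message types for which a secured transmission channel is mandatory
    # regardless of domain (checked in DS4).
    secure_only_types: Set[str]
    log: List[str] = field(default_factory=list)

    def _policy(self, domain: str) -> DomainPolicy:
        # Assumption: an unknown domain is treated as "no communication allowed".
        return self.policies.get(domain, DomainPolicy(Level.NONE))

    def admit_unsecured_dialogue(self, domain: str, msg_type: str) -> Decision:
        """Decide on a request for an unsecured MAP dialogue issued from `domain`."""
        policy = self._policy(domain)
        # DS1: is MAP communication towards this domain allowed at all?
        if policy.level is Level.NONE:
            self.log.append(f"discarded {msg_type} from {domain}: communication not allowed")
            return Decision(False, "PS1", "communication not allowed; request discarded and logged")
        # DS2: is MAP application layer security mandatory for this domain?
        if policy.level is not Level.MAPSEC:
            return Decision(True, "PS2", "MAP application layer security not mandatory")
        # DS3: is a fallback to a lower level of security allowed (fallback store)?
        if policy.fallback_allowed:
            return Decision(True, "PS3", "fallback to lower level of security allowed")
        # DS4: is a secured transmission channel mandatory for this message type?
        if msg_type not in self.secure_only_types:
            return Decision(True, "PS4", "secured transmission not mandatory for this type")
        # PS5: abort the dialogue and report the reason.
        return Decision(False, "PS5", "transport protection is not adequate for the type of message")

    def filter_message(self, domain: str, address: str, msg_type: str) -> bool:
        """Selective discarding (firewall function): True if the message may pass."""
        policy = self._policy(domain)
        if policy.level is Level.NONE:
            return False
        if msg_type in policy.discard_types or address in policy.discard_addresses:
            self.log.append(f"discarded {msg_type} for {address} ({domain})")
            return False
        return True


# Constructed configuration loosely following FIG. 1 (not taken from the patent):
# PLMN-B and PLMN-C require MAPsec, PLMN-D is reached only over unsecured
# channels, PLMN-E has a secured and an unsecured channel, so fallback is allowed.
CONSTRUCTED_POLICIES = {
    "PLMN-B": DomainPolicy(Level.MAPSEC),
    "PLMN-C": DomainPolicy(Level.MAPSEC),
    "PLMN-D": DomainPolicy(Level.UNSECURED, discard_types={"updateLocation"}),
    "PLMN-E": DomainPolicy(Level.MAPSEC, fallback_allowed=True),
}
# Sample message types are MAP operation names used purely as illustrative values.
GATEWAY = Gateway(CONSTRUCTED_POLICIES, secure_only_types={"sendAuthenticationInfo"})


if __name__ == "__main__":
    for dom, mt in [("PLMN-X", "updateLocation"), ("PLMN-D", "updateLocation"),
                    ("PLMN-E", "sendAuthenticationInfo"), ("PLMN-B", "anyTimeInterrogation"),
                    ("PLMN-B", "sendAuthenticationInfo")]:
        d = GATEWAY.admit_unsecured_dialogue(dom, mt)
        print(f"{dom:7} {mt:24} {d.step} accepted={d.accepted}: {d.reason}")
```

Note that, following the flow as the page states it, an allowed fallback (PS 3) admits the dialogue before the per-message-type check of DS 4 is reached.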

Abstract

According to the present invention a telecommunication network with a first domain (PLMN-A) comprising at least one mobile application part protocol instance is connected to a gateway node (MSEGA) which is adapted to send and receive mobile application part messages and which is connectable to a second domain. The telecommunication network is remarkable in that the gateway node (MSEGA) is adapted to receive a mobile application part message from the first domain, to convert the received mobile application part message obtaining a secured mobile application part message, and to send the obtained message to the second domain. The gateway node (MSEGA) is further adapted to receive a secured mobile application part message from the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message and to send the extracted message to the first domain.

Description

  • This application is a continuation of U.S. application Ser. No. 10/595,447, filed Feb. 22, 2007, now pending, which was the National Stage of International Application No. PCT/EP03/11609, filed Oct. 31, 2003, which claims the benefit of German Application No. 103 50 226.2, filed Oct. 27, 2003, the disclosure of which is incorporated herein by reference.
  • FIELD OF INVENTION
  • The invention relates to a network and a node for providing a secure transmission of mobile application part messages.
  • DESCRIPTION OF PRIOR ART
  • The invention is related to a protocol layer for encrypting and decrypting messages according to the mobile application part (MAP) protocol. The MAP protocol is an application protocol in the protocol stack according to the signaling system number 7 (SS7). The MAP protocol that has been developed for mobile networks according to the Global System for Mobile Communications (GSM) standard. The MAP protocol is used for querying databases in GSM networks, such as a Visitor Location Register (VLR) or a Home Location Register (HLR). The transmission of MAP messages can be secured by an encrypting of a MAP message at a sending node and a decrypting of a MAP message in a receiving node. Encrypting and decrypting of MAP messages is part of a MAP application layer security that is described in the technical specification (TS) 33.200 of the third generation partnership project (3GPP).
  • Currently the need to secure the transmission of MAP messages has become prominent in networks that are used jointly by operators among which a relationship of trust has not yet been developed to the full extent.
  • According to the state of the art a unit for encrypting and decrypting MAP messages and a MAP protocol instance are implemented on a common physical node. This is not flexible and leads to large implementation costs if the MAP application layer security is introduced in a network comprising a large number of different network nodes, since every such node needs an encryption and decryption unit of its own.
  • OBJECT OF THE INVENTION
  • Therefore it is object of the invention to overcome the shortcomings of the state of the art and to provide a flexible and cost-efficient implementation of the MAP application layer security.
  • SUMMARY OF THE INVENTION
  • This object is solved by the telecommunication network of claim 1. The invention is also embodied in a gateway node according to claim 6. Advantageous embodiments are described in the dependent claims.
  • According to the present invention a telecommunication network with a first domain comprises at least one mobile application part protocol instance connected to a gateway node which is adapted to send and receive mobile application part messages and which is connectable to a second domain. The telecommunication network is remarkable in that the gateway node is adapted to receive a mobile application part message from the first domain, to convert the received mobile application part message obtaining a secured mobile application part message, and to send the obtained message towards the second domain. The gateway node is further adapted to receive a secured mobile application part message from the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message and to send the extracted message towards the first domain.
  • This provides a flexible way to implement mobile application part application layer security, as a further mobile application part protocol instance can be added to the first domain without an encryption unit of its own. Further, a cost-efficient implementation of mobile application part application layer security is provided for a first domain comprising different kinds of network nodes on which the mobile application part protocol is implemented.
  • In a further embodiment of the telecommunication network the gateway node is connectable to a third domain and the gateway node performs a selective discarding of mobile application part messages received from the first domain and destined for the third domain and a selective discarding of mobile application part messages received from the third domain and destined for the first domain.
  • By this a secured communication is provided by the gateway node towards different domains. Also a basic level of security can be provided by the gateway node if unencrypted messages are transmitted in the third domain.
  • In another embodiment of the telecommunication network, the gateway node performs as a firewall towards the third domain.
  • In an advantageous embodiment of the telecommunication network the gateway node is connectable to different domains, and levels of security are configurable for the different domains. By this a secure communication can be provided by the gateway node in a flexible way.
  • In an advantageous embodiment of the telecommunication network a level of security is configurable for one domain independently from a configuring of a level of security for another domain. By this a secure communication can be provided by the gateway node in a flexible way.
  • In a further advantageous embodiment of the telecommunication network, for a particular domain a fallback to a lower level of security than the configured level of security for that domain is allowable, and the allowing of the fallback to the lower level of security is configurable for one domain independently from the configuring of an allowing of a respective fallback to a lower level of security for another domain.
  • By this a fallback to a lower level of security can be allowed according to a level of trust towards a domain. This provides a flexible and secure way to connect the first domain to different other domains of the telecommunication networks.
  • In another embodiment of the invention a gateway node comprises an interface to a first domain of a telecommunication network for sending and receiving mobile application part messages. The gateway node is remarkable in that it comprises an interface to a second domain of the telecommunication network for sending and receiving secured mobile application part messages. The gateway node further comprises a conversion unit that is adapted to receive a mobile application part message via the interface to the first domain, to convert the received mobile application part message obtaining a secured mobile application part message, and to send the obtained message via the interface towards the second domain. The conversion unit is further adapted to receive a secured mobile application part message via the interface to the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message and to send the extracted message via the interface towards the first domain.
  • This provides a flexible way to implement mobile application part application layer security, as a further mobile application part protocol instance can be added to the first domain without an encryption unit of its own. Further, a cost-efficient implementation of mobile application part application layer security is provided for a first domain comprising different kinds of network nodes on which the mobile application part protocol is implemented.
  • In a further embodiment of the gateway node, the gateway node comprises an interface to a third domain for sending and receiving mobile application part messages and a filtering unit adapted to perform a selective discarding of mobile application part messages.
  • By this a secured communication is provided by the gateway node towards different domains. Also a basic level of security can be provided by the gateway node if unencrypted messages are transmitted in the third domain.
  • In another advantageous embodiment of the gateway node the gateway node performs as a firewall towards the third domain.
  • In a further advantageous embodiment of the gateway node, the gateway node is connectable to different domains, and the gateway node comprises a security database for storing indications of levels of security for the different domains. By this a secure communication can be provided by the gateway node in a flexible way.
  • In another advantageous embodiment of the gateway node, a level of security is configurable for one domain independently from a configuring of a level of security for another domain. By this a secure communication can be provided by the gateway node in a flexible way.
  • In a further advantageous embodiment of the gateway node, the gateway node comprises a fallback store for storing for a particular domain an indication that a fallback to a lower level of security than the configured level of security for the particular domain is allowable and the allowing of the fallback to the lower level of security is configurable for one domain independently from an allowing of a respective fallback to a lower level of security for another domain.
  • By this a fallback to a lower level of security can be allowed according to a level of trust towards a domain. This provides a flexible and secure way to connect the first domain to different other domains of the telecommunication network.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The following figures show:
  • FIG. 1 depicts a telecommunication network providing a transmission of mobile application part messages between a first domain and further domains, in which different kinds of security mechanisms are provided.
  • FIG. 2 depicts an architecture of a gateway node for converting a received MAP message obtaining a secured MAP message, and for extracting an unencrypted MAP message from a secured MAP message.
  • FIG. 3 depicts a flow chart comprising decision steps and processing steps that are performed during a set up of a secure communication channel.
  • DETAILED DESCRIPTION OF EMBODIMENTS
  • In the following the invention is described in more detail by means of embodiments and figures. Equal reference signs indicate equal elements.
  • FIG. 1 depicts a telecommunication network comprising a first domain PLMN-A, a second domain PLMN-B, a third domain PLMN-E, a fourth domain PLMN-C, and a fifth domain PLMN-D. A domain can be e.g. a sub-network and the different domains can be sub-networks operated by different network operators.
  • The different domains of the telecommunication network comprise network nodes on which protocol instances of the MAP (mobile application part) protocol are implemented. Communication channels between network nodes that are secured in that MAP messages are transmitted as MAP security messages are depicted as continuous thick lines. Communication channels between network nodes via which mobile application part messages are transmitted as unsecured messages are depicted as continuous thin lines. Connections for exchanging keys for encryption or decryption and other kinds of security information used for the mobile application part application layer security are depicted as dashed double-headed arrows. Connections for providing security information by a security database to a network node on which a mobile application part protocol instance is implemented are depicted as dotted lines.
  • The first domain PLMN-A comprises a first and a second network node NEA1 and NEA2 on which MAP protocol instances are installed. The first domain PLMN-A is regarded as a secure domain of the telecommunication network. Therefore no encryption is applied to the MAP messages and unencrypted MAP messages can be exchanged by the MAP protocol instances within the first domain PLMN-A.
  • To provide a connecting of the MAP protocol instances in the first domain PLMN-A to MAP protocol instances in the other domains of the telecommunication network, the first and the second network node NEA1 and NEA2 are connectable to other network nodes via a first gateway node MSEGA. MAP messages from MAP protocol instances in the first domain PLMN-A to MAP protocol instances in the other domains are routed within the first domain PLMN-A towards the first gateway node MSEGA. Conversely, encrypted MAP messages and unencrypted MAP messages from other domains are routed towards the MAP protocol instances in the first domain via the first gateway node MSEGA.
  • The first gateway node MSEGA encrypts MAP messages received from protocol instances within the first domain PLMN-A, wherein the encrypting complies with the MAP application layer security; the encrypted messages so obtained comply with the MAP application layer security. Conversely, the first gateway node MSEGA decrypts secured MAP messages that are received from domains of the telecommunication network other than the first domain PLMN-A and whose content is destined to MAP protocol instances in the first domain PLMN-A; the decrypted messages so obtained comply with the MAP protocol.
  • In an advantageous embodiment of the first gateway node MSEGA the first gateway node MSEGA comprises a security database storing and providing security information used for the encryption of MAP messages and the decryption of secured MAP messages. Such security information comprises keys for encrypting MAP messages, keys for decrypting secured MAP messages and security policies to be applied. To provide an exchanging of said security information the first gateway node MSEGA is connected to other databases storing and providing security information. In particular the security database within the first gateway node MSEGA is connected to a security database in a second gateway node MSEGB via a first security information exchange connection IKEC_AB. Moreover the security database within the first gateway node MSEGA is connected to a first security database KACC in the fourth domain PLMN-C via a second security information exchange connection IKEC_AC and to a second security database KACE in the third domain PLMN-E via a third security information exchange connection IKEC_AE.
  • The second domain PLMN-B comprises a third and a fourth network node NEB1 and NEB2, that are connected to the first and the second network node NEA1 and NEA2 in the first domain PLMN-A via the second gateway node MSEGB. The third and the fourth network node NEB1 and NEB2 each comprise MAP protocol instances. The second domain PLMN-B is regarded as a secure domain of the telecommunication network. Therefore no encryption is applied to the MAP messages within the second domain and unencrypted MAP messages can be exchanged by the MAP protocol instances within the second domain PLMN-B. A transmission of secured MAP messages between the first gateway node MSEGA and the second gateway node MSEGB is provided for by the first secured transmission channel SC_AB.
  • MAP messages from the second domain PLMN-B to other domains are routed via the second gateway node MSEGB and secured MAP messages towards the second domain PLMN-B are accordingly routed via the second gateway node MSEGB. As a transmission of unencrypted messages between the first and the second domain PLMN-A and PLMN-B is not regarded as secure, MAP messages between the first and the second domain PLMN-A and PLMN-B are transmitted as encrypted MAP messages via the first secured transmission channel SC_AB. Therefore a MAP message from a protocol instance in the first domain PLMN-A to a protocol instance in the second domain PLMN-B is routed in the first domain PLMN-A towards the first gateway node MSEGA. The MAP message is received in the first gateway node MSEGA, encrypted applying encryption complying with the MAP application layer security and sent as an encrypted MAP message via the first secured transmission channel SC_AB to the second gateway node MSEGB within the second domain PLMN-B. The encrypted MAP message is decrypted in the second gateway node MSEGB obtaining a MAP message comprising the content of the original MAP message sent in the first domain PLMN-A. The obtained MAP message is routed in the second domain PLMN-B towards a MAP protocol instance terminating the MAP message.
  • Accordingly a MAP message from a MAP protocol instance in the second domain PLMN-B and destined for a MAP protocol instance in the first domain PLMN-A is routed in the second domain PLMN-B towards the second gateway node MSEGB and encrypted, obtaining a secured MAP message which is transmitted via the first secured transmission channel SC_AB to the first gateway node MSEGA in the first domain PLMN-A. In the first gateway node MSEGA the secured MAP message is decrypted obtaining a MAP message comprising the content of the original MAP message sent in the second domain PLMN-B. The obtained MAP message is routed in the first domain PLMN-A towards a destination MAP protocol instance that terminates the MAP message.
  • The fourth domain PLMN-C of the telecommunication network comprises a fifth and a sixth network node NEC1 and NEC2, on each of which a MAP protocol instance and a conversion unit for MAP message encryption and decryption are installed. The MAP protocol instances in the fifth and the sixth network node NEC1 and NEC2 respectively are connected to the first gateway node MSEGA via a second and a third secured transmission channel SC_AC1 and SC_AC2 respectively. The fourth domain PLMN-C further comprises a first security database KACC storing and providing security information used for the encryption of MAP messages and the decryption of secured MAP messages. The first security database KACC provides security information to the conversion units in the fifth and the sixth network node NEC1 and NEC2. To provide an exchanging of security information the first security database KACC is connected to the security database in the first gateway node MSEGA via the second security information exchange connection IKEC_AC.
  • Neither the transmission of unencrypted MAP messages within the fourth domain PLMN-C nor the transmission of unencrypted MAP messages from the fourth domain PLMN-C to other domains, e.g. to the first domain PLMN-A, is regarded as secure. MAP messages between MAP protocol instances in the first domain PLMN-A and MAP protocol instances in the fourth domain PLMN-C are therefore encrypted and transmitted as secured MAP messages. Message encryption and decryption for the MAP protocol instances in the fifth and the sixth network node NEC1 and NEC2 is performed by the respective conversion units in these nodes. The transmission of secured MAP messages between the first and the fourth domain PLMN-A and PLMN-C shows that the invented solution is compatible with the implementation of MAP application layer security according to the state of the art, in which a conversion unit for MAP message encryption and decryption is provided for every MAP protocol instance.
  • In the following the encryption and decryption of MAP messages between the fourth and the first domain PLMN-C and PLMN-A shall be described by the example of the MAP protocol instances in the first and the fifth network node NEA1 and NEC1. A MAP message from the MAP protocol instance in the fifth network node NEC1 destined to the MAP protocol instance in the first network node NEA1 is forwarded in the fifth network node NEC1 to the conversion unit in the fifth network node NEC1 and encrypted, obtaining a secured MAP message. The obtained secured MAP message is sent via the second secured transmission channel SC_AC1 to the first gateway node MSEGA. The encrypted MAP message is decrypted in the first gateway node MSEGA obtaining a MAP message comprising the content of the original MAP message sent by the MAP protocol instance in the fifth network node NEC1. The obtained MAP message is routed in the first domain towards the MAP protocol instance in the first network node NEA1 terminating the MAP message.
  • Accordingly a MAP message from the MAP protocol instance in the first network node NEA1 destined for the MAP protocol instance in the fifth network node NEC1 is routed in the first domain PLMN-A towards the first gateway node MSEGA and encrypted obtaining a secured MAP message. The obtained secured MAP message is transmitted via the second secured transmission channel SC_AC1 to the conversion unit in the fifth network node NEC1. The conversion unit in the fifth network node NEC1 decrypts the received secured MAP message obtaining a MAP message that comprises the content of the original MAP message sent in the first domain PLMN-A. The obtained MAP message is handed over by the conversion unit in the fifth network node NEC1 to the MAP protocol instance in the fifth network node NEC1.
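The conversion performed by the first gateway node MSEGA, and symmetrically by the conversion unit in the fifth network node NEC1, in both directions described above, as an added model that is not code from the patent or from Ericsson. It assumes its own secured-message layout (SPI, protection mode, nonce, body, tag), substitutes HMAC-SHA256 for the AES-based algorithms of TS 33.200 so that it runs on the Python standard library alone, and the `SecurityAssociation` type, the `protect`/`unprotect` functions, the SPI value, the keys and the sample PDU are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Protection mode numbers follow TS 33.200 (0: none, 1: integrity,
# 2: confidentiality and integrity). The header layout, the tag length and
# the use of HMAC-SHA256 in place of AES are this example's own choices.
MODE_NO_PROTECTION = 0
MODE_INTEGRITY = 1
MODE_CONF_INTEGRITY = 2

HEADER = struct.Struct(">IB12s")  # SPI, protection mode, 12-byte nonce
TAG_LEN = 16


class SecurityAssociation:
    """One entry of the security association database SAD: SPI, mode, keys."""

    def __init__(self, spi, mode, enc_key=b"", mac_key=b""):
        if mode not in (MODE_NO_PROTECTION, MODE_INTEGRITY, MODE_CONF_INTEGRITY):
            raise ValueError("unknown protection mode")
        if mode != MODE_NO_PROTECTION and len(mac_key) < 16:
            raise ValueError("integrity key required for modes 1 and 2")
        if mode == MODE_CONF_INTEGRITY and len(enc_key) < 16:
            raise ValueError("confidentiality key required for mode 2")
        self.spi, self.mode = spi, mode
        self.enc_key, self.mac_key = enc_key, mac_key


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256, standing in for AES."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def protect(sa, map_pdu, nonce=None):
    """Outbound: unsecured MAP PDU -> secured MAP message under `sa`.
    Mode 0 returns the PDU unchanged (it is then an unsecured message).
    A fresh nonce per message keeps the mode-2 keystream from repeating."""
    if sa.mode == MODE_NO_PROTECTION:
        return map_pdu
    nonce = nonce if nonce is not None else os.urandom(12)
    header = HEADER.pack(sa.spi, sa.mode, nonce)
    body = map_pdu
    if sa.mode == MODE_CONF_INTEGRITY:
        body = _xor(map_pdu, _keystream(sa.enc_key, nonce, len(map_pdu)))
    # The tag also covers the header, so SPI and mode cannot be rewritten in transit.
    tag = hmac.new(sa.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


def unprotect(sad, secured):
    """Inbound: secured MAP message -> unsecured MAP PDU.
    `sad` maps SPI -> SecurityAssociation. Raises ValueError for a truncated
    message, an unknown SPI, a mode that disagrees with the SA, or a bad tag.
    The tag is verified before anything is decrypted."""
    if len(secured) < HEADER.size + TAG_LEN:
        raise ValueError("truncated secured MAP message")
    spi, mode, nonce = HEADER.unpack_from(secured)
    sa = sad.get(spi)
    if sa is None or sa.mode != mode or mode == MODE_NO_PROTECTION:
        raise ValueError("no security association for SPI %#x, mode %d" % (spi, mode))
    header = secured[:HEADER.size]
    body, tag = secured[HEADER.size:-TAG_LEN], secured[-TAG_LEN:]
    expected = hmac.new(sa.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    if mode == MODE_CONF_INTEGRITY:
        body = _xor(body, _keystream(sa.enc_key, nonce, len(body)))
    return body


# Constructed sample data: MSEGA and the conversion unit in NEC1 share one SA
# for SC_AC1. The keys and the "PDU" are placeholders, not captured traffic.
SA_AC1 = SecurityAssociation(0x0AC1, MODE_CONF_INTEGRITY,
                             enc_key=b"constructed-enc-key-16+",
                             mac_key=b"constructed-mac-key-16+")
SAD_MSEGA, SAD_NEC1 = {SA_AC1.spi: SA_AC1}, {SA_AC1.spi: SA_AC1}
SAMPLE_PDU = b"stand-in for a BER-encoded MAP updateLocation PDU"


def round_trip(pdu=SAMPLE_PDU):
    """NEA1 -> MSEGA (protect) -> SC_AC1 -> conversion unit in NEC1 (unprotect)."""
    secured = protect(SA_AC1, pdu)
    return unprotect(SAD_NEC1, secured) == pdu and pdu not in secured


def tampered_is_rejected(pdu=SAMPLE_PDU):
    """One flipped ciphertext bit must fail the tag check, not decrypt to garbage."""
    secured = bytearray(protect(SA_AC1, pdu))
    secured[HEADER.size] ^= 0x01
    try:
        unprotect(SAD_MSEGA, bytes(secured))
    except ValueError:
        return True
    return False
```

Two design points carry over to any real conversion unit: the integrity tag covers the header, so a peer cannot downgrade the protection mode or redirect the message to another security association by editing the header, and the tag is checked before decryption, so a forged message never reaches the MAP protocol instance in the first domain.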
  • The fifth domain PLMN-D of the telecommunication network comprises a seventh and an eighth network node NED1 and NED2, on each of which a MAP protocol instance is installed. The seventh and the eighth network node NED1 and NED2 are connected to the first gateway node MSEGA in the first domain PLMN-A via a first and a second unsecured communication channel USC_AD1 and USC_AD2. To provide a basic level of security, the first gateway node MSEGA performs a selective discarding of MAP messages received from the first domain PLMN-A and destined for the fifth domain PLMN-D and a selective discarding of mobile application part messages received from the fifth domain PLMN-D and destined for the first domain PLMN-A. In an advantageous embodiment the selective discarding is based on an address in a MAP message or a type of a MAP message. The selective discarding can be implemented in that the first gateway node MSEGA performs as a firewall towards the fifth domain PLMN-D.
  • The third domain PLMN-E of the telecommunication network comprises a ninth network node NEE1, on which a MAP protocol instance and a conversion unit for MAP message encryption and decryption are installed, and a tenth network node NEE2, on which a MAP protocol instance is installed. The ninth network node NEE1 is connected to the first gateway node MSEGA via a fourth secured communication channel SC_AE, for which security information is provided by the second security database KACE and exchanged between the second security database KACE and the security database in the first gateway node MSEGA via the third security information exchange connection IKEC_AE. The tenth network node NEE2 is connected to the first gateway node MSEGA in the first domain PLMN-A via a third unsecured communication channel USC_AE. To provide a basic level of security for unencrypted MAP messages exchanged between the first gateway node MSEGA and network nodes in the third domain PLMN-E, the first gateway node MSEGA performs a selective discarding of MAP messages towards the third domain PLMN-E. As described for the MAP messages towards the fifth domain PLMN-D, the selective discarding can be based on an address or a type of a MAP message and can be implemented in that the first gateway node MSEGA performs as a firewall towards the third domain PLMN-E.
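One form the selective discarding towards the unsecured domains PLMN-D and (via USC_AE) PLMN-E can take, as an added example that is not part of the patent: a first-match rule set keyed on direction, domain, MAP operation code and SCCP global title prefix, with discard as the default. The operation code numbers are those of 3GPP TS 29.002 and serve only as labels; the `MapMessage` and `Rule` types, the global title ranges, the rules and the sample traffic are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# MAP operation codes as numbered in 3GPP TS 29.002, used only to label rules.
CANCEL_LOCATION = 3
INSERT_SUBSCRIBER_DATA = 7
SEND_ROUTING_INFO = 22
SEND_ROUTING_INFO_FOR_SM = 45
MO_FORWARD_SM = 46
SEND_AUTHENTICATION_INFO = 56
ANY_TIME_INTERROGATION = 71

INBOUND, OUTBOUND = "inbound", "outbound"  # relative to the first domain PLMN-A


@dataclass(frozen=True)
class MapMessage:
    """The fields the filter inspects (a constructed abstraction of SCCP/MAP)."""
    direction: str   # INBOUND: other domain -> PLMN-A; OUTBOUND: PLMN-A -> other domain
    domain: str      # the other domain, e.g. "PLMN-D"
    calling_gt: str  # SCCP calling party global title, E.164 digits
    called_gt: str   # SCCP called party global title
    opcode: int      # MAP operation code


@dataclass(frozen=True)
class Rule:
    direction: str
    domain: str
    action: str                               # "allow" or "discard"
    opcodes: Optional[FrozenSet[int]] = None  # None: any operation
    gt_prefix: Optional[str] = None           # calling GT (inbound) / called GT (outbound)

    def matches(self, msg):
        if (self.direction, self.domain) != (msg.direction, msg.domain):
            return False
        if self.opcodes is not None and msg.opcode not in self.opcodes:
            return False
        if self.gt_prefix is not None:
            gt = msg.calling_gt if msg.direction == INBOUND else msg.called_gt
            return gt.startswith(self.gt_prefix)
        return True


class MapFilter:
    """First matching rule wins; a message matching no rule is discarded."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.discarded = []  # (message, matched rule or None): the discard log

    def decide(self, msg):
        for rule in self.rules:
            if rule.matches(msg):
                if rule.action == "discard":
                    self.discarded.append((msg, rule))
                return rule.action
        self.discarded.append((msg, None))
        return "discard"


HOME_GT_PREFIX = "49170"    # constructed: GT range of PLMN-A's own nodes
PLMN_D_GT_PREFIX = "44790"  # constructed: GT range agreed with the PLMN-D operator

# Constructed policy towards the unsecured fifth domain PLMN-D. Rule order matters:
# a message from PLMN-D that claims a calling GT from PLMN-A's own range is
# spoofed and is discarded before any allow rule is consulted; after that only
# the SMS-related operations are accepted, and only within the agreed GT range.
RULES_PLMN_D = [
    Rule(INBOUND, "PLMN-D", "discard", gt_prefix=HOME_GT_PREFIX),
    Rule(INBOUND, "PLMN-D", "allow", opcodes=frozenset({SEND_ROUTING_INFO_FOR_SM, MO_FORWARD_SM}),
         gt_prefix=PLMN_D_GT_PREFIX),
    Rule(OUTBOUND, "PLMN-D", "allow", opcodes=frozenset({SEND_ROUTING_INFO_FOR_SM, MO_FORWARD_SM}),
         gt_prefix=PLMN_D_GT_PREFIX),
]

# Constructed sample traffic, paired with the decision the rules above should produce.
SAMPLE = [
    (MapMessage(INBOUND, "PLMN-D", "447901234567", "491701000001", SEND_ROUTING_INFO_FOR_SM), "allow"),
    (MapMessage(INBOUND, "PLMN-D", "447901234567", "491701000001", ANY_TIME_INTERROGATION), "discard"),
    (MapMessage(INBOUND, "PLMN-D", "491709999999", "491701000001", SEND_ROUTING_INFO_FOR_SM), "discard"),
    (MapMessage(INBOUND, "PLMN-D", "336000000001", "491701000001", SEND_ROUTING_INFO_FOR_SM), "discard"),
    (MapMessage(OUTBOUND, "PLMN-D", "491701000001", "447901234567", MO_FORWARD_SM), "allow"),
    (MapMessage(OUTBOUND, "PLMN-D", "491701000001", "447901234567", INSERT_SUBSCRIBER_DATA), "discard"),
]


def evaluate(samples=SAMPLE, rules=RULES_PLMN_D):
    """Run the sample through the filter; return (decisions, discard log)."""
    fw = MapFilter(rules)
    return [fw.decide(msg) for msg, _ in samples], fw.discarded
```

The filter is meant to sit only on the unsecured channels (USC_AD1, USC_AD2, USC_AE); messages on the secured channels are authenticated by the conversion unit instead. Discard-by-default means a domain for which no rules are configured gets nothing through, which is the safer failure mode when a new interconnect is added before its policy is.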
  • FIG. 2 depicts an architecture of a gateway node for converting a received MAP message obtaining a secured MAP message, and for extracting an unencrypted MAP message from a secured MAP message. The gateway node comprises a MAP protocol instance SMAPPI, which is adapted to process secured and unsecured MAP messages. The MAP protocol instance SMAPPI comprises a protocol machine for generating and answering secured and unsecured MAP messages. The MAP protocol instance SMAPPI communicates with a TCAP (transaction capabilities application part) protocol instance TCAPPI and with a MAP user protocol instance MAPUPI by exchanging appropriate service data units. The MAP user protocol instance MAPUPI is connected to an operation and maintenance unit OMU that provides operation and maintenance for the gateway node. The TCAP protocol instance TCAPPI is further connected to a SCCP (Signaling Connection Control Part) protocol instance SCCPPI. The SCCP protocol instance SCCPPI is connected to other network nodes on which MAP protocol instances are implemented for communicating using secured MAP messages via the Zf interface ZFI. Furthermore the SCCP protocol instance SCCPPI is connected to other network nodes on which MAP protocol instances are implemented for communicating using unsecured MAP messages via a network interface NI.
  • The MAP protocol instance SMAPPI is connected to a cryptography unit CU, that is adapted to encrypt a MAP message obtaining a secured MAP message. Furthermore the cryptography unit CU is adapted to decrypt a secured MAP message for obtaining content of a respective unencrypted MAP message. The cryptography unit CU is connected to a key exchange unit KEU for being provided with keys for encryption and keys for decryption. The key exchange unit KEU is connected to other network nodes that perform an administration of encryption and decryption keys via a Zd interface ZDI. The key exchange unit KEU is connected to a policy management unit PMU, that coordinates the negotiation of protection profiles and security associations for secure communication channels.
  • The policy management unit PMU is connected to a security policy database SPD and a security association database SAD for obtaining information needed for the negotiation of the protection profiles. In the security policy database SPD security policies to be applied for a secure communication channel are stored. Information on a level of security indicated for a particular domain can be stored in a security domain information unit SDIU and provided to the policy management unit PMU in a negotiation of a security policy. In a preferable embodiment a security policy to be applied towards a particular domain of the communication network can be configured independently from a configuring of a security policy towards another domain. A security policy can comprise an indicating whether MAP application layer security is to be applied towards a domain, an indicating whether unsecured transmission of MAP messages is allowed or an indicating that no communication using MAP messages is allowed towards a particular domain. A security policy can also comprise the security mechanisms, such as encryption or integrity protection to be applied towards a particular domain.
  • Potential policies to be applied towards a domain can be preconfigured and stored as potential protection profiles in the security policy database SPD. In the negotiation of a protection profile to be applied towards a domain the policy management unit PMU can access the security policy database SPD to request a preconfigured protection profile. When a protection profile has been negotiated by the policy management unit PMU, security information to be used in a secure communication towards a domain is exchanged between the policy management unit PMU and a security database in that domain. Security information can comprise an encryption or a decryption key and an indication of an algorithm to be used in an encryption or a decryption. Security information is grouped in security associations and stored in the security association database SAD.
  • A database administration unit DAU is connected to the security policy database SPD and the security association database SAD such that the security policy database SPD and the security association database SAD can be administrated by the database administration unit DAU.
  • The database administration unit DAU and the security domain information unit SDIU can be controlled and configured using a user interface unit UI, advantageously comprising a graphical user interface or a device for command line interpretation.
  • The MAP protocol instance SMAPPI is connected to a fallback store FBS that stores for a particular domain an indication that a fallback to a lower level of security than the configured level of security for the particular domain is allowable. In a preferable embodiment of the invention the allowing of the fallback to the lower level of security is configurable for one domain independently from an allowing of a respective fallback to a lower level of security for another domain.
  • If an unencrypted MAP message, or a secured MAP message compliant with a lower level of security than the preconfigured level of security for the domain from which the message was sent, is received in the MAP protocol instance SMAPPI, the MAP protocol instance SMAPPI can check in the fallback store FBS whether a fallback to a lower level of security is allowed towards that domain. If a fallback to a lower level of security is allowed towards the domain, the MAP message can be processed according to the level of security to which the fallback is allowed.
  • FIG. 3 depicts a sequence of decision steps and processing steps to be performed by a gateway node when a request for an unsecured communication channel using the MAP protocol is received in the gateway node. The decision steps described preferably comprise a querying to a security database comprised in or connected to the gateway node. When the request for the dialogue initiation for the unsecured communication channel is received in the gateway node in an initiating processing step PS0, the gateway node performs in a first decision step DS1 a check, whether a communication is allowed towards the domain from which the request was issued. If a communication is not allowed, the request is discarded and logged by the gateway node in a first processing step PS1.
  • If a communication is allowed towards the domain from which the request was received, the gateway node performs in a second decision step DS2 a check, whether an applying of MAP application layer security is mandatory according to a preconfigured level of security for a communication towards the domain that issued the request for the dialogue initiation. If an applying of MAP application layer security is not mandatory, the dialogue initiation is accepted in a second processing step PS2.
  • If an applying of MAP application layer security is mandatory according to a preconfigured level of security, the gateway node performs in a third decision step DS3 a check, whether a fallback to a lower level of security than the preconfigured level is allowed towards the domain from which the request was received. If a fallback to a lower level of security is allowed towards the domain, the dialogue initiation is accepted in a third processing step PS3.
  • If a fallback to a lower level of security is not allowed, the gateway node performs in a fourth decision step DS4 a check whether a secured transmission channel is mandatory for the type of message to which the dialogue initiation referred. If a secured transmission channel is not mandatory for the type of message, the dialogue initiation is accepted in a fourth processing step PS4.
  • If a secured transmission channel is mandatory for the type of message to which the dialogue initiation referred, the dialogue is aborted in a fifth processing step PS5. The aborting of the dialogue advantageously comprises an outputting of a reason for the aborting of the dialogue. The reason for the aborting advantageously specifies that the transport protection is not adequate for the type of message.
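The decision sequence of FIG. 3 (PS0 to PS5) as an added example, not code from the patent: a Python function that walks DS1 to DS4 for a request to open an unsecured dialogue, with the per-domain level of security, the fallback store entry and the set of message types that always need a secured channel held in a `DomainPolicy` record that stands in for the security database. The `Level` encoding, the `DomainPolicy`, `Outcome` and `Decision` types, the policy table and the message type names are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List


class Level(Enum):
    """Level of security configured per domain (an assumed encoding of the
    indications held in the security domain information unit SDIU)."""
    NO_COMMUNICATION = 0    # no MAP dialogue with this domain at all
    UNSECURED_ALLOWED = 1   # unsecured MAP messages are acceptable
    MAPSEC_MANDATORY = 2    # MAP application layer security is required


@dataclass(frozen=True)
class DomainPolicy:
    level: Level
    fallback_allowed: bool = False                    # the fallback store FBS entry
    secured_only_types: FrozenSet[str] = frozenset()  # types that always need a secured channel


class Outcome(Enum):
    PS1_DISCARD_AND_LOG = "PS1"
    PS2_ACCEPT_UNSECURED = "PS2"
    PS3_ACCEPT_FALLBACK = "PS3"
    PS4_ACCEPT_TYPE_NOT_SENSITIVE = "PS4"
    PS5_ABORT = "PS5"


@dataclass
class Decision:
    outcome: Outcome
    path: List[str] = field(default_factory=list)  # decision steps visited, e.g. ["DS1", "DS2"]
    reason: str = ""


def handle_unsecured_dialogue_request(policies, domain, message_type, log):
    """FIG. 3: decide on a request (PS0) to open an unsecured MAP dialogue.
    `policies` stands in for the security database queried at each step.
    A domain with no entry is treated as NO_COMMUNICATION (deny by default)."""
    policy = policies.get(domain, DomainPolicy(Level.NO_COMMUNICATION))
    d = Decision(Outcome.PS1_DISCARD_AND_LOG)

    d.path.append("DS1")  # is any communication allowed towards the domain?
    if policy.level is Level.NO_COMMUNICATION:
        d.reason = "no MAP communication allowed towards %s" % domain
        log.append((domain, message_type, d.reason))  # PS1: discard and log
        return d

    d.path.append("DS2")  # is MAP application layer security mandatory?
    if policy.level is not Level.MAPSEC_MANDATORY:
        d.outcome = Outcome.PS2_ACCEPT_UNSECURED
        return d

    d.path.append("DS3")  # is a fallback below the configured level allowed?
    if policy.fallback_allowed:
        d.outcome = Outcome.PS3_ACCEPT_FALLBACK
        d.reason = "fallback below configured level permitted for %s" % domain
        return d

    d.path.append("DS4")  # is a secured channel mandatory for this message type?
    if message_type not in policy.secured_only_types:
        d.outcome = Outcome.PS4_ACCEPT_TYPE_NOT_SENSITIVE
        return d

    d.outcome = Outcome.PS5_ABORT  # abort, reporting why
    d.reason = "transport protection not adequate for message type %s" % message_type
    return d


# Constructed configuration in the spirit of FIG. 1: PLMN-B requires MAPsec
# with no fallback, PLMN-C requires MAPsec but tolerates fallback, PLMN-D may
# use unsecured messages, and any domain not listed is denied.
POLICIES = {
    "PLMN-B": DomainPolicy(Level.MAPSEC_MANDATORY, fallback_allowed=False,
                           secured_only_types=frozenset({"sendAuthenticationInfo",
                                                         "insertSubscriberData"})),
    "PLMN-C": DomainPolicy(Level.MAPSEC_MANDATORY, fallback_allowed=True),
    "PLMN-D": DomainPolicy(Level.UNSECURED_ALLOWED),
}


def decide_all(requests, policies=POLICIES):
    """Return the processing step reached for each (domain, message type) and the discard log."""
    log = []
    steps = [handle_unsecured_dialogue_request(policies, dom, mt, log).outcome.value
             for dom, mt in requests]
    return steps, log
```

One consequence of the order of the decision steps is worth noting: DS3 is evaluated before DS4, so once fallback is allowed for a domain an unsecured dialogue is accepted whatever the message type, including types listed as needing a secured channel. A domain for which sensitive message types must stay on a secured channel therefore needs fallback disabled. A domain without a database entry is treated here as one towards which no communication is allowed, the conservative reading of DS1.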

Claims (10)

1. A telecommunication network with a first domain comprising:
at least one Mobile Application Part (MAP) protocol instance connected to a gateway node, which is adapted to send and receive MAP messages and which is connectable to a second domain;
wherein the gateway node is adapted to:
receive a MAP message from the first domain;
convert the received MAP message obtaining a secured MAP message;
send the obtained message towards the second domain;
receive a secured MAP message from the second domain;
extract an unsecured MAP message from the received secured MAP message; and
send the extracted message towards the first domain.
2. The telecommunication network according to claim 1, wherein the gateway node is connected to a third domain and wherein the gateway node performs a selective discarding of MAP messages received from the first domain and destined for the third domain and a selective discarding of MAP messages received from the third domain and destined for the first domain.
3. The telecommunication network according to claim 2, wherein the gateway node performs as a firewall towards the third domain.
4. The telecommunication network according to claim 1 wherein the gateway node is connectable to different domains, and levels of security are configurable for the different domains.
5. The telecommunication network according to claim 4,
wherein for a particular domain a fallback to a lower level of security than the configured level of security for the particular domain is allowable and
wherein allowing the fallback to the lower level of security is configurable for one domain independently from a configuring of an allowing of a respective fallback to a lower level of security for another domain.
6. A gateway node comprising an interface to a first domain of a telecommunication network for sending and receiving Mobile Application Part (MAP) messages, the gateway node comprising:
an interface to a second domain of the telecommunication network for sending and receiving secured MAP messages; and
a conversion unit that is adapted to:
receive a MAP message via the interface to the first domain,
convert the received MAP message obtaining a secured MAP message,
send the obtained message via the interface towards the second domain,
receive a secured MAP message via the interface to the second domain,
extract an unsecured MAP message from the received secured MAP message and
send the extracted message via the interface towards the first domain.
7. The gateway node according to claim 6, further comprising:
an interface to a third domain for sending and receiving MAP messages and
a filtering unit adapted to perform a selective discarding of MAP messages.
8. The gateway node according to claim 7, wherein the gateway node performs as a firewall towards the third domain.
9. The gateway node according to claim 7, wherein the gateway node is connectable to different domains, and the gateway node comprises a security database for storing indications of levels of security for the different domains.
10. The gateway node according to claim 9, further comprising:
a fallback store for storing for a particular domain an indication that a fallback to a lower level of security than the configured level of security for the particular domain is allowable, and
wherein allowing of the fallback to the lower level of security is configurable for one domain independently from an allowing of a respective fallback to a lower level of security for another domain.
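The behaviour the claims describe, as an added example that is not from the patent or from any Ericsson product: a small Python model of the gateway node with a per-domain security database (the configured level of claims 4 and 9), a per-domain fallback switch (claims 5 and 10), conversion between unsecured and secured MAP messages (claims 1 and 6), and a firewall-style filter for a domain that only gets plain MAP (claims 2, 3 and 7). The level numbering (0 none, 1 integrity, 2 integrity plus confidentiality), the wire layout, the HMAC-SHA256 toy protection, the operation names and keys in the sample configuration, and the peer_level argument (how the gateway learns what the peer can accept) are all assumptions; 3GPP MAPsec uses other algorithms and a different message format, and real MAP is carried in TCAP, not in the NUL-separated form used here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# ASSUMPTION: the claims only say "levels of security"; this numbering is ours.
NONE, INTEGRITY, CONFIDENTIAL = 0, 1, 2
NONCE_LEN, TAG_LEN = 8, 32


class SecurityViolation(Exception):
    """Message does not meet the level configured for its domain."""


class Discarded(Exception):
    """Message dropped by the firewall-style filter for a domain (claims 2, 3, 7)."""


@dataclass
class DomainPolicy:
    level: int                                    # configured level (claims 4, 9)
    key: bytes                                    # key shared with that domain's peer gateway
    fallback_allowed: bool = False                # per-domain fallback switch (claims 5, 10)
    allowed_ops: Optional[FrozenSet[str]] = None  # None = no filtering for this domain


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only, not a MAPsec cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(plain: bytes, level: int, key: bytes, nonce: bytes) -> bytes:
    """Unsecured MAP -> secured MAP: [level][nonce][body][tag]; level 0 is just [0][plain]."""
    if level == NONE:
        return bytes([NONE]) + plain
    body = plain
    if level == CONFIDENTIAL:
        body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    header = bytes([level]) + nonce
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()


def unprotect(secured: bytes, key: bytes) -> Tuple[int, bytes]:
    """Secured MAP -> (level it was actually protected at, unsecured MAP)."""
    level = secured[0]
    if level == NONE:
        return NONE, secured[1:]
    if level not in (INTEGRITY, CONFIDENTIAL) or len(secured) < 1 + NONCE_LEN + TAG_LEN:
        raise SecurityViolation("malformed secured MAP message")
    nonce, body, tag = secured[1:1 + NONCE_LEN], secured[1 + NONCE_LEN:-TAG_LEN], secured[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, secured[:-TAG_LEN], hashlib.sha256).digest(), tag):
        raise SecurityViolation("integrity check failed")
    if level == CONFIDENTIAL:
        body = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return level, body


def encode_map(op: str, payload: bytes) -> bytes:
    """Constructed wire form (operation name, NUL, argument bytes); not real MAP/TCAP."""
    return op.encode() + b"\x00" + payload


def decode_map(raw: bytes) -> Tuple[str, bytes]:
    op, _, payload = raw.partition(b"\x00")
    return op.decode(), payload


class MapSecurityGateway:
    """Sits between the trusted first domain and the external domains."""
    def __init__(self, policies: Dict[str, DomainPolicy]):
        self.policies, self._seq = policies, 0

    def outbound(self, op: str, payload: bytes, dst: str, peer_level: int) -> bytes:
        """MAP from the first domain towards dst. peer_level is the highest level the
        peer gateway accepts (ASSUMPTION: known from provisioning)."""
        pol = self.policies[dst]
        if pol.allowed_ops is not None and op not in pol.allowed_ops:
            raise Discarded(f"{op} towards {dst} is not permitted")
        level = pol.level
        if peer_level < level:  # claims 5/10: fall back only if allowed for this domain
            if not pol.fallback_allowed:
                raise SecurityViolation(f"{dst} needs level {level}, peer offers {peer_level}")
            level = peer_level
        self._seq += 1  # fresh nonce per message; never reuse one under the same key
        return protect(encode_map(op, payload), level, pol.key, self._seq.to_bytes(NONCE_LEN, "big"))

    def inbound(self, secured: bytes, src: str) -> Tuple[str, bytes]:
        """Secured MAP from src -> unsecured MAP for the first domain."""
        pol = self.policies[src]
        level, plain = unprotect(secured, pol.key)
        if level < pol.level and not pol.fallback_allowed:
            raise SecurityViolation(f"{src} sent level {level}, configured {pol.level}")
        op, payload = decode_map(plain)
        if pol.allowed_ops is not None and op not in pol.allowed_ops:
            raise Discarded(f"{op} from {src} is not permitted")
        return op, payload


def demo_policies() -> Dict[str, DomainPolicy]:
    """Constructed configuration, not from the patent: two secured peers (one allowing
    fallback) and an untrusted hub that only gets plain MAP through the filter."""
    return {
        "roaming_partner": DomainPolicy(CONFIDENTIAL, b"\x11" * 32, fallback_allowed=True),
        "strict_partner": DomainPolicy(CONFIDENTIAL, b"\x22" * 32),
        "sms_hub": DomainPolicy(NONE, b"\x33" * 32,
                                allowed_ops=frozenset({"sendRoutingInfoForSM", "mt-forwardSM"})),
    }
```

Two things the claims require show up directly in the code. The fallback decision is taken per destination domain, so a peer that only offers integrity protection is accepted for roaming_partner and refused for strict_partner, and on the inbound side the gateway compares the level a message actually arrived with against the configured level instead of trusting the peer. Filtering runs before protection on the way out and after extraction on the way in, so a discarded operation never reaches the untrusted domain in either form.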

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/227,903 US20120002654A1 (en) 2003-10-20 2011-09-08 Network and node for providing a secure transmission of mobile application part messages

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
PCT/EP2003/011609 WO2005043859A1 (en) 2003-10-20 2003-10-20 Network and node for providing a secure transmission of mobile application part messages
DE10350226A DE10350226B4 (en) 2003-10-27 2003-10-27 Method for conveying multiphase mixtures and pump system
DE10350226.2 2003-10-27
US59544707A 2007-02-22 2007-02-22
US13/227,903 US20120002654A1 (en) 2003-10-20 2011-09-08 Network and node for providing a secure transmission of mobile application part messages

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
PCT/EP2003/011609 Continuation WO2005043859A1 (en) 2003-10-20 2003-10-20 Network and node for providing a secure transmission of mobile application part messages
US59544707A Continuation 2003-10-20 2007-02-22

Publications (1)

Publication Number Publication Date
US20120002654A1 true US20120002654A1 (en) 2012-01-05

Family

ID=34530623

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/595,447 Active 2027-03-10 US8037297B2 (en) 2003-10-20 2003-10-20 Network and node for providing a secure transmission of mobile application part messages
US13/227,903 Abandoned US20120002654A1 (en) 2003-10-20 2011-09-08 Network and node for providing a secure transmission of mobile application part messages

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/595,447 Active 2027-03-10 US8037297B2 (en) 2003-10-20 2003-10-20 Network and node for providing a secure transmission of mobile application part messages

Country Status (7)

Country Link
US (2) US8037297B2 (en)
EP (1) EP1676409B1 (en)
CN (1) CN1860759B (en)
AT (1) ATE536691T1 (en)
AU (1) AU2003304649A1 (en)
ES (1) ES2378816T3 (en)
WO (1) WO2005043859A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100174814A1 (en) * 2009-01-08 2010-07-08 Alcatel-Lucent Connectivity, adjacencies and adaptation functions
US8892876B1 (en) * 2012-04-20 2014-11-18 Trend Micro Incorporated Secured application package files for mobile computing devices
US9762385B1 (en) 2015-07-20 2017-09-12 Trend Micro Incorporated Protection of program code of apps of mobile computing devices
US20180074764A1 (en) * 2016-09-15 2018-03-15 Ricoh Company, Ltd. Information processing device, information processing system, and information processing method
WO2019160776A1 (en) * 2018-02-13 2019-08-22 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US10693838B2 (en) 2018-02-13 2020-06-23 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US10701033B2 (en) 2018-02-13 2020-06-30 Palo Alto Networks, Inc. Network layer signaling security with next generation firewall
US10701032B2 (en) 2018-02-13 2020-06-30 Palo Alto Networks, Inc. Application layer signaling security with next generation firewall
US10715491B2 (en) 2018-02-13 2020-07-14 Palo Alto Networks, Inc. Diameter security with next generation firewall
US11658822B1 (en) * 2020-02-19 2023-05-23 Twitch Interactive, Inc. Dynamic cross origin resource control
US11914686B2 (en) 2021-10-15 2024-02-27 Pure Storage, Inc. Storage node security statement management in a distributed storage cluster

Families Citing this family (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070067838A1 (en) * 2005-09-19 2007-03-22 Nokia Corporation System, mobile node, network entity, method, and computer program product for network firewall configuration and control in a mobile communication system
US8225380B2 (en) 2006-05-25 2012-07-17 Celltrust Corporation Methods to authenticate access and alarm as to proximity to location
US9572033B2 (en) 2006-05-25 2017-02-14 Celltrust Corporation Systems and methods for encrypted mobile voice communications
CA2650852C (en) 2006-05-25 2013-10-08 Celltrust Corporation Secure mobile information management system and method
US8280359B2 (en) 2006-05-25 2012-10-02 Celltrust Corporation Methods of authorizing actions
US9848081B2 (en) 2006-05-25 2017-12-19 Celltrust Corporation Dissemination of real estate information through text messaging
US8260274B2 (en) 2006-05-25 2012-09-04 Celltrust Corporation Extraction of information from e-mails and delivery to mobile phones, system and method
US8965416B2 (en) 2006-05-25 2015-02-24 Celltrust Corporation Distribution of lottery tickets through mobile devices
RU2453048C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
RU2467489C2 (en) * 2007-08-17 2012-11-20 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453041C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453047C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
RU2453061C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453058C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453054C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453064C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453057C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2467487C2 (en) * 2007-08-17 2012-11-20 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453046C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
RU2467488C2 (en) * 2007-08-17 2012-11-20 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453062C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453042C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453052C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453043C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453044C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2467490C2 (en) * 2007-08-17 2012-11-20 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453065C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal call of telephone network user
RU2453066C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal call of telephone network user (versions)
RU2453059C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453056C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453055C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453053C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453045C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
RU2453060C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453040C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between telecommunication network users
RU2453039C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
RU2453063C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method for personal transmission of information between data network users
RU2453049C2 (en) * 2007-08-17 2012-06-10 Александр Степанович Ракушин Method of conducting personal communication session between data network users
AP2010005442A0 (en) * 2008-03-28 2010-10-31 Celltrust Corp Systems and methods for secure short messaging service and multimedia messaging service.
US8943200B2 (en) * 2008-08-05 2015-01-27 At&T Intellectual Property I, L.P. Method and apparatus for reducing unwanted traffic between peer networks
US10789594B2 (en) 2013-01-31 2020-09-29 Moshir Vantures, Limited, LLC Method and system to intelligently assess and mitigate security risks on a mobile device
US9208348B1 (en) * 2014-01-15 2015-12-08 Symantec Corporation Systems and methods for managing encrypted files within application packages
US11038923B2 (en) * 2018-02-16 2021-06-15 Nokia Technologies Oy Security management in communication systems with security-based architecture using application layer security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6308276B1 (en) * 1999-09-07 2001-10-23 Icom Technologies SS7 firewall system
US20020052200A1 (en) * 2000-09-11 2002-05-02 Jari Arkko Secured map messages for telecommunications networks
US7043000B2 (en) * 2002-09-04 2006-05-09 Tekelec Methods and systems for enhancing network security in a telecommunications signaling network

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6327267B1 (en) * 1998-12-21 2001-12-04 Ericssoninc Systems and methods for routing a message through a signaling network associated with a public switched telephone network (PSTN), including a method for performing global title routing on an internet protocol (IP) address
CN1154326C (en) * 1999-03-12 2004-06-16 诺基亚网络有限公司 Interception system and method
US6757823B1 (en) * 1999-07-27 2004-06-29 Nortel Networks Limited System and method for enabling secure connections for H.323 VoIP calls
AU2001284693A1 (en) * 2000-07-31 2002-02-13 Nokia Networks Oy Method for securing information exchanges in a telecommunication network
GB2370732B (en) * 2001-10-17 2003-12-10 Ericsson Telefon Ab L M Security in communications networks
US7536183B2 (en) * 2003-04-23 2009-05-19 Alcatel-Lucent Usa Inc. Network interworking through message translation

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
3rd Generation Partnership Project, Technical Specification Group Core Network, "Mobile Application Part (MAP) specification for GLR (Release 5)", page 22, published June 2002 *
Faccin et al., "Method for Securing Information Exchanges in a Telecommunication Network", WO 2002/11395 A1, published February 7, 2002 *
Faccin et al., "Method for Securing Information Exchanges in a Telecommunications Network", WO 2002/11395 A1, published February 7, 2002 *
Patterson et al., "System and Method for Protecting Networks from Inadvertent, Fraudulent and/or Malicious Signaling", EP 1159816 A1, published May 12, 2001 *

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100174814A1 (en) * 2009-01-08 2010-07-08 Alcatel-Lucent Connectivity, adjacencies and adaptation functions
US8495245B2 (en) * 2009-01-08 2013-07-23 Alcatel Lucent Connectivity, adjacencies and adaptation functions
US20130227169A1 (en) * 2009-01-08 2013-08-29 Peter Busschbach Connectivity, adjacencies and adaptation functions
US9049187B2 (en) * 2009-01-08 2015-06-02 Alcatel Lucent Connectivity, adjacencies and adaptation functions
US8892876B1 (en) * 2012-04-20 2014-11-18 Trend Micro Incorporated Secured application package files for mobile computing devices
US9762385B1 (en) 2015-07-20 2017-09-12 Trend Micro Incorporated Protection of program code of apps of mobile computing devices
US20180074764A1 (en) * 2016-09-15 2018-03-15 Ricoh Company, Ltd. Information processing device, information processing system, and information processing method
JP2021508994A (en) * 2018-02-13 2021-03-11 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US11283766B2 (en) 2018-02-13 2022-03-22 Palo Alto Networks, Inc. Network layer signaling security with next generation firewall
US10701033B2 (en) 2018-02-13 2020-06-30 Palo Alto Networks, Inc. Network layer signaling security with next generation firewall
US10701032B2 (en) 2018-02-13 2020-06-30 Palo Alto Networks, Inc. Application layer signaling security with next generation firewall
US10715491B2 (en) 2018-02-13 2020-07-14 Palo Alto Networks, Inc. Diameter security with next generation firewall
WO2019160776A1 (en) * 2018-02-13 2019-08-22 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
JP2021040319A (en) * 2018-02-13 2021-03-11 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US11265290B2 (en) 2018-02-13 2022-03-01 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US11283767B2 (en) 2018-02-13 2022-03-22 Palo Alto Networks, Inc. Diameter security with next generation firewall
US10693838B2 (en) 2018-02-13 2020-06-23 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US11283765B2 (en) 2018-02-13 2022-03-22 Palo Alto Networks, Inc. Application layer signaling security with next generation firewall
US11652794B2 (en) 2018-02-13 2023-05-16 Palo Alto Networks, Inc. Transport layer signaling security with next generation firewall
US11784972B2 (en) 2018-02-13 2023-10-10 Palo Alto Networks, Inc. Diameter security with next generation firewall
US11777902B2 (en) 2018-02-13 2023-10-03 Palo Alto Networks, Inc. Application layer signaling security with next generation firewall
US11784971B2 (en) 2018-02-13 2023-10-10 Palo Alto Networks, Inc. Network layer signaling security with next generation firewall
US11658822B1 (en) * 2020-02-19 2023-05-23 Twitch Interactive, Inc. Dynamic cross origin resource control
US11914686B2 (en) 2021-10-15 2024-02-27 Pure Storage, Inc. Storage node security statement management in a distributed storage cluster

Also Published As

Publication number Publication date
ATE536691T1 (en) 2011-12-15
EP1676409B1 (en) 2011-12-07
CN1860759B (en) 2012-01-11
US8037297B2 (en) 2011-10-11
US20070127418A1 (en) 2007-06-07
WO2005043859A1 (en) 2005-05-12
EP1676409A1 (en) 2006-07-05
AU2003304649A1 (en) 2005-05-19
CN1860759A (en) 2006-11-08
ES2378816T3 (en) 2012-04-18

Similar Documents

Publication Publication Date Title
US8037297B2 (en) Network and node for providing a secure transmission of mobile application part messages
FI108827B (en) A method for implementing connection security in a wireless network
KR101438243B1 (en) Sim based authentication
EP1835652B1 (en) A method for ensuring the safety of the media-flow in ip multimedia sub-system
US8295488B2 (en) Exchange of key material
EP1374533B1 (en) Facilitating legal interception of ip connections
CN102036230B (en) Method for implementing local route service, base station and system
US11218873B2 (en) Communication system and method
CN100527875C (en) Method for achieving media flow security and communication system
CN112153641A (en) Secondary authentication enhancement and end-to-end encryption method and system based on edge UPF
WO2012024905A1 (en) Method, terminal and ggsn for encrypting and decrypting data in mobile communication network
US8181013B2 (en) Method, media gateway and system for transmitting content in call established via media gateway control protocol
EP4152717A1 (en) Secure communication method, related apparatus, and system
CN100471313C (en) Method for carrying out encryption transfer on 2833 information in CDMA
CN114867004A (en) Core network system
CN100583733C (en) Method for realizing safety of media flow and communication system
EP1659805A1 (en) Secure voice signalling gateway
CN108965262B (en) MPTCP authentication method and system for private network
CN113765900B (en) Protocol interaction information output transmission method, adapter device and storage medium
EP4297386A1 (en) Call processing method, related device, and storage medium
CN104796869A (en) Multimedia message service encryption method based on sectional encryption

Legal Events

Date Code Title Description
AS Assignment

Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PEKKALA, REIJO;SAASKILAHTI, JUHA;WIREN, KARL-JOHAN;SIGNING DATES FROM 20060424 TO 20060425;REEL/FRAME:026974/0055

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION