Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device-management protocol

US 10,341,328 B2
Filed: 02/13/2017
Issued: 07/02/2019
Est. Priority Date: 07/21/2011
Status: Active Grant

First Claim

Patent Images

1. A device including one or more processors, the one or more processors including circuitry, the circuitry having logic to:

associate with a Wi-Fi Alliance Hotspot 2.0 (HS2.0)-enabled Wi-Fi network;

establish a transport-layer security (TLS) session with a sign-up server;

send a first OMA-DM package 3 message over a wireless link of the TLS session, the first OMA-DM package 3 message including a generic alert;

send a second OMA-DM package 3 message over the wireless link of the TLS session subsequent to successful certificate enrollment; and

receive a first OMA-DM package 4 message in response to the second OMA-DM package 3 message, the first OMA-DM package 4 message to comprise a command to add a subscription management object (MO) to an OMA-DM tree of the device, the OMA-DM tree having a hierarchical structure comprised of at least a root and nodes, and wherein the OMA-DM tree comprises a fully-qualified domain name (FQDN) for at least one service provider, and a subscription MO for the at least one service provider.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a mobile device and method for secure on-line sign-up and provisioning of credentials for Wi-Fi hotspots are generally described herein. In some embodiments, the mobile device may be configured to establish a transport-layer security (TLS) session with a sign-up server through a Wi-Fi Hotspot to receive a certificate of the sign-up server. When the certificate is validated, the mobile device may be configured to exchange device management messages with the sign-up server to sign-up for a Wi-Fi subscription and provisioning of credentials, and retrieve a subscription management object (MO) that includes a reference to the provisioned credentials for storage in a device management tree. The credentials are transferred/provisioned securely to the mobile device. In some embodiments, an OMA-DM protocol may be used. The provisioned credentials may include certificates in the case of certificate-based credentials, machine-generated credentials such as username/password credentials, or SIM-type credentials.

79 Citations

View as Search Results

21 Claims

1. A device including one or more processors, the one or more processors including circuitry, the circuitry having logic to:
- associate with a Wi-Fi Alliance Hotspot 2.0 (HS2.0)-enabled Wi-Fi network;
  
  establish a transport-layer security (TLS) session with a sign-up server;
  
  send a first OMA-DM package 3 message over a wireless link of the TLS session, the first OMA-DM package 3 message including a generic alert;
  
  send a second OMA-DM package 3 message over the wireless link of the TLS session subsequent to successful certificate enrollment; and
  
  receive a first OMA-DM package 4 message in response to the second OMA-DM package 3 message, the first OMA-DM package 4 message to comprise a command to add a subscription management object (MO) to an OMA-DM tree of the device, the OMA-DM tree having a hierarchical structure comprised of at least a root and nodes, and wherein the OMA-DM tree comprises a fully-qualified domain name (FQDN) for at least one service provider, and a subscription MO for the at least one service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The device of claim 1, wherein the logic is further to:
    - add the subscription MO to the OMA-DM tree in response to receipt of the first OMA-DM package 4 message.
  - 3. The device of claim 2, wherein the logic is further to:
    - add the subscription MO to the OMA-DM tree based on a location specified in the first OMA-DM package 4 message.
  - 4. The device of claim 1, wherein the OMA-DM tree comprises a device information (Devlnfo) MO and a device detail (DevDetail) MO.
  - 5. The device of claim 4, wherein the Devlnfo MO comprises a unique identifier for the device, a manufacturer identifier, a device model identifier, an OMA-DM client version identifier, and a language setting for the device.
  - 6. The device of claim 4, wherein the DevDetail MO comprises information to indicate whether the device supports OMA-DM large object handling.
  - 7. The device of claim 1, wherein the OMA-DM tree comprises a Wi-Fi MO.
  - 8. The device of claim 1, wherein the logic is further to:
    - send a third OMA-DM package 3 message toindicate a status of the command comprised in the first OMA-DM package 4 message, and confirm an addition of the subscription MO to the OMA-DM tree.
  - 9. The device of claim 8, wherein the logic is further to:
    - receive a second OMA-DM package 4 message in response to the third OMA-DM package 3 message;
      
      release the TLS session; and
      
      disassociate with the HS2.0-enabled Wi-Fi network following receipt of the second OMA-DM package 4 message.
  - 10. The device of claim 9, wherein the logic is further to:
    - associate with a Wi-Fi network using credentials comprised in the subscription MO following the disassociation with the HS2.0-enabled Wi-Fi network.
  - 11. The device of claim 1, wherein the logic is further to:
    - perform server-side authentication using a secure hypertext transfer protocol (HTTPS).
  - 12. The device of claim 1, wherein the device further includes:
    - two or more antennas, anda transceiver configured to be coupled to the two or more antennas.

13. A non-transitory computer-readable storage medium that stores instructions for execution by one or more processors to perform operations comprising:
- associating with a Wi-Fi Alliance Hotspot 2.0 (HS2.0)-enabled Wi-Fi network;
  
  establishing a transport-layer security (TLS) session with a sign-up server;
  
  sending a first OMA-DM package 3 message over a wireless link of the TLS session, the first OMA-DM package 3 message including a generic alert;
  
  sending a second OMA-DM package 3 message over the wireless link of the TLS session subsequent to successful certificate enrollment;
  
  receiving a first OMA-DM package 4 message in response to the second OMA-DM package 3 message, the first OMA-DM package 4 message to comprise a command to add a subscription management object (MO) to an OMA-DM tree of the device, the OMA-DM tree having a hierarchical structure comprised of at least a root and nodes, and wherein the OMA-DM tree comprises a fully-qualified domain name (FQDN) for at least one service provider, and a subscription MO for the at least one service provider; and
  
  adding the subscription MO to the OMA-DM tree in response to receipt of the first OMA-DM package 4 message and based on a location specified in the first OMA-DM package 4 message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the operations further comprise:
    - receiving a sign-up server certificate via the TLS session, the sign-up server certificate comprising an HS2.0 certificate issued by an HS2.0 certificate authority.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise:
    - verifying that the sign-up server certificate has been signed by an HS2.0 trust root using a public key of the HS2.0 trust root.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the operations further comprise:
    - sending an OMA-DM package 1 message over the wireless link in response to a determination that the sign-up server certificate has been signed by an HS2.0 trusted root, the OMA-DM package 1 message to comprise a generic alert set to subscription creation, a device information (Devlnfo) MO and a device detail (DevDetail) MO.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the operations further comprise:
    - receiving an OMA-DM package 2 message in response to the OMA-DM package 1 message, the OMA-DM package 2 message comprising an Exec;
      
      LaunchBrowsertoURI command and to identify a uniform resource identifier (URI); and
      
      establishing a secure hypertext transfer protocol (HTTPS) connection to the URI identified by the OMA-DM package 2 message.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the operations further comprise:
    - sending an HTTPS GET request over the HTTPS connection; and
      
      exchanging information over the HTTPS connection to obtain subscription credentials, the information including at least one of a selection of a rate plan, payment information, and user identification information.

19. An apparatus for a station (STA), the apparatus comprising:
- transceiver circuitry; and
  
  hardware processing circuitry to configure the transceiver circuitry to;
  
  associate with a Wi-Fi Alliance Hotspot 2.0 (HS2.0)-enabled Wi-Fi network;
  
  establish a transport-layer security (TLS) session with a sign-up server;
  
  send a first OMA-DM package 3 message over a wireless link of the TLS session, the first OMA-DM package 3 message including a generic alert;
  
  send a second OMA-DM package 3 message over the wireless link of the TLS session subsequent to successful certificate enrollment; and
  
  receive a first OMA-DM package 4 message in response to the second OMA-DM package 3 message, the first OMA-DM package 4 message to comprise a command to add a subscription management object (MO) to an OMA-DM tree of the device, the OMA-DM tree having a hierarchical structure comprised of at least a root and nodes, and wherein the OMA-DM tree comprises a fully-qualified domain name (FQDN) for at least one service provider, and a subscription MO for the at least one service provider.
- View Dependent Claims (20, 21)
- - 20. The apparatus of claim 19, wherein the hardware processing circuitry is further to configure the transceiver circuitry to determine that the HS2.0 hotspot supports HS2.0 connectivity based on an indication in a beacon of an HS2.0 access point (AP).
  - 21. The apparatus of claim 19, wherein the hardware processing circuitry is further to configure the transceiver circuitry to perform server-side authentication using a secure hypertext transfer protocol (HTTPS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daedalus Prime LLC (Daedalus Group LLC)
Original Assignee
Intel Corporation
Inventors
Gupta, Vivek, Canpolat, Necati
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/431,149
Publication Number

US 20170290088A1
Time in Patent Office

869 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 41/28   Restricting access to netwo...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 67/02   based on web technology, e....

H04L 67/125   involving control of end-de...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 76/12   Setup of transport tunnels

H04W 84/12   WLAN [Wireless Local Area N...

Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device-management protocol

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device-management protocol

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links