Modular authentication and authorization scheme for internet protocol

US 20030028763A1
Filed: 07/09/2002
Published: 02/06/2003
Est. Priority Date: 07/12/2001
Status: Active Grant

First Claim

Patent Images

1. A system for authentication and authorization, comprising:

(a) an authorizer configured to determine if a requestor is authorized to access a resource associated with a request;

(b) a client that is an Internet Protocol version 6 (IPv6) host, wherein the client is configured to make the request; and

(c) a local attendant that is accessible to the authorizer and the client and that provides a conduit through which messages between the client and the authorizer pass, wherein the authorizer, the client, and a peer on which the resource may be accessed are each in separate domains, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for three-party authentication and authorization. The system includes an authorizer that authorizes requestors, a client that makes a request, and a local attendant that provides a conduit through which messages between the client and the authorizer pass. The authorizer, the client, and a peer on which the requested resource may be accessed are each in separate domains. A domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities. A subscriber identity module (SIM) may be used to generate a copy of a key for the client to be used in accessing a requested resource.

180 Citations

22 Claims

1. A system for authentication and authorization, comprising:
- (a) an authorizer configured to determine if a requestor is authorized to access a resource associated with a request;
  
  (b) a client that is an Internet Protocol version 6 (IPv6) host, wherein the client is configured to make the request; and
  
  (c) a local attendant that is accessible to the authorizer and the client and that provides a conduit through which messages between the client and the authorizer pass, wherein the authorizer, the client, and a peer on which the resource may be accessed are each in separate domains, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the static credentials include a key.
  - 3. The system of claim 1, wherein the static credentials include a mutually known algorithm.
  - 4. The system of claim 1, wherein the static credentials include a key and a mutually known algorithm.
  - 5. The system of claim 1, wherein the client employs a subscriber identity module (SIM) that includes credentials for use in authenticating the client to another device.
  - 6. The system of claim 5, wherein if the requestor is authorized to access the resource associated with the request, the authorizer is further configured to provide to the peer a session key for accessing the resource, wherein the session key indicates that the requestor is authorized to access the resource.
  - 7. The system of claim 6, wherein the SIM generates a copy of the session key for use by the client.
  - 8. The system of claim 6, wherein the peer provides access to a network.
  - 9. The system of claim 6, wherein the peer provides a service to the client.
  - 10. The system of claim 6, wherein the peer is a home agent of the client.
  - 11. The system of claim 1, wherein the client is a mobile node.
  - 12. The method of claim 1, wherein the request and a reply are sent using an authentication, authorization, and accounting (AAA) version 6 or higher protocol.
  - 13. The system of claim 1, wherein the local attendant is an access router.
  - 14. The system of claim 1, wherein the local attendant is an Internet Protocol version 6 (IPv6) router.
  - 15. The system of claim 1, wherein the local attendant communicates with at least one local AAA server.

16. A method for authentication and authorization, comprising:
- (a) sending an identity associated with a client to an authorizer, wherein the identity is sent using Internet Protocol version 6 (IPv6);
  
  (b) generating, by the authorizer, a challenge that is calculated using the client identity;
  
  (c) sending the challenge to the client;
  
  (d) generating, by the client, a response employing the client identity and the challenge;
  
  (e) sending the response to the authorizer;
  
  (f) comparing, by the authorizer, the challenge to the client response;
  
  (g) transferring, by the authorizer, a key to a device providing a service to the client; and
  
  (h) automatically generating a copy of the key for use by the client by employing a subscriber identity module (SIM) associated with the client.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein each message between the authorizer and the client passes through a local attendant.
  - 18. The method of claim 17, wherein the authorizer, the client, and a peer providing access to a resource requested by the client are each in separate domains, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities.
  - 19. The method of claim 16, wherein the client is a mobile node.
  - 20. The method of claim 16, wherein the challenge and the response are sent using an authentication, authorization, and accounting (AAA) version 6 or higher protocol.
  - 21. The method of claim 16, further comprising the step of acknowledging, by the authorizer, that the transfer step is complete.

22. A system for authenticating and authorization, comprising:
- (a) means for determining if a requestor is authorized to access a resource associated with a request;
  
  (b) means for requesting access to the resource;
  
  (c) means for passing messages between the requestor and the determining means, wherein the determining means, the requesting means, and the message passing means are each in a separate domain, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
INVT SPE LLC (SoftBank Group Corp.)
Original Assignee
Nokia Corporation
Inventors
Haverinen, Henry, Malinen, Jari T., Kniveton, Timothy J.

Granted Patent

US 7,900,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0892   by using authentication-aut...

H04L 69/16   Implementation or adaptatio...

H04L 69/167   Adaptation for transition b...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 80/04   Network layer protocols, e....

Modular authentication and authorization scheme for internet protocol

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Modular authentication and authorization scheme for internet protocol

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links