System and method for secure network roaming

US 20030039234A1
Filed: 08/05/2002
Published: 02/27/2003
Est. Priority Date: 08/10/2001
Status: Active Grant

First Claim

Patent Images

1. A wireless data network process, comprising the steps of:

providing a network with prior authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN);

establishing and using an authentication mechanism between the MN and the PGN using the network connection;

establishing an encrypted channel between the MN and the PGN based on authentication established with the authentication mechanism;

providing configuration data from the PGN to the MN using the encrypted channel;

using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN). The method and system establish and use an authentication mechanism between the MN and the PGN using the network connection. An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism. Configuration data is sent from the PGN to the MN using the encrypted channel. The configuration data may then be used by the MN for communication to and from the MN via the PGN. Any network connected to the PGN may then be used. The authentication mechanism advantageously includes exchanging public keys and then using the public keys to mutually authenticate the MN and PGN. The configuration data sent from the PGN to the MN using the encrypted channel advantageously includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data. The MN may then connect to a non-GPRS wireless local network and establish a MIP session across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).

168 Citations

26 Claims

1. A wireless data network process, comprising the steps of:
- providing a network with prior authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN);
  
  establishing and using an authentication mechanism between the MN and the PGN using the network connection;
  
  establishing an encrypted channel between the MN and the PGN based on authentication established with the authentication mechanism;
  
  providing configuration data from the PGN to the MN using the encrypted channel;
  
  using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A process according to claim 1, wherein the network connection is via a serving General Packet Radio Service (GPRS) support node with a radio network connection to the PGN as a GPRS support packet gateway node.
  - 3. A process according to claim 1, wherein the authentication mechanism includes:
    - at the MN generating a public/private key pair and storing the pair with names;
      
      sending from the MN a message containing the MN'"'"'s public key and key name to the PGN via the network connection;
      
      responding from the PGN with a message containing the PGN'"'"'s public key and public key name;
      
      receiving the PGN'"'"'s public key at the MN and storing this PGN public key at the MN; and
      
      using the exchanged public keys for mutual authentication of the MN with the PGN.
  - 4. A process according to claim 1, wherein said step of providing configuration data from the PGN to the MN using the encrypted channel includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data.
  - 5. A process according to claim 4, further comprising:
    - using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing a security association (SA) with the PGN;
      
      connecting the MN to a non-GPRS wireless local network;
      
      establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 6. A wireless data network process according to claim 4, wherein said step of using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN includes:
    - providing the network connection as a radio network connection to a serving General Packet Radio Service (SGSN) support node with a network connection to the PGN as a gateway GPRS support node (GGSN). connecting the MN, and the MN to authenticate the PGN to a non-GPRS wireless local network;
      
      establishing Mobile IP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 7. A wireless data network process according to claim 6, further comprising the step of obtaining a new Mobile IP session key, including:
    - prior to the expiration of the Mobile IP session key, sending a Mobile IP registration request with a Vendor Specific Extension indicating that a new Mobile IP session key is desired;
      
      receiving, validating and authenticating this message at the PGN and generating a new Mobile IP session key and encrypting it with the MN'"'"'s public key; and
      
      extracting the encrypted value and decrypting the encrypted value with the private key of the MN.
  - 8. A wireless data network process according to claim 7, wherein the step of obtaining a new Mobile IP session key includes:
    - providing the registration reply with an authentication value based on the previous Mobile IP session key.
  - 9. A process according to claim 1, further comprising:
    - establishing a connection of the MN on a Wireless Local Area Network (WLAN);
      
      requesting a Mobile IP Care-Of-Address (COA) from a dynamic Host configuration protocol server;
      
      receiving the COA at the MN from across the Wireless LAN and sending data packets from the MN to a target host via the wireless LAN connection and receiving data packets from the target host via the wireless LAN connection.
  - 10. A process according to claim 9, further comprising:
    - terminating the connection with the PGN and detatching from the WLAN after the conclusion of a data session of the MN.
  - 11. A process according to claim 9, further comprising:
    - roaming with the MN into a region of the radio network and sending a message from the MN as a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is on the home network and using an authentication value within the message;
      
      sending a Mobile IP registration reply from the PGN to the MN using the authentication value.

12. A wireless data network process, comprising the steps of:
- providing a serving GPRS support node with a radio network connection to a Gateway GPRS support packet gateway node (PGN);
  
  providing a mobile node client (MN);
  
  at the client generating a public/private key pair and storing the pair with names;
  
  sending from the client a message containing its public key and key name to the PGN via the radio network connection;
  
  responding from the PGN with a message containing the PGN'"'"'s public key and public key name;
  
  receiving the PGN'"'"'s public key at the client and storing this PGN public key at the client;
  
  establishing an encrypted channel between the MN and the PGN based on authentication established using one or more of the exchanged public keys;
  
  performing at the client a secure copy from the PGN to copy a configuration file from a designated directory on the PGN to a designated directory on the client;
  
  using a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. A process according to claim 12, further comprising using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing the security association (SA).
  - 14. A wireless data network process according to claim 12, further comprising the step of:
    - connecting the MN to a non-GPRS wireless local network;
      
      establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 15. A wireless data network process according to claim 14, further comprising the steps of:
    - whenever configuration material (keys or other data) is required by initiates an SSH session by the MN to the PGN with the PGN replying with fresh keying material to the MN using a secured copy between the MN and PGN and with an Internet Key Exchange (IKE) required whenever the IPsec Security Association (SA) expires.
  - 16. A process according to claim 12, further comprising:
    - establishing a connection of the MN on a Wireless LAN;
      
      requesting a Mobile IP Care-Of-Address (COA) from Dynamic Host Configuration Protocol (DHCP) server on the Internet;
      
      receiving the COA at the MN from across the Wireless LAN and sending data packets from the MN to a target host via the wireless LAN connection and receiving data packets from the target host via the wireless LAN connection.
  - 17. A process according to claim 16, further comprising:
    - terminating the connection with the PGN and detatching from the WLAN after the conclusion of a data session of the MN.
  - 18. A process according to claim 16, further comprising:
    - roaming with the MN into a region of the radio network and sending a message from the MN a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is on the home network authenticated using the value obtained;
      
      sending a Mobile IP registration reply from the PGN to the MN using the authentication value obtained.

19. A wireless network system, comprising:
- a mobile node with a wireless transceiver;
  
  a serving General Packet Radio Service (GPRS) support node;
  
  a radio access network;
  
  a GPRS gateway including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA);
  
  a wireless local area network (WLAN) with a wireless access node and an internet connection;
  
  at least one or both of a connection from the MN to the PGN and a connection between the MN and the WLAN;
  
  a PGN public key;
  
  a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN'"'"'s public key and public key name being sent in reply to the MN via the radio network;
  
  a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
  
  a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file; and
  
  an IPSec Security Association between the MN and the PGN with a security parameters index obtained from the SA for identifying the MN, the IPSec Security association being established between the PGN and the MN using the IP Security protocol (IPsec) configuration data.

20. A wireless network system, comprising:
- a mobile node with a wireless transceiver;
  
  a serving GPRS support node (SGPRS);
  
  a radio access network;
  
  a gateway GPRS including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA) with authentication of a MN handled by the GPRS/UMTS to establish a Mobile IP connection including a PGN public and private key;
  
  a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN'"'"'s public key and public key name being sent in reply to the MN via the radio network;
  
  a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
  
  a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from configuration file.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A system according to claim 20, wherein in addition, an initial key exchanged based on Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data forms the basis for subsequent key exchanges using a standard'"'"'s based protocol.
  - 22. A system according to claim 20, wherein the standard'"'"'s based protocol is IPsec.
  - 23. A system according to claim 22, wherein subsequent traffic between the MN and the PGN is encrypted with the IKE aggressive mode key exchange using the shared key to establish a large encryption key and a SA.
  - 24. A system according to claim 20, further comprising:
    - a wireless local area network (WLAN) with a wireless access node and an internet connection;
      
      a connection between the MN and the WLAN;
      
      a Mobile IP care-of-address obtained from a DHCP server through the connection between the MN and the WLAN.

25. A wireless data network process, comprising the steps of:
- providing a serving GPRS support node with a radio network connection to a packet gateway node (PGN);
  
  providing a mobile node client (MN);
  
  performing a public key exchange across the GPRS/UMTS network between a mobile node and the PGN 7 to establish authentication;
  
  using a secure copy facility based on the authentication to obtain IPsec and Mobile IP configuration data at the MN from the PGN to provide the MN and the PGN with a shared secret session key used by Mobile IP as well as a shared secret IPsec authentication key used for IKE authentication;
  
  using the MN to establish a connection on wireless Local Area Network (LAN) and requesting a Mobile IP Care-Of-Address (COA) from a Dynamic Host Configuration Protocol (DHCP) server on the Internet;
  
  receiving the COA across the wireless LAN 3;
  
  sending a Mobile IP registration request to the PGN as a Home Agent (HA) hosted in the PGN;
  
  receiving the Mobile IP registration request at the PGN and authenticating the request using a 128-bit key established from the IPsec and Mobile IP configuration data;
  
  negotiating an IPsec Encapsulated Security Protocol (ESP) using the IPsec authentication key established from the IPsec and Mobile IP configuration data;
  
  using the MN and the wireless LAN to send packets to a target host using the ESP to the PGN with the PGN forwarding the packets to the target host;
  
  replying with the target host sending packets to the PGN with the PGN forwarding packets using the ESP to the MN;
  
  at the conclusion of the data session with the wireless LAN, terminating the connection of the MN with the PGN and detaching the MN from the wireless LAN.
- View Dependent Claims (26)
- - 26. A process according to claim 25, further comprising:
    - roaming with the MN back into the GPRS/UMTS network and sending from the MN a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is back on the home network with the PGN 7 sending a Mobile IP registration reply to the MN using the 128-bit authentication value obtained from the IPsec and Mobile IP configuration data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syniverse Technologies LLC (Syniverse Corp.)
Original Assignee
Skylead Assets Limited
Inventors
Sharma, Mukesh, Roberts, Philip, Sanchez, Luis, Skiscim, Christopher

Granted Patent

US 7,389,412 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/164   at the network layer

H04L 9/0844   with user authentication or...

H04L 9/3273   for mutual authentication n...

H04W 12/041   Key generation or derivation

H04W 12/0471   Key exchange

H04W 12/069   using certificates or pre-s...

H04W 60/00   Affiliation to network, e.g...

H04W 76/20   Manipulation of established...

H04W 80/04   Network layer protocols, e....

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/16   Gateway arrangements

H04W 92/02   Inter-networking arrangements

System and method for secure network roaming

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure network roaming

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links