System and method for secure network roaming
Abstract
A wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN). The method and system establish and use an authentication mechanism between the MN and the PGN using the network connection. An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism. Configuration data is sent from the PGN to the MN using the encrypted channel. The configuration data may then be used by the MN for communication to and from the MN via the PGN. Any network connected to the PGN may then be used. The authentication mechanism advantageously includes exchanging public keys and then using the public keys to mutually authenticate the MN and PGN. The configuration data sent from the PGN to the MN using the encrypted channel advantageously includes Mobile Internet Protocol (MIP) configuration data and IP Security protocol (IPsec) configuration data. The MN may then connect to a non-GPRS wireless local network and establish a MIP session across the non-GPRS network as a tunneled session using an IPsec encapsulating security payload (ESP).
Claims (26)
1. A wireless data network process, comprising the steps of:
- providing a network with prior authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN);
- establishing and using an authentication mechanism between the MN and the PGN using the network connection;
- establishing an encrypted channel between the MN and the PGN based on authentication established with the authentication mechanism;
- providing configuration data from the PGN to the MN using the encrypted channel;
- using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN.
(Dependent claims 2 to 11 not reproduced here.)

12. A wireless data network process, comprising the steps of:
- providing a serving GPRS support node with a radio network connection to a Gateway GPRS support packet gateway node (PGN);
- providing a mobile node client (MN);
- at the client generating a public/private key pair and storing the pair with names;
- sending from the client a message containing its public key and key name to the PGN via the radio network connection;
- responding from the PGN with a message containing the PGN's public key and public key name;
- receiving the PGN's public key at the client and storing this PGN public key at the client;
- establishing an encrypted channel between the MN and the PGN based on authentication established using one or more of the exchanged public keys;
- performing at the client a secure copy from the PGN to copy a configuration file from a designated directory on the PGN to a designated directory on the client;
- using a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file.
(Dependent claims 13 to 18 not reproduced here.)

19. A wireless network system, comprising:
- a mobile node with a wireless transceiver;
- a serving General Packet Radio Service (GPRS) support node;
- a radio access network;
- a GPRS gateway including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA);
- a wireless local area network (WLAN) with a wireless access node and an internet connection;
- at least one or both of a connection from the MN to the PGN and a connection between the MN and the WLAN;
- a PGN public key;
- a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN's public key and public key name being sent in reply to the MN via the radio network;
- a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
- a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file; and
- an IPsec Security Association (SA) between the MN and the PGN with a security parameters index obtained from the SA for identifying the MN, the IPsec Security Association being established between the PGN and the MN using the IP Security protocol (IPsec) configuration data.

20. A wireless network system, comprising:
- a mobile node with a wireless transceiver;
- a serving GPRS support node (SGPRS);
- a radio access network;
- a gateway GPRS including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA) with authentication of a MN handled by the GPRS/UMTS to establish a Mobile IP connection including a PGN public and private key;
- a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN's public key and public key name being sent in reply to the MN via the radio network;
- a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
- a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file.
(Dependent claims 21 to 24 not reproduced here.)

25. A wireless data network process, comprising the steps of:
- providing a serving GPRS support node with a radio network connection to a packet gateway node (PGN);
- providing a mobile node client (MN);
- performing a public key exchange across the GPRS/UMTS network between a mobile node and the PGN 7 to establish authentication;
- using a secure copy facility based on the authentication to obtain IPsec and Mobile IP configuration data at the MN from the PGN to provide the MN and the PGN with a shared secret session key used by Mobile IP as well as a shared secret IPsec authentication key used for IKE authentication;
- using the MN to establish a connection on a wireless Local Area Network (LAN) and requesting a Mobile IP Care-Of-Address (COA) from a Dynamic Host Configuration Protocol (DHCP) server on the Internet;
- receiving the COA across the wireless LAN 3;
- sending a Mobile IP registration request to the PGN as a Home Agent (HA) hosted in the PGN;
- receiving the Mobile IP registration request at the PGN and authenticating the request using a 128-bit key established from the IPsec and Mobile IP configuration data;
- negotiating an IPsec Encapsulated Security Protocol (ESP) using the IPsec authentication key established from the IPsec and Mobile IP configuration data;
- using the MN and the wireless LAN to send packets to a target host using the ESP to the PGN with the PGN forwarding the packets to the target host;
- replying with the target host sending packets to the PGN with the PGN forwarding packets using the ESP to the MN;
- at the conclusion of the data session with the wireless LAN, terminating the connection of the MN with the PGN and detaching the MN from the wireless LAN.
(Dependent claim 26 not reproduced here.)
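The bootstrap that claims 12 and 25 describe, modelled end to end as an added example (not the patent's own code): the MN and PGN exchange named public keys over the GPRS link, derive a channel key, the PGN ships the configuration file over that channel (the "secure copy"), the MN's configuration application extracts the Mobile IP and IPsec data, and a later Mobile IP registration request sent over the WLAN is checked by the PGN-hosted HA with the 128-bit key, including rejection of a tampered or replayed request. The claims name no algorithms, so the following are assumptions of this example: Diffie-Hellman key pairs over RFC 2409 group 2, an HMAC-SHA256 counter keystream plus tag standing in for a real channel cipher, a key=value configuration file layout, HMAC-SHA256 as the registration authenticator, and a 300-second identification window for replay protection. All addresses, names and key values are constructed.

```python
"""Illustrative model (added here, not the patent's code) of the roaming bootstrap in
claims 12 and 25.  Assumed: Diffie-Hellman key pairs (RFC 2409 group 2), an
HMAC-SHA256 counter keystream plus tag as the channel cipher (stand-in for a real
AEAD), a key=value config file, and HMAC-SHA256 as the Mobile IP authenticator.
Every sample value is constructed."""
import hashlib
import hmac
import secrets
import time

# 1024-bit MODP prime of RFC 2409 group 2, generator 2 (kept small for brevity).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def gen_keypair(name):
    """Key pair 'stored with names', as claim 12 requires of the MN."""
    priv = secrets.randbelow(P - 2) + 1
    return {"name": name, "priv": priv, "pub": pow(G, priv, P)}

def channel_key(my_priv, peer_pub):
    """Channel key derived from the exchanged public keys (both sides get the same)."""
    shared = pow(peer_pub, my_priv, P).to_bytes(128, "big")
    return hashlib.sha256(b"roaming-channel|" + shared).digest()

def _keystream(key, n):
    blocks = (hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: what the PGN does to the config file before sending it."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()

def open_sealed(key, blob):
    """MN side: verify the tag first, then decrypt; a bad tag is an error, not data."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("channel tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def parse_config(text):
    """The 'configuration application': extract MIP and IPsec data from the file."""
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    mip_key = bytes.fromhex(kv["mip_key"])
    if len(mip_key) != 16:
        raise ValueError("Mobile IP key must be 128 bits")
    return {"home_agent": kv["home_agent"], "home_addr": kv["home_addr"],
            "mip_spi": int(kv["mip_spi"]), "mip_key": mip_key,
            "ipsec_psk": bytes.fromhex(kv["ipsec_psk"])}

def registration_request(cfg, coa, ident):
    """Mobile IP registration request with an HMAC authenticator over its fields."""
    body = f"RRQ|{cfg['home_addr']}|{cfg['home_agent']}|{coa}|{ident}|{cfg['mip_spi']}".encode()
    return body + b"|" + hmac.new(cfg["mip_key"], body, "sha256").hexdigest().encode()

def home_agent_verify(keys_by_spi, request, seen_idents, window=300):
    """HA side: pick the key by SPI, check the authenticator, then the identification."""
    body, _, mac = request.rpartition(b"|")
    fields = body.decode().split("|")
    key = keys_by_spi.get(int(fields[5]))
    if key is None:
        return False
    if not hmac.compare_digest(mac, hmac.new(key, body, "sha256").hexdigest().encode()):
        return False
    ident = int(fields[4])
    if abs(time.time() - ident) > window or ident in seen_idents:
        return False  # stale or replayed request (assumed replay-protection rule)
    seen_idents.add(ident)
    return True

def demo():
    """Run the sequence end to end and report what held; constructed values throughout."""
    mn, pgn = gen_keypair("mn-key-1"), gen_keypair("pgn-key-1")
    mn_store = {pgn["name"]: pgn["pub"]}  # MN stores the PGN public key under its name
    k_mn = channel_key(mn["priv"], mn_store["pgn-key-1"])
    k_pgn = channel_key(pgn["priv"], mn["pub"])
    config = ("home_agent=192.0.2.1\nhome_addr=192.0.2.77\nmip_spi=1000\n"
              "mip_key=000102030405060708090a0b0c0d0e0f\n"
              "ipsec_psk=" + "ff" * 32 + "\n")
    cfg = parse_config(open_sealed(k_mn, seal(k_pgn, config.encode())).decode())
    ha_keys, seen = {cfg["mip_spi"]: cfg["mip_key"]}, set()
    rrq = registration_request(cfg, "198.51.100.23", int(time.time()))  # COA from DHCP
    accepted = home_agent_verify(ha_keys, rrq, seen)
    replayed = home_agent_verify(ha_keys, rrq, seen)
    forged = home_agent_verify(ha_keys, rrq.replace(b"198.51.100.23", b"198.51.100.99"), seen)
    return {"channel_keys_match": k_mn == k_pgn, "registered": accepted,
            "replay_rejected": not replayed, "forgery_rejected": not forged,
            "ipsec_psk_bits": len(cfg["ipsec_psk"]) * 8}
```

The point the model makes clear is where the trust actually comes from: the PGN key the MN stores on first contact is what later authenticates the channel, the configuration file is only accepted after its tag verifies, and the HA never trusts a registration request on its fields alone but on the authenticator keyed with the 128-bit key delivered over that channel, plus an identification value that stops a captured request from being accepted twice.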
Specification