Secure network access method

US 20030091030A1
Filed: 06/28/2002
Published: 05/15/2003
Est. Priority Date: 11/09/2001
Status: Active Grant

First Claim

Patent Images

1. An authentication process comprising the steps of:

sending out from a mobile client a solicitation message that contains a proof of identity of the mobile client;

verifying the proof by a trusted entity; and

returning an advertising message from an access router only when the proof is successfully verified.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides network-layer authentication protocols for authenticating mobile client and access router to each other. The present invention uses Router Discovery as a carrier to implement the authentication protocols. In an embodiment of the present invention, a mobile client sends out a solicitation message to request connectivity service. The solicitation message contains a proof of identity of the mobile client. An access router that receives the solicitation message will not respond to it until the proof of the identity is verified. Only when the proof of identity of the mobile client is verified, will the access router respond and return an advertising message to the mobile client, thereby preventing unauthorized mobile clients from obtaining network access.

90 Citations

View as Search Results

37 Claims

1. An authentication process comprising the steps of:
- sending out from a mobile client a solicitation message that contains a proof of identity of the mobile client;
  
  verifying the proof by a trusted entity; and
  
  returning an advertising message from an access router only when the proof is successfully verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. An authentication process as recited in claim 1, further comprising the step of certifying by the trusted entity to the mobile client any intermediate entities located between the mobile client and the trusted entity.
  - 3. An authentication process as recited in claim 1, wherein the process is used in a communication network comprising a plurality administrative domains each served by at least one administrative server and each having at least one access router.
  - 4. An authentication process as recited in claim 3, wherein the trusted entity is a server serving a home domain to which the mobile client belongs.
  - 5. An authentication process as recited in claim 3, wherein the trusted entity is a server serving a foreign domain visited by the mobile client.
  - 6. An authentication process as recited in claim 3, wherein the trusted entity is an access router that has received the solicitation message from the mobile client.
  - 7. An authentication process as recited in claim 1, wherein the advertising message contains a proof of identity of the access router for authentication by the mobile client.
  - 8. An authentication process as recited in claim 1, further comprising the steps of:
    - voluntarily sending out from a mobility serving node an advertising message that contains a proof of the identity of the access router;
      
      verifying the proof by a mobile client; and
      
      performing the steps recited in claim 1 when the mobile client is unable to verify the proof.
  - 9. An authentication process as recited in claim 1, wherein the steps recited in claim 1 are performed while the mobile client is in communication with the access router to re-authenticate the access router to the mobile client, and wherein the advertising message from the access router contains a proof of identity of the access router.
  - 10. An authentication process as recited in claim 1, wherein an access router, while in communication with a mobile client, sends out an advertisement message with short effective lifetime to initiate the steps recited in claim 1 in order to re-authenticate the mobile client to the access router.
  - 11. An authentication process as recited in claim 1, wherein IPv4 is adopted for data communication.
  - 12. An authentication process as recited in claim 1, wherein IPv6 is adopted for data communication.
  - 13. An authentication process as recited in claim 1, wherein the verification is performed, using an asymmetric key algorithm.
  - 14. An authentication process as recited in claim 1, wherein the verification is performed, using a symmetric key algorithm.
  - 15. An authentication process as recited in claim 1, wherein at least one of the solicitation message and the advertising message includes a challenge.

16. A mobile client comprising:
- a transmitter for sending out a solicitation message that contains a proof of identity of the mobile client; and
  
  a receiver for receiving an advertising message from an access router, wherein the mobile client receives the advertising message only when the proof is successfully verified.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. A mobile client as recited in claim 16, wherein the advertising message contains a proof of identity of the access router, and the mobile client is capable of verifying the proof.
  - 18. A mobile client as recited in claim 16, wherein the transmitter sends out the solicitation message to the access router while the mobile client is in communication with the access router in order to re-authenticate the access router.
  - 19. A mobile client as recited in claim 16, wherein IPv4 is adopted for data communication.
  - 20. A mobile client as recited in claim 16, wherein IPv6 is adopted for data communication.
  - 21. A mobile client as recited in claim 16, wherein the verification is performed, using an asymmetric key algorithm.
  - 22. A mobile client as recited in claim 16, wherein the verification is performed, using a symmetric key algorithm.
  - 23. A mobile client as recited in claim 16, wherein at least one of the solicitation message and the advertising message includes a challenge.

24. An AAA network comprised of a plurality of administrative domains each served by at least one administrative server and each having at least one access router deployed therein, comprising:
- a mobile client that sends out a solicitation message that contains a proof of identity of the mobile client;
  
  a trusted entity that verifies the proof; and
  
  an access router that returns an advertising message only when the proof is successfully verified.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 25. An AAA network as recited in claim 24, wherein the trusted entity certifies to the mobile client any intermediary entities located between the mobile client and the trusted entity.
  - 26. An AAA network as recited in claim 24, wherein the trusted entity is a server serving a home domain to which the mobile client belongs.
  - 27. An AAA network as recited in claim 24, wherein the trusted entity is a server serving a foreign domain visited by the mobile client.
  - 28. An AAA network as recited in claim 24, wherein the trusted entity is an access router that has received the solicitation message from the mobile client.
  - 29. An AAA network as recited in claim 24, wherein the advertising message contains a proof of the identity of the access router for authentication by the mobile client.
  - 30. An AAA network as recited in claim 24, wherein the access router voluntarily sends out an advertisement message that contains a proof of identity of the access router, and the mobile client verifies the proof and sends out the solicitation message when it is unable to verify the proof.
  - 31. An AAA network as recited in claim 24, wherein the mobile client sends out the solicitation message while in communication with the access router, and the access router sends out an advertising message that contains a proof of identity of the access router for authentication by the mobile client.
  - 32. An AAA network as recited in claim 24, wherein the access router, while in communication with the mobile client, sends out an advertisement message with a short lifetime to induce the mobile client to send out the solicitation message.
  - 33. An AAA network as recited in claim 24, wherein IPv4 is adopted for data communication.
  - 34. An AAA network as recited in claim 24, wherein IPv6 is adopted for data communication.
  - 35. An AAA network as recited in claim 24, wherein the verification is performed, using an asymmetric key algorithm.
  - 36. An AAA network as recited in claim 24, wherein the verification is performed, using a symmetric key algorithm.
  - 37. An AAA network as recited in claim 24, wherein at least one of the solicitation message and the advertising message contains a challenge.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Godo Kaisha IP Bridge 1 (IP Bridge, Inc.)
Original Assignee
DOCOMO Communications Laboratories USA, Inc.
Inventors
Williams, Carl, Yegin, Alper E., He, Xiaoning

Granted Patent

US 7,286,671 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/352
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0892   by using authentication-aut...

H04L 63/126   the source of the received ...

H04L 63/164   at the network layer

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 48/16   Discovering, processing acc...

H04W 74/0866   using a dedicated channel f...

H04W 80/04   Network layer protocols, e....

H04W 88/005   Data network PoA devices

Secure network access method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Secure network access method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others