Server, terminal control device and terminal authentication method
Abstract
Because mobile node devices move between networks (for example a laptop computer used on a work network and also on a home network, with a different home address on each), the mobile node (MN) home address and the home agent (HA) address may need to change dynamically when prefix allocation functions and HA address discovery functions are used. Methods that manually configure the IPsec SA used to encrypt traffic between the MN and the HA are therefore not practical in this environment. The current Mobile IPv6 protocol also has no function for recognizing the MN itself.
The present invention may operate as follows. Information on whether a prefix is distributable to an MN is held by a CA (certification authority). The server section of the HA allots prefix information to an MN approved by the CA. When the server section of the HA receives an IKE packet from the MN, it generates an IPsec SA after checking the prefix information held in the server section. The server section accepts an MN location registration request only when it is protected by that IPsec SA. The CA thus approves distribution of a prefix to the MN, and the MN is verified as genuine by generating an IPsec SA with the HA using the distributed prefix.
16 Claims
1. A server device comprising:
a processor for issuing and guaranteeing public key certification;
a memory for holding prefix allocation allow/prohibit information of a terminal device; and
a communications interface for receiving a public key certification issue request from said terminal device and rewriting said prefix allocation allow/prohibit information, said processor being structured to run a routine wherein a public key certification issue request is received from said terminal device, a public key certification of said terminal device is issued by the server device, said prefix allocation allow/prohibit information is rewritten by the server device, and said certification is sent to said terminal device from the server device.
Dependent claims: 2, 3
4. A terminal control device comprising:
a connection for communication with a server device containing a function to issue and guarantee public key certification, and prefix allocation allow/prohibit information;
a transceiver for acquiring public key certification from said server device; and
a routine to maintain security by utilizing IPsec technology, and a storage to store terminal device location information, wherein information confirming the identity of said terminal device is received from said terminal device, and a terminal device public key certification is acquired.
Dependent claims: 5, 6, 7
8. A terminal authentication method for a communication system containing an information processor device with a prefix allocation function, and a server device containing a processor and memory to guarantee and issue public key certification, and a visited network and a terminal device capable of connecting to said visited network, and a home network which is associated with the terminal device, and which is mutually connected with said visited network, and a terminal control device connected to said home network via said visited network, wherein
said server device issues a public key certification to said terminal device and rewrites prefix allocation information for said terminal device;
said information processor device receives a prefix allocation request from said terminal device, and makes an inquiry for prefix allocation allow/prohibit information to said server device, and allocates prefix information to said terminal device when allocation of the prefix is approved;
said terminal control device receives information confirming the identity of the terminal device from said terminal device, and sends prefix information of said terminal device to said information processor device; and
said information processor device establishes a security association between the terminal device to which said prefix information is issued and said terminal control device.
Dependent claims: 9, 10, 11
12. A combination method for authentication and location registration of a terminal located in a visited network comprising:
powering on a terminal;
sending a router advertisement to the terminal from a visited network router;
creating a care of address (CoA) in the terminal;
sending a device authentication request to the visited network router from the terminal;
sending a public key certification issue request with a public key of the terminal and a terminal ID to a calling authority server (CA) over an IP protocol network;
issuing a public key certification issue response from the calling authority server (CA) compatible with IPv6 protocol;
sending a DHCP solicit message from the terminal to a home agent server (HA) compatible with IPv6 protocol wherein the home agent server (HA) is linked to the calling authority server and checks with the calling authority server (CA) to allow prefix allocation;
responding to the terminal with a DHCP advertise message included in an IPv6 protocol payload;
sending a DHCP request to the home agent server from the terminal;
sending a DHCP reply to the terminal with prefix delegation;
creating a home address in the terminal;
sending a home agent address discovery request to the home agent server;
responding with a home agent address discovery reply from the home agent server to the terminal;
acquiring the home agent server home address in the terminal;
establishing an IPsec security association (SA) and digital signature via IKE (internet key exchange) and a secure communication channel using phase I and II IPsec ISAKMP protocols between the terminal and a home agent server which is linked to the calling authority server (CA) and which is located in a home area;
making a location binding update in the terminal using the IPsec security association (SA);
thereby providing an authentication method for verifying a terminal authenticity by linking a digital signature method with a location binding update method.
Dependent claims: 13, 14, 15
16. A combination method for authentication and location registration of a terminal located in a visited network comprising:
powering on a terminal;
sending a router advertisement to the terminal from a visited network router;
creating a care of address (CoA) in the terminal;
sending a device authentication request to the visited network router;
sending a public key certification issue request with a public key and a terminal ID to a calling authority server over an IP protocol network;
issuing a public key certification issue response from the calling authority server (CA) compatible with IPv6 protocol;
establishing an IPsec security association (SA) and digital signature via IKE (internet key exchange) and a secure communication channel using phase I and II IPsec ISAKMP protocols between the terminal in the visited network and a home agent server which is linked to the calling authority server (CA) and which is located in a home area;
making a location binding update in the terminal using the IPsec security association (SA);
sending a request to check the public key certification to the calling authority server (CA) from the home agent server;
responding from the calling authority server whether prefix allocation is allowed with a prefix and creating a home address for the terminal;
discovering and obtaining a home address of the home agent server by the terminal;
making a location binding update by the terminal using a binding cache from the home agent server;
thereby providing an authentication method for verifying a terminal authenticity by linking a digital signature method with a location binding update method.
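The sequence of claim 12, condensed into an added Python simulation that is not part of the patent text: a CA that issues a certificate and rewrites its prefix allow/prohibit entry, and an HA that delegates a prefix only on CA approval, generates the IPsec SA only after checking that prefix, and accepts a binding update only over that SA. The class and function names, the terminal IDs and the prefix pool are constructed; the DHCPv6 exchange, IKE and the certificate are stand-ins with no real cryptography.

```python
import ipaddress
class CA:
    """Certification authority (claim 1): issues certs, holds and rewrites the prefix allow/prohibit table."""
    def __init__(self, provisioned_ids):
        self.provisioned = set(provisioned_ids)  # operator-approved terminal IDs (constructed)
        self.certs, self.allow = {}, {}
    def issue_cert(self, terminal_id, pubkey):
        self.certs[terminal_id] = (terminal_id, pubkey)  # stand-in for a signed certificate
        self.allow[terminal_id] = terminal_id in self.provisioned  # rewrite allow/prohibit entry
        return self.certs[terminal_id]
    def prefix_allowed(self, terminal_id):
        return self.allow.get(terminal_id, False)

class HA:
    """Home agent: prefix only if the CA allows it; SA only after checking that prefix; BU only over the SA."""
    def __init__(self, ca, pool):
        self.ca, self.pool = ca, [ipaddress.IPv6Network(p) for p in pool]
        self.delegated, self.sa, self.binding_cache = {}, set(), {}
    def dhcp_prefix_delegation(self, terminal_id):
        # DHCP solicit/advertise/request/reply collapsed into one call; the HA asks the CA first
        if not self.ca.prefix_allowed(terminal_id) or not self.pool:
            return None
        self.delegated[terminal_id] = self.pool.pop(0)
        return self.delegated[terminal_id]
    def ike(self, terminal_id, home_addr, cert):
        # IKE: the SA is generated only for a certified terminal whose home address lies in its delegated prefix
        prefix = self.delegated.get(terminal_id)
        if prefix is None or cert != self.ca.certs.get(terminal_id):
            return False
        if ipaddress.IPv6Address(home_addr) not in prefix:
            return False
        self.sa.add(terminal_id)
        return True
    def binding_update(self, terminal_id, home_addr, coa):
        # Location registration is accepted only over an established SA and for an address in the prefix
        if terminal_id not in self.sa or ipaddress.IPv6Address(home_addr) not in self.delegated[terminal_id]:
            return False
        self.binding_cache[home_addr] = coa
        return True

def register(ca, ha, terminal_id, pubkey, coa):
    """Run the claim-12 sequence for one terminal and report where it stops."""
    cert = ca.issue_cert(terminal_id, pubkey)
    prefix = ha.dhcp_prefix_delegation(terminal_id)
    if prefix is None:
        return "prefix-denied"
    home_addr = str(prefix[1])  # home address formed inside the delegated prefix
    if not ha.ike(terminal_id, home_addr, cert):
        return "sa-failed"
    return "registered" if ha.binding_update(terminal_id, home_addr, coa) else "bu-rejected"
```

A terminal whose ID is not provisioned still receives a certificate but is stopped at prefix delegation, and even a terminal with an SA cannot register a home address outside the prefix the CA approved for it.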