Authentication and authorization in heterogeneous networks

US 20050166043A1
Filed: 04/07/2004
Published: 07/28/2005
Est. Priority Date: 01/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authentication and authorization of a mobile terminal roaming to or in a foreign network different from its home network, the home network having an authentication and authorization home server, and the foreign network having a plurality of domains each of which comprises at least one local server for authentication, authorization and accounting, each of the local servers being connected to at least one network access server for handling access for mobile terminals roaming to or in the foreign network, the method comprises the steps of:

detecting a roaming of the mobile terminal;

identifying a combination of network elements involved in the detected roaming; and

selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and network elements for authentication and authorization of a mobile terminal (MT) roaming to or in a foreign network different from its home network is provided, the home network having an authentication and authorization home server (AAAH), and the foreign network having a plurality of domains each of which comprises at least one local server (AAAL1, AAAL2) for authentication, authorization and accounting, each of which local servers being connected to at least one network access server (NAS) for handling access for mobile terminals roaming to or in the foreign network, wherein an authentication and authorization of the mobile terminal is performed whenever the mobile terminal performs a roaming, wherein the authentication and authorization is performed according to a procedure pursuant to one of a plurality of hierarchy levels, whereby a combination of network elements involved in the roaming determines the hierarchy level to be used.

261 Citations

33 Claims

1. A method for authentication and authorization of a mobile terminal roaming to or in a foreign network different from its home network, the home network having an authentication and authorization home server, and the foreign network having a plurality of domains each of which comprises at least one local server for authentication, authorization and accounting, each of the local servers being connected to at least one network access server for handling access for mobile terminals roaming to or in the foreign network, the method comprises the steps of:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming; and
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further comprising a step of performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures.
  - 3. The method according to claim 2, wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises the steps of:
    - allocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
      
      defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
      
      allocating the local security information to the mobile terminal by the local server;
      
      wherein the step of performing uses the allocated local security information for authentication and authorization.
  - 4. The method according to claim 3, wherein the local security information is generated in accordance with a used authentication technique.
  - 5. The method according to claim 4, wherein the authentication and authorization is performed based on a procedure of a first hierarchy level upon the mobile terminal performing an inter-domain roaming from its home server to a local server of the foreign network, when the mobile terminal attaches to the foreign network, wherein the procedure comprises the following steps:
    - asking the mobile terminal for authentication information by the network access server handling the attachment of the mobile terminal to the foreign network;
      
      transmitting, by the mobile terminal, its authentication information to the asking network access server;
      
      forwarding, by the network access server, the received authentication information of the mobile terminal to the local server being connected thereto;
      
      requesting, by the local server, identification of the mobile terminal at the home server;
      
      distributing, by the local server, the local security information to the mobile terminal upon receiving of the identification of the mobile terminal from the home server; and
      
      authenticating and authorizing, by the mobile terminal, its identity within the local domain of the foreign network upon receiving of the local security information.
  - 6. The method according to claim 5, wherein the step of distributing of the local security information from the local server to the mobile terminal is performed in a confidential manner.
  - 7. The method according to claim 5, wherein the distributing of the local security information comprises the steps of:
    - transmitting the local security information from the local server to the network access server by means of a predetermined security association between the local server and the network access server; and
      
      when a mutual authentication method is used, transmitting of the local security information from the network access server to the mobile terminal by means of a secure channel which has been established according to a used mutual authentication method.
  - 8. The method according to claim 5, wherein the distributing of the local security information comprises the steps of:
    - when an authentication method without a secure channel between the network access server and the mobile terminal is used, transmitting a request for an encryption key from the local server to the home server along with the authentication information of the mobile terminal;
      
      generating an encryption key by the home server using at least the received authentication information of the mobile terminal and transmitting the encryption key to the local server; and
      
      encrypting of the local security information with the encryption key at the local server and transmitting the encrypted local security information from the local server to the mobile terminal, wherein the mobile terminal generates the same encryption key using at least its authentication information, by means of which encryption key it decrypts the received encrypted local security information.
  - 9. The method according to claim 4, wherein the authentication and authorization is performed based on a procedure of a second hierarchy level upon the mobile terminal performing an inter-domain roaming from a first network access server being connected to a first local server of a first domain of the foreign network to a second network access server being connected to a second local server of a second domain of the foreign network, the procedure comprising the steps of:
    - sending a request for the local security information of the mobile terminal from the second local server to the first local server;
      
      transmitting of the local security information of the mobile terminal from the first local server to the second local server; and
      
      using the local security information at the second local server for authentication and authorization of the mobile terminal within the local domain.
  - 10. The method according to claim 9, wherein the step of using the local security information comprises a step of transmitting the local security information to the second network access server by means of a predetermined security association between the second local server and the second network access server.
  - 11. The method according to claim 4, wherein the authentication and authorization is performed based on a procedure of a third hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of a domain of the foreign network to a second network access server of the same domain, the procedure comprising the steps of:
    - sending a request for the local security information of the mobile terminal from the second network access server to the local server of the domain;
      
      transmitting of the local security information of the mobile terminal from the local server of the domain to the second network access server by means of a predetermined security association between the local server of the domain and the second network access server; and
      
      using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.
  - 12. The method according to claim 4, wherein the authentication and authorization is performed based on a procedure of a fourth hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of an authentication and authorization area of the foreign network to a second network access server of the same authentication and authorization area, wherein the first network access server knows the local security information of the mobile terminal, the procedure comprising the steps of:
    - sending a request for the local security information of the mobile terminal from the second network access server to the first network access server;
      
      transmitting of the local security information of the mobile terminal from the first network access server to the second network access server; and
      
      using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.
  - 13. The method according to claim 12, wherein an authentication and authorization area is an area within a domain of a network, within which area network access servers have a predetermined security association with each other, by means of which they can share authentication and authorization information in a confidential manner.

14. A system for authentication and authorization of a mobile terminal roaming to or in a foreign network different from its home network, the system comprising an authentication and authorization home server in the home network, at least one local server for authentication, authorization and accounting in each of a plurality of domains of the foreign network, and at least one network access server for handling access of mobile terminals roaming to or in the foreign network, each of which network access servers being connectable to one of the local servers, the system comprises:
- a detector for detecting a roaming of the mobile terminal;
  
  an identifier for identifying a combination of network elements involved in the roaming being detected by the detector; and
  
  a selector for selecting one of a plurality of authentication and authorization procedures to be performed based on the combination being identified by the identifier.
- View Dependent Claims (15, 16)
- - 15. The system according to claim 14, further comprising an authentication and authorization processor being configured to perform authentication and authorization of the mobile terminal based on the selected one of the plurality of authentication and authorization procedure.
  - 16. A system according to claim 14, wherein the home network and the foreign network are either IP-based, cellular networks or IP-based cellular networks.

17. A serving node for authentication, authorization and accounting in a domain of a network, the serving node being a local server of the domain to which a mobile terminal is attachable, which mobile terminal is registered with a home server of its home network, and the serving node being connectable to at least one network access server for handling access of mobile terminals roaming to or in the network, the serving node comprising:
- an authentication and authorization processor for authentication and authorization of the mobile terminal, which processor is operable according to a procedure being selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The serving node according to claim 17, further comprising:
    - allocating means for allocating a temporary local identity to the mobile terminal, when the mobile terminal attaches to the network, and for allocating a local security information to the mobile terminal;
      
      defining and generating means for defining and generating the local security information representing a binding of a user identity of the mobile terminal and the temporary local identity allocated by the allocating means;
      
      storing means for storing the temporary local identity and the local security information of the terminal; and
      
      mapping means for mapping the local security information to a real user account.
  - 19. The serving node according to claim 17, further comprising:
    - a transceiver being configured to transmit and receive the local security information and other information to and from another local serving node and a network access server being connectable to the serving node.
  - 20. The serving node according to claim 19, wherein the transceiver is further adapted to transmit and receive information of the mobile terminal to and from the home server of the mobile terminal for identification of the mobile terminal.
  - 21. The serving node according to claim 17, further comprising encrypting means being configured to encrypt local security information with an encryption key receivable from the home server;
    - and distributing means being configured to control a distribution the encrypted local security information to the mobile terminal based on a used authentication method.

22. A home serving node for authentication, authorization and accounting in a domain of a network, the home serving node being a home server of a mobile terminal being attachable to another network, the home serving node comprising:
- key generating means being configured to generate an encryption key for the mobile terminal using at least authentication information of the mobile terminal, which information is receivable from a serving node of the other network; and
  
  a transceiver being configured to receive at least the authentication information from and to transmit the encryption key to the serving node.
- View Dependent Claims (23)
- - 23. The home serving node according to claim 22, wherein the home serving node is a home subscriber server of a cellular network.

24. A network access server being connectable to a local server of a domain of a network, the network access server comprising accessing means being configured to handle access of a mobile terminal to the network;
- and a transceiver being configured to transmit and receive a local security information of the mobile terminal and other information to and from the connectable local server, another connectable network access server and a connectable mobile terminal;
  
  wherein the network access server is adapted to authenticate and authorize according to a procedure being selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The network access server according to claim 24, being configured to support an authentication and authorization area, which is an area within a domain of a network, within which area network access servers have a predetermined security association with each other, by means of which they are adapted to share authentication and authorization information in a confidential manner.
  - 26. The network access server according to claim 24, wherein the network access server is operable as an access router of an IP network.
  - 27. The network access server according to claim 24, wherein the network access server is operable as a base station system of a GPRS network.
  - 28. The network access server according to claim 24, wherein the network access server is operable as a Node B of a UMTS network.
  - 29. The network access server according to claim 24, wherein the network access server is operable as a radio network controller, RNC, of a UMTS network.

30. A mobile terminal which is able to register with a home server in its home network and which is attachable to a foreign network by means of a network access server of the foreign network, the foreign network having a plurality of domains each of which comprises at least one local server for authentication, authorization and accounting, each of the local servers being connectable to at least one of the network access servers, wherein the mobile terminal is configured to perform an authentication and authorization according to a procedure being selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal.
- View Dependent Claims (31, 32, 33)
- - 31. The mobile terminal according to claim 30, further comprising:
    - a transceiver being configured to transmit and receive information to and from one of the network access servers of the foreign network.
  - 32. The mobile terminal according to claim 30, further comprising:
    - storing means being configured to keep a list of local security information of each network having been attached to, wherein the local security information is allocable to the mobile terminal by one of the local servers of the foreign networks.
  - 33. The mobile terminal according to claim 30, further comprising:
    - key generating means being configured to generate an encryption key using at least its authentication information for communicating with a local server; and
      
      decrypting means being configured to decrypt received encrypted information by means of the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Zhang, Hong, Zhang, Dajiang, Jiang, Luliang

Granted Patent

US 7,461,248 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/205   involving negotiation or de...

H04Q 2213/13095   PIN / Access code, authenti...

H04Q 2213/13096   Digital apparatus individua...

H04Q 2213/13098   Mobile subscriber

H04Q 2213/1329   Asynchronous transfer mode,...

H04Q 2213/13389   LAN, internet

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/75   Temporary identity

Authentication and authorization in heterogeneous networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

261 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Authentication and authorization in heterogeneous networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

261 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others