Subscriber authentication for unlicensed mobile access signaling

US 20050239441A1
Filed: 04/26/2004
Published: 10/27/2005
Est. Priority Date: 04/26/2004
Status: Active Grant

First Claim

Patent Images

1. An unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the network comprising:

authenticating means for authenticating a mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station to a core network; and

connecting means for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network;

checking means for ensuring that higher-layer messages passing through the unlicensed mobile access network from the mobile station to the core network are from the mobile station that is authenticated with the unlicensed mobile access network;

wherein during authentication between the mobile station and the unlicensed mobile access network, the unlicensed mobile access network stores an identifying means that is associated with the mobile station and after authentication between the mobile station and the core network, the unlicensed mobile access network uses the checking means to examine the higher-layer messages that are sent from the mobile station to the core network and to ensure that the identifying means associated with mobile station is stored in the higher-layer message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network. The system comprises authenticating means for authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station, and thereafter, for authenticating the mobile station to a core network. The system also includes a mobile station with a subscriber identity module that includes an identifying means for identifying the mobile station. The system further includes a unlicensed mobile access network for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network. The unlicensed mobile access network comprises checking means for ensuring that higher-layer messages passing through the unlicensed mobile access network to the core network are from the mobile station that authenticated with the unlicensed mobile access network. The system also includes the core network for implementing transaction control and user services. During authentication between the mobile station and the unlicensed mobile access network, the unlicensed mobile access network stores the identifying means that is associated with the mobile station and after authentication between the mobile station and the core network, the unlicensed mobile access network uses the checking means to examine higher-layer messages that are sent from the mobile station to the core network and to ensure that the identifying means associated with mobile station is stored in the higher-layer message.

Citations

32 Claims

1. An unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the network comprising:
- authenticating means for authenticating a mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station to a core network; and
  
  connecting means for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network;
  
  checking means for ensuring that higher-layer messages passing through the unlicensed mobile access network from the mobile station to the core network are from the mobile station that is authenticated with the unlicensed mobile access network;
  
  wherein during authentication between the mobile station and the unlicensed mobile access network, the unlicensed mobile access network stores an identifying means that is associated with the mobile station and after authentication between the mobile station and the core network, the unlicensed mobile access network uses the checking means to examine the higher-layer messages that are sent from the mobile station to the core network and to ensure that the identifying means associated with mobile station is stored in the higher-layer message.

2. A unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the network comprising:
- authenticating means for authenticating a mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station to a core network;
  
  connecting means for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network; and
  
  wherein during authentication between the mobile station and the core network, the unlicensed mobile access network includes authentication information in a command message from the core network to the mobile station and in response to the command message, the mobile station includes a code that is encrypted with the authentication information and a key that is calculated in the mobile station.

3. An unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the network comprising:
- authenticating means for authenticating a mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station to a core network, wherein the mobile station comprises a subscriber identity module that includes an identifying means for identifying the mobile station and a key;
  
  connecting means for connecting the mobile station to the core network; and
  
  relaying means for relaying signals between the mobile station and the core network;
  
  wherein during authentication between the mobile station and the core network, the mobile station passes the key to a IPsec or TLS layer to the unlicensed mobile access network, thereby ensuring that all further messages sent from the mobile station are protected with the key or keys derived from key.

4. A mobile station in communications with an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the mobile station comprising:
- authenticating means for authenticating the mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station to a core network, a subscriber identity module that includes an identifying means for identifying the mobile station and a key;
  
  connecting means for connecting the mobile station to the core network; and
  
  relaying signals between the mobile station and the core network;
  
  wherein during authentication between the mobile station and the core network, the mobile station passes the key to a IPsec or TLS layer, thereby ensuring that all further messages sent from the mobile station are protected with the key or keys derived from key.

5. A system for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the system comprising:
- authenticating means for authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station, and thereafter, for authenticating the mobile station to a core network;
  
  a mobile station including a subscriber identity module that includes an identifying means for identifying the mobile station;
  
  a unlicensed mobile access network for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network, the unlicensed mobile access network comprising checking means for ensuring that higher-layer messages passing through the unlicensed mobile access network to the core network are from the mobile station that authenticated with the unlicensed mobile access network; and
  
  the core network for implementing transaction control and user services, wherein during authentication between the mobile station and the unlicensed mobile access network, the unlicensed mobile access network stores the identifying means that is associated with the mobile station and after authentication between the mobile station and the core network, the unlicensed mobile access network uses the checking means to examine higher-layer messages that are sent from the mobile station to the core network and to ensure that the identifying means associated with mobile station is stored in the higher-layer message.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The system of claim 5, wherein the unlicensed mobile access network comprises:
    - mapping means for mapping a IMSI for identifying the mobile station, the unlicensed mobile access network obtains the IMSI from a authentication process between the mobile station and the unlicensed mobile access network, with the IMSI of the mobile station sending the higher layer message to the core network; and
      
      storing means for storing the IMSI from the authentication process in the higher layer message if the IMSI already in the higher layer message is different from the IMSI obtained from the authentication process.
  - 7. The system of claim 6, wherein the unlicensed mobile access network comprises fetching means for fetching the IMSI from a subscriber profiler, if the unlicensed mobile access network did not save the IMSI during the authentication process.
  - 8. The system of claim 5, wherein the mobile station provides dual mode radios and an access mode switch to enable the mobile station to switch between the dual mode radios.
  - 9. The system of claim 5, wherein the mobile station is included in a customer premise, the system further comprises:
    - a broadband IP network for connecting the customer premise and the unlicensed mobile access network; and
      
      an access point in the customer premise for providing unlicensed radio link to the mobile station and for connecting to the unlicensed mobile access network through the broadband IP network, wherein the mobile station supports an IP transport interface that enables an IP network to extend from the unlicensed mobile access network to the mobile station through the access point, and wherein the IP transport network enables a single interface, Ut, to be defined between the unlicensed mobile access network and the mobile station.
  - 10. The system of claim 9, wherein the Ut interface comprises a relay component for relaying GSM/GPRS signaling from a PLMN Core Network towards the mobile station, wherein the Ut interface enables protocols at or above the GSM Mobility Management level to be carried transparently between the mobile station and a mobile switching center in the core network thereby allowing the mobile station to derive all GSM services as if the mobile station were communicating with a GSM BSS.
  - 11. The system of claim 9, wherein the access point is a standard access point.
  - 12. The system of claim 9, wherein the unlicensed mobile access network comprises a mapping component for mapping voice from the customer premise to PCM voice when a Mobile Switching Center in the Core Network is not implementing certain features.
  - 13. The system of claim 9, further comprising protocol means for enabling a transport and multiplexing protocol to transport messages that are associated with a radio resources protocol over a secure tunnel between the mobile station and the unlicensed mobile access network, wherein the secure tunnel uses SSL/TCP over IP and is responsible for managing the unlicensed radio link with the access point and wherein the mobile station uses standard IP technology to access the unlicensed radio link.
  - 14. The system of claim 5, wherein the unlicensed mobile access network includes communication means for enabling the unlicensed mobile access network to communicate with the mobile station via the standard GSM A-interface and GPRS Gb-interface.
  - 15. The system of claim 5, further wherein the authentication means is used for enabling the mobile station to authenticate with the unlicensed mobile access network via at least one of a password, a certificate or an SIM card.
  - 16. The system of claim 5, further comprising encryption means for encrypting signaling traffic between the mobile station and the unlicensed mobile access network.

17. A system for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the system comprising:
- authenticating means for authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station, and thereafter, for authenticating the mobile station to a core network;
  
  a mobile station including a subscriber identity module that includes an identifying means for identifying the mobile station and a key;
  
  a unlicensed mobile access network for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network; and
  
  the core network for implementing transaction control and user services, wherein during authentication between the mobile station and the core network, the unlicensed mobile access network includes authentication information in a command message from the core network to the mobile station and in response to the command message, the mobile station includes a code that is encrypted with the authentication information and the key.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the authentication information includes at least a randomly selected challenge.
  - 19. The system of claim 17, wherein the code includes a IMSI associated with the mobile station and the identity of the unlicensed mobile access network, wherein the mobile station obtains the identity of the unlicensed mobile access network during authentication between the mobile station and the unlicensed mobile access network.
  - 20. The system of claim 17, wherein the code includes messages related to a secure tunnel that was established between the mobile station and the unlicensed mobile access network during authentication between the mobile station and the unlicensed mobile access network.

21. A system for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the system comprising:
- authenticating means for authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station, and thereafter, for authenticating the mobile station to a core network;
  
  a mobile station including a subscriber identity module that includes an identifying means for identifying the mobile station and a key;
  
  a unlicensed mobile access network for connecting the mobile station to the core network and for relaying signals between the mobile station and the core network; and
  
  the core network for implementing transaction control and user services, wherein during authentication between the mobile station and the core network, the mobile station passes the key to a IPsec or TLS layer, thereby ensuring that all further messages sent from the mobile station are protected with the key or keys derived from key Kc.

22. A method in an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating, in an unlicensed mobile access network, a mobile station before higher-layer messages are sent from the mobile station to a core network;
  
  forwarding, in the unlicensed mobile access network, a service request from the mobile station to the core network, wherein a IMSI for the mobile station is included in the service request;
  
  transmitting, in the unlicensed mobile access network, an authentication request from the core network to the mobile station;
  
  forwarding, in the unlicensed mobile access network, an authentication response in response to the authentication request; and
  
  examining, by the unlicensed mobile access network, higher-layer messages from the mobile station to the core network to ensure that identifying means associated with mobile station is stored in the higher-layer message.

23. A method in an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating, in an unlicensed mobile access network, a mobile station before higher-layer messages are sent from the mobile station to a core network;
  
  forwarding, in the unlicensed mobile access network, a service request from the mobile station to the core network, wherein a IMSI for the mobile station is included in the service request;
  
  transmitting, in the unlicensed mobile access network, an authentication request from the core network to the mobile station;
  
  forwarding, in the unlicensed mobile access network, an authentication response in response to the authentication request, wherein the mobile station creates a key in response to the authentication request;
  
  forwarding, in the unlicensed mobile access network, a Cipher Mode Command message created by the core network to the mobile station;
  
  including, by the unlicensed mobile access network, authentication information in the Cipher Mode Command message from the core network to the mobile station and forwarding the modified Cipher Mode Command message to the mobile station; and
  
  receiving, by the unlicensed mobile access network from the mobile station, a code that is encrypted with the authentication information and the key.

24. A method in an arrangement implementing an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating a mobile station to the unlicensed mobile access network before higher-layer messages are sent from the mobile station;
  
  requesting service, by the mobile station, from the core network and including a IMSI for the mobile station in the request message;
  
  forwarding, by the unlicensed mobile access network, the request message to the core network without examination of the message by the unlicensed mobile access network;
  
  sending an authentication request from the core network to the mobile station through the unlicensed mobile access network;
  
  creating an authentication response, by the mobile station, in response to the authentication request and forwarding the authentication response to the core network through the unlicensed mobile access network;
  
  verifying the authentication response, by the core network, and sending a Cipher Mode Command message to the unlicensed mobile access network;
  
  forwarding a list of permitted algorithms in the Cipher Mode Command message, by the unlicensed mobile access network, to the mobile station; and
  
  examining higher-layer messages from the mobile station, by the unlicensed mobile access network, to ensure that the identifying means associated with mobile station is stored in the higher-layer message.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, further comprising the steps of:
    - mapping a IMSI for identifying the mobile station from a authentication process between the mobile station and the unlicensed mobile access network, by the unlicensed mobile access network, with the IMSI of the mobile station sending the higher layer message to the core network; and
      
      storing the IMSI from the authentication process in the higher layer message if the IMSI already in the higher layer message is different from the IMSI obtained from the authentication process.
  - 26. The system of claim 25, further comprising the step of fetching the IMSI from a subscriber profiler, if the unlicensed mobile access network did not save the IMSI during the authentication process.

27. A method in an arrangement implementing an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station;
  
  requesting service, by the mobile station, from the core network and including a IMSI for the mobile station in the request message;
  
  forwarding, by the unlicensed mobile access network, the request message to the core network without examination of the message by the unlicensed mobile access network;
  
  sending an authentication request from the core network to the mobile station through the unlicensed mobile access network;
  
  creating an authentication response, by the mobile station, in response to the authentication request and forwarding the authentication response to the core network through the unlicensed mobile access network;
  
  verifying the authentication response, by the core network, and sending a Cipher Mode Command message to the unlicensed mobile access network;
  
  including authentication information in a Cipher Mode Command message from the core network to the mobile station and forwarding in the Cipher Mode Command message, by the unlicensed mobile access network, to the mobile station; and
  
  in response to the command message, including, by the mobile station, a code that is encrypted with the authentication information and the key and forwarding the response to the unlicensed mobile access network.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27, further comprising the step of storing at least a randomly selected challenge in the authentication information.
  - 29. The method of claim 27, further comprising the step of storing a IMSI associated with the mobile station and the identity of the unlicensed mobile access network in the code, wherein the mobile station obtains the identity of the unlicensed mobile access network during authentication between the mobile station and the unlicensed mobile access network.
  - 30. The method of claim 27, further comprising the step of storing messages related to a secure tunnel that was established between the mobile station and the unlicensed mobile access network during authentication between the mobile station and the unlicensed mobile access network, in the code.

31. A method in an arrangement implementing an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station;
  
  requesting service, by the mobile station, from the core network and including a IMSI for the mobile station in the request message;
  
  forwarding, by the unlicensed mobile access network, the request message to the core network without examination of the message by the unlicensed mobile access network;
  
  sending an authentication request from the core network to the mobile station through the unlicensed mobile access network;
  
  creating an authentication response, by the mobile station, in response to the authentication request and forwarding the authentication response to the core network through the unlicensed mobile access network;
  
  verifying the authentication response, by the core network, and sending a Cipher Mode Command message to the unlicensed mobile access network;
  
  forwarding, by the unlicensed mobile access network, the Cipher Mode Command Message to the mobile station; and
  
  passing a key to a IPsec or TLS layer, by the mobile station, thereby ensuring that all further messages sent from the mobile station are protected with the key or keys derived from key.

32. A method in an arrangement implementing an unlicensed mobile access network for ensuring that a first subscriber in a unlicensed mobile access system is prevented from unauthorized use of a second subscriber'"'"'s identity when the first subscriber requests services from a mobile station to a core network, the method comprising the steps of:
- authenticating a mobile station to an unlicensed mobile access network before higher-layer messages are sent from the mobile station;
  
  requesting service, by the mobile station, from the core network and including a IMSI for the mobile station in the request message;
  
  creating an authentication response, by the mobile station, in response to the authentication request from the core network and forwarding the authentication response to the core network through the unlicensed mobile access network; and
  
  passing a key to a IPsec or TLS layer, by the mobile station, thereby ensuring that all further messages sent from the mobile station are protected with the key or keys derived from key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Eronen, Pasi

Granted Patent

US 7,200,383 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

H04L 12/2854   Wide area networks, e.g. pu...

H04M 2207/18   wireless networks

H04M 3/382   using authorisation codes o...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/72   Subscriber identity

Subscriber authentication for unlicensed mobile access signaling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Subscriber authentication for unlicensed mobile access signaling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links