Method for establishment of a service tunnel in a WLAN

US 20060104234A1
Filed: 10/28/2005
Published: 05/18/2006
Est. Priority Date: 12/08/2003
Status: Active Grant

First Claim

Patent Images

1. A method for establishment of a service tunnel in a Wireless Local Area Network (WLAN), comprising the following steps:

(A) a service authentication authorization unit making authentication and authorization to a WLAN user terminal which requests a service and then judging whether the authentication and authorization is successful, and if successful, generating service authorization information including a shared communication key used for communication between the WLAN user terminal and a destination Packet Data Gateway (PDG), and otherwise, ending the current procedure of tunnel establishment;

(B) the service authentication authorization unit sending to the PDG the service authorization information that includes the shared communication key; and

, (C) the PDG, based on the shared communication key in the service authorization information, establishing a trust relation with the WLAN user terminal through negotiation, and if establishment of the trust relation is successful, the destination PDG allocating tunnel resources for the WLAN user terminal, negotiating parameters and completing the establishment of the tunnel, and otherwise, ending the current tunnel establishment procedure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for the establishment of a service tunnel in a wireless local area network (WLAN). The method includes a service authentication authorization unit making authentication and authorization to a WLAN user terminal currently requesting a service, and judging whether the authentication and authorization is successful. If successful, the method includes generating service authorization information that includes a shared communication key used for communication between the WLAN user terminal and a destination packet data gateway (PDG), and otherwise ending the procedure. The method further includes the service authentication authorization unit sending to the destination PDG the generated service authorization information including the shared communication key, and the destination PDG, according to the shared communication key, establishing a trust relation with the WLAN user terminal through negotiation with the WLAN user terminal. If the establishment of the trust relation is successful, the destination PDG allocates tunnel resources for the WLAN user terminal, negotiates parameters and then establishes a tunnel with the WLAN user terminal, and otherwise, ends the procedure. As a result, a secured service data tunnel may be established between the user terminal and the PDG.

56 Citations

View as Search Results

20 Claims

1. A method for establishment of a service tunnel in a Wireless Local Area Network (WLAN), comprising the following steps:
- (A) a service authentication authorization unit making authentication and authorization to a WLAN user terminal which requests a service and then judging whether the authentication and authorization is successful, and if successful, generating service authorization information including a shared communication key used for communication between the WLAN user terminal and a destination Packet Data Gateway (PDG), and otherwise, ending the current procedure of tunnel establishment;
  
  (B) the service authentication authorization unit sending to the PDG the service authorization information that includes the shared communication key; and
  
  , (C) the PDG, based on the shared communication key in the service authorization information, establishing a trust relation with the WLAN user terminal through negotiation, and if establishment of the trust relation is successful, the destination PDG allocating tunnel resources for the WLAN user terminal, negotiating parameters and completing the establishment of the tunnel, and otherwise, ending the current tunnel establishment procedure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending directly to the service authentication authorization unit an authentication request including an identity of the requested service and a user identity of the WLAN user terminal;
      
      having received the authentication request, the service authentication authorization unit, according to the user identity, making identity and service authentication to the WLAN user terminal; and
      
      the service authentication authorization unit, according to the identity of the requested service and user subscription information, determining the destination PDG to be connected with the WLAN user terminal.
  - 3. A method according to claim 2, further comprising, between step (B) and step (C), the WLAN user terminal that currently requests a service sending a tunnel establishing request to the destination PDG.
  - 4. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending a tunnel establishing request including the user identity to the destination PDG corresponding to the requested service;
      
      having received the tunnel establishing request, the PDG sending to the service authentication authorization unit an authentication and authorization request including the user identity of the WLAN user terminal; and
      
      having received the authentication and authorization request, the service authentication authorization unit, according to the user identity, making identity and service authentication to the WLAN user terminal.
  - 5. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending to the service authentication authorization unit an authentication request that includes an identity of the requested service and currently possessed certificate information indicating a successful identity authentication; and
      
      the service authentication authorization unit, according to the identity of the requested service and user subscription information, determining the destination PDG to be connected with the WLAN user terminal, and judging whether the received certificate information is legal, and if legal, the authentication being successful, and otherwise, the authentication being unsuccessful.
  - 6. A method according to claim 5, further comprising, between step (B) and step (C), the WLAN user terminal that currently requests a service sending a tunnel establishing request to the destination PDG.
  - 7. A method according to claim 5, wherein the certificate information is a certificate currently possessed by the WLAN user terminal, or a certificate-index identity used for finding the certificate currently possessed by the WLAN user terminal.
  - 8. A method according to claim 7, wherein, if the certificate information is the certificate-index identity, the judging whether the certificate information is legal comprises the service authentication authorization unit finding the certificate currently possessed by the WLAN user terminal according to the received certificate-index identity, and then judging whether the found certificate is legal.
  - 9. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending a tunnel establishing request, including an identity of the requested service and currently possessed certificate information indicating a successful authentication, to the destination PDG corresponding to the requested service;
      
      having received the tunnel establishing request, the destination PDG sending to the service authentication authorization unit an authentication and authorization request including certificate information of the WLAN user terminal; and
      
      the service authentication authorization unit judging whether the received certificate information is legal, and if legal, the authentication being successful, and otherwise, the authentication being unsuccessful.
  - 10. A method according to claim 9, wherein the certificate information is a certificate currently possessed by the WLAN user terminal, or a certificate-index identity used for finding the certificate currently possessed by the WLAN user terminal.
  - 11. A method according to claim 10, wherein, if the certificate information is the certificate-index identity, the judging whether the certificate information is legal comprises the service authentication authorization unit finding the certificate currently possessed by the WLAN user terminal according to the received certificate-index identity, and then judging whether the found certificate is legal.
  - 12. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending to the service authentication authorization unit an authentication request including an identity of the requested service and a shared secret Transaction Identifier (TID) currently possessed by the WLAN user terminal; and
      
      the service authentication authorization unit determining the destination PDG to be connected with the WLAN user terminal according to the identity of the requested service and user subscription information, and judging whether the received shared secret TID is legal, if legal, the authentication being successful;
      
      otherwise, the authentication being unsuccessful.
  - 13. A method according to claim 12, further comprising, between step (B) and step (C), the WLAN user terminal that currently requests a service sending a tunnel establishing request to the destination PDG.
  - 14. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending a tunnel establishing request, including an identity of the requested service and a shared secret TID currently possessed by the WLAN user terminal, to the destination PDG corresponding to the requested service;
      
      having received the tunnel establishing request, the destination PDG sending to the service authentication authorization unit an authentication and authorization request including the shared secret TID of the WLAN user terminal; and
      
      the service authentication authorization unit judging whether the received shared secret TID is legal, if legal, the authentication being successful;
      
      otherwise, the authentication being unsuccessful.
  - 15. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending to the service authentication authorization unit an authentication request including an identity of the requested service and a re-authentication identity currently possessed by the WLAN user terminal; and
      
      the service authentication authorization unit, according to the service identity and the user subscription information, determining the destination PDG to be connected with the WLAN user terminal, and judging whether the re-authentication identity is legal, if legal, the authentication being successful;
      
      otherwise, the authentication being unsuccessful.
  - 16. A method according to claim 15, further comprising, between step (B) and step (C), the WLAN user terminal that currently requests a service sending a tunnel establishing request to the destination PDG.
  - 17. A method according to claim 1, wherein, in step (A), the authentication to the WLAN user terminal further comprises:
    - the WLAN user terminal sending a tunnel establishing request, including an identity of the requested service and a re-authentication identity currently possessed by the WLAN user terminal, to the destination PDG corresponding to the requested service;
      
      having received the tunnel establishing request, the destination PDG sending to the service authentication authorization unit an authentication and authorization request including the re-authentication identity; and
      
      the service authentication authorization unit judging whether the re-authentication identity is legal, if legal, the authentication being successful;
      
      otherwise, the authentication being unsuccessful.
  - 18. A method according to claim 1, wherein step (B), before sending the shared communication key to the destination PDG, further comprises the destination PDG sending a service authorization request to the service authentication authorization unit, and having received the service authorization request, the service authentication authorization unit sending to the destination PDG the shared communication key generated by the destination PDG and the service authorization information.
  - 19. A method according to claim 1, wherein said service authentication authorization unit is an Authentication Authorization and Accounting Server.
  - 20. A method according to claim 19, wherein said service authentication authorization unit is a 3 GPP Authentication Authorization and Accounting Server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Wenlin

Granted Patent

US 7,450,554 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/328
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0892   by using authentication-aut...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

H04W 92/02   Inter-networking arrangements

Method for establishment of a service tunnel in a WLAN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for establishment of a service tunnel in a WLAN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links