AUTHENTICATION IN A PACKET DATA NETWORK
First Claim
1. A method in a system comprising a mobile node, a packet data network and a telecommunication network;
the mobile node being capable of communicating directly over two different communication links, a telecommunications network link with the telecommunications network and a packet data network link with the packet data network;
the method comprising:
storing in the mobile node and in the telecommunication network a mobile node identity and a shared secret specific to the mobile node identity corresponding to the mobile node, which mobile node identity and shared secret are capable of authenticating the mobile node to the telecommunications network for communications over the telecommunications network link;
providing the mobile node with a protection code;
sending the mobile node identity and the protection code from the mobile node to the packet data network over the packet data network link;
the telecommunication network providing the packet data network with authentication information corresponding to said mobile node identity, the authentication information comprising a challenge and a session secret, wherein said session secret corresponds to the mobile node identity and the session secret is derivable from the challenge together with the shared secret;
forming cryptographic information using at least the protection code and the session secret;
the packet data network sending the challenge and the cryptographic information to the mobile node over the packet data network link;
the mobile node checking the validity of the cryptographic information using the challenge and the shared secret;
the mobile node deriving, based on the shared secret, the session secret and a first response corresponding to the challenge;
the mobile node sending the first response to the packet data network over the packet data network link; and
the packet data network checking the first response for authenticating the mobile node.
(Claims 2 to 12 depend on claim 1.)
Abstract
Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication centre. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.
46 Citations
51 Claims
13. A system comprising:
a packet data network having an access to an authentication gateway of a telecommunications network;
a mobile node comprising:
a first transceiver configured to communicate directly with the telecommunications network;
a second transceiver configured to communicate directly with the packet data network; and
a memory configured to store in the mobile node a protection code and a mobile node identity and a shared secret specific to the mobile node identity corresponding to the mobile node, which mobile node identity and shared secret are capable of authenticating the mobile node to the telecommunications network for communications over the first transceiver;
wherein the second transceiver is configured to send the mobile node identity and the protection code from the mobile node to the packet data network;
the packet data network being configured to pass the protection code to the authentication gateway and respectively to obtain cryptographic information and a challenge corresponding to the mobile node, which cryptographic information is derivable from the protection code in combination with the shared secret and the challenge;
the packet data network being further configured to pass the challenge and the cryptographic information to the mobile node;
the mobile node further comprising a processor configured to check the cryptographic information based on the challenge in combination with the protection code and the shared secret, so as to authenticate the packet data network;
wherein the processor is further configured to derive, based on the challenge and the shared secret, a session secret and a first response corresponding to the challenge;
the second transceiver being further configured to send the first response to the packet data network so as to authenticate the mobile node to the packet data network;
wherein the packet data network is further configured to check the first response for authenticating the mobile node.
(Claims 14 to 24 depend on claim 13.)
25. In a mobile node capable of communicating directly over two different communication links, a telecommunications network link with the telecommunications network and a packet data network link with the packet data network, a method comprising:
storing a mobile node identity and a shared secret specific to the mobile node identity corresponding to the mobile node, which mobile node identity and shared secret are capable of authenticating the mobile node to the telecommunications network for communications over the telecommunications network link;
obtaining a protection code;
sending the mobile node identity and the protection code to the packet data network over the packet data network link;
receiving a challenge and cryptographic information from the packet data network over the packet data network link;
checking the validity of the cryptographic information using the challenge and the shared secret;
deriving, based on the shared secret, a session secret and a first response corresponding to the challenge; and
sending the first response to the packet data network over the packet data network link to prove authenticity.
(Claims 26 to 30 depend on claim 25.)
31. A mobile node comprising:
a first transceiver configured to communicate directly with a telecommunications network;
a second transceiver configured to communicate directly with a packet data network; and
a memory configured to store in the mobile node a protection code and a mobile node identity and a shared secret specific to the mobile node identity corresponding to the mobile node, which mobile node identity and shared secret are capable of authenticating the mobile node to the telecommunications network for communications over the first transceiver;
wherein the second transceiver has been configured to send the mobile node identity and the protection code from the mobile node to the packet data network and to receive cryptographic information and a challenge corresponding to the mobile node, which cryptographic information is derivable from the protection code in combination with the shared secret and the challenge;
the mobile node further comprising a processor configured to check the cryptographic information based on the challenge in combination with the protection code and the shared secret in order to authenticate the packet data network;
wherein the processor is further configured to derive, based on the challenge and the shared secret, a session secret and a first response corresponding to the challenge; and
the second transceiver being further configured to send the first response to the packet data network so as to authenticate the mobile node to the packet data network.
(Claims 32 to 37 depend on claim 31.)
38. A method in a packet data network, comprising:
receiving from a mobile node a mobile node identity and a protection code;
passing to a telecommunications network the mobile node identity and the protection code;
receiving from the telecommunications network a challenge and cryptographic information based on at least the protection code together with the challenge, wherein the cryptographic information is derivable from a shared secret accessible to the mobile node and to the telecommunications network but not to the packet data network;
sending the challenge and the cryptographic information to the mobile node;
receiving from the mobile node a response corresponding to the challenge; and
verifying with the telecommunications network if the response is correct so as to authenticate the mobile node to the packet data network.
(Claims 39 and 40 depend on claim 38.)
41. A packet data network comprising:
a unit configured to receive from a mobile node a mobile node identity and a protection code;
a unit configured to pass to a telecommunications network the mobile node identity and the protection code;
a unit configured to receive from the telecommunications network a challenge and cryptographic information based on at least the protection code together with the challenge, wherein the cryptographic information is derivable from a shared secret accessible to the mobile node and to the telecommunications network but not to the packet data network;
a unit configured to send the challenge and the cryptographic information to the mobile node;
a unit configured to receive from the mobile node a response corresponding to the challenge; and
a unit configured to verify with the telecommunications network if the response is correct so as to authenticate the mobile node to the packet data network.
(Claims 42 and 43 depend on claim 41.)
44. A method in a gateway for interfacing a packet data access network and a telecommunications network, which telecommunications network has subscribers and an access to an authentication server that knows shared secrets of the subscribers, the method comprising:
receiving a mobile node identity and a protection code from the packet data access network;
providing the authentication server with the mobile node identity;
receiving from the authentication server a challenge and a session secret, which session secret corresponds to the mobile node identity in combination with the challenge and the shared secret;
forming cryptographic information using at least the protection code and the session secret;
providing the packet data access network with the challenge and the cryptographic information for further transmission to a mobile node;
receiving from the mobile node via the packet data access network a first response corresponding to the challenge, based on the shared secret specific to the subscriber identity; and
verifying the first response for authenticating the mobile node.
(Claims 45 and 47 depend on claim 44.)
46. Gateway for interfacing a packet data access network and a telecommunications network, which telecommunications network has subscribers and an access to an authentication server that knows shared secrets of the subscribers, the gateway comprising:
an input configured to receive a mobile node identity and a protection code from the packet data access network;
an output configured to provide the authentication server with the mobile node identity;
an input configured to receive from the authentication server a challenge and a session secret, which session secret corresponds to the mobile node identity in combination with the challenge and the shared secret;
a unit configured to form cryptographic information using at least the protection code and the session secret;
an output for providing the packet data access network with the challenge and the cryptographic information for further transmission to a mobile node;
an input for receiving from the mobile node via the packet data access network a first response corresponding to the challenge, based on the shared secret specific to the subscriber identity; and
a unit for verifying the first response for authenticating the mobile node.
48. Computer readable medium comprising a computer program for controlling a mobile node capable of communicating directly over two different communication links, a telecommunications network link with the telecommunications network and a packet data network link with the packet data network, the medium comprising:
computer executable code to store a mobile node identity and a shared secret specific to the mobile node identity corresponding to the mobile node, which mobile node identity and shared secret are capable of authenticating the mobile node to the telecommunications network for communications over the telecommunications network link;
computer executable code to enable the mobile node to obtain a protection code;
computer executable code to enable the mobile node to send the mobile node identity and the protection code to the packet data network over the packet data network link;
computer executable code to enable the mobile node to receive a challenge and cryptographic information from the packet data network over the packet data network link;
computer executable code to enable the mobile node to check the validity of the cryptographic information using the challenge and the shared secret;
computer executable code to enable the mobile node to derive, based on the shared secret, a session secret and a first response corresponding to the challenge; and
computer executable code to enable the mobile node to send the first response to the packet data network.
49. Computer readable medium comprising a computer program for controlling a packet data network, the medium comprising:
computer executable code to enable the network to receive from a mobile node a mobile node identity and a protection code;
computer executable code to enable the network to pass to a telecommunications network the mobile node identity and the protection code;
computer executable code to enable the network to receive from the telecommunications network a challenge and cryptographic information based on at least the protection code together with the challenge, wherein the cryptographic information is derivable from a shared secret accessible to the mobile node and to the telecommunications network but not to the packet data network;
computer executable code to enable the network to send the challenge and the cryptographic information to the mobile node;
computer executable code to enable the network to receive from the mobile node a response corresponding to the challenge; and
computer executable code to enable the network to verify with the telecommunications network if the response is correct so as to authenticate the mobile node to the packet data network.
(Claim 50 depends on claim 49.)
51. Computer readable medium comprising a computer program for controlling a gateway interfacing a packet data access network and a telecommunications network, which telecommunications network has subscribers and an access to an authentication server that knows shared secrets of the subscribers, the medium comprising:
computer executable code to enable the gateway to receive a mobile node identity and a protection code from the packet data access network;
computer executable code to enable the gateway to provide the authentication server with the mobile node identity;
computer executable code to enable the gateway to receive from the authentication server a challenge and a session secret, which session secret corresponds to the mobile node identity in combination with the challenge and the shared secret;
computer executable code to enable the gateway to form cryptographic information using at least the protection code and the session secret;
computer executable code to enable the gateway to provide the packet data access network with the challenge and the cryptographic information for further transmission to a mobile node;
computer executable code to enable the gateway to receive from the mobile node via the packet data access network a first response corresponding to the challenge, based on the shared secret specific to the subscriber identity; and
computer executable code to enable the gateway to verify the first response for authenticating the mobile node.
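The exchange summarised in the abstract and claimed from the mobile-node side (claims 1 and 25), the packet-data-network side (claim 38) and the gateway side (claim 44), as an added runnable simulation. This is example code written for this page; it is not the patent's, the assignee's, or any product's implementation. Every concrete choice is an assumption: HMAC-SHA256 stands in for the SIM's A3/A8 functions and for every MAC, the key-derivation layout and message contents are invented, the subscriber identity and keys are constructed, and the packet data network is modelled as a plain relay between the mobile node and the gateway. Besides the honest run it exercises three failure cases the claims are designed to catch: a network that does not hold the subscriber's triplets, a challenge altered in transit, and an earlier (challenge, authenticator) pair replayed against a fresh protection code.

```python
# Added example, not the patent's code. Assumptions: HMAC-SHA256 stands in for the
# SIM's A3/A8 algorithms and for every MAC; the key-derivation layout, message
# formats, identity and keys are constructed for illustration.
import hashlib
import hmac
import os


def sim_algorithm(ki, rand):
    """Stand-in for A3/A8: (SRES, Kc) from subscriber key Ki and challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # 4-byte SRES, 8-byte session secret Kc


def session_key(kcs, nonce, identity):
    """Session key over the session secrets plus the node's protection code."""
    return hmac.new(b"".join(kcs), nonce + identity.encode(), hashlib.sha256).digest()


def authenticator(key, rands, nonce):
    """The 'cryptographic information': MAC over the challenges and the fresh nonce."""
    return hmac.new(key, b"".join(rands) + nonce, hashlib.sha256).digest()


def response_tag(key, sreses):
    """The mobile node's 'first response': MAC over its signed responses."""
    return hmac.new(key, b"".join(sreses), hashlib.sha256).digest()


class AuthenticationCentre:
    """Telecommunications network side; besides the SIM, the only holder of Ki."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def triplets(self, identity, count=2):
        ki = self._ki[identity]                # KeyError for an unknown subscriber
        trips = []
        for _ in range(count):
            rand = os.urandom(16)
            sres, kc = sim_algorithm(ki, rand)
            trips.append((rand, sres, kc))
        return trips


class Gateway:
    """Authentication gateway (claims 44 and 46): never sees Ki, only triplets."""

    def __init__(self, auc):
        self._auc = auc
        self._pending = {}

    def start(self, identity, nonce):
        trips = self._auc.triplets(identity)
        rands = [t[0] for t in trips]
        key = session_key([t[2] for t in trips], nonce, identity)
        self._pending[identity] = (key, [t[1] for t in trips])
        return rands, authenticator(key, rands, nonce)

    def finish(self, identity, response):
        key, sreses = self._pending.pop(identity)
        return hmac.compare_digest(response, response_tag(key, sreses))


class MobileNode:
    def __init__(self, identity, ki):
        self.identity, self._ki, self._nonce = identity, ki, None

    def hello(self):
        self._nonce = os.urandom(16)           # protection code: fresh per attempt
        return self.identity, self._nonce

    def answer(self, rands, mac):
        pairs = [sim_algorithm(self._ki, r) for r in rands]   # rest of the triplets
        key = session_key([kc for _, kc in pairs], self._nonce, self.identity)
        # Authenticate the network first: nothing derived from Ki leaves the node
        # unless the authenticator verifies under THIS attempt's nonce.
        if not hmac.compare_digest(mac, authenticator(key, rands, self._nonce)):
            raise ValueError("network authenticator invalid")
        return response_tag(key, [sres for sres, _ in pairs])


def run_exchange(sim_ki, network_ki, tamper_rand=False, replay=False):
    """One authentication with the packet data network modelled as a relay.
    True only if the node accepts the network and the gateway accepts the node."""
    identity = "subscriber-001"                # constructed identity
    gateway = Gateway(AuthenticationCentre({identity: network_ki}))
    node = MobileNode(identity, sim_ki)
    ident, nonce = node.hello()                # identity + protection code
    rands, mac = gateway.start(ident, nonce)   # challenges + cryptographic information
    if replay:                                 # old (RAND, MAC) replayed at a new attempt
        node.hello()
    if tamper_rand:                            # a challenge altered in transit
        rands = [bytes(b ^ 1 for b in rands[0])] + rands[1:]
    try:
        response = node.answer(rands, mac)
    except ValueError:
        return False
    return gateway.finish(identity, response)
```

Two properties of the claimed order are visible here. The node checks the network's authenticator before it releases anything computed from the shared secret, so a rogue packet data network that cannot obtain genuine triplets learns nothing usable; and because the authenticator is keyed with the node's fresh protection code, an earlier authenticator fails against a new attempt even though it was valid once. The session secrets and signed responses stay with the gateway on the telecommunications side, matching claim 38's statement that the shared secret is not accessible to the packet data network.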
Specification