Authentication in communications networks

US 20070204160A1
Filed: 12/01/2006
Published: 08/30/2007
Est. Priority Date: 12/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user equipment in a communications network, the method comprising:

sending a message from a network entity to the user equipment including a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity said options including a “

shared key”

-based authentication procedure;

selecting an option from the set and in the event that the “

shared-key”

-based authentication procedure is selected, generating a shared secret from a security key established in a generic bootstrapping architecture (GBA) over a second interface between the user equipment and a bootstrapping service function; and

using the shared secret to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method of authenticating a user equipment in a communications network. The method involves sending a message from a network entity to the user equipment. This message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity; said options including a “shared key”-based authentication procedure. The method also involves selecting an option from the set. In the event that the “shared-key”-based authentication procedure is selected, a shared secret from a security key established in a generic bootstrapping architecture (GBA) is generated over a second interface between the user equipment and a bootstrapping service function. The shared secret is then used to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.

52 Citations

View as Search Results

26 Claims

1. A method of authenticating a user equipment in a communications network, the method comprising:
- sending a message from a network entity to the user equipment including a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity said options including a “
  
  shared key”
  
  -based authentication procedure;
  
  selecting an option from the set and in the event that the “
  
  shared-key”
  
  -based authentication procedure is selected, generating a shared secret from a security key established in a generic bootstrapping architecture (GBA) over a second interface between the user equipment and a bootstrapping service function; and
  
  using the shared secret to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, wherein the user equipment transmits a notification to the network entity indicating its capability of supporting authentication procedures.
  - 3. A method according to claim 1, wherein the set of options is in the form of a preference list.
  - 4. A method according to claim 1, wherein the step of selecting is carried out at the user equipment.
  - 5. A method according to claim 1, wherein the set of options includes a certificate based authentication procedure.
  - 6. A method according to claim 1, wherein the communication over the first interface uses the internet key exchange protocol.
  - 7. A method according to claim 1, wherein the first interface is wireless.
  - 8. A method according to claim 1, wherein the second interface is wireless.
  - 9. A method according to claim 1, comprising the step of transmitting a network entity identifier from the network entity to the user equipment, and using the network entity identifier to generate the shared secret from the security key.
  - 10. A method according to claim 1, wherein the step of computing the authentication payload is carried out at the user equipment.
  - 11. A method according to claim 1, wherein the step of verifying the authentication payload using the shared secret is carried out at the network entity.
  - 12. A method according to claim 1, wherein the user equipment transmits a bootstrapping transaction identifier to the network entity as part of said authentication procedure.
  - 13. A method according to claim 12, wherein the network entity uses the bootstrapping transaction identifier to access the shared secret.
  - 14. A method according to claim 1, when used to mutually authenticate the user equipment and the network entity wherein the network entity performs the step of computing the authentication payload using the shared secret.
  - 15. A method according to claim 14, wherein the user equipment verifies the authentication payload using the shared secret.
  - 16. A method according to claim 1, wherein the network entity sends a message including a digital signature and wherein the user equipment verifies the digital signature.
  - 17. A method according to claim 15, wherein the message includes at least one certificate for authenticating the digital signature.

18. A network entity for use in a communications network comprising:
- means for establishing an internet protocol communication with a user equipment over an interface;
  
  means for accessing a shared secret to be used in a key-based authentication procedure for authenticating communication with the user equipment, said shared secret having been established in a generic bootstrapping architecture (GBA);
  
  means for dispatching a message to a user equipment including a set of options for the key-based authentication procedure, the set of options including at least the option of using the shared secret derived from GBA in the “
  
  shared-key”
  
  -based authentication procedure; and
  
  means operable when the “
  
  shared-key”
  
  -based authentication procedure is selected for validating an authorisation payload received from the user equipment over the interface and computed using the shared secret.
- View Dependent Claims (19, 20)
- - 19. A network entity as claimed in claim 18, wherein communication over the interface uses the internet key exchange protocol.
  - 20. A network entity according to claim 18, wherein said means for accessing the shared secret comprises means for dispatching a user equipment identifier with a network entity identifier to a bootstrapping service function in the network.

21. A user equipment for using a communications network comprising:
- means for establishing a communication channel with a network entity in the communications network;
  
  means for receiving a message which includes a set of options for the authentication procedure, the set of options including at least the option of using the shared secret derived from GBA in the “
  
  shared-key”
  
  -based authentication procedure for authenticating communication over the channel;
  
  means for selecting one of the set of options;
  
  means operable when the “
  
  shared-key”
  
  -based authentication procedure is selected for using a security key derived from a generic bootstrapping architecture to generate the shared secret;
  
  means for computing an authentication payload for transmission to a network entity using the shared secret; and
  
  means for transmitting the payload in a message over the channel according to an internet protocol.
- View Dependent Claims (22, 23)
- - 22. A user equipment according to claim 21, wherein the internet protocol is the internet key exchange protocol.
  - 23. A user equipment according to claim 21, which comprises means for transmitting a notification indicating that the user equipment supports the “
    - shared-key”
      
      -based authentication procedure using shared secrets derived from GBA.

24. A method of authenticating a user equipment in a communications network, the method comprising:
- establishing a security key in a generic bootstrapping architecture (GBA) over a first interface between the user equipment and a bootstrapping service function;
  
  generating a shared secret from the security key;
  
  sending a message from a network entity to the user equipment including notification that the shared secret is to be used in a key-based authentication procedure for authenticating an internet protocol communication over a second interface between the user equipment and the network entity; and
  
  using the shared secret to compute and verify an authentication payload in the key-based authentication procedure for the communication over the second interface.

25. A network entity for use in a communications network comprising:
- means for establishing an internet protocol communication with a user equipment over an interface;
  
  means for accessing a shared secret to be used in a key-based authentication procedure for authenticating communication with the user equipment, said shared secret having been established in a generic bootstrapping architecture (GBA);
  
  means for dispatching a message to a user equipment including a notification that the shared secret is to be used in the key-based authentication procedure; and
  
  means for validating an authorisation payload received from the user equipment over the interface and computed using the shared secret.

26. A user equipment for using a communications network comprising:
- means for establishing a communication channel with a network entity in the communications network;
  
  means for receiving a message which includes a notification that a shared secret is to be used in a key-based authentication procedure for authenticating communication over the channel;
  
  means for using a security key derived from a generic bootstrapping architecture to generate the shared secret;
  
  means for computing an authentication payload for transmission to a network entity using the shared secret; and
  
  means for transmitting the payload in a message over the channel according to an internet protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conversant Wireless Licensing S.à.r.l. (f/k/a Core Wireless Licensing S.a.r.l.) (MOSAID Technologies Inc. (f/k/a Conversant Intellectual Property Management))
Original Assignee
2011 Intellectual Property Asset Trust (Nokia Corporation)
Inventors
Bajko, Gabor, Chan, Tat

Granted Patent

US 8,484,467 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/205   involving negotiation or de...

H04L 9/08   Key distribution or managem...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3247   involving digital signatures

H04L 9/3265   using certificate chains, t...

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 88/02   Terminal devices

Authentication in communications networks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Authentication in communications networks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others