User Authentication and Authorisation in a Communications System

US 20090013381A1
Filed: 01/28/2005
Published: 01/08/2009
Est. Priority Date: 01/28/2005
Status: Active Grant

First Claim

Patent Images

1-37. -37. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.

44 Citations

View as Search Results

57 Claims

1-37. -37. (canceled)

38. A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret, the method comprising:
- sending an authentication request from the client to said first sever via a second server;
  
  upon receipt of said request at the first server, generating a first authentication challenge using said shared secret, and sending the challenge to the second server;
  
  generating a second authentication challenge at the second server, and sending the first and second challenges together from the second server to the client;
  
  upon receipt of the challenges at the client, generating a first challenge response to the first challenge, and a session key, using the shared secret, and generating a second challenge response to the second challenge using the session key;
  
  sending said challenge responses together to said second server, and forwarding the first challenge response to the first server;
  
  authenticating the client at the first server using the first challenge response and said shared secret, and, in the event that the client is authenticated, generating said session key at the first server and sending this to the second server; and
  
  authenticating the client at the second server using the second challenge response and said session key.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 57)
- - 39. A method according to claim 38, the method comprising authenticating the second server to the first server, and providing said session key from the first server to the second server after this authentication process.
  - 40. A method according to claim 38, wherein one or both of the steps of authenticating the client to a first server and authenticating the client to the second server use an HTTP Digest protocol.
  - 41. A method according to claim 40, wherein said HTTP Digest protocol is the HTTP Digest AKA protocol.
  - 42. A method according to claim 40, wherein HTTP Digest information is tunnelled between the first and second servers using another protocol.
  - 43. A method according to claim 42, wherein said other protocol is DIAMETER.
  - 44. A method according to claim 38, comprising authenticating the first and/or second server to the client.
  - 45. A method according to claim 43, the client authenticating the first server using said first authentication challenge.
  - 46. A method according to claim 43, the client authenticating the second server upon receipt of said second authentication challenge.
  - 57. A method according to claim 38, wherein said communication system comprises a radio access network, and said client or communication equipment is a mobile radio communication terminal.

47. A method of operating an authentication server within a communications system, the method comprising:
- relaying authentication signalling between a client and a further authentication server, the client and said further authentication server sharing a secret, the authentication signalling comprising a first authentication challenge sent from the client to said further authentication server and a first challenge response sent from the client to the further authentication server;
  
  generating a second authentication challenge and sending this to the client together with said first authentication challenge, and receiving from the client a second challenge response together with said first challenge response; and
  
  receiving a session key from said further authentication server, and using the session key and said second challenge response to authenticate the client.
- View Dependent Claims (48)
- - 48. A method according to claim 47, said authentication server being a Network Authentication Function communicating with a client via a Ua interface, and with a further authentication server via a Zn interface.

49. An authentication server suitable for use in a communications network and comprising:
- relay means for relaying authentication signalling between a client and a further authentication server, the authentication signalling comprising a first authentication challenge sent from further authentication server to said client and a first challenge response sent from the client to the further authentication server;
  
  processing means for generating a second authentication challenge and sending this to the client together with said first authentication challenge, and for receiving from the client a second challenge response together with said first challenge responsereceiving means for receiving a session key from said further authentication server following authentication of the client by said further authentication server; and
  
  processing means for using the session key and said second challenge response to authenticate the client.
- View Dependent Claims (50, 51)
- - 50. A server according to claim 49, the server being a Network Authentication Server.
  - 51. A server according to claim 50, said relay means being arranged to determine that an access request received from the client relates to an authentication which must be performed by some other function within the network, and to relay the request to the further server accordingly.

52. A method of operating a client coupled to a communication network, the method comprising:
- exchanging signalling with a first authentication server via a second authentication server for the purpose of authenticating the client to said first server, the authentication signalling comprising a first authentication challenge sent from said first authentication server to said client and a first challenge response sent from the client to the first authentication server;
  
  generating a session key using a secret shared between the client and said first server; and
  
  receiving a second authentication challenge from said second server together with said first authentication challenge, and generating a second challenge response using said session key and sending this to the second server together with said first challenge response.
- View Dependent Claims (53)
- - 53. A method according to claim 52, the client being a mobile radio communications terminal.

54. A client terminal comprising:
- processing and communication means for exchanging signalling with a first authentication server via a second authentication server for the purpose of authenticating the client to said first server, the authentication signalling comprising a first authentication challenge sent from said first authentication server to said client and a first challenge response sent from the client to the first authentication server;
  
  further processing means for generating a session key using a secret shared between the client and said first server; and
  
  input and processing means for receiving a second authentication challenge from said second authentication server together with said first authentication challenge, and for generating a second challenge response using said session key and for sending this to the second authentication server together with said first challenge response.
- View Dependent Claims (56)
- - 56. A method according to claim 54, wherein the user equipment and said other function share a secret, and derive a session key from that secret during the authentication procedure, said function providing the session key to the network application function, and the user equipment using the session key to generate the said challenge response.

55. A method of authenticating user equipment to a network application function of a communications network, the method comprising:
- sending an access request from the user equipment to the network application function;
  
  determining at the network application function that the request relates to an authentication which must be performed by some other function within the network;
  
  forwarding the request to said other function;
  
  returning a challenge from said other function to the network application function;
  
  sending the said challenge together with a further challenge of the network application function to the user equipment;
  
  sending challenge responses together from the user equipment to the network application function, and forwarding the response relating to the challenge of said other function, to that other function; and
  
  verifying the validity of the responses at the network application function and at said other function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Torvinen, Vesa Matti, Wifvesson, Monica, Lehtovirta, Vesa Petteri

Granted Patent

US 8,555,345 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/321   involving a third party or ...

H04L 9/3273   for mutual authentication n...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

User Authentication and Authorisation in a Communications System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

User Authentication and Authorisation in a Communications System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links