METHOD AND SYSTEM FOR DISTRIBUTED, LOCALIZED AUTHENTICATION IN THE FRAMEWORK OF 802.11

US 20090187983A1
Filed: 09/05/2008
Published: 07/23/2009
Est. Priority Date: 09/07/2007
Status: Active Grant

First Claim

Patent Images

1. :

A method for controlling Internet access of a mobile device by using a communication system which includes a number of access points connected to an Internet and to mobile devices, the method comprising the steps of;

a) performing a certificate-based authentication between an access point, operating as an authentication access point, and an authenticating mobile device seeking access to an Internet, wherein the authenticating mobile device is disposed in the coverage area of the authentication access point;

a1) transmitting a certificate from the mobile device over a wireless link to the authentication access point, wherein the transmitted certificate includes at least a mobile device identifier, the public key of the mobile device or user, and a timestamp indicating a lifetime of the certificate;

a2) verifying the certificate by the authentication access point;

a3) determining by the authentication access point, based on a certificate revocation list, whether the authenticating mobile device'"'"'s certificate has been revoked prior to the expiration of the lifetime, wherein at least a portion of the certificate revocation list is stored at least temporarily at the authentication access point; and

a4) granting the authenticating mobile device access to the Internet if the certificate has been verified successfully in the verifying step and not revoked prior to the expiration of the lifetime.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling Internet access of a mobile device by using a communication system having a number of access points includes the steps of performing a certificate-based authentication between an authentication access point and a mobile device seeking access to the Internet; transmitting a certificate from the mobile device to the authentication access point; verifying the certificate by the authentication access point; determining whether the authenticating mobile device'"'"'s certificate has been revoked prior to the expiration of its lifetime; and granting the authenticating mobile device access to the Internet, if the certificate has been verified successfully and not revoked prior to the expiration of its lifetime.

Citations

30 Claims

1. :
- A method for controlling Internet access of a mobile device by using a communication system which includes a number of access points connected to an Internet and to mobile devices, the method comprising the steps of;
  
  a) performing a certificate-based authentication between an access point, operating as an authentication access point, and an authenticating mobile device seeking access to an Internet, wherein the authenticating mobile device is disposed in the coverage area of the authentication access point;
  
  a1) transmitting a certificate from the mobile device over a wireless link to the authentication access point, wherein the transmitted certificate includes at least a mobile device identifier, the public key of the mobile device or user, and a timestamp indicating a lifetime of the certificate;
  
  a2) verifying the certificate by the authentication access point;
  
  a3) determining by the authentication access point, based on a certificate revocation list, whether the authenticating mobile device'"'"'s certificate has been revoked prior to the expiration of the lifetime, wherein at least a portion of the certificate revocation list is stored at least temporarily at the authentication access point; and
  
  a4) granting the authenticating mobile device access to the Internet if the certificate has been verified successfully in the verifying step and not revoked prior to the expiration of the lifetime.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 30)
- - 2. :
    - The method of claim 1, further comprising the steps of;
      
      b) defining a plurality of groups, wherein each group comprises a plurality of access points and a plurality of mobile devices;
      
      c) segmenting the certificate revocation list (“
      
      CRL”
      
      ) into a plurality of CRL segments and associating a unique CRL segment identifier with each CRL segment, wherein each CRL segment represents a separate group of the plurality of groups;
      
      d) storing for each group the same CRL segment on each access point of the respective group and storing for each group the same CRL segment identifier associated with the respective group on each mobile device of the respective group;
      
      e) receiving at the authentication access point a CRL segment identifier of the authenticating mobile device;
      
      determining by the authentication access point, based on the CRL segment identifier received from the authenticating mobile device, whether the authentication access point belongs to the same group as the authenticating mobile device;
      
      e1) if the authentication access point and the authenticating mobile device are determined in step e) to be in the same group, then basing the determination made at step a3) on the CRL segment stored on the authentication access point;
      
      e2) if the authentication access point and the authenticating mobile device are determined in step e) to not be in the same group, then requesting, by the authentication access point, the CRL segment represented by the CRL segment identifier received from the authenticating mobile device and basing the determination made at step a3) on the requested CRL segment.
  - 3. :
    - The method of claim 2, wherein each CRL segment identifier is embedded in the certificate for at least one of the mobile devices and access points of the group represented by the CRL segment of the respective CRL segment identifier.
  - 4. :
    - The method of claim 2, further comprising the step of dividing a physical area into a plurality of geographical zones, each geographical zone being represented by a separate CRL segment, wherein each group of the plurality of groups is defined by a separate geographical zone.
  - 5. :
    - The method of claim 2, wherein step e2) further comprises the step of forwarding the requested CRL segment to the authentication access point from one of an access point which belongs to the group represented by the CRL segment identifier stored on the authenticating mobile device, and a central server storing all CRL segments and their unique CRL segment identifiers.
  - 6. :
    - The method of claim 2 further comprising the steps of;
      
      assigning each CRL segment a CRL segment timestamp indicating one of the time of generation and a last update time of the respective CRL segment;
      
      storing at least one of a newly generated updated CRL segment and a currently updated CRL segment with its respective CRL segment timestamp and its respective CRL segment identifier on the central server and on each access point of the group represented by the respective CRL segment;
      
      storing on each mobile device of each group the same CRL segment which represents the respective group and the timestamp associated with the respective CRL segment;
      
      whereinstep e2) further comprises the step of;
      
      i) forwarding from the authenticating mobile device to the authentication access point the requested CRL segment and the timestamp associated therewith;
      
      ii) forwarding from the authentication access point to at least on of the central server, and the group of access points represented by the CRL segment stored on the authenticating mobile device a request for a CRL segment reference timestamp;
      
      iii) forwarding the requested CRL segment reference timestamp to the authentication access point;
      
      iv) determining, by the authentication access point, whether the CRL segment timestamp received from the authenticating mobile device matches the CRL segment reference timestamp, or lies within a predetermined time interval;
      
      if the received CRL segment time stamp matches the reference time stamp or lies within a predetermined time interval, then basing the determination made at step a3) on the CRL segment received from the authenticating mobile device.
  - 7. :
    - The method of claim 6 further comprising the steps of;
      
      determining, by the authentication access point, whether the CRL segment timestamp received from the authenticating mobile device is determined to be valid;
      
      if the CRL segment timestamp received from the authenticating mobile device is deemed to be valid, then basing the determination made at step a3) on the CRL segment received from the authenticating mobile device; and
      
      if the CRL segment timestamp received from the authenticating mobile device is deemed not to be valid, then proceeding with step e2)ii.
  - 8. :
    - The method of claim 6, wherein the request for a CRL segment reference timestamp according to step e2)ii) and the requested CRL segment reference timestamp forwarded in step e2)iii) are transmitted over a trusted peer-to-peer network arranged by the access points using information based on a trusted friendship of at least one owner of the access points.
  - 9. :
    - The method of claim 8, further comprising the step of storing, at each access point, at least one of user identifiers, a current IP-addresses of its friendship access points, a number of intra-zone connections of each friendship access point, the CRL segment identifiers, and a listing of all geographical zones and their coordinates, wherein each CRL segment identifier represents the geographical zone to which the respective friendship access point belongs.
  - 10. :
    - The method of claim 9, further comprising the steps of;
      
      centrally storing a listing which assigns for each access point its current IP-address to its user identifier;
      
      retrieving from the centrally stored listing the current IP-address of at least one of the friendship access points of a first access point;
      
      establishing a connection from the first access point to its at least one friendship access point using the retrieved IP-address;
      
      performing a predetermined authentication between the first access point and its friendship access point to establish a trusted connection therebetween;
      
      exchanging the number of intra-zone connections and the CRL segment identifier between the access points; and
      
      repeating, for each access point, the steps of centrally storing, retrieving, establishing, performing, and exchanging;
      
      wherein each access point only updates its own IP-address on the listing.
  - 11. :
    - The method of claim 9, wherein the request for the CRL segment reference timestamp is transmitted from the authentication access point to the geographical zone which is represented by the same CRL segment identifier as stored on the authenticating mobile by using a location based routing algorithm, wherein the request is only routed over the authentication access point'"'"'s friendship access points and the friendship access points of its friendship access points.
  - 12. :
    - The method of claim 1, wherein the location-based routing algorithm is the GFG algorithm.
  - 13. :
    - The method of claim 11, wherein the request is first transmitted from the authentication access point to its friendship access point having more intra-zone connections than other friendship access points, wherein the friendship access point is located in the same geographical zone as the authentication access point.
  - 14. :
    - The method of claim 2, further comprising the steps of;
      
      updating a CRL segment in dependence of a predetermined event on the central server;
      
      forwarding the updated CRL segment from the central server to at least one access point of the group represented by the updated CRL segment; and
      
      forwarding the updated CRL segment from the respective access point to its friendship access points which belong to the same group.
  - 15. :
    - The method of claim 6, wherein the CRL segment reference timestamp corresponds to the most recent CRL segment timestamp.
  - 16. :
    - The method of claim 1, wherein the access points of the communication system are centrally registered and owned by private entities.
  - 30. :
    - A computer readable medium having stored thereon a plurality of computer executable instructions operable to implement on an access point and a mobile device a method for controlling Internet access of the mobile device according to claim 1.

17. :
- A communication system for controlling Internet access of a mobile device, comprising;
  
  at least one mobile device including;
  
  a storage medium configured to store a certificate including at least a mobile device identifier and a timestamp indicating a lifetime of the certificate;
  
  a transmitting device configured to transmit the certificate via a wireless link;
  
  a first certificate-based authentication module; and
  
  at least one access point connected to an Internet, the at least one access point including;
  
  a second certificate-based authentication module;
  
  a verification device;
  
  a determining device configured to determine, on the basis of a certificate revocation list, whether the certificate has been revoked prior to the expiration of the lifetime;
  
  a storage device configured to store the certificate revocation list or a predetermined segment of the certificate revocation list at least temporarily; and
  
  an access granting device configured to grant the mobile device access to the Internet if the mobile device'"'"'s certificate has been verified successfully and the certificate is absent from the certificate revocation list;
  
  wherein;
  
  the transmitting device is configured to transmit the certificate to the at least one access point;
  
  the verification device is configured to verify the certificate received from the at least one mobile device; and
  
  the first certificate-based authentication module and the second certificate-based authentication module are configured to control an authentication between the at least one mobile device and the at least one access point.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. :
    - The communication system of claim 17, further comprising;
      
      a central server including a central server storage medium configured to store;
      
      a plurality of CRL segments each representing a divided portion of the certificate revocation list, wherein a unique CRL segment identifier is associated with each CRL segment; and
      
      a plurality of geographical zones each representing a divided portion of a physical area, wherein each geographical zone is associated with a separate CRL segment, and wherein each geographical zone comprises a plurality of access points and a plurality of mobile devices.
  - 19. :
    - The communication system of claim 18, wherein each access point and each mobile device associated with the same geographical zone stores the same CRL segment representing the respective geographical zone, and wherein the CRL segment identifier associated with the CRL segment representing the respective geographical zone is embedded in the certificate stored on each mobile device of the same geographical zone.
  - 20. :
    - The communication system of claim 19, wherein each access point further includes;
      
      a first determining device configured to determine, based on the CRL segment identifier received from the mobile device, whether the respective access point belongs to the same geographical zone as the mobile device; and
      
      a second determining device configured to determine, based on the stored CRL segment, whether the mobile device'"'"'s certificate has been revoked prior to the expiration of its lifetime.
  - 21. :
    - The communication system of claim 20, wherein each access point further includes;
      
      a generating device configured to generated a request for the CRL segment which is represented by the CRL segment identifier received from the mobile device; and
      
      a third determining device configured to determine, based on the requested CRL segment, whether the mobile device'"'"'s certificate has been revoked prior to the expiration of its lifetime.
  - 22. :
    - The communication system of claim 21, wherein at least one of each access point and the central server is adapted to forward a CRL segment on request to a requesting access point.
  - 23. :
    - The communication system of claim 18, wherein;
      
      the central server is adapted to assign to each CRL segment a CRL segment timestamp indicating at least one of the time of generation and the last update of the respective CRL segment;
      
      each access point and each mobile device includes a respective storage element configured to store at least one of a newly generated and currently updated CRL segment together with a CRL segment timestamp assigned thereto;
      
      each mobile device is adapted to further transmit its stored CRL segment and the timestamp associated therewith to the access point; and
      
      each access point is further adapted to forward a request for a CRL segment reference timestamp to at least one of the central server and the geographical zone which includes the access points having stored the requested CRL segment reference timestamp, and further adapted to determine whether the CRL segment timestamp received from the authenticating mobile device matches the received CRL segment reference timestamp, or lies within a predetermined time interval.
  - 24. :
    - The communication system of claim 18, wherein the access points are configured to a trusted peer-to-peer network.
  - 25. :
    - The communication system of claim 24, wherein each access point is configured to store the user identifiers and the current IP-addresses of its friendship access points, the number of intra-zone connections of each friendship access point, the CRL segment identifiers, each representing the geographical zone which the respective friendship access point belongs to, and a listing of all geographical zones and their coordinates.
  - 26. :
    - The communication system of claim 25, further comprising a central storage medium configured to store a listing assigning each access point'"'"'s current IP-address to its respective user identifier; and
      
      wherein each access point is further adapted to;
      
      retrieve from the listing the current IP-address of at least one of its friendship access points and to establish a connection to the friendship access point using the retrieved IP-address, the certificate-based authentication module of each access point being further adapted to perform a predetermined authentication with its friendship access point to establish a trusted connection therebetween;
      
      exchange the number of intra-zone connections and the CRL segment identifier with its friendship access point over the trusted connection, andupdate only its own IP-address on the listing.
  - 27. :
    - The communication system of claim 18, wherein the central server is configured to;
      
      update a CRL segment in dependence of a predetermined event; and
      
      forward the updated CRL segment to at least one first access point located in the geographical zone represented by the updated CRL segment; and
28. :
- A wireless access point adapted to perform a certificate-based authentication with a mobile device of the communication system of claim 17.
29. :
- A mobile device adapted to perform a certificate-based authentication with an access point of the communication system of claim 17.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Trustees of The University of Illinois, Deutsche Telekom AG
Original Assignee
Board of Trustees of The University of Illinois, Technische Universitã¤T Berlin (Tu)
Inventors
Vidales, Pablo, Thompson, Nathanael, Solarski, Marcin, Luo, Haiyun, Singh, Jatinder Pal, Zerfos, Petros

Granted Patent

US 8,307,414 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0823   using certificates cryptogr...

H04W 12/069   using certificates or pre-s...

H04W 88/00   Devices specially adapted f...

METHOD AND SYSTEM FOR DISTRIBUTED, LOCALIZED AUTHENTICATION IN THE FRAMEWORK OF 802.11

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DISTRIBUTED, LOCALIZED AUTHENTICATION IN THE FRAMEWORK OF 802.11

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links