Method and System for Mobile Device Credentialing

US 20090205028A1
Filed: 10/23/2008
Published: 08/13/2009
Est. Priority Date: 02/07/2008
Status: Active Grant

First Claim

Patent Images

1. A credentialing server configured to support downloading of subscriber credentials to un-credentialed communication devices, said credentialing server comprising:

a registration subsystem configured to register communication devices to be credentialed with an external registration server by providing registration information for the communication devices to the registration server;

an authentication subsystem to interrogate registered communication devices for their device certificates and to submit the device certificates to an external authentication server for verification, said registered communication devices being referred to the credentialing server by the registration server; and

a credentialing subsystem to request subscription credentials from an operator credentialing entity for verified communication devices, refer the verified communication devices to an external provisioning server for subscription credentials provisioning, and transfer the subscription credentials to the provisioning server for subscription credentials provisioning of the verified communication devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator, and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification. A common Public Key Infrastructure (PKI) may be used for operator and device certificates.

129 Citations

18 Claims

1. A credentialing server configured to support downloading of subscriber credentials to un-credentialed communication devices, said credentialing server comprising:
- a registration subsystem configured to register communication devices to be credentialed with an external registration server by providing registration information for the communication devices to the registration server;
  
  an authentication subsystem to interrogate registered communication devices for their device certificates and to submit the device certificates to an external authentication server for verification, said registered communication devices being referred to the credentialing server by the registration server; and
  
  a credentialing subsystem to request subscription credentials from an operator credentialing entity for verified communication devices, refer the verified communication devices to an external provisioning server for subscription credentials provisioning, and transfer the subscription credentials to the provisioning server for subscription credentials provisioning of the verified communication devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The credentialing server of claim 1, wherein the registration subsystem includes an Internet Protocol, IP, based registration server interface to communicatively couple the credentialing server to the registration server.
  - 3. The credentialing server of claim 1, wherein the authentication subsystem includes an online certificate status protocol, OCSP, based authentication server interface to communicatively couple the credentialing server to the authentication server.
  - 4. The credentialing server of claim 1, wherein the credentialing subsystem includes a secure network interface to communicatively couple the credentialing server to a home subscriber server, HSS, serving as the operator credentialing entity.
  - 5. The credentialing server of claim 1, wherein the registration subsystem is configured to register a given communication device by generating a registration nonce that is unique for the given communication device, and sending the registration nonce to the registration server as part of the registration information.
  - 6. The credentialing server of claim 5, wherein the registration subsystem is further configured to include credentialing server routing information as part of the registration information, for use by the registration server in referring registered communication devices to the credentialing server.
  - 7. The credentialing server of claim 5, wherein, for a given communication device, the authentication subsystem is configured to verify that the communication device is a registered communication device by verifying that a registration session nonce provided by the communication device is derived from the registration nonce uniquely generated by the registration subsystem for the communication device.
  - 8. The credentialing server of claim 1, wherein, for each given communication device to be credentialed, the registration subsystem generates a unique registration nonce as part of the registration information sent to the registration server for registering that given communication device, and wherein, as part of interrogating a given communication device, the authentication subsystem verifies that a registration session nonce provided by the given communication device correctly derives from a corresponding registration nonce.
  - 9. The credentialing server of claim 1, wherein the credentialing server is configured to store or otherwise maintain authentication certificates that are part of a public key infrastructure (PKI) also encompassing the operator credentialing entity and the communication devices to be credentialed.
  - 10. The credentialing server of claim 1, wherein the operator credentialing entity is a home subscriber server, HSS, and wherein the credentialing subsystem includes a communication link with the HSS, and is configured to receive encrypted subscription credentials from the HSS, for transfer in encrypted form to the provisioning server.

11. A method of providing for subscriber credentials downloading to communication devices comprising:
- registering communication devices to be credentialed at a registration server by providing registration information for the communication devices to the registration server;
  
  receiving credentials requests from registered communication devices referred by the registration server and, in response, interrogating the registered communication devices for their device certificates;
  
  submitting the device certificates to an external authentication authority for verification, wherein registered communication devices having verified device certificates are deemed to be verified communication devices;
  
  requesting subscription credentials from an operator credentialing entity for verified communication devices and correspondingly referring verified devices to an external provisioning server for subscription credentials provisioning; and
  
  subsequently transferring subscription credentials received from the operator credentialing entity for the verified devices to the external provisioning server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein providing registration information for the communication devices to the registration server comprises communicating the registration information to the registration server via Internet Protocol, IP, communications.
  - 13. The method of claim 11, wherein submitting the device certificates to an external authentication authority for verification comprises submitting device certificates to an online certification status protocol server.
  - 14. The method of claim 11, wherein registering communication devices to be credentialed at a registration server by providing registration information for the communication devices to the registration server comprises, for a given communication device to be credentialed, generating a registration nonce that is unique for the given communication device, and sending the registration nonce to the registration server as part of the registration information sent for that given communication device.
  - 15. The method of claim 14, wherein registering communication devices to be credentialed at a registration server by providing registration information for the communication devices to the registration server comprises, for the given communication device, sending credentialing server routing information as part of the registration information, for use by the registration server in referring the given communication device to the credentialing server.
  - 16. The method of claim 14, further comprising, for a given communication device requesting credentials, verifying that the requesting communication device is a registered communication device by verifying that a registration session nonce provided by the requesting communication device is derived from the registration nonce uniquely generated by the registration subsystem for the requesting communication device.
  - 17. The method of claim 11, further comprising, for each given communication device to be credentialed, generating a unique registration nonce as part of the registration information sent to the registration server for registering that given communication device, and, as part of interrogating a given communication device, verifying that a registration session nonce provided by the given communication device correctly derives from a corresponding registration nonce.
  - 18. The method of claim 11, further comprising receiving subscription credentials from the operating credentialing entity as encrypted subscription credentials, and wherein subsequently transferring the subscription credentials to the external provisioning server comprises transferring the subscription credentials in encrypted form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Johansson, Mattias, Sallberg, Krister, Barriga, Luis, Smeets, Bernard, Lehtovirta, Vesa Petteri

Granted Patent

US 8,516,133 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 2221/2129   Authenticate client device ...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

Method and System for Mobile Device Credentialing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and System for Mobile Device Credentialing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others