Method and apparatus for binding subscriber authentication and device authentication in communication systems

US 20110314287A1
Filed: 06/15/2011
Published: 12/22/2011
Est. Priority Date: 06/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method operational in a device, comprising:

performing subscriber authentication with a network entity;

performing device authentication of the device with the network entity;

generating a security key that binds the subscriber authentication and the device authentication; and

using the security key to secure communications between the device and a serving network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication method is provided between a device (e.g., a client device or access terminal) and a network entity. A removable storage device may be coupled to the device and stores a subscriber-specific key that may be used for subscriber authentication. A secure storage device may be coupled to the device and stores a device-specific key used for device authentication. Subscriber authentication may be performed between the device and a network entity. Device authentication may also be performed of the device with the network entity. A security key may then be generated that binds the subscriber authentication and the device authentication. The security key may be used to secure communications between the device and a serving network.

108 Citations

View as Search Results

50 Claims

1. A method operational in a device, comprising:
- performing subscriber authentication with a network entity;
  
  performing device authentication of the device with the network entity;
  
  generating a security key that binds the subscriber authentication and the device authentication; and
  
  using the security key to secure communications between the device and a serving network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein subscriber authentication is based on an authentication key agreement exchange between the device and the network entity.
  - 3. The method of claim 1, wherein device authentication is based on a challenge-response exchange between the device and the network entity.
  - 4. The method of claim 1, wherein subscriber authentication is performed by a first authentication server that is part of the network entity, and device authentication is performed by a second authentication server that is part of the network entity.
  - 5. The method of claim 1, wherein device authentication is performed by:
    - receiving data from the network entity that is encrypted with a public key of the device;
      
      using a corresponding private key to decrypt the encrypted data; and
      
      subsequently proving to the network entity that the device has knowledge of the data.
  - 6. The method of claim 1, further comprising:
    - sending an attach request from the device to the network entity, the attach request including an indication of device authentication capabilities of the device.
  - 7. The method of claim 1, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 8. The method of claim 1, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges.
  - 9. The method of claim 1, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 10. The method of claim 1, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 11. The method of claim 10, wherein the security key is also a function of a network nonce and a device nonce.
  - 12. The method of claim 1, wherein the device is a relay node that appears as an access terminal to the network entity and appears as a network device to one or more access terminals.
  - 13. The method of claim 1, wherein the security key is separately generated by the device and the network entity.
  - 14. The method of claim 1, further comprising:
    - provisioning a subscriber-specific key as part of a service agreement, where the subscriber-specific key is used for the subscriber authentication; and
      
      provisioning a device-specific key in the device during manufacturing, where the device-specific key is used for the device authentication.

15. A device, comprising:
- a communication interface; and
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  perform subscriber authentication with a network entity;
  
  perform device authentication of the device with the network entity;
  
  generate a security key that binds the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the device and a serving network.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The device of claim 15, wherein subscriber authentication is based on an authentication key agreement exchange between the device and the network entity.
  - 17. The device of claim 15, wherein device authentication is based on a challenge-response exchange between the device and the network entity.
  - 18. The device of claim 15, wherein device authentication is performed by:
    - receiving data from the network entity that is encrypted with a public key of the device;
      
      using a corresponding private key to decrypt the encrypted data; and
      
      subsequently proving to the network entity that the device has knowledge of the data.
  - 19. The device of claim 15, further comprising:
    - sending an attach request from the device to the network entity, the attach request including an indication of device authentication capabilities of the device.
  - 20. The device of claim 15, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 21. The device of claim 15, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges.
  - 22. The device of claim 15, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 23. The device of claim 15, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 24. The device of claim 15, wherein the device is a relay node that appears as an access terminal to the network entity and appears as a network device to one or more access terminals.
  - 25. The device of claim 15, further comprising:
    - a removable storage device coupled to the processing circuit and storing a subscriber-specific key used for the subscriber authentication; and
      
      a secure storage device coupled to the processing circuit and storing a device-specific key used for the device authentication.

26. A device, comprising:
- means for performing subscriber authentication with a network entity;
  
  means for performing device authentication of the device with the network entity;
  
  means for generating a security key that binds the subscriber authentication and the device authentication; and
  
  means for using the security key to secure communications between the device and a serving network.
- View Dependent Claims (27)
- - 27. The device of claim 26, further comprising:
    - means for storing a subscriber-specific key used for the subscriber authentication; and
      
      means for storing a device-specific key used for the device authentication.

28. A processor-readable medium comprising instructions operational on a device, which when executed by a processor causes the processor to:
- perform subscriber authentication with a network entity;
  
  perform device authentication of the device with the network entity;
  
  generate a security key that binds the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the device and a serving network.

29. A method operational in a network entity, comprising:
- performing subscriber authentication with a device;
  
  performing device authentication of the device;
  
  generating a security key that binds the subscriber authentication and the device authentication; and
  
  using the security key to secure communications between the network entity and the device.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 30. The method of claim 29, wherein subscriber authentication is based on an authentication key agreement exchange between the network entity and the device.
  - 31. The method of claim 29, wherein device authentication is based on a challenge-response exchange between the network entity and the device.
  - 32. The method of claim 29, wherein device authentication includes:
    - receiving a certificate from the device;
      
      verifying the certificate associated with the device has not been revoked.
  - 33. The method of claim 29, further comprising:
    - receiving an attach request from the device, the attach request including an indication of device authentication capabilities of the device.
  - 34. The method of claim 29, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 35. The method of claim 29, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges.
  - 36. The method of claim 29, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 37. The method of claim 29, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 38. The method of claim 29, wherein the security key is separately generated by the device and the network entity.
  - 39. The method of claim 29, further comprising:
    - obtaining a subscriber-specific key as part of a service agreement, the subscriber-specific key used for the subscriber authentication; and
      
      obtaining a device-specific key for the device, the device-specific key used for the device authentication.

40. A network entity, comprising:
- a communication interface; and
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  perform subscriber authentication with a device;
  
  perform device authentication of the device;
  
  generate a security key that binds the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the network entity and the device.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48)
- - 41. The network entity of claim 40, wherein subscriber authentication is based on an authentication key agreement exchange between the network entity and the device.
  - 42. The network entity of claim 40, wherein device authentication is based on a challenge-response exchange between the network entity and the device.
  - 43. The network entity of claim 40, wherein the processing circuit is further adapted to:
    - receive an attach request from the device, the attach request including an indication of device authentication capabilities of the device.
  - 44. The network entity of claim 40, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 45. The network entity of claim 40, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges.
  - 46. The network entity of claim 40, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 47. The network entity of claim 40, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 48. The network entity of claim 40, further comprising:
    - obtaining a subscriber-specific key as part of a service agreement, the subscriber-specific key used for the subscriber authentication; and
      
      obtaining a device-specific key for the device, the device-specific key used for the device authentication.

49. A network entity, comprisingmeans for performing subscriber authentication with a device;
- means for performing device authentication of the device;
  
  means for generating a security key that binds the subscriber authentication and the device authentication; and
  
  means for using the security key to secure communications between the network entity and the device.

50. A processor-readable medium comprising instructions operational on a network entity, which when executed by a processor causes the processor to:
- perform subscriber authentication with a device;
  
  perform device authentication of the device;
  
  generate a security key that binds the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the network entity and the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
ESCOTT, Adrian Edward, PALANIGOUNDER, Anand

Granted Patent

US 9,385,862 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0844   with user authentication or...

H04L 9/32   including means for verifyi...

H04L 9/3271   using challenge-response

H04L 9/3273   for mutual authentication n...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 88/02   Terminal devices

Method and apparatus for binding subscriber authentication and device authentication in communication systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

50 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for binding subscriber authentication and device authentication in communication systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

50 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others