AUTHENTICATION IN SECURE USER PLANE LOCATION (SUPL) SYSTEMS

US 20130067552A1
Filed: 11/03/2011
Published: 03/14/2013
Est. Priority Date: 11/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method of authentication, comprising:

storing, at a mobile device, at least one security credential that is specific to the mobile device, wherein the at least one security credential includes a device identifier of the mobile device; and

transmitting the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular method includes storing, at a mobile device, at least one security credential that is specific to the mobile device. The method also includes transmitting the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.

Citations

70 Claims

1. A method of authentication, comprising:
- storing, at a mobile device, at least one security credential that is specific to the mobile device, wherein the at least one security credential includes a device identifier of the mobile device; and
  
  transmitting the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the at least one security credential includes a public key.
  - 3. The method of claim 1, wherein the at least one security credential includes at least one of an international mobile equipment identity (IMEI), a mobile station identification (MSID), and a serial number of the mobile device.
  - 4. The method of claim 1, wherein the at least one security credential includes a device certificate of the mobile device.
  - 5. The method of claim 1, wherein the at least one security credential is stored at a universal integrated smart card (UICC) of the mobile device, a secure portion of a memory of the mobile device, or any combination thereof.
  - 6. The method of claim 1, wherein the mobile device includes a SUPL enabled terminal (SET).
  - 7. The method of claim 1, wherein the mobile device transmits the at least one security credential to the SLP via a network that operates in accordance with an Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard.

8. An apparatus comprising:
- a memory storing at least one security credential that is specific to a mobile device, wherein the at least one security credential includes a device identifier of the mobile device; and
  
  a processor configured to cause the mobile device to transmit the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.
- View Dependent Claims (9)
- - 9. The apparatus of claim 8, wherein the at least one security credential includes at least one of a device certificate of the mobile device, a public key, an international mobile equipment identity (IMEI), a mobile station identification (MSID), and a serial number of the mobile device.

10. An apparatus comprising:
- means for storing at least one security credential that is specific to a mobile device, wherein the at least one security credential includes a device identifier of the mobile device; and
  
  means for causing the mobile device to transmit the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.
- View Dependent Claims (11)
- - 11. The apparatus of claim 10, wherein the mobile device includes a SUPL enabled terminal (SET).

12. A non-transitory processor-readable medium comprising instructions that, when executed by a processor, cause the processor to:
- generate, at a secure user plane location (SUPL) server, a message to be sent to a mobile device, the message including;
  
  a server certificate including an identifier of the SUPL server and a public key of the SUPL server; and
  
  a request for a device certificate of the mobile device;
  
  receive a reply from the mobile device that includes a device certificate of the mobile device; and
  
  authenticate the mobile device as associated with a SUPL user based on the device certificate.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory processor-readable medium of claim 12, wherein the mobile device comprises a SUPL enabled terminal (SET) and the SUPL server comprises a SUPL location platform (SLP).
  - 14. The non-transitory processor-readable medium of claim 12, wherein the message is sent in response to receiving from the mobile device an indication of one or more transport layer security (TLS) cipher suites supported by the mobile device, and wherein the message further includes a selection of at least one of the one or more TLS cipher suites.
  - 15. The non-transitory processor-readable medium of claim 12, wherein the device certificate includes a device identifier of the mobile device.

16. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  generate, at a secure user plane location (SUPL) server, a message to be sent to a mobile device, the message including;
  
  a server certificate including an identifier of the SUPL server and a public key of the SUPL server; and
  
  a request for a device certificate of the mobile device;
  
  receive a reply from the mobile device that includes a device identifier of the mobile device; and
  
  authenticate the mobile device as associated with a SUPL user based on the device certificate.
- View Dependent Claims (17)
- - 17. The apparatus of claim 16, wherein the message is sent in response to receiving at the SUPL server from the mobile device an indication of one or more transport layer security (TLS) cipher suites supported by the mobile device, and wherein the message further includes a selection of at least one of the one or more TLS cipher suites.

18. A method comprising:
- receiving, at a secure user plane location (SUPL) server, an indication from a mobile device of one or more transport layer security (TLS) cipher suites supported by the mobile device;
  
  determining whether the one or more TLS cipher suites include a TLS pre-shared key (TLS-PSK) cipher suite that is supported by the SUPL server;
  
  in response to determining that the one or more TLS cipher suites include the TLS-PSK cipher suite that is supported by the SUPL server, performing a generic bootstrapping architecture (GBA)-based authentication process to authenticate the mobile device; and
  
  in response to determining that the one or more TLS cipher suites do not include a TLS-PSK cipher suite that is supported by the SUPL server, determining whether the SUPL server supports a certificate-based authentication method;
  
  in response to determining that the SUPL server supports the certificate-based authentication method, performing the certificate-based authentication method that includes sending a server certificate to the mobile device and receiving a device certificate from the mobile device.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising in response to determining that the SUPL server does not support the certificate-based authentication method, performing an alternative client authentication (ACA)-based authentication method when the mobile device is connected to a 3^rdGeneration Partnership Project (3GPP) network or a 3GPP2 network.
  - 20. The method of claim 18, wherein the certificate-based authentication method is independent of an access network used by the mobile device.

21. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  receive, at a secure user plane location (SUPL) server, an indication from a mobile device of one or more transport layer security (TLS) cipher suites supported by the mobile device;
  
  determine whether the one or more TLS cipher suites include a TLS pre-shared key (TLS-PSK) cipher suite that is supported by the SUPL server;
  
  in response to determining that the one or more TLS cipher suites include the TLS-PSK cipher suite that is supported by the SUPL server, perform a generic bootstrapping architecture (GBA)-based authentication process to authenticate the mobile device; and
  
  in response to determining that the one or more TLS cipher suites do not include a TLS-PSK cipher suite that is supported by the SUPL server, determine whether the SUPL server supports a certificate-based authentication method;
  
  in response to determining that the SUPL server supports the certificate-based authentication method, perform a certificate-based authentication process that includes sending a server certificate to the mobile device and receiving a device certificate from the mobile device.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21, wherein the instructions are further executable by the processor to, in response to determining that the SUPL server does not support the certificate-based authentication method, perform an alternative client authentication (ACA)-based authentication method when the mobile device is connected to a 3^rdGeneration Partnership Project (3GPP) network or a 3GPP2 network.
  - 23. The apparatus of claim 21, wherein the certificate-based authentication process is independent of an access network used by the mobile device.

24. A method comprising:
- receiving, at a mobile device, a session initiation message from a secure user plane location (SUPL) server to initiate a SUPL session between the SUPL server and the mobile device; and
  
  in response to the mobile device receiving a valid session initiation message key from the SUPL server prior to the mobile device receiving the session initiation message;
  
  authenticating the session initiation message using the valid session initiation message key; and
  
  initiating the SUPL session with the SUPL server in response to successful authentication of the session initiation message.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The method of claim 24, wherein the session initiation message includes a SUPL INIT message.
  - 26. The method of claim 24, wherein the valid session initiation message key includes a SUPL_INIT_ROOT_KEY.
  - 27. The method of claim 24, further comprising, in response to the mobile device not receiving the valid session initiation message key:
    - transmitting a message to the SUPL server; and
      
      receiving a session initiation message key from the SUPL server in response to the message.
  - 28. The method of claim 27, wherein the message includes a SUPL_INIT_KeyRequest parameter.
  - 29. The method of claim 27, wherein the message includes a SUPL INIT Root Key Status parameter included within a SET Capabilities parameter.

30. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  receive, at a mobile device, a session initiation message from a secure user plane location (SUPL) server to initiate a SUPL session between the SUPL server and the mobile device; and
  
  in response to the mobile device receiving a valid session initiation message key from the SUPL server prior to the mobile device receiving the session initiation message;
  
  authenticate the session initiation message using the valid session initiation message key; and
  
  initiate the SUPL session with the SUPL server in response to successful authentication of the session initiation message.
- View Dependent Claims (31, 32)
- - 31. The apparatus of claim 30, wherein the session initiation message includes a SUPL INIT message.
  - 32. The apparatus of claim 30, wherein the valid session initiation message key includes a SUPL_INIT_ROOT_KEY.

33. A method comprising:
- transmitting a message from a mobile device to a secure user plane location (SUPL) server, wherein the message includes a SUPL INIT Root Key Status parameter.
- View Dependent Claims (34, 35, 36)
- - 34. The method of claim 33, wherein the SUPL INIT Root Key Status parameter indicates that the mobile device includes an invalid SUPL_INIT_ROOT_KEY or an out of sync SUPL_INIT_ROOT_KEY.
  - 35. The method of claim 33, wherein the SUPL INIT Root Key Status parameter is included in a SUPL enabled terminal (SET) Capabilities parameter of the message.
  - 36. The method of claim 33, wherein the message comprises a user location protocol (ULP) message.

37. A method comprising:
- transmitting, from a secure user plane location (SUPL) server to a mobile device, a SUPL END message that includes a SUPL INIT Key Response parameter.
- View Dependent Claims (38)
- - 38. The method of claim 37, wherein the SUPL INIT Key Response parameter includes at least one of a Mode A Key Identifier, a Temporary Mode A Key Identifier, a SUPL_INIT_ROOT_KEY, and a Mode A Key Lifetime.

39. A method comprising:
- receiving, at a mobile device, a session re-initiation message from a secure user plane location (SUPL) server to continue a SUPL session between the SUPL server and the mobile device; and
  
  in response to the mobile device receiving a valid session initiation message key from the SUPL server prior to the mobile device receiving the session re-initiation message;
  
  authenticating the session re-initiation message using the valid session initiation message key; and
  
  continuing the SUPL session with the SUPL server in response to successful authentication of the session re-initiation message.
- View Dependent Claims (40, 41)
- - 40. The method of claim 39, wherein the session re-initiation message includes a SUPL REINIT message.
  - 41. The method of claim 39, further comprising in response to the mobile device not receiving the valid session initiation message key:
    - transmitting a message to the SUPL server; and
      
      receiving a session initiation message key from the SUPL server in response to the message.

42. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  receive, at a mobile device, a session re-initiation message from a secure user plane location (SUPL) server to continue a SUPL session between the SUPL server and the mobile device; and
  
  in response to the mobile device receiving a valid session initiation message key from the SUPL server prior to the mobile device receiving the session re-initiation message;
  
  authenticate the session re-initiation message using the valid session initiation message key; and
  
  continue the SUPL session with the SUPL server in response to successful authentication of the session re-initiation message.
- View Dependent Claims (43, 44)
- - 43. The apparatus of claim 42, wherein the session re-initiation message includes a SUPL REINIT message.
  - 44. The apparatus of claim 42, wherein the valid session initiation message key includes a SUPL_INIT_ROOT_KEY.

45. A method comprising:
- receiving, at a web server, a message from a secure user plane location (SUPL)-enabled mobile device, wherein the message includes a security credential of the mobile device;
  
  receiving, at the web server, user identification information from the mobile device;
  
  authenticating the user identification information as identifying an authorized user of a SUPL service; and
  
  sending the security credential of the mobile device to a SUPL server to enable the SUPL server to authenticate the mobile device as associated with the authorized user of the SUPL service.
- View Dependent Claims (46, 47, 48, 49)
- - 46. The method of claim 45, wherein the security credential includes a device certificate that includes a public key.
  - 47. The method of claim 45, further comprising:
    - sending a server certificate including a public key of the web server to the mobile device prior to receiving the message from the mobile device; and
      
      decrypting the message using a private key of the web server.
  - 48. The method of claim 45, wherein the security credential includes at least one of an international mobile equipment identity (IMEI), a mobile station identification (MSID), and a serial number of the mobile device.
  - 49. The method of claim 45, wherein the user identification information includes an identifier and a password.

50. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  receive, at a web server, a message from a secure user plane location (SUPL)-enabled mobile device, wherein the message includes a security credential of the mobile device;
  
  receive, at the web server, user identification information from the mobile device;
  
  authenticate the user identification information as identifying an authorized user of a SUPL service; and
  
  send the security credential of the mobile device to a SUPL server to enable the SUPL server to authenticate the mobile device as associated with the authorized user of the SUPL service.
- View Dependent Claims (51)
- - 51. The apparatus of claim 50, wherein the security credential includes a device certificate that includes a public key.

52. An apparatus, comprising:
- means for receiving, at a web server, a message from a secure user plane location (SUPL)-enabled mobile device, wherein the message includes a security credential of the mobile device;
  
  means for receiving, at the web server, user identification information from the mobile device;
  
  means for authenticating the user identification information as identifying an authorized user of a SUPL service; and
  
  means for sending the security credential of the mobile device to a SUPL server to enable the SUPL server to authenticate the mobile device as associated with the authorized user of the SUPL service.
- View Dependent Claims (53)
- - 53. The apparatus of claim 52, wherein the security credential includes a device certificate that includes a public key.

54. A non-transitory processor-readable medium comprising instructions that, when executed by a processor, cause the processor to:
- receive, at a web server, a message from a secure user plane location (SUPL)-enabled mobile device, wherein the message includes a security credential of the mobile device;
  
  receive, at the web server, user identification information from the mobile device;
  
  authenticate the user identification information as identifying an authorized user of a SUPL service; and
  
  send the security credential of the mobile device to a SUPL server to enable the SUPL server to authenticate the mobile device as associated with the authorized user of the SUPL service.
- View Dependent Claims (55)
- - 55. The non-transitory processor-readable medium of claim 54, wherein the security credential includes a device certificate that includes a public key.

56. A method comprising:
- receiving, at a secure user plane location (SUPL) server, a first identifier and a first password from a mobile device;
  
  authenticating the first identifier and the first password as associated with an authorized user of a SUPL service; and
  
  sending a second identifier and a second password to the mobile device to replace the first identifier and the first password, wherein the SUPL server is configured to establish a SUPL session with the mobile device upon receiving the second identifier and the second password from the mobile device.
- View Dependent Claims (57, 58, 59, 60)
- - 57. The method of claim 56, wherein the first password is user-selected and wherein the second identifier and the second password are generated at the SUPL server.
  - 58. The method of claim 56, further comprising:
    - receiving, at the SUPL server, the first identifier and the first password from a second mobile device;
      
      authenticating the first identifier and the first password as associated with the authorized user of the SUPL service; and
      
      determining whether allowing the second mobile device to access the SUPL service would exceed a threshold number of mobile devices associated with the authorized user that are permitted to access the SUPL service.
  - 59. The method of claim 58, further comprising, in response to determining that allowing the second mobile device to access the SUPL service would not exceed the threshold number of mobile devices, sending a third identifier and a third password to the second mobile device to replace the first identifier and the first password.
  - 60. The method of claim 59, wherein the third identifier is distinct from the second identifier and wherein the SUPL server is configured to monitor usage of the SUPL service by the mobile device using the second identifier and by the second mobile device using the third identifier.

61. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory is configured to store instructions; and
  
  wherein the instructions are executable by the processor to;
  
  receive, at a secure user plane location (SUPL) server, a first identifier and a first password from a mobile device;
  
  authenticate the first identifier and the first password as associated with an authorized user of a SUPL service; and
  
  send a second identifier and a second password to the mobile device to replace the first identifier and the first password, wherein the SUPL server is configured to establish a SUPL session with the mobile device upon receiving the second identifier and the second password from the mobile device.
- View Dependent Claims (62)
- - 62. The apparatus of claim 61, wherein the first password is user-selected and wherein the second identifier and the second password are generated at the SUPL server.

63. An apparatus comprising:
- means for receiving, at a secure user plane location (SUPL) server, a first identifier and a first password from a mobile device;
  
  means for authenticating the first identifier and the first password as associated with an authorized user of a SUPL service; and
  
  means for sending a second identifier and a second password to the mobile device to replace the first identifier and the first password, wherein the SUPL server is configured to establish a SUPL session with the mobile device upon receiving the second identifier and the second password from the mobile device.
- View Dependent Claims (64)
- - 64. The apparatus of claim 63, wherein the first password is user-selected and further comprising means for generating the second identifier and the second password.

65. A non-transitory processor-readable medium comprising instructions that, when executed by a processor, cause the processor to:
- receive, at a secure user plane location (SUPL) server, a first identifier and a first password from a mobile device;
  
  authenticate the first identifier and the first password as associated with an authorized user of a SUPL service; and
  
  send a second identifier and a second password to the mobile device to replace the first identifier and the first password, wherein the SUPL server is configured to establish a SUPL session with the mobile device upon receiving the second identifier and the second password from the mobile device.
- View Dependent Claims (66)
- - 66. The non-transitory processor-readable medium of claim 65, wherein the first password is user-selected and wherein the second identifier and the second password are generated at the SUPL server.

67. A method comprising:
- transmitting a SUPL INIT message including a Protection Level parameter from a secure user plane location (SUPL) server to a mobile device.
- View Dependent Claims (68)
- - 68. The method of claim 67, wherein the Protection Level parameter includes at least one of:
    - a Level parameter indicating one of Null protection, Mode A Protection, and Mode B Protection; and
      
      a Protection parameter including at least one of a Key Identifier Type and a Key Identifier.

69. A method comprising:
- transmitting a SUPL REINIT message including a Protection Level parameter from a secure user plane location (SUPL) server to a mobile device.
- View Dependent Claims (70)
- - 70. The method of claim 69, wherein the Protection Level parameter includes at least one of:
    - a Level parameter indicating one of Null protection, Mode A Protection, and Mode B Protection; and
      
      a Protection parameter including at least one of a Key Identifier Type and a Key Identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Hawkes, Philip Michael, Wachter, Andreas, Escott, Adrian Edward, Edge, Stephen William

Granted Patent

US 8,627,422 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/0876   based on the identity of th...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

AUTHENTICATION IN SECURE USER PLANE LOCATION (SUPL) SYSTEMS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION IN SECURE USER PLANE LOCATION (SUPL) SYSTEMS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links