SECURE CLIENT AUTHENTICATION AND SERVICE AUTHORIZATION IN A SHARED COMMUNICATION NETWORK

US 20130160086A1
Filed: 06/19/2012
Published: 06/20/2013
Est. Priority Date: 06/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a secure communication channel between a client network device and a managing network device of a communication network based, at least in part, on a client identifier of the client network device;

causing the client network device to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;

securely matching the client network device with a first of the plurality of service providers;

securely receiving a service voucher at the managing network device from the accounting network device authorizing one or more of the service providers of the communication network to service the client network device in response to the accounting network device executing the account authorizing process with the client network device; and

securely transmitting the service voucher from the managing network device to the matching service provider to allow the client network device to be serviced by the matching service provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Functionality for secure client authentication and service authorization in a shared communication network are disclosed. A managing network device of a communication network causes a securely connected client network device to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more service providers of the communication network. The managing network device executes the service matching process and securely matches the client network device with one of the service providers. The accounting network device executes the account authorizing process with the client network device and provides a service voucher to the managing network device authorizing one or more of the service providers to service the client network device. The managing network device transmits the service voucher to the matched service provider to prompt the matched service provider to service the client network device.

63 Citations

View as Search Results

33 Claims

1. A method comprising:
- establishing a secure communication channel between a client network device and a managing network device of a communication network based, at least in part, on a client identifier of the client network device;
  
  causing the client network device to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  securely matching the client network device with a first of the plurality of service providers;
  
  securely receiving a service voucher at the managing network device from the accounting network device authorizing one or more of the service providers of the communication network to service the client network device in response to the accounting network device executing the account authorizing process with the client network device; and
  
  securely transmitting the service voucher from the managing network device to the matching service provider to allow the client network device to be serviced by the matching service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said securely matching the client network device with the first of the plurality of service providers further comprises:
    - generating, at the managing network device, a client key that is unique to the client network device based, at least in part, on the client identifier and on a master key known to the managing network device and the plurality of service providers of the communication network;
      
      providing the client key from the managing network device to the client network device via the secure communication channel to allow the client network device to securely communicate with the plurality of service providers of the communication network;
      
      receiving, from each of the plurality of service providers, a message that indicates a signal level detected at the service provider in response to a service matching message from the client network device; and
      
      selecting the first of the plurality of service providers that detected the highest signal level as the matching service provider for the client network device.
  - 3. The method of claim 2, further comprising:
    - transmitting, from the managing network device to the client network device, a number of service matching messages that should be transmitted from the client network device to the plurality of service providers.
  - 4. The method of claim 2, wherein the client key is a temporary key and is generated based, at least in part, on the master key, the client identifier, and one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and/or a location identifier.
  - 5. The method of claim 2, wherein the client key is a public encryption key.
  - 6. The method of claim 1, wherein the client identifier is authenticated by the managing network device and by the accounting network device, and the service voucher is bound to the client identifier.
  - 7. The method of claim 1, wherein the managing network device is one of the plurality of service providers.
  - 8. The method of claim 7, further comprising:
    - determining, at the managing network device, a message counter value from a message received from the client network device;
      
      comparing the received message counter value with a previously received message counter value from the client network device;
      
      discarding the received message if the received message counter value is less than or equal to the previously received message counter value; and
      
      processing the received message if the received message counter value is greater than the previously received message counter value.
  - 9. The method of claim 1, wherein the client network device comprises a plug-in electric vehicle, the plurality of service providers comprise a plurality of electric charging stations, the managing network device comprises a managing system associated with the plurality of electric charging stations, and the accounting network device comprises a remote account authorization server for one or more client accounts.
  - 10. The method of claim 1, further comprising:
    - determining, at the managing network device, a first value of the client identifier associated with the client network device, wherein the first value of the client identifier was used for executing the service matching process;
      
      determining a second value of the client identifier associated with the client network device, wherein the second value was used for executing the account authorization process;
      
      determining whether the first value of the client identifier matches the second value of the client identifier;
      
      in response to determining that the first value of the client identifier matches the second value of the client identifier, said securely transmitting the service voucher from the managing network device to the matching service provider to allow the client network device to be serviced by the matching service provider;
      
      in response to determining that the first value of the client identifier does not match the second value of the client identifier, preventing the matching service provider from servicing the client network device.

11. A method comprising:
- establishing, at a client network device, a secure communication channel with a managing network device of a communication network based, at least in part, on a client identifier of the client network device;
  
  receiving, from the managing network device, identification information associated with the managing network device via the secure communication channel;
  
  providing the client identifier and the identification information associated with the managing network device to an accounting network device to cause the accounting network device to execute an account authorization process with the client network device;
  
  in parallel with the account authorization process, executing a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  detecting receipt of service from a first of the plurality of service providers of the communication network after completion of the account authorization process and the service matching process; and
  
  transmitting an acknowledgement message to one of the managing network device and the first of the plurality of service providers in response to said detecting receipt of service from the first of the plurality of service providers of the communication network.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the identification information associated with the managing network device comprises a device identifier of the managing network device and a location of the managing network device.
  - 13. The method of claim 11, wherein said receiving, from the managing network device, identification information associated with the managing network device further comprises:
    - receiving, from the managing network device, one or more service matching parameters to cause the client network device to initiate the service matching process with the managing network device and the plurality of service providers of the communication network.
  - 14. The method of claim 11, further comprising:
    - receiving, from the managing network device, a client key that is unique to the client network device, via the secure communication channel, wherein the client key enables the client network device to securely communicate with the plurality of service providers of the communication network;
      
      receiving client key generation parameters based on which the client key was determined, wherein the client key generation parameters comprise one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and a location identifier;
      
      wherein said executing the service matching process with the managing network device and one or more of a plurality of service providers of the communication network comprises;
      
      signing one or more service matching messages using the client key; and
      
      transmitting the one or more service matching messages and the client key generation parameters to the plurality of service providers.
  - 15. The method of claim 14, wherein said transmitting the one or more service matching messages and the client key generation parameters to the plurality of service providers comprises:
    - determining whether a length of the service matching message scheduled to be transmitted to the plurality of service providers is greater than a predetermined threshold message length;
      
      in response to determining that the length of the service matching message is greater than the predetermined threshold message length,transmitting an initialization message including the client key generation parameters to the plurality of service providers; and
      
      transmitting the client identifier and the sequence number in the one or more service matching messages; and
      
      in response to determining that the length of the service matching message is less than the predetermined threshold message length,transmitting the client key generation parameters as part of the one or more service matching messages.

16. A managing network device comprising:
- a network interface; and
  
  a matching authorization unit coupled with the network interface, the matching authorization unit operable to;
  
  establish a secure communication channel between a client network device and the managing network device of a communication network based, at least in part, on a client identifier of the client network device;
  
  cause the client network device to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  securely match the client network device with a first of the plurality of service providers;
  
  securely receive a service voucher from the accounting network device authorizing one or more of the service providers of the communication network to service the client network device in response to the accounting network device executing the account authorizing process with the client network device; and
  
  securely transmit the service voucher to the matching service provider to allow the client network device to be serviced by the matching service provider.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The managing network device of claim 16, wherein the matching authorization unit operable to securely match the client network device with the first of the plurality of service providers further comprises the matching authorization unit operable to:
    - generate a client key that is unique to the client network device based, at least in part, on the client identifier and on a master key known to the managing network device and the plurality of service providers of the communication network;
      
      provide the client key to the client network device via the secure communication channel to allow the client network device to securely communicate with the plurality of service providers of the communication network;
      
      receive, from each of the plurality of service providers, a message that indicates a signal level detected at the service provider in response to a service matching message from the client network device; and
      
      select the first of the plurality of service providers that detected the highest signal level as the matching service provider for the client network device.
  - 18. The managing network device of claim 17, wherein the matching authorization unit is further operable to:
    - transmit, to the client network device, a number of service matching messages that should be transmitted from the client network device to the plurality of service providers.
  - 19. The managing network device of claim 17, wherein the client key is a temporary key and is generated based, at least in part, on the master key, the client identifier, and one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and/or a location identifier.
  - 20. The managing network device of claim 16, wherein the matching authorization unit is further operable to:
    - determine a first value of the client identifier associated with the client network device, wherein the first value of the client identifier was used for executing the service matching process;
      
      determine a second value of the client identifier associated with the client network device, wherein the second value was used for executing the account authorization process;
      
      determine whether the first value of the client identifier matches the second value of the client identifier;
      
      in response to the matching authorization unit determining that the first value of the client identifier matches the second value of the client identifier, the matching authorization unit is operable to securely transmit the service voucher to the matching service provider to allow the client network device to be serviced by the matching service provider;
      
      in response to the matching authorization unit determining that the first value of the client identifier does not match the second value of the client identifier, the matching authorization unit is operable to prevent the matching service provider from servicing the client network device.

21. A network device comprising:
- a network interface; and
  
  a communication unit coupled with the network interface, the communication unit operable to;
  
  establish a secure communication channel with a managing network device of a communication network based, at least in part, on a client identifier of the network device;
  
  receive, from the managing network device, identification information associated with the managing network device via the secure communication channel;
  
  provide the client identifier and the identification information associated with the managing network device to an accounting network device to cause the accounting network device to execute an account authorization process with the network device;
  
  in parallel with the account authorization process, execute a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  detect receipt of service from a first of the plurality of service providers of the communication network after completion of the account authorization process and the service matching process; and
  
  transmit an acknowledgement message to one of the managing network device and the first of the plurality of service providers in response to the communication unit detecting receipt of service from the first of the plurality of service providers of the communication network.
- View Dependent Claims (22, 23, 24)
- - 22. The network device of claim 21, wherein the communication unit operable to receive, from the managing network device, identification information associated with the managing network device further comprises the communication unit operable to:
    - receive, from the managing network device, one or more service matching parameters to cause the network device to initiate the service matching process with the managing network device and the plurality of service providers of the communication network.
  - 23. The network device of claim 21, wherein the communication unit is further operable to:
    - receive, from the managing network device, a client key that is unique to the network device, via the secure communication channel, wherein the client key enables the network device to securely communicate with the plurality of service providers of the communication network;
      
      receive client key generation parameters based on which the client key was determined, wherein the client key generation parameters comprise one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and a location identifier;
      
      wherein the communication unit operable to execute the service matching process with the managing network device and one or more of a plurality of service providers of the communication network comprises the communication unit operable to;
      
      sign one or more service matching messages using the client key; and
      
      transmit the one or more service matching messages and the client key generation parameters to the plurality of service providers.
  - 24. The network device of claim 23, wherein the communication unit operable to transmit the one or more service matching messages and the client key generation parameters to the plurality of service providers comprises the communication unit operable to:
    - determine whether a length of the service matching message scheduled to be transmitted to the plurality of service providers is greater than a predetermined threshold message length;
      
      in response to the communication unit determining that the length of the service matching message is greater than the predetermined threshold message length,transmit an initialization message including the client key generation parameters to the plurality of service providers; and
      
      transmit the client identifier and the sequence number in the one or more service matching messages; and
      
      in response to the communication unit determining that the length of the service matching message is less than the predetermined threshold message length,transmit the client key generation parameters as part of the one or more service matching messages.

25. A method comprising:
- establishing a secure communication channel between a plug-in electric vehicle and a managing network device of a communication network based, at least in part, on a client identifier of the plug-in electric vehicle;
  
  causing the plug-in electric vehicle to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more of a plurality of electric charging stations of the communication network;
  
  securely matching the plug-in electric vehicle with a first of the plurality of electric charging stations;
  
  securely receiving a service voucher at the managing network device from the accounting network device authorizing one or more of the electric charging stations of the communication network to provide electric power to the plug-in electric vehicle in response to the accounting network device executing the account authorizing process with the plug-in electric vehicle; and
  
  securely transmitting the service voucher from the managing network device to the matching electric charging station to allow the plug-in electric vehicle to receive electric power from the matching electric charging station.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, wherein said securely matching the plug-in electric vehicle with the first of the plurality of electric charging stations further comprises:
    - generating, at the managing network device, a client key that is unique to the plug-in electric vehicle based, at least in part, on the client identifier and on a master key known to the managing network device and the plurality of electric charging stations of the communication network;
      
      providing the client key from the managing network device to the plug-in electric vehicle via the secure communication channel to allow the plug-in electric vehicle to securely communicate with the plurality of electric charging stations of the communication network;
      
      receiving, from each of the plurality of electric charging stations, a message that indicates a signal level detected at the electric charging station in response to a service matching message from the plug-in electric vehicle; and
      
      selecting the first of the plurality of electric charging stations that detected the highest signal level as the matching electric charging station for the plug-in electric vehicle.
  - 27. The method of claim 26, wherein the client key is a temporary key and is generated based, at least in part, on the master key, the client identifier, and one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and/or a location identifier.

28. One or more machine-readable storage media having instructions stored therein, which when executed by one or more processors causes the one or more processors to perform operations that comprise:
- establishing a secure communication channel between a client network device and a managing network device of a communication network based, at least in part, on a client identifier of the client network device;
  
  causing the client network device to perform an account authorization process with an accounting network device in parallel with a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  securely matching the client network device with a first of the plurality of service providers;
  
  securely receiving a service voucher at the managing network device from the accounting network device authorizing one or more of the service providers of the communication network to service the client network device in response to the accounting network device executing the account authorizing process with the client network device; and
  
  securely transmitting the service voucher from the managing network device to the matching service provider to allow the client network device to be serviced by the matching service provider.
- View Dependent Claims (29, 30)
- - 29. The machine-readable storage media of claim 28, wherein said operation of securely matching the client network device with the first of the plurality of service providers further comprises:
    - generating a client key that is unique to the client network device based, at least in part, on the client identifier and on a master key known to the managing network device and the plurality of service providers of the communication network;
      
      providing the client key to the client network device via the secure communication channel to allow the client network device to securely communicate with the plurality of service providers of the communication network;
      
      receiving, from each of the plurality of service providers, a message that indicates a signal level detected at the service provider in response to a service matching message from the client network device; and
      
      selecting the first of the plurality of service providers that detected the highest signal level as the matching service provider for the client network device.
  - 30. The machine-readable storage media of claim 28, wherein the operations further comprise:
    - determining a first value of the client identifier associated with the client network device, wherein the first value of the client identifier was used for executing the service matching process;
      
      determining a second value of the client identifier associated with the client network device, wherein the second value was used for executing the account authorization process;
      
      determining whether the first value of the client identifier matches the second value of the client identifier;
      
      in response to determining that the first value of the client identifier matches the second value of the client identifier, said securely transmitting the service voucher from the managing network device to the matching service provider to allow the client network device to be serviced by the matching service provider;
      
      in response to determining that the first value of the client identifier does not match the second value of the client identifier, preventing the matching service provider from servicing the client network device.

31. One or more machine-readable storage media having instructions stored therein, which when executed by one or more processors causes the one or more processors to perform operations that comprise:
- establishing a secure communication channel with a managing network device of a communication network based, at least in part, on a client identifier of a client network device;
  
  receiving, from the managing network device, identification information associated with the managing network device via the secure communication channel;
  
  providing the client identifier and the identification information associated with the managing network device to an accounting network device to cause the accounting network device to execute an account authorization process with the client network device;
  
  in parallel with the account authorization process, executing a service matching process with the managing network device and one or more of a plurality of service providers of the communication network;
  
  detecting receipt of service from a first of the plurality of service providers of the communication network after completion of the account authorization process and the service matching process; and
  
  transmitting an acknowledgement message to one of the managing network device and the first of the plurality of service providers in response to said detecting receipt of service from the first of the plurality of service providers of the communication network.
- View Dependent Claims (32, 33)
- - 32. The machine-readable storage media of claim 31, wherein the operations further comprise:
    - receiving, from the managing network device, a client key that is unique to the client network device, via the secure communication channel, wherein the client key enables the client network device to securely communicate with the plurality of service providers of the communication network;
      
      receiving client key generation parameters based on which the client key was determined, wherein the client key generation parameters comprise one or more of a sequence number, a random number, a start/end timestamp, a lifetime duration, a message counter, and a location identifier;
      
      wherein said executing the service matching process with the managing network device and one or more of a plurality of service providers of the communication network comprises;
      
      signing one or more service matching messages using the client key; and
      
      transmitting the one or more service matching messages and the client key generation parameters to the plurality of service providers.
  - 33. The machine-readable storage media of claim 32, wherein said operation of transmitting the one or more service matching messages and the client key generation parameters to the plurality of service providers comprises:
    - determining whether a length of the service matching message scheduled to be transmitted to the plurality of service providers is greater than a predetermined threshold message length;
      
      in response to determining that the length of the service matching message is greater than the predetermined threshold message length,transmitting an initialization message including the client key generation parameters to the plurality of service providers; and
      
      transmitting the client identifier and the sequence number in the one or more service matching messages; and
      
      in response to determining that the length of the service matching message is less than the predetermined threshold message length,transmitting the client key generation parameters as part of the one or more service matching messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm Atheros Incorporated (Qualcomm, Inc.)
Inventors
YONGE, Lawrence W. III, KATAR, Srinivas, NEWMAN, Richard E.

Granted Patent

US 9,003,492 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H02J 7/00045   Authentication, i.e. circui...

H04B 2203/5458   Monitor sensor; Alarm systems

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 67/1021   based on client or server l...

H04L 67/1023   based on a hash applied to ...

H04L 67/51   Discovery or management the...

SECURE CLIENT AUTHENTICATION AND SERVICE AUTHORIZATION IN A SHARED COMMUNICATION NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE CLIENT AUTHENTICATION AND SERVICE AUTHORIZATION IN A SHARED COMMUNICATION NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links