MANIPULATION AND RESTORATION OF AUTHENTICATION CHALLENGE PARAMETERS IN NETWORK AUTHENTICATION PROCEDURES

US 20130343538A1
Filed: 06/20/2012
Published: 12/26/2013
Est. Priority Date: 06/20/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a processor and a memory communicatively connected to the processor, the processor configured to;

receive an authentication challenge parameter; and

determine whether the authentication challenge parameter is encrypted.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A challenge manipulation and restoration capability is provided for use during network authentication. A mobile device (MD) and a subscriber server (SS) each have provisioned therein a binding key (B-KEY) that is associated with a subscriber identity of a network authentication module (NAM) of the MD. The SS obtains an authentication vector (AV) in response to a request from a Radio Access Network (RAN) when the MD attempts to attach to the RAN. The AV includes an original authentication challenge parameter (ACP). The SS encrypts the original ACP based on its B-KEY, and updates the AV by replacing the original ACP with the encrypted ACP. The MD receives the encrypted ACP, and decrypts the encrypted ACP based on its B-KEY to recover the original ACP. The MD provides the original ACP to the NAM for use in computing an authentication response for validation by the RAN.

26 Citations

View as Search Results

23 Claims

1. An apparatus, comprising:
- a processor and a memory communicatively connected to the processor, the processor configured to;
  
  receive an authentication challenge parameter; and
  
  determine whether the authentication challenge parameter is encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the processor is configured to determine whether the authentication challenge parameter is encrypted based on a subscriber identity associated with a network authentication module.
  - 3. The apparatus of claim 1, wherein the processor is configured to:
    - when a determination is made that the authentication challenge parameter is encrypted;
      
      decrypt the encrypted authentication challenge parameter based on a binding key stored in the memory; and
      
      propagate the decrypted authentication challenge parameter toward a network authentication module.
  - 4. The apparatus of claim 3, wherein the binding key comprises one of a pre-provisioned random number or string, a string provisioned during a bootstrapping procedure, an output of a hash function, or a string or number.
  - 5. The apparatus of claim 3, wherein the processor is configured to:
    - receive, from the network authentication module, an authentication response computed by the network authentication module based on the decrypted authentication challenge parameter; and
      
      propagate the authentication response toward a Radio Access Network (RAN).
  - 6. The apparatus of claim 1, wherein the processor is configured to:
    - when a determination is made that the authentication challenge parameter is not encrypted;
      
      propagate the authentication challenge parameter toward a network authentication module.
  - 7. The apparatus of claim 6, wherein the processor is configured to:
    - receive, from the network authentication module, an authentication response computed by the network authentication module based on the authentication challenge parameter; and
      
      propagate the authentication response toward a Radio Access Network (RAN).
  - 8. The apparatus of claim 1, wherein the processor is configured to:
    - prior to receiving the authentication challenge parameter;
      
      propagate, toward a Radio Access Network (RAN), a request to attach to the RAN;
      
      wherein the request to attach to the RAN includes a subscriber identity of a network authentication module.
  - 9. The apparatus of claim 8, wherein the request to attach to the RAN further comprises an equipment identity.
  - 10. The apparatus of claim 1, wherein the apparatus further comprises a network authentication module.
  - 11. The apparatus of claim 10, wherein the network authentication module is one of:
    - a device configured to be inserted within the apparatus and removed from the apparatus;
      
      ora software module stored in the memory of the apparatus.

12. A method for use by a mobile device comprising a processor and a memory, the method comprising:
- receiving, by the processor, an authentication challenge parameter; and
  
  determining, by the processor, whether the authentication challenge parameter is encrypted.

13. An apparatus, comprising:
- a processor and a memory communicatively connected to the processor, the processor configured to;
  
  encrypt an original authentication challenge parameter of an authentication vector (AV), based on a binding key, to form an encrypted authentication challenge parameter; and
  
  replace the original authentication challenge parameter of the AV with the encrypted authentication challenge parameter.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The apparatus of claim 13, wherein the processor is configured to:
    - when an AV request is received from a Radio Access Network (RAN);
      
      retrieve the AV including the encrypted authentication challenge parameter; and
      
      propagate the AV including the encrypted authentication challenge parameter toward the RAN.
  - 15. The apparatus of claim 13, wherein the processor is configured to:
    - prior to encrypting the original authentication challenge parameter of the AV to form the encrypted authentication challenge parameter;
      
      receive an AV request from a Radio Access Network (RAN); and
      
      obtain the AV including the original authentication challenge parameter.
  - 16. The apparatus of claim 13, wherein the processor is configured to:
    - determine a subscriber identity associated with an AV request received from a Radio Access Network; and
      
      retrieve the binding key based on the determined subscriber identity.
  - 17. The apparatus of claim 13, wherein the processor is configured to:
    - determine an equipment identity associated with an AV request received from a Radio Access Network; and
      
      retrieve the binding key based on the determined equipment identity.
  - 18. The apparatus of claim 13, wherein the processor is configured to:
    - propagate the AV including the encrypted authentication challenge parameter toward a Radio Access Network (RAN) for delivery to a mobile device.
  - 19. The apparatus of claim 13, wherein the processor is configured to:
    - prior to encrypting the original authentication challenge parameter of the AV to form the encrypted authentication challenge parameter;
      
      receive an AV request from a Radio Access Network (RAN), wherein the AV request comprises an equipment identity of a mobile node and a subscriber identity of a network authentication module of the mobile node; and
      
      determine, based on the subscriber identity and the equipment identity, whether the network authentication module is authorized to be used with the mobile device.
  - 20. The apparatus of claim 13, wherein the binding key stored in the memory corresponds to a binding key maintained by a mobile device for which the AV is intended.
  - 21. The apparatus of claim 13, wherein the binding key comprises one of a pre-provisioned random number or string, a string provisioned during a bootstrapping procedure, an output of a hash function, or a string or number.
  - 22. The apparatus of claim 13, wherein the processor is configured to:
    - receive, from a Radio Access Network, the encrypted authentication challenge parameter; and
      
      decrypt the encrypted authentication challenge parameter based on the binding key associated with a subscriber identity.

23. A method, comprising:
- encrypting, using a processor, an original authentication challenge parameter of an authentication vector (AV), based on a binding key, to form an encrypted authentication challenge parameter; and
  
  replacing the original authentication challenge parameter of the AV with the encrypted authentication challenge parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Mizikovsky, Semyon, Broustis, Ioannis, Cakulev, Violeta

Granted Patent

US 9,537,663 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/255
CPC Class Codes

H04L 63/0853   using an additional device,...

H04L 9/3271   using challenge-response

H04W 12/06   Authentication

H04W 12/48   using secure binding, e.g. ...

H04W 12/72   Subscriber identity

MANIPULATION AND RESTORATION OF AUTHENTICATION CHALLENGE PARAMETERS IN NETWORK AUTHENTICATION PROCEDURES

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

MANIPULATION AND RESTORATION OF AUTHENTICATION CHALLENGE PARAMETERS IN NETWORK AUTHENTICATION PROCEDURES

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links