Characteristics of Security Associations

US 20140201809A1
Filed: 07/12/2013
Published: 07/17/2014
Est. Priority Date: 07/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user of a wireless transmit/receive unit (WTRU), the method comprising, at the WTRU:

obtaining a measure of a strength of a user authentication;

generating an assertion based on the user authentication strength measure; and

based on the assertion, receiving access to a resource via the WTRU.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication of a user or a wireless transmit/receive unit may be based on an obtained measure of authentication strength, which may referred to as an assurance level. For example, a user, via a WTRU, may request access to a service controlled by an access control entity (ACE). The user may be authenticated with a user authenticator and assertion function (UAAF), producing a result. A user assertion may be provided that includes the user authentication result, a user assurance level, and/or a user freshness level. The WTRU may be authenticated with a device authenticator and assertion function (DAAF), producing an associated result. A device assertion may be provided that may include the device authentication result, a device assurance level, and/or a device freshness level. The assertions may be bound together to receive access to a service or resource.

90 Citations

View as Search Results

33 Claims

1. A method of authenticating a user of a wireless transmit/receive unit (WTRU), the method comprising, at the WTRU:
- obtaining a measure of a strength of a user authentication;
  
  generating an assertion based on the user authentication strength measure; and
  
  based on the assertion, receiving access to a resource via the WTRU.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 30)
- - 2. The method as recited in claim 1, wherein the assertion comprises an indication of a freshness of the user authentication.
  - 3. The method as recited in claim 1, the method further comprising:
    - obtaining a measure of a strength of a WTRU authentication; and
      
      generating the assertion further based on the WTRU authentication strength measure.
  - 4. The method as recited in claim 3, wherein the assertion comprises an indication of a freshness of the WTRU authentication.
  - 5. The method as recited in claim 1, wherein the assertion comprises a plurality of user authentication factors.
  - 6. The method as recited in claim 3, wherein the assertion comprises a plurality of WTRU authentication factors.
  - 7. The method as recited in claim 1, wherein the assertion is a negative assertion and the received access, based on the negative assertion, is a limited access.
  - 30. The WTRU as recited in claim 3, wherein the assertion comprises an indication of a freshness of the WTRU authentication.

8. In a system comprising a wireless transmit/receive unit (WTRU) and an access control entity (ACE) which communicate via a network, a method of authenticating a user of the WTRU and the WTRU, the method comprising:
- requesting access to a service controlled by the ACE;
  
  providing a user assertion, to the ACE, associated with the user, wherein the user assertion indicates a result of an authentication between the user and a user authenticator and assertion function (UAAF), and wherein the user assertion comprises a user authentication assurance level;
  
  providing a device assertion, to the ACE, associated with a device identity of the WTRU, wherein the device assertion indicates a result of an authentication between the WTRU and a device authenticator and assertion function (DAAF), and wherein the device assertion comprises a device authentication assurance level;
  
  binding the user assertion with the device assertion to create a bounded assertion; and
  
  sending the bounded assertion to the ACE to receive access to the service.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 9. The method as recited in claim 8, wherein the user assertion further comprises an indication of a user authentication freshness level.
  - 10. The method as recited in claim 8, wherein the device assertion further comprises an indication of a device authentication freshness level.
  - 11. The method as recited in claim 8, wherein the bounded assertion comprises a combined result of the user authentication assurance level and the device authentication assurance level.
  - 12. The method as recited in claim 8, wherein the user assertion comprises a negative user assertion, and wherein the negative user assertion indicates that the result of the authentication between the user and the UAAF is negative, the method further comprising:
    - in response to the negative user assertion, receiving a limited access or no access to the service.
  - 13. The method as recited in claim 8, wherein the device assertion comprises a negative device assertion, wherein the negative device assertion indicates that the result of the authentication between the WTRU and the DAAF is negative, the method further comprising:
    - in response to the negative device assertion, receiving a limited access or no access to the service.
  - 14. The method as recited in claim 8, wherein the bounded assertion comprises a negative bounded assertion, and wherein the negative bounded assertion indicates that at least one of the results of the authentication between the user and the UAAF or the authentication between the WTRU and the DAAF is negative, the method further comprising:
    - in response to the negative bounded assertion, receiving a limited access or no access to the service.
  - 15. The method as recited in claim 8, wherein the device assertion comprises a positive device assertion and the user assertion comprises a positive user assertion, and wherein the positive device assertion indicates that the WTRU is authenticated with the DAAF, and wherein the positive user assertion indicates that the user is authenticated with the UAAF, the method further comprising:
    - in response to the bounded assertion, receiving a limitless access to the service.
  - 16. The method as recited in claim 8, the method further comprising:
    - if at least one of the device authentication assurance level, the device authentication freshness level, the user authentication assurance level, and the user authentication freshness level are not within a respective acceptable range, receiving a limited access or no access to the service.
  - 17. The method as recited in claim 8, wherein the UAAF resides on the WTRU and the DAAF resides on a server of the network.
  - 18. The method as recited in claim 8, wherein the UAAF and the DAAF are co-located.
  - 19. The method as recited in claim 8, the method further comprising:
    - if at least one of the device authentication assurance level and the device authentication freshness level are not with a respective acceptable range, re-authenticating the WTRU with the DAAF.
  - 20. The method recited in claim 8, the method further comprising:
    - if at least one of the user authentication assurance level and the user authentication freshness level are not with within a respective acceptable range, re-authenticating the user with the UAAF.
  - 21. The method recited in claim 19, wherein each respective acceptable range is determined by a policy of a service provider that provides the service.
  - 22. The method as recited in claim 20, wherein each respective acceptable range is determined by a policy of a service provider that provides the service.
  - 23. The method recited in claim 8, wherein the UAAF and the DAAF are bound together into a single authenticator and assertion function (AAF).
  - 24. The method as recited in claim 8, wherein the DAAF and the ACE are co-located.
  - 25. The method as recited in claim 8, wherein the result of the authentication between the user and the UAAF is based on at least one of one or more authentication factors, the one or more authentication factors comprising information indicative of knowledge of the user, one or more physiological characteristics of the user, and one or more behavioral characteristics of the user.
  - 26. The method as recited in claim 11, the method further comprising:
    - storing a user authentication freshness level, the user authentication assurance level, the device authentication freshness level, and the device authentication assurance level; and
      
      based on at least one of the stored levels, receiving a limited access to the service.

27. A wireless transmit/receive unit (WTRU), the WTRU comprising:
- a memory comprising executable instructions; and
  
  a processor in communications with the memory, the instructions, when executed by the processor, cause the processor to effectuate operations comprising;
  
  obtaining a measure of a strength of a user authentication;
  
  generating an assertion based on the user authentication strength measure; and
  
  based on the assertion, receiving access to a resource.
- View Dependent Claims (28, 29, 31, 32, 33)
- - 28. The WTRU as recited in claim 27, wherein the assertion comprises an indication of a freshness of the user authentication.
  - 29. The WTRU as recited in claim 27, wherein the processor is further configured to execute the instructions to perform operations comprising:
    - obtaining a measure of a strength of a WTRU authentication; and
      
      generating the assertion further based on the WTRU authentication strength measure.
  - 31. The WTRU as recited in claim 27, wherein the assertion comprises a plurality of user authentication factors.
  - 32. The WTRU as recited in claim 29, wherein the assertion comprises a plurality of WTRU authentication factors.
  - 33. The WTRU as recited in claim 27, wherein the assertion is a negative assertion and the received access, based on the negative assertion, is a limited access or no access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
CHOYI, VINOD KUMAR, SHAH, YOGENDRA C., MEYERSTEIN, MICHAEL V., GUCCIONE, LOUIS J.

Granted Patent

US 9,503,438 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 2463/081   applying self-generating cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

H04W 12/068   using credential vaults, e....

Characteristics of Security Associations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

90 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Characteristics of Security Associations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links