Method and apparatus for authentication in a communication system
Abstract
A method and apparatus for authenticating a roaming subscriber. In a preferred embodiment, a subscriber receives a challenge that is in the format of a local authentication protocol and determines whether the local authentication protocol is the subscriber's home system authentication protocol. If it is not, the subscriber converts the challenge into a format (e.g., bit length) compatible with its home system authentication protocol, and processes the converted challenge with the subscriber's secret key and authentication algorithm into an authentication response. The authentication response is converted to be compatible with the local authentication protocol and transmitted to a local system communication unit. The challenge and response are then forwarded to the subscriber's home system for similar conversion and processing, and the subscriber's response is compared against a home system generated response.
Claims (61)
1. A method of generating authentication information for use in authenticating a subscriber unit communicating via a communication unit of a visited communication system using a first authentication protocol, the subscriber unit and a home communication system of the subscriber unit each storing a subscriber unit identifier and a first secret key of the subscriber unit and an authentication algorithm, the method comprising:
- in the home communication system, wherein the home communication system uses a home authentication protocol different from the first authentication protocol,
(a) receiving the identifier and an indication of a request for service from the communication unit;
(b) in response to the request for service, generating an authentication challenge (RANDH) in the home authentication protocol and obtaining the first secret key;
(c) processing the RANDH into an authentication response (RESPH) in the home authentication protocol using the home communication system stored first secret key and authentication algorithm;
(d) converting the RANDH into an authentication challenge (RANDV) in the first authentication protocol and converting the RESPH into a response (RESPV) in the first authentication protocol; and
(e) communicating the RANDV and RESPV to the communication unit for use in authenticating the subscriber unit.
Dependent claims: 2, 3, 4.

5. A method of generating authentication information for use in authenticating a subscriber unit communicating via a communication unit of a visited communication system using a first authentication protocol, the subscriber unit and a home communication system of the subscriber unit each storing a subscriber unit identifier and a first secret key of the subscriber unit and an authentication algorithm, the method comprising:
- in the home communication system, wherein the home communication system uses a home authentication protocol different from the first authentication protocol,
(a) receiving an authentication message including the identifier of the subscriber unit, and an authentication challenge (RANDV) and response (RESPV) to the RANDV in the first authentication protocol from the communication unit;
(b) in response to the authentication message, converting the RANDV into an authentication challenge (RANDH) in the home authentication protocol;
(c) obtaining the first secret key and processing the RANDH into an authentication response (RESPH) in the home authentication protocol using the first secret key and authentication algorithm;
(d) determining whether the RESPH and RESPV are both derived from the first secret key; and
(e) sending a message confirming authentication when it is determined that the RESPH and RESPV are both derived from the first secret key.
Dependent claims: 6.

7. A method of generating an authentication message for a subscriber unit communicating via a communication unit of a visited communication system using a first authentication protocol, the subscriber unit having a subscriber identity unit, and the subscriber identity unit and a home communication system of the subscriber identity unit each storing a subscriber identity unit identifier and a first secret key of the subscriber identity unit and an authentication algorithm, the method comprising:
- in the subscriber unit,
(a) receiving a first authentication challenge (RANDV) in the first authentication protocol from the communication unit;
(b) converting, in response to a determination that the first authentication protocol is different from a home authentication protocol used in the home communication system, the RANDV into an authentication challenge (RANDH) in the home authentication protocol;
(c) obtaining the subscriber identity unit stored first secret key and processing the RANDH into an authentication response (RESPH) in the home authentication protocol using the subscriber identity unit stored first secret key and authentication algorithm;
(d) converting the RESPH into a response (RESPV) in the first authentication protocol; and
(e) sending the RESPV to the communication unit.
Dependent claims: 8.

9. A method of authenticating a subscriber unit via a temporary subscriber unit terminal in a visited communication system using a first authentication protocol, the subscriber unit and a home communication system of the subscriber unit each storing a subscriber unit identifier and a first secret key of the subscriber unit and an authentication algorithm, the method comprising:
- in the terminal,
(a) establishing a proximity communication link with the subscriber unit;
(b) establishing a communication channel with a communication unit of the visited communication system, and requesting and receiving from the communication unit a first authentication challenge (RANDV) in the first authentication protocol from the visited communication system;
(c) converting, in response to a determination that the first authentication protocol is different from a home authentication protocol used in the home communication system of the subscriber unit, the RANDV into an authentication challenge (RANDH) in the home authentication protocol, and sending the RANDH to the subscriber unit;
(d) receiving an authentication response (RESPH) from the subscriber unit, and converting the RESPH into a response (RESPV) in the first authentication protocol;
(e) sending the RESPV to the communication unit; and
(f) receiving an authentication message notifying the terminal to activate a temporary subscriber unit when the RESPV, converted into the home authentication protocol, is determined to match a further response calculated from the RANDV, converted into the home authentication protocol, and the first secret key using the authentication algorithm.
Dependent claims: 10, 11, 12.

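The exchange that claims 1, 5, 7 and 9 describe, worked through as an added Python example (this is not the patent's own text; the patent names no algorithm and no field widths). Assumptions made here: the two protocols differ only in the bit widths of RAND and RESP, with hypothetical widths of 128/64 bits at home and 32/24 bits in the visited system; converting to the narrower width keeps the low-order bytes and converting to the wider width zero-pads; HMAC-SHA256 stands in for the home authentication algorithm; and the names `Protocol`, `convert`, `home_algorithm`, `HomeSystem`, `SubscriberUnit` and `run_exchange` are chosen for this example. The subscriber-side code path is the same one the terminal of claim 9 runs on the subscriber unit's behalf.

```python
# Added example, not the patent's text.  Assumptions: protocols differ only in
# RAND/RESP bit widths (hypothetical values below), conversion is zero-pad up /
# truncate down, and HMAC-SHA256 stands in for the unspecified home algorithm.
from __future__ import annotations

import hashlib, hmac, os
from dataclasses import dataclass


@dataclass(frozen=True)
class Protocol:
    name: str
    rand_bits: int
    resp_bits: int


HOME = Protocol("home", rand_bits=128, resp_bits=64)       # hypothetical widths
VISITED = Protocol("visited", rand_bits=32, resp_bits=24)  # hypothetical widths


def convert(value: bytes, src_bits: int, dst_bits: int) -> bytes:
    """Re-encode RAND or RESP from src_bits to dst_bits: narrowing keeps the
    low-order bytes, widening left-pads with zero bytes.  A down-then-up round
    trip is lossless only if the dropped high-order bytes were zero."""
    if src_bits % 8 or dst_bits % 8:
        raise ValueError("widths must be whole bytes")
    src_len, dst_len = src_bits // 8, dst_bits // 8
    if len(value) != src_len:
        raise ValueError(f"expected {src_len} bytes, got {len(value)}")
    if dst_len <= src_len:
        return value[-dst_len:]
    return b"\x00" * (dst_len - src_len) + value


def home_algorithm(secret_key: bytes, rand_h: bytes) -> bytes:
    """RESPH = f(first secret key, RANDH), cut to the home RESP width."""
    tag = hmac.new(secret_key, rand_h, hashlib.sha256).digest()
    return tag[: HOME.resp_bits // 8]


class HomeSystem:
    """Home communication system holding each subscriber's first secret key."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self._keys = dict(keys)          # subscriber identifier -> first secret key

    def generate_for_visited(self, identifier: str, visited: Protocol) -> tuple[bytes, bytes]:
        """Claim 1: build (RANDV, RESPV) in answer to a visited system's request."""
        key = self._keys[identifier]
        # Draw only as much randomness as the narrower protocol carries, so that
        # RANDH -> RANDV -> RANDH reproduces the challenge RESPH was computed over.
        usable_bits = min(HOME.rand_bits, visited.rand_bits)
        rand_h = convert(os.urandom(usable_bits // 8), usable_bits, HOME.rand_bits)
        resp_h = home_algorithm(key, rand_h)
        return (convert(rand_h, HOME.rand_bits, visited.rand_bits),
                convert(resp_h, HOME.resp_bits, visited.resp_bits))

    def verify_from_visited(self, identifier: str, visited: Protocol,
                            rand_v: bytes, resp_v: bytes) -> bool:
        """Claim 5: decide whether RESPV was derived from the stored key."""
        key = self._keys.get(identifier)
        if key is None:                  # unknown subscriber: fail closed
            return False
        rand_h = convert(rand_v, visited.rand_bits, HOME.rand_bits)
        expected_h = home_algorithm(key, rand_h)
        # Compare at the visited width: padding RESPV back up to the home width
        # would equal RESPH only if RESPH's high-order bytes happened to be zero.
        expected_v = convert(expected_h, HOME.resp_bits, visited.resp_bits)
        return hmac.compare_digest(expected_v, resp_v)


class SubscriberUnit:
    def __init__(self, identifier: str, secret_key: bytes) -> None:
        self.identifier = identifier
        self._key = secret_key           # first secret key, as on the identity unit

    def respond(self, rand: bytes, local: Protocol) -> bytes:
        """Claim 7: answer a challenge received in the local protocol."""
        if local == HOME:                # at home: no conversion at all
            return home_algorithm(self._key, rand)
        rand_h = convert(rand, local.rand_bits, HOME.rand_bits)
        resp_h = home_algorithm(self._key, rand_h)
        return convert(resp_h, HOME.resp_bits, local.resp_bits)


def run_exchange(visited: Protocol = VISITED, subscriber_key: bytes | None = None) -> dict:
    """One roaming authentication; returns the home system's decision."""
    real_key = b"constructed-sample-first-secret-key"   # constructed, not a real key
    home = HomeSystem({"ID-0001": real_key})
    unit = SubscriberUnit("ID-0001", subscriber_key or real_key)
    rand_v, resp_v_expected = home.generate_for_visited(unit.identifier, visited)  # claim 1
    resp_v = unit.respond(rand_v, visited)                                         # claim 7
    accepted = home.verify_from_visited(unit.identifier, visited, rand_v, resp_v)  # claim 5
    return {"accepted": accepted,
            "matches_precomputed": hmac.compare_digest(resp_v, resp_v_expected),
            "rand_v_bytes": len(rand_v), "resp_v_bytes": len(resp_v)}
```

Two details make the conversion sound. The home system draws only as many random bits as the narrower protocol can carry; otherwise RANDH cannot be rebuilt from RANDV and the two RESPH values disagree. And the comparison in `verify_from_visited` is done at the visited width, because padding a truncated RESPV back up does not recover RESPH. The plain consequence for a deployment is that the effective challenge entropy and response length of the whole exchange are those of the narrower of the two protocols, whichever side is home.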
13. A subscriber unit adapted for interfacing with a subscriber identity unit and for communicating via a communication unit of a local communication system and being authenticated by a home communication system, wherein the subscriber identity unit includes a memory having a subscriber identifier, a first secret key and an authentication algorithm, the subscriber unit comprising:
(a) communications means for sending and receiving signals to and from the communication unit;
(b) determining means for determining that the local communication system uses a local system authentication protocol different from a home system authentication protocol used in the subscriber identity unit, and for activating a converting means in response to such a determination;
(c) the converting means, coupled to the determining means and communications means, being operable for converting a first authentication challenge (RANDV) from the communication unit in the local system authentication protocol into a home authentication challenge (RANDH) in the home authentication protocol; and
(d) interface means, coupled to the converting means and the subscriber identity unit when the subscriber identity unit is interfaced with the subscriber unit, for inputting the RANDH into the subscriber identity unit for processing by the subscriber identity unit into a response (RESPH) and first encryption key using the first secret key and home system authentication algorithm, and for receiving the RESPH and first encryption key from the subscriber identity unit;
wherein the converting means is further operable for converting the RESPH into a first response (RESPV) in the local system authentication protocol and outputting the RESPV to the communication means for transmission to the communication unit.
Dependent claims: 14, 15, 16, 17, 18.

19. A subscriber unit for communicating via a communication unit of a local communication system and being authenticated by a home communication system, wherein the subscriber unit includes a memory having a subscriber identifier, a first secret key and an authentication algorithm, the subscriber unit comprising:
(a) communications means for sending and receiving signals to and from the communication unit;
(b) determining means for determining that the local communication system uses a local system authentication protocol different from a home system authentication protocol used in the subscriber unit, and for activating an authentication means in response to such a determination; and
(c) the authentication means, coupled to the determining means and communications means, being operable for (i) converting a first authentication challenge (RANDV) from the communication unit in the local system authentication protocol into a home authentication challenge (RANDH) in the home authentication protocol, (ii) processing the RANDH into a response (RESPH) and first encryption key using the first secret key and authentication algorithm, and for converting the RESPH into a first response (RESPV) in the local system authentication protocol and outputting the RESPV to the communication means for transmission to the communication unit.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27.

28. A subscriber identity unit adapted for being received in a subscriber unit communicating via a communication unit of a local communication system, wherein the subscriber identity unit includes a memory having a subscriber identifier, a first secret key and at least one authentication algorithm, the subscriber identity unit comprising:
(a) interface means for sending and receiving information to and from the subscriber unit;
(b) determining means for determining whether a challenge (RAND) received from the subscriber unit is in a home system authentication protocol or a visited system authentication protocol different from the home system authentication protocol, and for activating a converting means in response to such a determination that the RAND is in a visited system authentication protocol;
(c) the converting means, coupled to the determining means and interface means, being operable for converting a first authentication challenge (RANDV) from the communication unit in the visited system authentication protocol into a home authentication challenge (RANDH) in the home system authentication protocol; and
(d) processing means, coupled to the converting means, for inputting the RANDH and calculating a response (RESPH) using the RANDH, the first secret key and the authentication algorithm;
wherein the converting means is further operable for receiving and converting the RESPH into a first response (RESPV) in the visited system authentication protocol and outputting the RESPV to the subscriber unit.
Dependent claims: 29, 30, 31, 32, 33, 34, 35.

36. A subscriber terminal, for providing communication services to a subscriber having an authentication unit including a communications interface, a processor and a memory storing a subscriber identifier, a secret key and an authentication algorithm, and for communicating information between the authentication unit and a communication unit of a local communication system and authenticating the authentication unit by a home communication system of the authentication unit, the terminal comprising:
(a) communications means for sending and receiving information to and from the communication unit, and for sending and receiving information to and from the authentication unit via the communications interface;
(b) determining means for determining that the authentication unit uses a home system authentication protocol different from a local system authentication protocol used in the communication unit, and for activating a converting means in response to such a determination;
(c) the converting means, coupled to the determining means and communications means, being operable for converting a first authentication challenge (RANDV) in the local system authentication protocol into a home authentication challenge (RANDH) in the home authentication protocol, and for converting a first response (RESPH) to the RANDH from the authentication unit in the home system authentication protocol into a response (RESPV) in the local system authentication protocol;
wherein the communications means is further operable for communicating the RANDH to the authentication unit and receiving the RESPH from the authentication unit, and for communicating the RESPV to the communication unit.
Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50.

51. A temporary subscriber unit for communicating user information via a local communication system, comprising:
(a) a temporary memory;
(b) interface means, coupled to the temporary memory, for receiving and inputting authentication information and at least one use parameter into the temporary memory, wherein the at least one use parameter includes information specifying an amount of communications services allowed after which further communications with the temporary subscriber unit are inhibited;
(c) communications means, coupled to the temporary memory, for using the authentication information to authenticate the temporary subscriber unit, and communicating the user information, with a local system for the specified amount of communications services; and
(d) deactivation means for inhibiting the communication means and erasing the authentication information and any subscriber-specific information following the specified amount of communications services.
Dependent claims: 52.

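The temporary subscriber unit of claim 51, as an added Python example that is not part of the patent. Assumptions made here: the "amount of communications services" is metered in abstract units (the page does not say what is counted), the authentication information is an opaque byte string, and `TemporarySubscriberUnit` and its method names are chosen for this example.

```python
# Added example, not the patent's text.  Assumption: the use parameter is a
# count of abstract service units; the page does not say what is metered.
from __future__ import annotations


class TemporarySubscriberUnit:
    """Temporary memory + interface, communications and deactivation means."""

    def __init__(self) -> None:
        self._auth_info: bytearray | None = None   # temporary memory
        self._subscriber_specific: dict = {}
        self._remaining = 0                         # use parameter, in units
        self._active = False

    @property
    def active(self) -> bool:
        return self._active

    @property
    def remaining(self) -> int:
        return self._remaining

    def provision(self, auth_info: bytes, allowed_units: int, **subscriber_specific) -> None:
        """Interface means: load authentication information and the use parameter."""
        if allowed_units <= 0:
            raise ValueError("use parameter must allow some service")
        self._auth_info = bytearray(auth_info)      # mutable so it can be wiped later
        self._subscriber_specific = dict(subscriber_specific)
        self._remaining = allowed_units
        self._active = True

    def authentication_info(self) -> bytes | None:
        """Communications means: the authentication information is usable only while active."""
        if not self._active or self._auth_info is None:
            return None
        return bytes(self._auth_info)

    def communicate(self, units: int) -> int:
        """Communicate user information; returns the units actually served.
        Service is capped at the remaining allowance (the caller's request is
        not trusted) and the unit deactivates itself once the allowance is gone."""
        if not self._active or units <= 0:
            return 0
        served = min(units, self._remaining)
        self._remaining -= served
        if self._remaining == 0:
            self._deactivate()
        return served

    def _deactivate(self) -> None:
        """Deactivation means: inhibit communication and erase the secrets."""
        self._active = False
        if self._auth_info is not None:
            for i in range(len(self._auth_info)):   # overwrite before dropping the reference
                self._auth_info[i] = 0
            self._auth_info = None
        self._subscriber_specific.clear()
```

Two points carry over to a real implementation: the unit caps service at its remaining allowance instead of trusting the requested amount, and deactivation overwrites the authentication information before discarding it, since dropping a reference alone leaves the bytes in memory. Copies handed out by `authentication_info()` are immutable `bytes` and are outside the unit's control, so callers should hold them only as long as needed.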
53. A communication unit of a home communication system of a subscriber unit capable of operation in a second local communication system, wherein the communication unit and subscriber unit each have a memory including an authentication algorithm, a stored first secret key and a subscriber identifier of the subscriber unit, the communication unit comprising:
(a) communication means for receiving and sending authentication information for the subscriber unit, wherein the authentication information includes at least a challenge (RAND) and a response to the challenge (RESP) by the subscriber unit;
(b) determining means for determining that the authentication information from the local communication system is in a local system authentication protocol different from a home system authentication protocol used in the subscriber unit; and
(c) authentication means, coupled to the determining means and communications means, for (i) converting a first authentication challenge (RANDV) from the local communication system in the local system authentication protocol into a home authentication challenge (RANDH) in the home authentication protocol, (ii) processing the RANDH into a response (RESPH) using the first secret key and authentication algorithm, and for converting the RESPH into a first response (RESPV) in the local system authentication protocol and outputting the RESPV to the communication means for transmission to the local communication system.
Dependent claims: 54, 55.

56. A communication unit of a home communication system of a subscriber unit capable of operation in a second local communication system, wherein the communication unit and subscriber unit each have a memory including an authentication algorithm, a stored first secret key and a subscriber identifier of the subscriber unit, the communication unit comprising:
(a) communication means for receiving a request for authentication of the subscriber unit from the local communication system;
(b) determining means, coupled to the communication means, for determining, following receipt of the request for authentication, that the local communication system uses a local system authentication protocol different from a home system authentication protocol used in the subscriber unit;
(c) authentication means, coupled to the determining means and communications means, for generating authentication information in the local system authentication protocol for outputting to the communications means, the authentication means comprising means for generating a challenge and a response and means for converting the challenge and response from the home system authentication protocol into a challenge and response in the local system authentication protocol.
Dependent claims: 57, 58.

59. A communication system including a first subscriber unit, a home system having at least one home communication unit using a first authentication protocol and having memory for storing an identifier and first secret key of the first subscriber unit, wherein the home communication unit is operable for processing an authentication challenge into a response using the authentication challenge and first secret key, the communication system comprising:
(a) a second local system having a local communication unit using a second authentication protocol, wherein the subscriber unit is operable for communicating with both the home system and local system;
(b) interworking means, coupled to at least one of the local communication unit and home communication unit, for converting a first authentication challenge (RANDV) in the second authentication protocol into a home authentication challenge (RANDH) in the home authentication protocol, and converting a response to the RANDH (RESPH) in the home authentication protocol into a response (RESPV) in the second authentication protocol; and
(c) communication means for coupling the local communication unit to the home communication unit for communicating between the local communication unit and home communication unit one of the group consisting of the RANDV and the RANDH and one of the group consisting of the RESPH and the RESPV.
Dependent claims: 60, 61.