Method and system for validating subscriber identities in a communications network

US 6,338,140 B1
Filed: 11/24/1998
Issued: 01/08/2002
Est. Priority Date: 07/27/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for validating an identity of a subscriber in a communications network, comprising:

at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database; and

at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and/or system for validating subscribers includes an insecure communications network, such as, an IS-41 wireless telephone network connecting a plurality of telephone switches. A subscriber or user of the system enters a sequence of digits, namely, a random PIN (personal identification number), and a telephone number of whom he wishes to call. The random PIN provides effectively a “digital signature” to the telephone number. A second number is dialed to effect call completion. An authentication center exists which authenticates the user by verifying the digital signature and updating a user profile to permit a call only to the telephone number in the sequence dialed by the user. The profile is sent to the serving switch which permits calls only to the destination in the profile. This technique eliminates fraudulent users from stealing telephone identities, “cloning” phones and placing calls. Calls are optionally completed only to destinations that have been validated.

199 Citations

31 Claims

1. A system for validating an identity of a subscriber in a communications network, comprising:
- at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database; and
  
  at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system according to claim 1, further comprising:
3. The system according to claim 2, further comprising at least one protocol analyzer connecting at least one of the communication networks to said interoperability unit, said at least one protocol analyzer converting a data format of received communications messages into a data format readable by said interoperability unit and queuing the converted communications messages for said communications server.
4. The system according to claim 1, further comprising at least one password generator cryptographically processing at least two inputs thereto, the at least two inputs comprising a second time-varying element and at least one of the cryptographic keys to generate an output comprising the dynamic personal identification number.
5. The system according to claim 4, further comprising at least one communications device communicating with said communications network and with said communications server, said at least one communications device including at least one input element for receiving the dynamic personal identification number from said password generator.
6. The system according to claim 5, wherein said password generator includes a display for displaying the dynamic personal identification number, said communication device including a keypad.
7. The system according to claim 5, wherein said password generator includes a transmitter for transmitting at least one electromagnetic signal including the dynamic personal identification number to said communications device, said communications device including a receiver for receiving the at least one electromagnetic signal including the dynamic personal identification number from the password generator.
8. The system according to claim 7, wherein said transmitter includes a photo-emitter and said receiver includes a photo-detector.
9. The system according to claim 7, wherein said password generator includes one of a tone encoder and a pulse encoder operatively connected to said transmitter, said communications device including one of a tone decoder and a pulse decoder, respectively, operatively connected to said receiver.

10. A method of validating an identity of a subscriber in a communications network comprising:
- a) transmitting a dynamic personal identification number, generated independently of an authentication engine and elements responsive to the communications network, from a communications device to the authentication engine remotely located thereto; and
  
  b) comparing for identity at least one acceptable personal identification number to the transmitted dynamic personal identification number for validating the identity of a subscriber at the authentication engine.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method according to claim 10, further comprising the steps of:
12. The method according to claim 10, further comprising the steps of;
- transmitting a device identification from the communications device to the authentication engine prior to said dynamic personal identification number transmitting step a);
  
  generating the dynamic personal identification number by using a password generator, operatively independent of the authentication engine and the elements responsive to the communications network, to process a time-varying input, a cryptographic key input, and a cryptographic algorithm;
  
  determining a cryptographic key corresponding to the transmitted device identification from a database in the authentication engine mapping valid device identifications to respective cryptographic keys; and
  
  cryptographically processing the determined cryptographic key and a time-varying value at the authentication engine to generate the at least one acceptable personal identification number.
13. The method according to claim 10, wherein said step a) of transmitting the dynamic personal identification number includes transmitting the dynamic personal identification number to the authentication engine via a mobile switching center in the communications network.
14. The method according to claim 10, wherein the authentication engine includes a communications server and an authentication server communicating therewith, the communications server, including the mapping database, receiving the device identification number, and performing said step of determining a cryptographic key corresponding to the received device identification number, the authentication server performing said comparing step b).
15. The method according to claim 14, further comprising the step of:
- translating communication signals between the communications network in which the subscriber is located and at least one other communications network by using an interoperability unit communicating with at least one of said communication server and said authentication server.
16. The method according to claim 10, wherein the authentication engine includes a communications and authentication server, which includes the mapping database, the communications and authentication server receiving the device identification number, performing said step of determining a cryptographic key corresponding to the received device identification number, and performing said comparing step b).

17. A system for validating an identity of a subscriber in a communications network, comprising:
- at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database;
  
  at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network; and
  
  an interoperability unit translating communication signals between the communications network in which the subscriber is located and at least one communications network, said interoperability unit communicating with at least one of said communication server and said authentication server, wherein, upon validating the identity of the subscriber, said authentication engine restricts the subscriber to a number of authorized calls to one of a subscriber-desired telephone number and a subscriber-desired communications network address.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The system according to claim 17, wherein said authentication engine obtains a profile of the subscriber upon validating the identity thereof, said authentication engine modifying the profile of the subscriber to restrict the subscriber to the number of authorized calls to the one of a subscriber-desired telephone number and a subscriber-desired communications network address, said authentication engine transmitting the modified profile to a mobile switching center serving the subscriber thereby instructing the mobile switching center to enable subscriber access to the one of a subscriber-desired telephone number and subscriber-desired communications network address for the restricted number of calls.
  - 19. The system according to claim 17, further comprising at least one protocol analyzer connecting at least one of the communication networks to said interoperability unit, said at least one protocol analyzer converting a data format of received communications messages into a data format readable by said interoperability unit and queuing the converted communications messages for said communications server.
  - 20. The system according to claim 17, further comprising at least one password generator cryptographically processing at least two inputs thereto, the at least two inputs comprising a second time-varying element and one of the cryptographic keys to generate an output comprising a personal identification number.
  - 21. The system according to claim 20, further comprising at least one communications device communicating with said communications network and with said communications server, said at least one communications device including at least one input element for receiving the dynamic personal identification number from said password generator.
  - 22. The system according to claim 21, wherein said password generator includes a display for displaying the dynamic personal identification number, said communication device including a keypad.
  - 23. The system according to claim 21, wherein said password generator includes a transmitter for transmitting at least one electromagnetic signal including the dynamic personal identification number to said communications device, said communications device including a receiver for receiving the at least one electromagnetic signal including the dynamic personal identification number from the password generator.
  - 24. The system according to claim 23, wherein said transmitter includes an photo-emitter and said receiver includes a photo-detector.
  - 25. The system according to claim 23, wherein said password generator includes one of a tone encoder and a pulse encoder operatively connected to said transmitter, said communications device including one of a tone decoder and a pulse decoder, respectively, operatively connected to said receiver.

26. A method of validating an identity of a subscriber in a communications network comprising:
- a) transmitting a dynamic personal identification number, generated independently of an authentication engine and elements responsive to the communications network, from a communications device to the authentication engine remotely located thereto;
  
  b) comparing for identity at least one acceptable personal identification number to the transmitted dynamic personal identification number for validating the identity of a subscriber at the authentication engine and c) restricting the subscriber to a number of authorized calls to one of a subscriber-desired telephone number and a subscriber-desired communications network address.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The method according to claim 26, further comprising the steps of:
28. The method according to claim 26, further comprising the steps of;
- transmitting a device identification from the communications device to the authentication engine prior to said dynamic personal identification number transmitting step a);
  
  generating the dynamic personal identification number by using a password generator, operatively independent of the authentication engine and the elements responsive to the communications network, to process a time-varying input, a cryptographic key input, and a cryptographic algorithm;
  
  determining a cryptographic key corresponding to the transmitted device identification from a database in the authentication engine mapping valid device identifications to respective cryptographic keys; and
  
  cryptographically processing the determined cryptographic key and a time-varying value at the authentication engine to generate the at least one acceptable personal identification number.
29. The method according to claim 26, wherein the authentication engine includes a communications server and an authentication server communicating therewith, the communications server, including the mapping database, receiving the device identification number, and performing said step of determining a cryptographic key corresponding to the received device identification number, the authentication server performing said comparing step b).
30. The method according to claim 29, further comprising the step of:
- translating communication signals between the communications network in which the subscriber is located and at least one other communications network by using an interoperability unit communicating with at least one of said communication server and said authentication server.
31. The method according to claim 26, wherein said transmitting step includes transmitting the dynamic personal identification number via one of a time division multiple access transmission protocol and a code division multiple access transmission protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Iridium Satellite Llc (Iridium Communications, Incorporated)
Original Assignee
Iridium Corporation (ACS Actividades de Construcción y Servicios SA)
Inventors
Owens, Leslie D., Davis, Alvah B., Plecity, Mark S., Kiswani, David T., Yu, I-Hsiang
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/198,440
Time in Patent Office

1,141 Days
Field of Search

713/168, 713/171, 713/182, 713/200, 713/201, 380/255, 380/277, 380/281, 380/285, 380/28
US Class Current

713/168
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

Method and system for validating subscriber identities in a communications network

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for validating subscriber identities in a communications network

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links