Method and system for validating subscriber identities in a communications network
First Claim
1. A system for validating an identity of a subscriber in a communications network, comprising:
- at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database; and
at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network.
10 Assignments
0 Petitions
Accused Products
Abstract
A method and/or system for validating subscribers includes an insecure communications network, such as, an IS-41 wireless telephone network connecting a plurality of telephone switches. A subscriber or user of the system enters a sequence of digits, namely, a random PIN (personal identification number), and a telephone number of whom he wishes to call. The random PIN provides effectively a “digital signature” to the telephone number. A second number is dialed to effect call completion. An authentication center exists which authenticates the user by verifying the digital signature and updating a user profile to permit a call only to the telephone number in the sequence dialed by the user. The profile is sent to the serving switch which permits calls only to the destination in the profile. This technique eliminates fraudulent users from stealing telephone identities, “cloning” phones and placing calls. Calls are optionally completed only to destinations that have been validated.
199 Citations
31 Claims
-
1. A system for validating an identity of a subscriber in a communications network, comprising:
-
at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database; and
at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
an interoperability unit translating communication signals between the communications network in which the subscriber is located and at least one other communications network, said interoperability unit communicating with at least one of said communication server and said authentication server.
-
-
3. The system according to claim 2, further comprising at least one protocol analyzer connecting at least one of the communication networks to said interoperability unit, said at least one protocol analyzer converting a data format of received communications messages into a data format readable by said interoperability unit and queuing the converted communications messages for said communications server.
-
4. The system according to claim 1, further comprising at least one password generator cryptographically processing at least two inputs thereto, the at least two inputs comprising a second time-varying element and at least one of the cryptographic keys to generate an output comprising the dynamic personal identification number.
-
5. The system according to claim 4, further comprising at least one communications device communicating with said communications network and with said communications server, said at least one communications device including at least one input element for receiving the dynamic personal identification number from said password generator.
-
6. The system according to claim 5, wherein said password generator includes a display for displaying the dynamic personal identification number, said communication device including a keypad.
-
7. The system according to claim 5, wherein said password generator includes a transmitter for transmitting at least one electromagnetic signal including the dynamic personal identification number to said communications device, said communications device including a receiver for receiving the at least one electromagnetic signal including the dynamic personal identification number from the password generator.
-
8. The system according to claim 7, wherein said transmitter includes a photo-emitter and said receiver includes a photo-detector.
-
9. The system according to claim 7, wherein said password generator includes one of a tone encoder and a pulse encoder operatively connected to said transmitter, said communications device including one of a tone decoder and a pulse decoder, respectively, operatively connected to said receiver.
-
10. A method of validating an identity of a subscriber in a communications network comprising:
-
a) transmitting a dynamic personal identification number, generated independently of an authentication engine and elements responsive to the communications network, from a communications device to the authentication engine remotely located thereto; and
b) comparing for identity at least one acceptable personal identification number to the transmitted dynamic personal identification number for validating the identity of a subscriber at the authentication engine. - View Dependent Claims (11, 12, 13, 14, 15, 16)
providing the subscriber with access to the communications network, if identity of the at least one acceptable personal identification number and the transmitted dynamic personal identification number exists; and
denying the subscriber with access to the communications network, if identity of the at least one acceptable personal identification number and the transmitted dynamic personal identification number does not exist.
-
-
12. The method according to claim 10, further comprising the steps of;
-
transmitting a device identification from the communications device to the authentication engine prior to said dynamic personal identification number transmitting step a);
generating the dynamic personal identification number by using a password generator, operatively independent of the authentication engine and the elements responsive to the communications network, to process a time-varying input, a cryptographic key input, and a cryptographic algorithm;
determining a cryptographic key corresponding to the transmitted device identification from a database in the authentication engine mapping valid device identifications to respective cryptographic keys; and
cryptographically processing the determined cryptographic key and a time-varying value at the authentication engine to generate the at least one acceptable personal identification number.
-
-
13. The method according to claim 10, wherein said step a) of transmitting the dynamic personal identification number includes transmitting the dynamic personal identification number to the authentication engine via a mobile switching center in the communications network.
-
14. The method according to claim 10, wherein the authentication engine includes a communications server and an authentication server communicating therewith, the communications server, including the mapping database, receiving the device identification number, and performing said step of determining a cryptographic key corresponding to the received device identification number, the authentication server performing said comparing step b).
-
15. The method according to claim 14, further comprising the step of:
translating communication signals between the communications network in which the subscriber is located and at least one other communications network by using an interoperability unit communicating with at least one of said communication server and said authentication server.
-
16. The method according to claim 10, wherein the authentication engine includes a communications and authentication server, which includes the mapping database, the communications and authentication server receiving the device identification number, performing said step of determining a cryptographic key corresponding to the received device identification number, and performing said comparing step b).
-
17. A system for validating an identity of a subscriber in a communications network, comprising:
-
at least one communication server including a database mapping valid communications device identification numbers to respective cryptographic keys, an input including a possible device identification number, and an output including a valid cryptographic key mapped thereto, if the possible device identification number is included in the database;
at least one authentication server including a first time-varying element for generating a time-varying value, and a processor, said authentication server receiving the valid cryptographic key from said communication server, said processor cryptographically processing the cryptographic key and the time-varying value to generate at least one acceptable, dynamic personal identification number, said processor comparing for identity the at least one acceptable generated personal identification number with a dynamic personal identification number to validate an identity of a subscriber, the dynamic personal identification number being generated independently of said communications server, said authentication server, and elements responsive to the communications network; and
an interoperability unit translating communication signals between the communications network in which the subscriber is located and at least one communications network, said interoperability unit communicating with at least one of said communication server and said authentication server, wherein, upon validating the identity of the subscriber, said authentication engine restricts the subscriber to a number of authorized calls to one of a subscriber-desired telephone number and a subscriber-desired communications network address. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A method of validating an identity of a subscriber in a communications network comprising:
-
a) transmitting a dynamic personal identification number, generated independently of an authentication engine and elements responsive to the communications network, from a communications device to the authentication engine remotely located thereto;
b) comparing for identity at least one acceptable personal identification number to the transmitted dynamic personal identification number for validating the identity of a subscriber at the authentication engine and c) restricting the subscriber to a number of authorized calls to one of a subscriber-desired telephone number and a subscriber-desired communications network address. - View Dependent Claims (27, 28, 29, 30, 31)
providing the subscriber with access to the communications network, if identity of the at least one acceptable personal identification number and the transmitted dynamic personal identification number exists; and
denying the subscriber with access to the communications network, if identity of the at least one acceptable personal identification number and the transmitted dynamic personal identification number does not exist.
-
-
28. The method according to claim 26, further comprising the steps of;
-
transmitting a device identification from the communications device to the authentication engine prior to said dynamic personal identification number transmitting step a);
generating the dynamic personal identification number by using a password generator, operatively independent of the authentication engine and the elements responsive to the communications network, to process a time-varying input, a cryptographic key input, and a cryptographic algorithm;
determining a cryptographic key corresponding to the transmitted device identification from a database in the authentication engine mapping valid device identifications to respective cryptographic keys; and
cryptographically processing the determined cryptographic key and a time-varying value at the authentication engine to generate the at least one acceptable personal identification number.
-
-
29. The method according to claim 26, wherein the authentication engine includes a communications server and an authentication server communicating therewith, the communications server, including the mapping database, receiving the device identification number, and performing said step of determining a cryptographic key corresponding to the received device identification number, the authentication server performing said comparing step b).
-
30. The method according to claim 29, further comprising the step of:
translating communication signals between the communications network in which the subscriber is located and at least one other communications network by using an interoperability unit communicating with at least one of said communication server and said authentication server.
-
31. The method according to claim 26, wherein said transmitting step includes transmitting the dynamic personal identification number via one of a time division multiple access transmission protocol and a code division multiple access transmission protocol.
Specification