Method and arrangement for reliably identifying a user in a computer system

US 6,928,558 B1
Filed: 10/27/2000
Issued: 08/09/2005
Est. Priority Date: 10/29/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of reliably identifying a user in a computer system, in which method a mobile station is used for communicating with the computer system and a persona identification number is supplied into the mobile station, the method comprising the steps of:

generating a first one-time password in the mobile station without any action by the user by utilizing a known algorithm on the basis of a personal identification number of the user, the personal identification number supplied into the mobile station enables the user to use the mobile station, subscriber-specific identifier read from a subscriber-specific identification module of the mobile station, device-specific identifier of the mobile station and time, encoding the first one-time password and the subscriber-specific identifier of the user at the mobile station, transmitting the encoded password and subscriber-specific identifier to an authentication server of the computer system, identifying the user at the authentication server on the basis of the subscriber-specific identifier, and searching a database for the personal identifier number of the user and the device-specific identifier of the mobile station associated with the user, generating a second one-time password at the authentication server by utilizing the predetermined algorithm on the basis of the personal identification number of the user, subscriber-specific identifier, device-specific identifier of the mobile station and time, comparing the first password and the second password with each other at the authentication server, and if the passwords match, enabling the telecommunication connection between the mobile station of the user and the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to an arrangement and a method for reliably identifying a user in a computer system. The method utilizes a mobile station for communicating with the system. The method comprises generating a first one-time password in the mobile station by utilizing a known algorithm on the basis of the identification number of the user, subscriber-specific identifier, device-specific identifier of the mobile station, and time. The password obtained and the subscriber-specific identifier of the user are encoded and transmitted to an authentication server of the computer system, comprising identifying the user on the basis of the subscriber-specific identifier, searching a database for the personal identifier number of the user and the device-specific identifier of the mobile station associated with the user, generating a second password at the authentication server by utilizing the same predetermined algorithm on the basis of the personal identification number of the user, subscriber-specific identifier, device-specific identifier of the mobile station and time, comparing the first and the second passwords with each other at the authentication server, and if the passwords match, enabling the telecommunication connection between the mobile station and the computer system.

209 Citations

19 Claims

1. A method of reliably identifying a user in a computer system, in which method a mobile station is used for communicating with the computer system and a persona identification number is supplied into the mobile station, the method comprising the steps of:
- generating a first one-time password in the mobile station without any action by the user by utilizing a known algorithm on the basis of a personal identification number of the user, the personal identification number supplied into the mobile station enables the user to use the mobile station, subscriber-specific identifier read from a subscriber-specific identification module of the mobile station, device-specific identifier of the mobile station and time, encoding the first one-time password and the subscriber-specific identifier of the user at the mobile station, transmitting the encoded password and subscriber-specific identifier to an authentication server of the computer system, identifying the user at the authentication server on the basis of the subscriber-specific identifier, and searching a database for the personal identifier number of the user and the device-specific identifier of the mobile station associated with the user, generating a second one-time password at the authentication server by utilizing the predetermined algorithm on the basis of the personal identification number of the user, subscriber-specific identifier, device-specific identifier of the mobile station and time, comparing the first password and the second password with each other at the authentication server, and if the passwords match, enabling the telecommunication connection between the mobile station of the user and the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as claimed in claim 1, wherein the mobile station synchronizes the timing of the mobile station with the timing of the authentication server before the identification procedure is started.
  - 3. A method as claimed in claim 1, wherein the user is identified automatically when the user starts an application utilizing the computer system in the mobile station.
  - 4. A method as claimed in claim 1, wherein the authentication server transmits no information to the mobile station if the first and the second passwords do not match.
  - 5. A method as claimed in claim 1, wherein during the identification, the terminal transmits to the authentication server a message comprising at least a field comprising a SRES value, a field comprising time, a field comprising an international telephone number of the terminal, and a field comprising a device number of the terminal.
  - 6. A method as claimed in claim 1, wherein during the identification, a PPP/CHAP protocol is used in connection with a RADIUS protocol, and the terminal transmits to the authentication server a message comprising at least a field comprising a SRES value, a field comprising a user name to the system, and a field comprising a password generated from a device identifier, subscriber-specific identifier of the user, personal identification number of the user, time and the SRES value.
  - 7. A method as claimed in claim 1, wherein during the identification, a PPP/PAP protocol is used in connection with the RADIUS protocol, and the terminal transmits to the authentication server a message comprising at least a field comprising a password generated from the device identifier, subscriber-specific identifier of the user, personal identification number of the user, time, and SRES value, a field comprising a SRES value, and a field comprising a user number to the system.
  - 8. A method as claimed in claim 1, wherein information necessary for encryption is stored in the terminal in more than one subscriber-specific identification module.
  - 9. A method as claimed in claim 6, wherein the user name to the system is the user'"'"'s MSISDN.

10. An arrangement for reliably identifying a user in a compute system, which arrangement comprisesa mobile station used for communicating with the computer system, the mobile station comprising a subscriber-specific identification module comprising a subscriber-specific identifier, a device-specific identifier permanently encoded in the mobile station, means for reading a personal identifier number which is supplied by the user and which enables the device to be used, means for checking the correctness of the identifier number always before the device is put to use, and which arrangement comprises an authentication server comprising memory means for storing the user names of the users in the system and the corresponding personal identifiers and device-specific identifiers, the mobile station further comprising means for generating a first one-time password without any action by the user by utilizing a known algorithm on the basis of the personal identification number of the user, subscriber-specific identifier read from a subscriber-specific identification module of the mobile station, device-specific identifier of the mobile station and time, means for encoding the first one-time password and the subscriber-specific identifier of the user, means for transmitting the encoded password and subscriber-specific identifier to an authentication server of the computer system, and the authentication server is further arranged to identify the user on the basis of the subscriber-specific identifier, and search a database for the personal identifier number of the user and the device-specific identifier of the mobile station associated with the user, generate a second one-time password at the authentication server by utilizing the predetermined algorithm on the basis of the personal identification number of the user, subscriber-specific identifier, device-specific identifier of the mobile station and time, compare the first password and the second password with each other at the authentication server, and if the passwords match, enable the telecommunication connection between the mobile station of the user and the computer system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. An arrangement as claimed in claim 10, wherein the mobile station is arranged to synchronize the timing of the mobile station with the timing of the timing authentication server before the identification procedure is started.
  - 12. An arrangement as claimed in claim 10, wherein the mobile station is arranged to identify the user automatically when the user starts an application utilizing the computer system in the mobile station.
  - 13. An arrangement as claimed in claim 10, wherein the authentication server is arranged not to transmit any information to the mobile station if the first and the second passwords do not match.
  - 14. An arrangement as claimed in claim 10, wherein the mobile station is arranged to transmit to the authentication server a message comprising at least a field comprising a SRES value, a field comprising time, a field comprising an international telephone number of the terminal, and a field comprising a device number of the terminal.
  - 15. An arrangement as claimed in claim 10, wherein the mobile station and the authentication server are arranged to use a PPP/CHAP protocol in connection with a RADIUS protocol during the identification, and the terminal is arranged to transmit to the authentication server a message comprising at least a field comprising a SRES value, a field comprising a user name to the system, and a field comprising a password generated from a device identifier, subscriber-specific identifier of the user, personal identification number of the user, time and the SRES value.
  - 16. An arrangement as claimed in claim 10, wherein the mobile station and the authentication server are arranged to use a PPP/PAP protocol in connection with the RADIUS protocol during the identification, and the mobile station is arranged to transmit to the authentication server a message comprising at least a field comprising a password generated from the device identifier, subscriber-specific identifier of the user, personal identification number of the user, time, and SRES value, a field comprising a SRES value, and a field comprising a user number to the system.
  - 17. An arrangement as claimed in claim 15, wherein the user name to the system is the user'"'"'s MSISDN.
  - 18. An arrangement as claimed in claim 10, wherein the mobile station is a GPRS system mobile station.
  - 19. An arrangement as claimed in claim 10, wherein the mobile station comprises more than one subscriber-specific identification module, and information necessary for encryption is stored in more than one identification module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Mobile Phones UK Limited (Nokia Corporation)
Original Assignee
Nokia Mobile Phones UK Limited (Nokia Corporation)
Inventors
Allahwerdi, Nouri, Hippeläinen, Lassi
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Tran, Ellen C

Application Number

US09/698,774
Time in Patent Office

1,747 Days
Field of Search

713/202, 713/172, 713/168, 713/185, 713/200, 713/201, 380/25, 380/29, 380/255, 370/352, 370/389, 370/469, 455/567
US Class Current

726/9
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/35   communicating wirelessly

G06F 2221/2151   Time stamp

H04L 63/0838   using one-time-passwords

H04L 9/3228   One-time or temporary data,...

H04W 12/06   Authentication

H04W 12/61   Time-dependent

H04W 12/71   Hardware identity

H04W 12/72   Subscriber identity

Method and arrangement for reliably identifying a user in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

209 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for reliably identifying a user in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links