System and method for authentication in a mobile communications system

US 7,003,282 B1
Filed: 06/24/1999
Issued: 02/21/2006
Est. Priority Date: 07/07/1998
Status: Expired due to Term

First Claim

Patent Images

1. Authentication method for telecommunication networks, especially for IP networks, in accordance with which method the identity of a subscriber attached to the network is authenticated,characterized by:

in a network terminal, using a subscriber identity module essentially of the same kind as in a known mobile communications system, which identity module is such that a response is obtained as a result of a challenge given to it as input,using a special security server in the network so that when a terminal attaches to the network, a message of a new user is transmitted to the security server,fetching subscriber authentication information corresponding to the new user from the mobile communications system to the network, which authentication information contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, andperforming authentication based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network, by checking that the challenge is unique from challenges used in previous authentication exchanges, by generating, if the challenge is unique and is not stored on the network terminal, the response from the challenge in the identity module of the terminal and by comparing the response with the response received from the mobile communications system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention concerns authentication to be performed in a telecommunications network, especially in an IP network. To allow a simple and smooth authentication of users of IP networks in a geographically large area, the IP network'"'"'s terminal (TE1) uses a subscriber identity module (SIM) as used in a separate mobile communications system (MN), whereby a response may be determined from the challenge given to the identity module as input. The IP network also includes a special security server (SS), to which a message about a new user is transmitted when a subscriber attaches to the IP network. The subscriber'"'"'s authentication information containing at least a challenge and a response is fetched from the said mobile communications system to the IP network and authentication is carried out based on the authentication information obtained from the mobile communications system by transmitting the said challenge through the IP network to the terminal, by generating a response from the challenge in the terminal'"'"'s identity module and by comparing the response with the response received from the mobile communications system. Such a database (DB) may also be used in the system, wherein subscriber-specific authentication information is stored in advance, whereby the information in question need not be fetched from the mobile communications system when a subscriber attaches to the network.

102 Citations

View as Search Results

22 Claims

1. Authentication method for telecommunication networks, especially for IP networks, in accordance with which method the identity of a subscriber attached to the network is authenticated,characterized by:
- in a network terminal, using a subscriber identity module essentially of the same kind as in a known mobile communications system, which identity module is such that a response is obtained as a result of a challenge given to it as input,using a special security server in the network so that when a terminal attaches to the network, a message of a new user is transmitted to the security server,fetching subscriber authentication information corresponding to the new user from the mobile communications system to the network, which authentication information contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, andperforming authentication based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network, by checking that the challenge is unique from challenges used in previous authentication exchanges, by generating, if the challenge is unique and is not stored on the network terminal, the response from the challenge in the identity module of the terminal and by comparing the response with the response received from the mobile communications system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. Method as defined in claim 1, characterized in that fetching of the subscribers authentication information from the mobile communications system is started from the security server in response to the message.
  - 3. Method as defined in claim 1, characterized in that in response to a successful authentication, registration of the subscriber is performed as a client of a separate key management system.
  - 4. Method as defined in claim 3, characterized in that a known Kerberos system is used as the key management system.
  - 5. Method as defined in claim 4, characterized in that the subscriber-specific authentication information obtained from the mobile communications system also includes a key, whereby the subscriber is registered as a client of the Kerberos system so that the key is registered (a) as the clients password and (b) as a password for a service formed for the clients IP address or for a subscriber identity used in the mobile communications system.
  - 6. Method as defined in claim 1, characterized in that the subscribers authentication information is fetched with the aid of a separate proxy server, which functions as a network element emulating a visitor location register of the mobile communications system and which requests the authentication information from an authentication center located in connection with a subscribers home location register in the same way as the mobile communications system'"'"'s own visitor location register.
  - 7. Method as defined in claim 1, characterized in that the subscribers authentication information is fetched with the aid of a separate proxy server, which functions as a network element emulating the mobile communications system'"'"'s base station controller and which is in connection with the mobile communications system'"'"'s mobile switching centre for fetching the authentication information from an authentication center located in connection with a subscribers home location register in the same way as the authentication information is fetched to the mobile communications system'"'"'s own base station controller.

8. Authentication system for telecommunications networks, especially for IP networks, which system includes authentication means for authenticating the identity of a subscriber who has attached to the network,characterized in that the authentication means includes:
- a subscriber identity module connected to the network'"'"'s terminal, the module being essentially similar to the subscriber identity module used in a separate mobile communications system, whereby a response can be determined from a challenge given to the identity module as input,messaging means for sending a message when a terminal attaches to the network,a special security server for receiving the message,means for requesting authentication information corresponding to a subscriber from the mobile communications system, which information contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, andon the side of the network, data transmission and checking means for transmitting the challenge through the network to the identity module and for checking that the challenge is unique from challenges used in previous authentication exchanges, for returning the response from the terminal to the network, if the challenge is unique and is not stored on the network terminal, and for comparing the received response with the response received from the mobile communications system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. System as defined in claim 8, characterized in that the identity module is the subscriber identity module used in the GSM network.
  - 10. System as defined in claim 8, characterized in that the messaging means are adapted into a home agent in accordance with the mobile IP network.
  - 11. System as defined in claim 8, characterized in that the means for requesting authentication information include the security server and a proxy server, which is connected to the GSM network.
  - 12. System as defined in claim 11, characterized in that the proxy server functions as a network element emulating the visitor location register of the GSM network.
  - 13. System as defined in claim 11, characterized in that the proxy server functions as a network element emulating the base station controller of the GSM network.
  - 14. System as defined in claim 11, characterized in that the system further includes a Kerberos server which is known as such and as the user of which the subscriber will be registered as a result of a successful authentication.

15. Authentication method for telecommunications networks, especially for IP networks, in accordance with which method the identity of a subscriber attached to the network is authenticated,characterized by:
- in a network terminal, using a subscriber identity module essentially similar to the one used in a known mobile communications system, which identity module is such that a response is obtained as a result of a challenge given to it as input,storing subscriber-specific authentication information in a database, the information being in that way essentially similar to the information used for authentication in the mobile communications system that it contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once,using a special security server in the network so that when a terminal attaches to the network, a message about the new user is transmitted to the security server,in response to the message, retrieving authentication information of the subscriber corresponding to the new user from the database, andperforming authentication based on the authentication information obtained from the database by transmitting the challenge through the network to the terminal, by checking that the challenging is unique from challenges used in previously authentication exchanges and is not stored in the network terminal, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal, and by comparing the response with the response obtained from the database.
- View Dependent Claims (16, 17, 18)
- - 16. Method as defined in claim 15, characterized in that the database is stored in connection with the security server.
  - 17. Method as defined in claim 15, characterized in that in response to a successful authentication, registration of the subscriber is performed as the user of a separate key management system.
  - 18. Method as defined in claim 17, characterized in that a known Kerberos system is used as the key management system.

19. Authentication system for telecommunications networks, especially for IP networks, which system includes authentication means for authentication of the identity of a subscriber attached to the network,characterized in that the authentication means includes:
- a subscriber identity module, which is connected to a network terminal and which is essentially similar to the subscriber identity module used in a separate mobile communications system, whereby a response can be determined from the challenge given as input to the identity module,messaging means for sending a message when a terminal attaches to the network,a special security server for receiving the message,database means which include a database, wherein subscriber-specific authentication information is stored, which is in such a way essentially similar to the information used for authentication in the mobile communications system that it includes at least a challenge and a response, and retrieval means for retrieving subscriber-specific authentication information from the database in response to the message, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, andon the side of the network, data transmission and checking means for transmitting the challenge through the network to the identity module and for checking that the challenge is unique from challenges used in previous authentication exchanges, if the challenge is unique and is not stored on the network terminal, for returning the response from the terminal to the network, and for comparing the received response with the response received from the database.
- View Dependent Claims (20, 21, 22)
- - 20. System as defined in claim 19, characterized in that the identity module is a subscriber identity module sed in the GSM network.
  - 21. System as defined in claim 19, characterized in that the messaging means are adapted into a home agent in accordance with the mobile IP network.
  - 22. System as defined in claim 19, characterized in that the system further includes a Kerberos server, which is known as such and as the client of which the subscriber is registered as the result of a successful authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Ekberg, Jan-Erik
Primary Examiner(s)
Trinh, Sonny
Assistant Examiner(s)
Bhattacharya, Sam

Application Number

US09/743,302
Time in Patent Office

2,434 Days
Field of Search

455/410, 455/411, 455/433, 455/432.3, 455/313, 455/325, 455/326, 455/327, 455/330, 380/270, 380/277, 380/279, 713/151, 713/152, 713/168, 713/200, 713/201, 713/202, 716 1- 18, 326/101, 326/102, 326/103
US Class Current

455/411
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/56   Provisioning of proxy servi...

H04W 12/06   Authentication

H04W 80/04   Network layer protocols, e....

System and method for authentication in a mobile communications system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authentication in a mobile communications system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links