System and method of bootstrapping a temporary public-key infrastructure from a cellular telecommunication authentication and billing infrastructure

US 7,107,248 B1
Filed: 09/11/2000
Issued: 09/12/2006
Est. Priority Date: 09/11/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for ordering, authorizing, and delivering goods and services using a mobile station, comprising:

accessing a gateway by the mobile station and transmitting an identification code for mobile station to the gateway;

verifying the identity of the mobile station by the gateway by accessing an authentication center of a cellular network and comparing mobile station generated variables computed by the mobile station with gateway generated variables computed by the gateway;

verifying the legitimacy of the gateway by the mobile station by comparing the variables computed by the gateway with the variables computed by the mobile station;

requesting a digital certificate by the mobile station from the gateway used to order and authorize a product or service from a service provider;

delivering a digital certificate to the mobile station by the gateway when the identity of the mobile station have been verified;

requesting a product or service from the service provider; and

transmitting a digital signature by the mobile station accompanied by the digital certificate for a signature verification key as authorization to said service provider.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program for ordering, paying for and delivering goods and services through the use of certificates. These certificates insure that the buyer is only billed once for the good or service purchased and only for the correct amount. This system, method and computer program employs the authentication center used to enable access to a telecommunication infrastructure to bootstrap a public-key infrastructure. This system, method and computer program will validate the identity of the mobile station being used utilizing long term keys stored in the mobile station and an authentication center. The system, method and computer program will then utilize these keys and variables to generate digital certificates and signatures which enable the purchase of goods and services using a mobile station. The gateway will then verify the authenticity of any charges made based on the digital certificates and signatures received. Thus, a user of this system, method and computer program can purchase goods and services without fear of fraud or errors. This mobile station may be a cellular phone and when used with this system, method and computer program the cellular phone may be used similarly to a credit card but with the advantage of little possibility of fraud or error.

Citations

22 Claims

1. A method for ordering, authorizing, and delivering goods and services using a mobile station, comprising:
- accessing a gateway by the mobile station and transmitting an identification code for mobile station to the gateway;
  
  verifying the identity of the mobile station by the gateway by accessing an authentication center of a cellular network and comparing mobile station generated variables computed by the mobile station with gateway generated variables computed by the gateway;
  
  verifying the legitimacy of the gateway by the mobile station by comparing the variables computed by the gateway with the variables computed by the mobile station;
  
  requesting a digital certificate by the mobile station from the gateway used to order and authorize a product or service from a service provider;
  
  delivering a digital certificate to the mobile station by the gateway when the identity of the mobile station have been verified;
  
  requesting a product or service from the service provider; and
  
  transmitting a digital signature by the mobile station accompanied by the digital certificate for a signature verification key as authorization to said service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method recited in claim 1, wherein the verifying the legitimacy of the gateway by the mobile station by comparing the variables computed by the gateway with the variables computed by the mobile station, further comprises:
    - transmitting from the mobile station to the gateway a session identification and a mobile subscriber identifier;
      
      transmitting the mobile subscriber identifier from the gateway to the authentication center;
      
      transmitting from the authentication center to the gateway a random number (RAND), a signed response (SRES), and an encryption key;
      
      computing a variable M1 by the gateway and transmitting the variable M1 and the random number to the mobile station;
      
      computing a variable M1′
      
      by the mobile station; and
      
      verifying the legitimacy of the gateway when the variable M1 equals the variable M1′
      
      .
  - 3. The method recited in claim 2, wherein an integrity key (K) is computed by both the mobile station and the authentication center as a function of RAND and Ki, where RAND is a random number issued by the authentication center, and Ki is a secret key contained within the authentication center and the mobile station.
  - 4. The method recited in claim 3, where an integrity key (K) is transmitted by the authentication center to the gateway.
  - 5. The method recited in claim 1, further comprising:
    - computing a digital certificate by the gateway certifying the mobile station'"'"'s public key(PK);
      
      computing a variable M3 by the gateway and transmitting the variable M3 and the digital certificate to the mobile station;
      
      computing a variable M3′
      
      by the mobile station;
      
      verifying the legitimacy of the gateway when the variable M3 equals the variable M3′
      
      .
  - 6. The method recited in claim 5, wherein the variables M3 and M3′
    - are computed using the formula M3=M3′
      
      =MAC (K, C), where MAC is a message authentication code function, K is an integrity key and C is the digital certificate created by the gateway to certify PK.
  - 7. The method recited in claim 1, wherein verifying the identity of the mobile station by the gateway accessing an authentication center and comparing variables computed by the mobile station and variables computed by the gateway, further comprises:
    - transmitting in at least one message a signed response, a public key and a variable M2 computed by the mobile station to the gateway;
      
      computing a variable M2′
      
      by the gateway;
      
      comparing the variable M2 and the variable M2′
      
      ; and
      
      verifying the identity of the mobile station when variable M2 is equal to variable M2′
      
      .
  - 8. The method recited in claim 7, wherein variables M2 and M2′
    - are computed using the formula M2=M2′
      
      =MAC (K, {SRES}, PK, [{restrictions}], [alias]), wherein MAC is a message authentication code function, SRES is a signed response, K is an integrity key, PK is a public key, restrictions are limits on the certificate and alias is an alternate identification for the mobile station.
  - 9. The method recited in claim 1, wherein transmitting the digital signature, accompanied by the digital certificate for the signature verification key to said service provider, further comprises:
    - transmitting the certificate with a request for a product or service;
      
      receiving an invoice from the service provider indicating a price for the product or service;
      
      computing a digital signature on the invoice;
      
      approving the invoice by transmitting the digital signature to the service provider; and
      
      accepting delivery of the product or service by a buyer.
  - 10. The method recited in claim 9, wherein the service provider upon transmission of the digital signature, further comprises:
    - verifying the digital signature;
      
      verifying that restrictions associated with the digital certificate are not violated; and
      
      creating an accounting record for the product or service sold.
  - 11. The method recited in claim 10, further comprising:
    - transmitting from the service provider to the gateway the accounting record having an invoice and digital signature of a customer of a home network operator service;
      
      determining by the gateway that a corresponding record exists in a local database and the validity of the digital signature;
      
      determining whether the invoice violates any restrictions contained in the corresponding record;
      
      crediting the service provider with an amount equal to that in the invoice; and
      
      billing the buyer with the amount of the invoice.

12. A system for ordering, authorizing and delivering goods and services using a mobile station, comprising:
- a cellular network authentication module to verify that the mobile station is permitted to access a telecom infrastructure;
  
  a mobile station certificate acquisition module to request a digital certificate for the mobile station from a gateway; and
  
  a gateway certificate generation module to verify that the mobile station is authorized to receive the digital certificate by transmitting a mobile subscriber identifier received from the mobile station to an authentication center, calculate variables based on information received from the authentication center and compare them to variables computed by the mobile station, and issue the digital certificate to the mobile station when the variables match,wherein the mobile station verifies the legitimacy of the gateway by comparing the variables calculated by the gateway with the variables computed by the mobile station, the mobile station requesting a product or service from a service provider and transmitting a digital signature accompanied by the digital certificate for a signature verification key as authorization to the service provider.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system recited in claim 12, wherein the mobile station certificate acquisition module verifies that the gateway is authorized to issue the digital certificate through the use of comparing variables computed by the gateway and the mobile station.
  - 14. The system recited in claim 13, further comprising:
    - a purchase module to request the purchase of a good or service from a service provider, present the digital certificate to the service provider, receive an invoice and provide the service provider with a digital signature approving the purchase of the good or service;
      
      a sales module to verify the validity of the digital certificate and the validity of the digital signature, issue an invoice, generate an accounting record and deliver a product or service;
      
      a billing module to transmit to the gateway the accounting record and receive a response indicating if the accounting record has been approved for payment; and
      
      a gateway billing module to verify the accounting record and an accompanying signature, and issue a credit to the service provider and debit to a buyer when the accounting record and the accompanying signature are verified.
  - 15. The system recited in claim 14, wherein the gateway certificate generation module transmits a mobile subscriber identifier to the authentication center, receives a random number, a signed response and an encryption key from the authentication center, computes a variable M1, M2′
    - , and M3 and verifies the validity of the mobile station by comparing variable M2 received from the mobile station with variable M2′
      
      .
  - 16. The system recited in claim 12, wherein the mobile station further comprises:
    - a subscriber identification module (SIM) used to compute a signed response and a ciphering key based on a secret key, installed by a home network operator service in the subscriber identification module upon signing up for a service plan, and a random number obtained from an authentication center in the home network operator service;
      
      an A3 algorithm module, contained in the SIM, is used to compute the signed response; and
      
      an A8 algorithm module, contained in the SIM, is used to compute the ciphering key, wherein through the transmission of signed responses to and from the mobile station a telecommunication infrastructure is able to verify that the mobile station is authorized to access the telecommunication infrastructure and the gateway.

17. A computer program embodied on a computer readable medium and executable by a computer for ordering, authorizing and delivering goods and services using a mobile station, comprising:
- a cellular network authentication code segment to verify that the mobile station is permitted to access a telecom infrastructure;
  
  a mobile station certificate acquisition code segment to request a digital certificate for the mobile station from a gateway; and
  
  a gateway certificate generation code segment to verify that the mobile station is authorized to receive the digital certificate by transmitting a mobile subscriber identifier received from the mobile station to an authentication center, calculate variables based on information received from the authentication center and compare them to variables computed by the mobile station, and issue the digital certificate to the mobile station when the variables match;
  
  wherein the mobile station verifies the legitimacy of the gateway by comparing the variables calculated by the gateway with the variables computed by the mobile station, the mobile station requesting a product or service from a service provider and transmitting a digital signature accompanied by the digital certificate for a signature verification key as authorization to the service provider.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system recited in claim 17, wherein the mobile station certificate acquisition code segment verifies that the gateway is authorized to issue the digital certificate through the use of comparing variables computed by the gateway and the mobile station.
  - 19. The computer program recited in claim 18, wherein the mobile station certificate acquisition code segment transmits a session identification and a mobile subscriber identifier to the gateway, receives a random number and a variable M1 from the gateway and verifies that the gateway is authentic by computing and comparing the variable M1′
    - with M1.
  - 20. The computer program recited in claim 17, further comprising:
    - a purchase code segment to request the purchase of a good or service from a service provider, present the digital certificate to the service provider, receive an invoice and provide the service provider with a digital signature approval the purchase of the good or service;
      
      a sales code segment to verify the validity of the digital certificate and the validity of the digital signature, issue an invoice, generate an accounting record and deliver a product or service;
      
      a billing code segment to transmit to the gateway the accounting record and receive a response indicating if the accounting record has been approved for payment; and
      
      a gateway billing code segment to verify the accounting record and an accompanying signature, and issue a credit to the service provider and debit to a buyer when the accounting record and the accompanying signature are verified.
  - 21. The computer program recited in claim 17, wherein the gateway certificate generation code segment transmits a mobile subscriber identifier to the authentication center, receives a random number, a signed response and an encryption key from the authentication center, computes a variable M1, M2′
    - , and M3 and verifies the validity of the mobile station by comparing variable M2 received from the mobile station with variable M2′
      
      .

22. A system for ordering, authorizing and delivering goods and services using a mobile station, comprising:
- a mobile station;
  
  a gateway, the mobile station accessing the gateway and transmitting an identification code for the mobile station to the gateway;
  
  an authentication center, the authentication center being part of a cellular network, the gateway verifying the identity of the mobile station by accessing the authentication center and comparing mobile station generated variables computed by the mobile station with gateway generated variables computed by the gateway,wherein the gateway delivers a digital certificate to the mobile station when the identity of the mobile station has been verified, the mobile station verifying the legitimacy of the gateway by comparing the variables computed by the gateway with the variables computed by the mobile station and requesting a digital certificate from the gateway to be used to order and authorize a product or service from a service provider, the mobile station requesting a product or service from the service provider and transmitting a digital signature and the digital certificate for a signature verification key as authorization to the service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Asokan, Nadarajah, Ginzboorg, Philip
Primary Examiner(s)
Hayes, John W.
Assistant Examiner(s)
Worjloh, Jalatee

Application Number

US09/659,781
Time in Patent Office

2,192 Days
Field of Search

705 64- 79, 380/277, 380/44, 380/279, 380/282, 380/382, 713/175, 713/150, 713/156, 713/200, 713/155
US Class Current

705/67
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/04   Payment circuits

G06Q 20/12   specially adapted for elect...

G06Q 20/14   specially adapted for billi...

G06Q 20/32   using wireless devices

G06Q 20/322   Aspects of commerce using m...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3829   involving key management

G07F 17/16   for devices exhibiting adve...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/12   Applying verification of th...

H04W 12/069   using certificates or pre-s...

System and method of bootstrapping a temporary public-key infrastructure from a cellular telecommunication authentication and billing infrastructure

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of bootstrapping a temporary public-key infrastructure from a cellular telecommunication authentication and billing infrastructure

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links