Security framework for an IP mobility system using variable-based security associations and broker redirection
First Claim
1. A method for securely communicating to a mobile node on a communications system having a home network for the mobile node and at least one foreign network comprising the steps of:
- requiring at least one security association between the home network and the foreign network, wherein the home network has at least one home agent network server;
- establishing at least one security association between the mobile node and the foreign network using a registration reply message to transmit a public key, said registration reply message originating at the home agent network server and transmitted to the mobile node to acknowledge registering the mobile node care-of address with the home agent network server;
- requiring that an information packet received by the home network be encrypted with an encryption mechanism;
- transmitting the information packet from the mobile node using the security associations to support secure communications from the mobile node;
- routing the information packet through a secure messaging gateway that includes a firewall and an AAA server performing authentication and accounting functions;
- coupling a service level agreement broker to the foreign network, separate from any AAA server on either the home network or the foreign network, to support establishment and maintenance of a plurality of security associations for multiple networks and multiple nodes used in communications on the communications system to include establishing and maintaining a single service level agreement for communications among multiple networks and multiple nodes; and
- decoding information from the encrypted information packet at the home network to retrieve the information.
Abstract
In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing, where a hostile node hijacks a session from a mobile node by redirecting packets; (2) spoofing, where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network; and (3) eavesdropping and stealing of data during a session with an authorized user. No separate secure network exists in the IP-based mobility communications system, and therefore it is necessary to protect information transmitted in the mobile system from the above-identified security attacks.
The present invention improves the security of communications in an IP mobile communications system by creating variable-based Security Associations between various nodes on the system, a Virtual Private Network supported by a Service Level Agreement between various foreign networks and a home network, and an SLA Broker to promote large-scale roaming among different SLAs supported by the SLA Broker or agreements with other SLA Brokers.
37 Claims
11. A method for securely communicating to a mobile node on a communications system having a home network for the mobile node and at least one foreign network comprising the steps of:
- requiring at least one security association between the home network and the mobile node, wherein the home network has at least one home agent network server, and using a service level agreement broker to establish and maintain a plurality of security associations;
- transmitting a registration message containing a public key, said registration message originating at the home agent network server and routed to the mobile node to acknowledge registering the mobile node care-of address with the home network;
- requiring that an information packet transmitted to the home network be encrypted using an encryption mechanism;
- transmitting the information packet from the mobile node using the security associations to support secure communications from the mobile node;
- routing the information packet through a secure messaging gateway comprising a firewall blocking access of unsecured packets and an AAA server, separate from the service level agreement broker, performing authentication and accounting functions, said service level agreement broker operating from any AAA server on either the home or foreign network to support establishment and maintenance of a plurality of security associations from multiple networks and multiple nodes used in communications on the communications system to include establishing and maintaining a single service level agreement for communications among multiple networks and multiple nodes; and
- decoding information from the encrypted information packet at the home network to retrieve the information.
Dependent claims: 12 to 19.
20. A system for securely communicating to a mobile node in a wireless communications network comprising:
- a home network having a home agent server coupled to a router capable of directing information packets to and from the home network;
- a foreign network having a foreign agent coupled to a router capable of directing information packets to and from the foreign network and a transceiver capable of performing wireless communications with at least one mobile node in the transmission range of the transceiver for the foreign network;
- a broker entity separate from any AAA server functioning as a consortium of a plurality of security associations, said broker used to establish security associations that can include a single security level agreement established on multiple nodes among different networks to form a virtual private network;
- said security associations including a security association established between the home network and the foreign network and a security association established between the mobile node and the foreign network using registration messages to transmit a public key, the registration messages used for registering the mobile node care-of address with the home network and addressing to route between the home network and the mobile node, both security associations used to support the secure communication of information packets from the mobile node to the home network; and
- said information packets routed through a secure messaging gateway comprising a firewall blocking access of unsecured packets and an AAA server performing authentication and accounting functions to track secure communication transmissions, said AAA server separate from the broker.
Dependent claims: 21 to 28.
29. A system for securely communicating to a mobile node in a wireless communications network comprising:
- a home network having a home agent network server coupled to a router capable of directing information packets to and from the home network;
- a foreign network having a foreign agent coupled to a router capable of directing information packets to and from the foreign network and a transceiver capable of performing wireless communications with at least one mobile node in the transmission range of the transceiver for the foreign network;
- a security association established between the home network and the mobile node using a registration message, said registration message used for registering the mobile node care-of address with the home network and addressing to transmit between the home network and the mobile node, the security association used to support the secure communication of information packets from the mobile node to the home network, said security association established using a broker supporting a plurality of security associations, said broker existing and functioning separately from any AAA server to support establishing and maintaining a plurality of security associations from multiple networks and multiple nodes used in communications on the communications system to include establishing and maintaining a single service level agreement for communications among multiple networks and multiple nodes; and
- a security gateway including a firewall function blocking unsecured packet access to the network and an AAA server performing authentication and accounting functions used to track secure communication transmission using the security association, said AAA server separate from said broker.
Dependent claims: 30 to 37.