System and method for authentication in a mobile communications system

US 7,280,820 B2
Filed: 12/05/2005
Issued: 10/09/2007
Est. Priority Date: 07/07/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

in a network terminal, using a subscriber identity module wherein a response is obtained as a result of a challenge given to the identity module as input, the method being used for authenticating an identity of a subscriber attached to a network;

using a special security server in the network so that when a terminal attaches to the network, a message of a new user is transmitted to the security server;

fetching subscriber authentication information corresponding to the new user from the mobile communications system to the network, the authentication information comprising at least a challenge and a response; and

performing authentication based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network for storage on the terminal to ensure by the terminal that the challenge is used once, by checking at the terminal that the challenging is unique from challenges used in previous authentication exchanges wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal and by comparing the generated response with the response received from the mobile communications system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides an authentication method and apparatus for authenticating an identity of a subscriber attached to a network. According to the invention, in a network terminal, a subscriber identity module is used so that a response is obtained as a result of a challenge given to the identity module as input. A special security server in the network is also used so that when a terminal attaches to the network, a message of a new user is transmitted to the security server. Subscriber authentication information corresponding to the new user is fetched from the mobile communications system to the network, wherein the authentication information includes at least a challenge and a response. Authentication is performed based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network, by checking at the terminal that the challenging is unique from challenges used in previous authentication exchanges, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal and by comparing the generated response with the response received from the mobile communications system.

Citations

30 Claims

1. A method, comprising:
- in a network terminal, using a subscriber identity module wherein a response is obtained as a result of a challenge given to the identity module as input, the method being used for authenticating an identity of a subscriber attached to a network;
  
  using a special security server in the network so that when a terminal attaches to the network, a message of a new user is transmitted to the security server;
  
  fetching subscriber authentication information corresponding to the new user from the mobile communications system to the network, the authentication information comprising at least a challenge and a response; and
  
  performing authentication based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network for storage on the terminal to ensure by the terminal that the challenge is used once, by checking at the terminal that the challenging is unique from challenges used in previous authentication exchanges wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal and by comparing the generated response with the response received from the mobile communications system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as defined in claim 1, further comprising starting the fetching of the subscribers authentication information from the mobile communications system from the security server in response to the message.
  - 3. The method as defined in claim 1, wherein in response to a successful authentication, the method comprises performing registration of the subscriber as a client of a separate key management system.
  - 4. The method as defined in claim 3, further comprising using a Kerberos system as the key management system.
  - 5. The method as defined in claim 4, further comprising:
    - configuring the subscriber-specific authentication information obtained from the mobile communications system to also include a key; and
      
      registering the subscriber as a client of the Kerberos system so that the key is registered (a) as the clients password and (b) as a password for a service formed for the clients IP address or for a subscriber identity used in the mobile communications system.
  - 6. The method as defined in claim 1, further comprising fetching the subscribers authentication information with the aid of a separate proxy server, which functions as a network element emulating a visitor location register of the mobile communications system and which requests the authentication information from an authentication center located in connection with a subscribers home location register in the same way as the mobile communications system'"'"'s own visitor location register.
  - 7. The method as defined in claim 1, further comprising fetching the subscribers authentication information with the aid of a separate proxy server, which functions as a network element emulating the mobile communications system'"'"'s base station controller and which is in connection with the mobile communications system'"'"'s mobile switching centre for fetching the authentication information from an authentication center located in connection with a subscribers home location register in the same way as the authentication information is fetched to the mobile communications system'"'"'s own base station controller.

8. An authentication system comprising an authentication unit, comprising:
- a subscriber identity module connected to a network terminal, wherein, a response can be determined from a challenge given to the identity module as input;
  
  a messaging unit configured to send a message when a terminal attaches to the network;
  
  a special security server for receiving the message;
  
  a requesting unit configured to request authentication information corresponding to a subscriber from the mobile communications system, which information comprises at least a challenge and a response;
  
  on the side of the network, a data transmission unit configured to transmit the challenge through the network to the identity module;
  
  for storage on the terminal to ensure by the terminal that the challenge is used once,a checking unit configured to check, at the terminal, that the challenge is unique from challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal and for returning a response generated from the unique challenge from the terminal to the network; and
  
  a comparing unit configured to compare the generated response with the response received from the mobile communications system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system as defined in claim 8, wherein the identity module is the subscriber identity module used in a GSM network.
  - 10. The system as defined in claim 8, wherein the messaging unit is configured into a home agent in accordance with a mobile IP network.
  - 11. The system as defined in claim 8, wherein the requesting unit includes the security server and a proxy server, which is connected to a GSM network.
  - 12. The system as defined in claim 11, wherein the proxy server functions as a network element emulating the visitor location register of the GSM network.
  - 13. The system as defined in claim 11, wherein the proxy server functions as a network element emulating the base station controller of the GSM network.
  - 14. The system as defined in claim 11, wherein the system further includes a Kerberos server, wherein the user of the server the will be registered as a result of a successful authentication.

15. An authentication method, comprising:
- in a network terminal, using a subscriber identity module, wherein a response is obtained as a result of a challenge given to the identity module as input, the authentication method being used for authenticating an identity of a subscriber attached to a network;
  
  storing subscriber-specific authentication information in a database, the information comprising at least a challenge and a response;
  
  using a special security server in the network so that when a terminal attaches to the network, a message about the new user is transmitted to the security server;
  
  in response to the message, retrieving authentication information of the subscriber corresponding to the new user from the database; and
  
  performing authentication based on the authentication information obtained from the database by transmitting the challenge through the network to the terminal for storage on the terminal to ensure by the terminal that the challenge is used once, by checking, in the network terminal, that the challenging is unique from challenges used in previously authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal, and by comparing the response with the response obtained from the database.
- View Dependent Claims (16, 17, 18)
- - 16. The method as defined in claim 15, further comprising storing the database in connection with the security server.
  - 17. The method as defined in claim 15, wherein in response to a successful authentication, the method comprises performing registration of the subscriber as the user of a separate key management system.
  - 18. The method as defined in claim 17, further comprising using aKerberos system as the key management system.

19. An authentication system comprising an authentication unit which comprises:
- a subscriber identity module connected to a network terminal, a response can be determined from the challenge given as input to the identity module, the authentication unit being used for authentication of the identity of a subscriber attached to a network;
  
  a messaging unit configured to send a message when a terminal attaches to the network;
  
  a special security server for receiving the message;
  
  a database unit which include a database configured to store subscriber-specific authentication information, the information comprises at least a challenge and a response, and a retrieval unit configure to retrieve subscriber-specific authentication information from the database in response to the message;
  
  on the side of the network, a data transmission unit configured to transmit the challenge through the network to the identity module;
  
  for storage on the terminal to ensure by the terminal that the challenge is used once,at the terminal, a checking unit configured to check that the challenge is unique from challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal if the challenge is unique, for returning the response generated from the unique challenge from the terminal to the network; and
  
  a comparing unit configured to compare the received response with the response received from the database.
- View Dependent Claims (20, 21, 22)
- - 20. The system as defined in claim 19, wherein the identity module is a subscriber identity module in a GSM network.
  - 21. The system as defined in claim 19, wherein the messaging unit is configured into a home agent in accordance with the mobile IP network.
  - 22. The system as defined in claim 19, wherein the system further includes a Kerberos server, which is known as such and as the client of which the subscriber is registered as the result of a successful authentication.

23. A method, comprising:
- receiving a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  storing the challenge on the terminal;
  
  checking that the challenge is unique from challenges used in previous authentication exchanges and that the challenge was not previously stored on the terminal;
  
  generating a response from the challenge, if the challenge is unique and was not previously stored on the terminals wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal; and
  
  transmitting the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

24. A method, comprising:
- receiving a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  checking, at the terminal, that the challenge is unique from challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generating a response from the challenge, if the challenge is unique; and
  
  transmitting the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

25. An authenticating device being configured to:
- receive a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  access challenges stored on the terminal, wherein challenges used in previous authentication exchanges are stored on the terminal;
  
  check that the challenge is unique from the challenges used in previous authentication exchanges and that the challenge was not previously stored on the terminal, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generate a response from the challenge, if the challenge is unique and was not previously stored on the terminal; and
  
  transmit the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

26. An authenticating device being configured to:
- receive a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  check that the challenge is unique from the challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generate a response from the challenge, if the challenge is unique; and
  
  transmit the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

27. An authenticating apparatus, comprising:
- receiving means for receiving a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  accessing means for accessing challenges stored on the terminal, wherein challenges used in previous authentication exchanges are stored on the terminal;
  
  checking means for checking that the challenge is unique from the challenges used in previous authentication exchanges and that the challenge was not previously stored on the terminals, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generating means for generating a response from the challenge, if the challenge is unique and was not previously stored on the terminal; and
  
  transmitting means for transmitting the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

28. An authenticating apparatus, comprising:
- receiving means for receiving a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  checking means for checking that the challenge is unique from the challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generating means for generating a response from the challenge, if the challenge is unique; and
  
  transmitting means for transmitting the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

29. A terminal configured to:
- receive a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  access stored challenges, wherein challenges used in previous authentication exchanges are stored on the terminal;
  
  check that the challenge is unique from the challenges used in previous authentication exchanges and that the challenge was not previously stored on the terminal, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generate a response from the challenge, if the challenge is unique and was not previously stored on the terminal; and
  
  transmit the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

30. A terminal configured to:
- receive a challenge through a communication network to which a terminal is attached, the challenge being provided in a subscriber authentication information corresponding to the subscriber and obtained from a mobile communications system, the subscriber authentication information comprises at least the challenge and a response;
  
  check that the challenge is unique from the challenges used in previous authentication exchanges, wherein the terminal only responds to the challenge if the challenge had not been previously transmitted to the terminal;
  
  generate a response from the challenge, if the challenge is unique; and
  
  transmit the response generated from the challenge to the communication network for comparing the generated response with the response in the subscriber authentication information received from the mobile communications system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Ekberg, Jan-Erik
Primary Examiner(s)
Eng; George
Assistant Examiner(s)
Bhattacharya; Sam

Application Number

US11/293,188
Publication Number

US 20060073811A1
Time in Patent Office

673 Days
Field of Search

455/410, 455/411, 455/432.3, 455/433, 380/277, 380/279, 380/255, 380/270, 713/151, 713/152, 713/168, 713/200, 713/201, 713/202
US Class Current

455/411
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/56   Provisioning of proxy servi...

H04W 12/06   Authentication

H04W 80/04   Network layer protocols, e....

System and method for authentication in a mobile communications system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authentication in a mobile communications system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links