System and method for secure network roaming

US 7,389,412 B2
Filed: 08/05/2002
Issued: 06/17/2008
Est. Priority Date: 08/10/2001
Status: Active Grant

First Claim

Patent Images

1. A process, comprising:

providing a mobile node (MN) adapted to communicate with a packet gateway node (PGN) via a first network connection of a first network;

establishing an encrypted channel between the MN and the PGN based on an authentication mechanism of the first network connection between the MN and the PGN;

receiving by the MN configuration data from the PGN using the encrypted channel; and

using by the MN the configuration data for secure communication with the PGN via a second network connection of a second network through at least an access point, the first and second networks being different networks.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN). The method and system establish and use an authentication mechanism between the MN and the PGN using the network connection. An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism. Configuration data is sent from the PGN to the MN using the encrypted channel. The configuration data may then be used by the MN for communication to and from the MN with the PGN via an access point. Any network connected to the PGN via any access point may then be used.

Citations

32 Claims

1. A process, comprising:
- providing a mobile node (MN) adapted to communicate with a packet gateway node (PGN) via a first network connection of a first network;
  
  establishing an encrypted channel between the MN and the PGN based on an authentication mechanism of the first network connection between the MN and the PGN;
  
  receiving by the MN configuration data from the PGN using the encrypted channel; and
  
  using by the MN the configuration data for secure communication with the PGN via a second network connection of a second network through at least an access point, the first and second networks being different networks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The process according to claim 1, wherein the first network connection is via a serving General Packet Radio Service (GPRS) support node with a radio network connection to the PGN as a GPRS support packet gateway node.
  - 3. The process according to claim 1, wherein the authentication mechanism includes:
    - at the MN generating a public/private key pair and storing the pair;
      
      sending from the MN a message containing at least the MN'"'"'s public key to the PGN via the first network connection;
      
      receiving by the MN a message from the PGN containing at least the PGN'"'"'s public key;
      
      storing the PGN'"'"'s public key at the MN; and
      
      using the stored public key by the MN for authentication of one or more messages from the PGN.
  - 4. The process according to claim 1, wherein said receiving by the MN configuration data from the PGN using the encrypted channel includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data.
  - 5. The process according to claim 4, further comprising:
    - using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing a security association (SA) with the PGN;
      
      connecting the MN to a non-GPRS wireless local network;
      
      establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 6. The process according to claim 4, wherein said using the configuration data by the MN for secure communication with the PGN includes:
    - connecting the MN to the first network connection as a radio network connection to a serving General Packet Radio Service (SGSN) support node with a network connection to the PGN as a gateway GPRS support node (GGSN), and the MN to authenticate the PGN to a non-GPRS wireless local network;
      
      establishing Mobile IP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 7. The process according to claim 6, further comprising obtaining a new Mobile IP session key by the MN, including:
    - prior to expiration of a Mobile IP session key, the MN sending a Mobile IP registration request with a Vendor Specific Extension indicating that a new Mobile IP session key is desired to the PGN, the PGN receiving, validating and authenticating this request;
      
      receiving by the MN a new Mobile IP session key from the PGN encrypted with the MN'"'"'s public key; and
      
      extracting by the MN the encrypted value of the encrypted new Mobile IP session key and decrypting the encrypted value with the private key of the MN.
  - 8. The process according to claim 7, wherein the obtaining of a new Mobile IP session key includes:
    - providing the registration reply with an authentication value based on the previous Mobile IP session key.
  - 9. The process according to claim 1, further comprising:
    - establishing a connection of the MN on a Wireless Local Area Network (WLAN);
      
      requesting a Mobile IP Care-Of-Address (COA) from a dynamic Host configuration protocol server;
      
      receiving the COA at the MN from the dynamic Host configuration protocol server and sending data packets from the MN to a target host via the WLAN connection and receiving data packets from the target host via the WLAN connection.
  - 10. The process according to claim 9, further comprising:
    - the MN roaming into a region of a radio network and sending a message from the MN as a Mobile IP registration request to a Home Agent hosted in the PGN indicating that the MN is on a home network and using an authentication value within the message;
      
      receiving by the MN a Mobile IP registration reply from the PGN using the authentication value.

11. A wireless data network process, comprising:
- providing a serving GPRS support node with a radio network connection to a Gateway GPRS support packet gateway node (PGN);
  
  at a mobile node client (MN) generating a public/private key pair and storing the pair;
  
  sending from the MN a message containing its public key to the PGN via the radio network connection;
  
  responding from the PGN with a message containing the PGN'"'"'s public key;
  
  receiving the PGN'"'"'s public key at the MN and storing this PGN public key at the MN;
  
  establishing an encrypted channel between the MN and the PGN based on authentication established using one or more of the exchanged public keys;
  
  performing at the MN a secure copy from the PGN to copy a configuration file from a designated directory on the PGN to a designated directory on the MN;
  
  using a configuration application at the MN to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file; and
  
  using by the MN the MIP and IPsec configuration data for secure communication with the PGN via a second network connection of a second network through at least an access point, the first and second networks being different networks.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The process according to claim 11, further comprising using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing the security association (SA).
  - 13. The process according to claim 11, further comprising:
    - connecting the MN to a non-GPRS wireless local network; and
      
      establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  - 14. The process according to claim 13, further comprising whenever configuration material is required by an initiate, initiating an SSH session by the MN to the PGN with the PGN replying with fresh keying material to the MN using a secured copy between the MN and PGN and with an Internet Key Exchange (IKE) required whenever the IPsec Security Association (SA) expires.
  - 15. The process according to claim 11, further comprising:
    - establishing a connection of the MN on a Wireless LAN;
      
      requesting a Mobile IP Care-Of-Address (COA) from Dynamic Host Configuration Protocol (DHCP) server on the Internet; and
      
      receiving the COA at the MN from across the Wireless LAN and sending data packets from the MN to a target host via the wireless LAN connection and receiving data packets from the target host via the wireless LAN connection.
  - 16. The process according to claim 15, further comprising:
    - terminating the connection with the PGN and detaching from the wireless LAN after the conclusion of a data session of the MN.
  - 17. The process according to claim 15, further comprising:
    - roaming with the MN into a region of the radio network and sending a message from the MN a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is on the home network authenticated using the value obtained; and
      
      sending a Mobile IP registration reply from the PGN to the MN using the authentication value obtained.

18. A wireless network system, comprising:
- a mobile node (MN) with a wireless transceiver;
  
  a serving General Packet Radio Service (GPRS) support node;
  
  a radio access network;
  
  a GPRS gateway,a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA);
  
  a wireless local area network (WLAN) with a wireless access node and an internet connection;
  
  at least one or both of a connection from the MN to the PGN and a connection between the MN and the WLAN;
  
  a PGN public key;
  
  a MN generated public/private key pair stored at the MN, the MN public key being sent from the MN to the PGN via the radio network connection and the PGN'"'"'s public key being sent in reply to the MN via the radio network;
  
  a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
  
  a configuration application at the MN to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file; and
  
  an IPSec Security Association between the MN and the PGN with a security parameters index obtained from the SA for identifying the MN, the IPSec Security association being established between the PGN and the MN using the IP Security protocol (IPsec) configuration data;
  
  wherein the MN is adapted to use the MIP and IPsec configuration data for secure communication with the PGN via a second network connection of a second network through at least an access point, the first and second networks being different networks.

19. A process, comprising:
- providing a packet gateway node (PGN) adapted to communicate with a mobile node (MN) via first network connection of a first network;
  
  establishing an encrypted channel between the PGN and the MN based on an authentication mechanism of the first network connection between the PGN and the MN; and
  
  sending by the PGN to the MN configuration data using the encrypted channel, the configuration data for secure communication between the MN and the PGN via second network connection of a second network through at least an access point, the first and second networks being different networks.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The process of claim 19, further comprising communication by the PGN with the MN based at least in part on the configuration data sent to the MN.
  - 21. The process of claim 19, wherein the first network connection is via a serving General Packet Radio Service (GPRS) support node with a radio network connection to the PGN as a GPRS support packet gateway node.
  - 22. The process of claim 19, wherein the authentication mechanism includes:
    - receiving by the PGN from the MN a message containing at least the MN'"'"'s public key via the first network connection;
      
      sending by the PGN to the MN a message containing at least the PGN'"'"'s public key; and
      
      the PGN using the public key received from the MN for authentication of one or more messages from the MN.
  - 23. The process of claim 19, wherein said sending by the PGN to the MN configuration data using the encrypted channel includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data.

24. A mobile node (MN), comprising:
- a transceiver adapted to transmit and receive signals to and from a packet gateway node (PGN) via a first network connection of a first network;
  
  storage coupled to the transceiver and adapted to store at least data to facilitate establishment of an encrypted channel between the MN and the PGN; and
  
  wherein the MN is adapted to cooperate with the PGN to establish the encrypted channel between the PGN and the MN based on an authentication mechanism of the first network connection between the MN and the PGN, the MN further adapted to receive configuration data from the PGN using the encrypted channel, the configuration data including at least information that facilitates the MN to securely communicate with the PGN via a second network connection of a second network through at least an access point, the first and second networks being different networks.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The mobile node (MN) of claim 24, wherein said MN is adapted to receive a message containing at least the PGN'"'"'s public key via the first network connection to facilitate the establishment of the encrypted channel.
  - 26. The mobile node (MN) of claim 24, wherein said MN is adapted to use the public key to facilitate the establishment of the encrypted channel.
  - 27. The mobile node (MN) of claim 24, wherein said MN is adapted to generate a public/private key pair, the MN is further adapted to send a message containing at least the generated public key to the PGN via the first network connection as part of the authentication mechanism.
  - 28. The mobile node (MN) of claim 27, wherein said MN adapted to receive PGN'"'"'s public key, the exchanged public keys to be used for mutual authentication of the MN and the PGN to facilitate the establishment of the encrypted channel.
  - 29. The mobile node (MN) of claim 24, wherein said MN is adapted to receive from the PGN via the encrypted channel Mobile Internet Protocol (MIP) and IP Security Protocol (IPsec) configuration data.
  - 30. The mobile node (MN) of claim 24, wherein said first network connection is via a serving General Packet Radio Service (GPRS) support node with a radio network connection to the PGN as a GPRS support packet gateway node.
  - 31. The mobile node (MN) of claim 30, wherein said MN adapted to securely communicate with the PGN via a second network connection of a wireless local area network (WLAN) based at least on the configuration data.
  - 32. The mobile node (MN) of claim 24, wherein said MN is adapted to couple with a wireless local area network (WLAN) that is coupled to the PGN, to communicate with an IP based network via the WLAN and via the PGN based at least in part on the configuration data provided by the PGN to the MN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syniverse Technologies LLC (Syniverse Corp.)
Original Assignee
Interactive Technology Limited of HK
Inventors
Sharma, Mukesh, Sanchez, Luis, Roberts, Philip, Skiscim, Christopher
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US10/224,226
Publication Number

US 20030039234A1
Time in Patent Office

2,143 Days
Field of Search

713/153, 713/169, 713/171, 380/270
US Class Current

713/153
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/164   at the network layer

H04L 9/0844   with user authentication or...

H04L 9/3273   for mutual authentication n...

H04W 12/041   Key generation or derivation

H04W 12/0471   Key exchange

H04W 12/069   using certificates or pre-s...

H04W 60/00   Affiliation to network, e.g...

H04W 76/20   Manipulation of established...

H04W 80/04   Network layer protocols, e....

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/16   Gateway arrangements

H04W 92/02   Inter-networking arrangements

System and method for secure network roaming

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure network roaming

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links