Security of data connections
First Claim
1. A method, comprising:
- providing security of data connections in an arrangement comprising a telecommunication network comprising subscribers, a first private data network connected to the telecommunication network, a second private data network connected to the telecommunication network via the first private network, the second private data network comprising a server providing data services;
authenticating the subscriber between the telecommunication network and the first private data network using an authentication procedure provided by the telecommunication network;
forming, in the first private network, a message comprising the identification of the subscriber received from the telecommunication network and an authenticity code of the message;
determining, in the first private data network, the identity of the server of the second private data network based on the received identification of the subscriber;
sending said message to the server of the second private data network; and
in response to having received the message in the second private data network,
verifying the authenticity code, checking the identified user's right to the requested service, and, when the user is entitled to the requested service, generating and sending a reply to the first private data network.
Abstract
The invention concerns the security of the data connections of a telephone user. The basic idea of the invention is to carry the authentication performed by a telephone system over to the leg between two private data networks connected via an arbitrating network. When establishing the connection, the private network connected to the telephone system forwards the authenticated subscriber identity to the other private network. To give the forwarded identity authenticity, the message containing the identity is signed. To keep the subscriber identity confidential, the message is encrypted using a public key method. In response, the second private network generates a session key to be used in the connection. This key is signed, encrypted using a public key method and sent to the first private network. During the connection, a symmetric encryption method with the session key is used.
37 Citations
29 Claims
1. A method, comprising:
providing security of data connections in an arrangement comprising a telecommunication network comprising subscribers, a first private data network connected to the telecommunication network, a second private data network connected to the telecommunication network via the first private network, the second private data network comprising a server providing data services;
authenticating the subscriber between the telecommunication network and the first private data network using an authentication procedure provided by the telecommunication network;
forming, in the first private network, a message comprising the identification of the subscriber received from the telecommunication network and an authenticity code of the message;
determining, in the first private data network, the identity of the server of the second private data network based on the received identification of the subscriber;
sending said message to the server of the second private data network; and
in response to having received the message in the second private data network,
verifying the authenticity code, checking the identified user's right to the requested service, and, when the user is entitled to the requested service, generating and sending a reply to the first private data network.
(Dependent claims 2 to 20 not reproduced.)
21. An authentication server, comprising:
a receiver unit configured to receive a subscriber identity from a telecommunication network connected to a data network for which the authentication service is provided;
a determination unit configured, responsive to the receiver unit, to determine the identity of a second authentication server in a second data network based on the identity of the subscriber, wherein the second data network is connected to the telecommunication network via the data network;
a signer unit configured, responsive to the receiver unit, to generate a digital signature; and
a sender unit configured, responsive to the receiver unit, the determination unit, and the signer unit, to send the identity and the signature to the second authentication server.
(Dependent claims 22 to 24 not reproduced.)
25. An authentication server, comprising:
a receiver unit configured to receive a subscriber identity, an identification of a service request by the subscriber, and a digital signature calculated by another authentication server from the subscriber identity and the identification of the service requested by the subscriber;
a verification unit configured, responsive to the receiver unit, to verify the digital signature;
a checker unit configured, responsive to the receiver unit, to check the subscriber's right to the requested service;
a generation unit configured, responsive to the checker unit, to generate a session key;
an encryption unit configured, responsive to the generation unit, to encrypt the session key; and
a sender unit configured, responsive to the encryption unit, to send an encrypted message comprising the session key to the other authentication server.
(Dependent claims 26 and 27 not reproduced.)
28. An authentication server, comprising:
receiving means for receiving a subscriber identity from a telecommunication network connected to a data network for which the authentication service is provided;
determining means, responsive to the receiving means, for determining the identity of a second authentication server in a second data network based on the identity of the subscriber, wherein the second data network is connected to the telecommunication network via the data network;
signing means, responsive to the receiving means, for generating a digital signature; and
sending means, responsive to the receiving means, the determining means, and the signing means, for sending the identity and the signature to the second authentication server.
29. An authentication server, comprising:
receiving means for receiving a subscriber identity, an identification of a service request by the subscriber, and a digital signature calculated by another authentication server from the subscriber identity and the identification of the service requested by the subscriber;
verification means, responsive to the receiving means, for verifying the digital signature;
checking means, responsive to the receiving means, for checking the subscriber's right to the requested service;
generation means, responsive to the checking means, for generating a session key;
encryption means, responsive to the generation means, for encrypting the session key; and
sending means, responsive to the encryption means, for sending an encrypted message comprising the session key to the other authentication server.
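The exchange described in the abstract and in claims 1, 21 and 25, written out as an added example in Go with both authentication servers' sides; this is not code from the patent or its assignee. Everything the page leaves open is an assumption here: Ed25519 signatures serve as the "authenticity code", RSA-OAEP (3072-bit, SHA-256) as the public key method, the session key is 256 random bits, the subscriber identity carries the serving network's realm after "@" so the first network can determine which server to contact, entitlements live in an in-memory table, and the two servers already hold each other's public keys. The telephone network's own authentication step is outside the example: the identity arrives already authenticated. The subscriber name and entitlement table in `main` are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AuthServer is one private network's authentication server; peers are assumed to know
// each other's public keys out of band (the patent does not say how).
type AuthServer struct {
	SignPub      ed25519.PublicKey
	signKey      ed25519.PrivateKey
	encKey       *rsa.PrivateKey
	Entitlements map[string]map[string]bool // subscriber -> services (serving side only)
}

func NewAuthServer() *AuthServer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &AuthServer{must(pub, err), priv, must(rsa.GenerateKey(rand.Reader, 3072)), map[string]map[string]bool{}}
}

// Msg is the signed body in both directions: Subscriber+Service out, Subscriber+Key back.
// Sig is the "authenticity code", an Ed25519 signature over the other fields (tbs).
type Msg struct {
	Subscriber, Service string
	Key, Sig            []byte
}
func (m Msg) tbs() []byte { return []byte(m.Subscriber + "\x00" + m.Service + "\x00" + string(m.Key)) }

// seal encrypts a message to pub; the JSON body must fit one RSA-OAEP block (318 bytes here).
func seal(pub *rsa.PublicKey, m Msg) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, must(json.Marshal(m)), nil))
}
// open decrypts a message sent to priv and verifies that from signed it.
func open(priv *rsa.PrivateKey, from *AuthServer, ct []byte) (m Msg, err error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err == nil {
		err = json.Unmarshal(body, &m)
	}
	if err == nil && !ed25519.Verify(from.SignPub, m.tbs(), m.Sig) {
		err = errors.New("bad authenticity code")
	}
	return m, err
}

// First network: the subscriber was authenticated by the telephone network. Determine the
// serving network from the identity (realm after '@', an assumption here), sign, encrypt.
func (a *AuthServer) MakeRequest(subscriber, service string, dir map[string]*AuthServer) (*AuthServer, []byte, error) {
	_, realm, _ := strings.Cut(subscriber, "@")
	to := dir[realm]
	if to == nil {
		return nil, nil, fmt.Errorf("no serving network for %q", subscriber)
	}
	m := Msg{Subscriber: subscriber, Service: service}
	m.Sig = ed25519.Sign(a.signKey, m.tbs())
	return to, seal(&to.encKey.PublicKey, m), nil
}

// Second network: verify the authenticity code and the entitlement, then issue a fresh
// session key, signed by this server and encrypted to the first network.
func (b *AuthServer) Serve(ct []byte, from *AuthServer) (reply, key []byte, err error) {
	r, err := open(b.encKey, from, ct)
	if err != nil {
		return nil, nil, fmt.Errorf("request: %w", err)
	}
	if !b.Entitlements[r.Subscriber][r.Service] {
		return nil, nil, fmt.Errorf("%s is not entitled to %s", r.Subscriber, r.Service)
	}
	m := Msg{Subscriber: r.Subscriber, Key: make([]byte, 32)}
	must(rand.Read(m.Key))
	m.Sig = ed25519.Sign(b.signKey, m.tbs())
	return seal(&from.encKey.PublicKey, m), m.Key, nil
}

// First network: decrypt and verify the reply, check it is for this subscriber, and adopt
// the 256-bit session key for the symmetric encryption used during the connection.
func (a *AuthServer) Accept(ct []byte, from *AuthServer, subscriber string) ([]byte, error) {
	m, err := open(a.encKey, from, ct)
	if err != nil {
		return nil, fmt.Errorf("reply: %w", err)
	}
	if m.Subscriber != subscriber || len(m.Key) != 32 {
		return nil, errors.New("reply: wrong subscriber or key size")
	}
	return m.Key, nil
}

func main() {
	net1, net2 := NewAuthServer(), NewAuthServer()
	sub := "alice@net2.example" // constructed sample identity; its realm selects net2
	net2.Entitlements[sub] = map[string]bool{"mail": true}
	to, req, err := net1.MakeRequest(sub, "mail", map[string]*AuthServer{"net2.example": net2})
	reply, _, err := to.Serve(must(req, err), net1)
	fmt.Printf("session key for %s: %x\n", sub, must(net1.Accept(must(reply, err), to, sub)))
}
```

Both directions pass through `open`, so the serving network's reply is signature-checked just as the request is, and `Accept` additionally binds the reply to the subscriber it was requested for, which stops a captured reply from being accepted for a different request. Two simplifications a practitioner would change: the RSA-OAEP layer encrypts the whole body directly, which only works because these messages are short (a hybrid scheme wrapping a symmetric key is the usual choice), and the symmetric phase that follows with the returned key (AES-GCM, for instance) is not shown.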
Specification