Local authentication of mobile subscribers outside their home systems

US 7,668,315 B2
Filed: 05/22/2001
Issued: 02/23/2010
Est. Priority Date: 01/05/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A subscriber identification module for providing local authentication of a subscriber in a communication system, comprising:

a memory; and

a processor configured to implement a set of instructions stored in the memory, the set of instructions for;

generating a plurality of keys in response to a received challenge;

generating an initial value based upon a first key from the plurality of keys;

concatenating the initial value with a received signal to form an input value, wherein the received signal is transmitted from a communications unit communicatively coupled to the subscriber identification module, and the received signal is generated by the communications unit using a second key from the plurality of keys, the second key having been communicated from the subscriber identification module to the communications unit;

hashing the input value to form an authentication signal; and

transmitting the authentication signal to the communications system via the communications unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are presented for providing local authentication of subscribers travelling outside their home systems. A subscriber identification token 230 provides authentication support by generating a signature 370 based upon a key that is held secret from a mobile unit 220. A mobile unit 220 that is programmed to wrongfully retain keys from a subscriber identification token 230 after a subscriber has removed his or her token is prevented from subsequently accessing the subscriber'"'"'s account.

56 Citations

View as Search Results

28 Claims

1. A subscriber identification module for providing local authentication of a subscriber in a communication system, comprising:
- a memory; and
  
  a processor configured to implement a set of instructions stored in the memory, the set of instructions for;
  
  generating a plurality of keys in response to a received challenge;
  
  generating an initial value based upon a first key from the plurality of keys;
  
  concatenating the initial value with a received signal to form an input value, wherein the received signal is transmitted from a communications unit communicatively coupled to the subscriber identification module, and the received signal is generated by the communications unit using a second key from the plurality of keys, the second key having been communicated from the subscriber identification module to the communications unit;
  
  hashing the input value to form an authentication signal; and
  
  transmitting the authentication signal to the communications system via the communications unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The subscriber identification module of claim 1, wherein hashing the input value is performed in accordance with the Secure Hashing Algorithm (SHA-1).
  - 3. The subscriber identification module of claim 1, wherein generating the initial value comprises padding the first key.
  - 4. The subscriber identification module of claim 3, wherein generating the initial value further comprises adding the padded first key bit-wise to a constant value.
  - 5. The subscriber identification module of claim 1, wherein the received signal is generated at the communications unit by:
    - receiving the second key from the subscriber identification module;
      
      generating a local initial value based upon the second key;
      
      concatenating the local initial value and a message to form a local input value;
      
      hashing the local input value to form the received signal; and
      
      transmitting the received signal to the subscriber identification module.
  - 6. The subscriber identification module of claim 5, wherein generating the local initial value comprises padding the second key.
  - 7. The subscriber identification module of claim 6, wherein generating the local initial value further comprises adding the padded second key bit-wise to a second constant value.

8. A subscriber identification module, comprising:
- a key generation element; and
  
  a signature generator configured to receive a secret key from the key generation element and information from a mobile unit, and further configured to generate a signature that will be sent to the mobile unit, wherein the signature is generated by concatenating the secret key with the information from the mobile unit and hashing the concatenated secret key and information.
- View Dependent Claims (9, 10)
- - 9. The subscriber identification module of claim 8, wherein the key generation element comprises:
    - a memory; and
      
      a processor configured to execute a set of instructions stored in the memory, wherein the set of instructions performs a cryptographic transformation upon an input value to produce a plurality of temporary keys.
  - 10. The subscriber identification module of claim 9, wherein the cryptographic transformation is performed using a permanent key.

11. An apparatus for providing secure local authentication of a subscriber in a communication system, comprising a subscriber identification module configured to interact with a communications unit, wherein the subscriber identification module comprises:
- a key generator for generating a plurality of keys from a received value and a secret value, wherein at least one communication key from the plurality of keys is delivered to the communications unit and at least one secret key from the plurality of keys is not delivered to the communications unit; and
  
  a signature generator for generating an authorization signal from hashing a version of the at least one secret key together with an authorization message, wherein the authorization message is generated by the communications unit using a version of the at least one communication key.
- View Dependent Claims (12, 13, 14)
- - 12. The apparatus of claim 11, wherein the subscriber identification module is configured to be inserted into the communications unit.
  - 13. The apparatus of claim 11, wherein the at least one communication key comprises an integrity key.
  - 14. The apparatus of claim 11, wherein hashing is performed in accordance with SHA-1.

15. A method for providing authentication of a subscriber using a subscriber identification device, comprising:
- generating a plurality of keys;
  
  transmitting at least one key from the plurality of keys to a communications device communicatively coupled to the subscriber identification device and holding private at least one key from the plurality of keys;
  
  generating a signature at the communications device using both the at least one key transmitted to the communications device and a transmission message, wherein generating is implemented by hashing a concatenated value formed from the at least one key and the transmission message;
  
  transmitting the signature to the subscriber identification device;
  
  receiving the signature at the subscriber identification device;
  
  generating a primary signature from the received signature, wherein the generating is implemented by hashing a concatenated value formed from the at least one private key and the signature received from the communications device; and
  
  conveying the primary signature to a communications system.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein hashing is implemented in accordance with SHA-1.

17. A method operational on a subscriber identification device for providing local authentication of a subscriber, comprising:
- generating a plurality of keys in response to a received challenge;
  
  generating an initial value based on a first key from the plurality of keys;
  
  concatenating the initial value with a received signal to form an input value, wherein the received signal is transmitted from a communications unit communicatively coupled to the subscriber identification module, and the received signal is generated by the communications unit using a second key from the plurality of keys, the second key having been communicated from the subscriber identification module to the communications unit;
  
  hashing the input value to form an authentication signal; and
  
  transmitting the authentication signal to the communications system via the communications unit.

18. A subscriber identification module for providing local authentication of a subscriber in a communication system, comprising:
- means for generating a plurality of keys in response to a received challenge;
  
  means for generating an initial value based on a first key from the plurality of keys;
  
  means for concatenating the initial value with a received signal to form an input value, wherein the received signal is transmitted from a communications unit communicatively coupled to the subscriber identification module, and the received signal is generated by the communications unit using a second key from the plurality of keys, the second key having been communicated from the subscriber identification module to the communications unit;
  
  means for hashing the input value to form an authentication signal; and
  
  means for transmitting the authentication signal to the communications system via the communications unit.

19. A machine-readable medium having one or more instructions for authenticating a subscriber using a subscriber identification device, which when executed by a processor causes the processor to:
- generate a plurality of keys in response to a received challenge;
  
  generate an initial value based on a first key from the plurality of keys;
  
  concatenate the initial value with a received signal to form an input value, wherein the received signal is transmitted from a communications unit communicatively coupled to the subscriber identification module, and the received signal is generated by the communications unit using a second key from the plurality of keys, the second key having been communicated from the subscriber identification module to the communications unit;
  
  hash the input value to form an authentication signal; and
  
  transmit the authentication signal to the communications system via the communications unit.

20. A method operational on a subscriber identification device, comprising:
- receiving a secret key from a key generation element and information from a mobile unit;
  
  concatenating the secret key with the information from the mobile unit;
  
  hashing the concatenated secret key and information to generate a signature; and
  
  sending the signature to the mobile unit.
- View Dependent Claims (21)
- - 21. The method of claim 20 further comprising:
    - performing a cryptographic transformation on an input value to produce a plurality of temporary keys.

22. A subscriber identification device, comprising:
- means for receiving a secret key from a key generation element and information from a mobile unit;
  
  means for concatenating the secret key with the information from the mobile unit;
  
  means for hashing the concatenated secret key and information to generate a signature; and
  
  means for sending the signature to the mobile unit.
- View Dependent Claims (23)
- - 23. The subscriber identification module of claim 22 further comprising:
    - means for performing a cryptographic transformation on an input value to produce a plurality of temporary keys.

24. A machine-readable medium having one or more instructions operational on a subscriber identification device for authenticating a subscriber, which when executed by a processor causes the processor to:
- receive a secret key from a key generation element and information from a mobile unit;
  
  concatenate the secret key with the information from the mobile unit;
  
  hash the concatenated secret key and information to generate a signature; and
  
  send the signature to the mobile unit.
- View Dependent Claims (25)
- - 25. The machine-readable medium of claim 24 further having one or more instructions which when executed by a processor causes the processor to:
    - perform a cryptographic transformation on an input value to produce a plurality of temporary keys.

26. A method operational on a subscriber identification module for providing secure local authentication of a subscriber in a communication system, comprising:
- generating a plurality of keys from a received value and a secret value;
  
  delivering at least one communication key from the plurality of keys to a communication unit configured to interact with the subscriber identification module;
  
  withholding at least one secret key from the plurality of keys from the communication unit; and
  
  hashing a version of the at least one secret key together with an authorization message to generate an authorization signal, wherein the authorization message is generated by the communications unit using a version of the at least one communication key.

27. A subscriber identification module for providing secure local authentication of a subscriber in a communication system, comprising:
- means for generating a plurality of keys from a received value and a secret value;
  
  means for delivering at least one communication key from the plurality of keys to a communication unit configured to interact with the subscriber identification module;
  
  means for withholding at least one secret key from the plurality of keys from the communication unit; and
  
  means for hashing a version of the at least one secret key together with an authorization message to generate an authorization signal, wherein the authorization message is generated by the communications unit using a version of the at least one communication key.

28. A machine-readable medium having one or more instructions operational on a subscriber identification device for providing secure local authentication of a subscriber in a communication system, which when executed by a processor causes the processor to:
- generate a plurality of keys from a received value and a secret value;
  
  deliver at least one communication key from the plurality of keys to a communication unit configured to interact with the subscriber identification module;
  
  withhold at least one secret key from the plurality of keys from the communication unit; and
  
  hash a version of the at least one secret key together with an authorization message to generate an authorization signal, wherein the authorization message is generated by the communications unit using a version of the at least one communication key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Rose, Gregory G., Quick, Roy F. Jr.
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/863,139
Publication Number

US 20020091933A1
Time in Patent Office

3,199 Days
Field of Search

380/264, 380/277, 301/49
US Class Current

380/264
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0853   using an additional device,...

H04L 63/12   Applying verification of th...

H04L 9/14   using a plurality of keys o...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

H04W 12/06   Authentication

H04W 12/10   Integrity

H04W 12/128   Anti-malware arrangements, ...

H04W 88/02   Terminal devices

Local authentication of mobile subscribers outside their home systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Local authentication of mobile subscribers outside their home systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links