Certificate based authentication authorization accounting scheme for loose coupling interworking

US 7,735,126 B2
Filed: 03/13/2003
Issued: 06/08/2010
Est. Priority Date: 04/26/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing authentication, authorization, and accounting (AAA) in a first network for a mobile device that is associated with a second network, the first and second networks having respective AAA schemes, comprising the steps of:

receiving, by the first network and the mobile device, a first key from the second network;

receiving, by the mobile device, a first certificate from the second network, the first certificate includes an identifier (ID) associated with the second network, a public key associated with the mobile device, and a subscription level of the mobile device with the first network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;

receiving, by the first network, from the second network, a second certificate which includes a public key associated with the first network, the second certificate signed with a second key of the second network;

receiving, by the first network, the first certificate from the mobile device;

authenticating, at the first network, the first certificate using the first key, and if the first certificate is authenticated,generating a session key by the first network, the session key having a signature using a private key of the first network,transmitting the session key and the second certificate to the mobile device by the first network,at the mobile device, validating the second certificate using the first key, extracting the public key from the second certificate, and verifying the signature of the session key using the extracted public key, andallowing the mobile device to access the first network using the session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of Authentication Authorization and Accounting (AAA) in an interworking between first and second networks that do not belong in the same administrative domain, using certificate based transactions. In the method according to the invention, the second network sends a public key to the first network, and a certificate to a mobile device. The certificate includes information regarding the subscription level of the mobile device and is signed with a private key of the second network. Upon detection of the first network the mobile device transmits the certificate and the first network authenticates the certificate using the public and private keys of the second network, and authorizes access to the network in response. The first network then sends a session key encrypted with a public key of the mobile device. The mobile device decrypts the session key with a private key and access the first network using the session key. In this manner, interworking is implemented without requiring the deployment of a special interworking function to bridge between the two different types of networks.

58 Citations

View as Search Results

23 Claims

1. A method for providing authentication, authorization, and accounting (AAA) in a first network for a mobile device that is associated with a second network, the first and second networks having respective AAA schemes, comprising the steps of:
- receiving, by the first network and the mobile device, a first key from the second network;
  
  receiving, by the mobile device, a first certificate from the second network, the first certificate includes an identifier (ID) associated with the second network, a public key associated with the mobile device, and a subscription level of the mobile device with the first network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
  
  receiving, by the first network, from the second network, a second certificate which includes a public key associated with the first network, the second certificate signed with a second key of the second network;
  
  receiving, by the first network, the first certificate from the mobile device;
  
  authenticating, at the first network, the first certificate using the first key, and if the first certificate is authenticated,generating a session key by the first network, the session key having a signature using a private key of the first network,transmitting the session key and the second certificate to the mobile device by the first network,at the mobile device, validating the second certificate using the first key, extracting the public key from the second certificate, and verifying the signature of the session key using the extracted public key, andallowing the mobile device to access the first network using the session key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein the first certificate further includes a signature comprising the second key of the second network.
  - 3. The method according to claim 2, wherein the authenticating step comprises authenticating the first certificate in response to the first and second keys of the second network.
  - 4. The method according to claim 2, wherein the generating step comprises the steps of computing the session key and encrypting the session key using the public key associated with the mobile device.
  - 5. The method according to claim 1, wherein the first certificate includes an expiration time that indicates when the certificate expires, and further comprising the step of checking the certificate to determine whether the certificate has expired.
  - 6. The method according to claim 1, further comprising the step of generating accounting information based on the usage of the first network by the mobile device following the authentication.

7. A method for accessing a first network using a mobile device associated with a second network, the method comprising the steps of:
- receiving, by the mobile device, a first certificate from a second network that has an existing interworking relationship with the first network, the first certificate includes an identifier (ID) associated with the second network, a public key associated with the mobile device, and a subscription level associated with the mobile device, the subscription level indicating whether the mobile device is a subscriber of the interworking relationship;
  
  in response to detection of the first network by the mobile device, transmitting the first certificate to the first network, whereby authentication, authorization and accounting is performed in response to the first certificate and a first key transmitted from the second network to the first network;
  
  receiving, by the mobile device, a session key and a second certificate from the first network upon authentication, the second certificate comprising a public key associated with the first network, the second certificate signed with a private key of the second network; and
  
  validating, by the mobile device, the second certificate using a public key of the second network, extracting the public key of the first network from the second certificate, and verifying a signature of the session key using the extracted public key of the first network, andaccessing, by the mobile device, the first network using the session key.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method according to claim 7, wherein the first certificate further includes a signature comprising the private key of the second network.
  - 9. The method according to claim 8, wherein the receiving step comprises receiving a session key encrypted using a public key of the mobile device, and further comprising the step of decrypting the session key using a private key associated with the mobile device.
  - 10. The method according to claim 7, wherein the first certificate includes an expiration time that indicates when the first certificate expires.
  - 11. The method according to claim 7, wherein the first certificate includes the ID associated with the second network, wherein the second network is associated with the mobile device, whereby accounting information based on the usage of the first network by the mobile device is generated by the first network using the ID associated with the second network.

12. An apparatus for accessing a first network, including authentication, authorization, and accounting via a second network, and for associating with the second network, the apparatus comprising:
- means for receiving, a first certificate from the second network, which has an existing interworking relationship with the first network, the first certificate includes an identifier (ID) associated with the second network, a public key of the apparatus, and a subscription level of the apparatus with the first network, the subscription level indicating the interworking relationship;
  
  memory for storing, in the mobile device, the first certificate;
  
  means for detecting the presence of the first network, and transmitting the first certificate to the first network in response to the detection of the first network, whereby authentication, authorization and accounting is performed by the first network in response to the first certificate, and a public key provided by the second network;
  
  means for receiving, a session key and a second certificate from the first network, the second certificate comprising a public key of the first network, the second certificate signed with a private key of the second network;
  
  means for validating, the second certificate using the public key provided the second network, extracting the public key of the first network from the second certificate, and verifying a signature of the session key using the extracted public key of the first network;
  
  means for decrypting the session key using a private key associated with the apparatus; and
  
  means for accessing the first network, using the session key.
- View Dependent Claims (13)
- - 13. The apparatus according to claim 12, wherein the first certificate further includes a public key of the apparatus, and a subscription expiration time associated with the apparatus.

14. A mobile device, comprising:
- means for receiving a first certificate from a first network, the first certificate comprising a public key associated with the mobile device, and an identifier (ID) for the first network, and a subscription level of a user of the mobile device with the first network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
  
  memory storage for the first certificate;
  
  means for transmitting the first certificate to the second network upon detecting the second network;
  
  means for receiving a session key and a second certificate from the second network in response to authentication of the first certificate by the second network, the second certificate comprising a public key of the second network, the second certificate signed with a private key of the first network;
  
  a central processor unit for validating the second certificate using a public key of the first network, extracting the public key of the second network from the second certificate, and verifying a signature of the session key using the extracted public key;
  
  means for decrypting the session key using a private key of a user of the mobile device; and
  
  means for communicating securely with the second network using the session key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The mobile device according to claim 14, wherein the first network is a cellular network.
  - 16. The mobile device according to claim 14, wherein the first certificate further comprises:
    - an expiration time of the certificate, and a mobile user ID.
  - 17. The mobile device according to claim 14, wherein the first certificate is signed with a private key of the first network.
  - 18. The mobile device according to claim 14, wherein the session key is encrypted with a public key of a user of the mobile device.
  - 19. The mobile device according to claim 14, wherein the session key is a per user wired equivalent privacy key.
  - 20. The mobile device according to claim 14, wherein the second network is a wireless local area network.

21. A mobile device, comprising:
- means for receiving, a public key of a first network;
  
  means for receiving, a first certificate from the first network, the first certificate comprising an identifier (ID) for a second network, a public key associated with the mobile device, and a subscription level of the mobile device with the second network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
  
  memory storage for the first certificate;
  
  means for transmitting the first certificate to the second network upon detecting the second network;
  
  means for receiving a second certificate and a session key generated by the second network in response to authentication of the first certificate by the second network;
  
  means for verifying validity of the second certificate using the public key of the first network and if validity is verified, extracting a public key of the second network from the second certificate;
  
  means for verifying the session key was transmitted by the second network using the extracted public key of the second network to verify a signature on the session key and if the session key is verified then decrypting the session key with a private key of a user of the mobile device; and
  
  means for communicating securely with the second network using the session key.
- View Dependent Claims (22, 23)
- - 22. The mobile device according to claim 21, wherein the second network is a wireless local area network.
  - 23. The mobile device according to claim 21, wherein the first network is a cellular network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thomson Licensing SA (Vantiva SA)
Original Assignee
Thomson Licensing (Vantiva SA)
Inventors
Li, Jun, Zhang, Junbiao, Wang, Charles Chuanming
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Abedin; Shanto M

Application Number

US10/512,506
Publication Number

US 20050154909A1
Time in Patent Office

2,644 Days
Field of Search

726/1, 726/2, 726/10, 726/27, 713/155, 713/157, 713/175, 713/180, 713/168, 713/170, 709/225, 709/229, 455/411
US Class Current

726/10
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 2209/80   Wireless network architectu...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/3263   involving certificates, e.g...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 92/02   Inter-networking arrangements

Certificate based authentication authorization accounting scheme for loose coupling interworking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate based authentication authorization accounting scheme for loose coupling interworking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links