Certificate based authentication authorization accounting scheme for loose coupling interworking
First Claim
1. A method for providing authentication, authorization, and accounting (AAA) in a first network for a mobile device that is associated with a second network, the first and second networks having respective AAA schemes, comprising the steps of:
receiving, by the first network and the mobile device, a first key from the second network;
receiving, by the mobile device, a first certificate from the second network, the first certificate includes an identifier (ID) associated with the second network, a public key associated with the mobile device, and a subscription level of the mobile device with the first network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
receiving, by the first network, from the second network, a second certificate which includes a public key associated with the first network, the second certificate signed with a second key of the second network;
receiving, by the first network, the first certificate from the mobile device;
authenticating, at the first network, the first certificate using the first key, and if the first certificate is authenticated, generating a session key by the first network, the session key having a signature using a private key of the first network, transmitting the session key and the second certificate to the mobile device by the first network, at the mobile device, validating the second certificate using the first key, extracting the public key from the second certificate, and verifying the signature of the session key using the extracted public key, and allowing the mobile device to access the first network using the session key.
Abstract
A method of Authentication, Authorization and Accounting (AAA) in an interworking between first and second networks that do not belong to the same administrative domain, using certificate-based transactions. In the method according to the invention, the second network sends a public key to the first network, and a certificate to a mobile device. The certificate includes information regarding the subscription level of the mobile device and is signed with a private key of the second network. Upon detection of the first network, the mobile device transmits the certificate; the first network authenticates the certificate using the public and private keys of the second network, and authorizes access to the network in response. The first network then sends a session key encrypted with a public key of the mobile device. The mobile device decrypts the session key with its private key and accesses the first network using the session key. In this manner, interworking is implemented without requiring the deployment of a special interworking function to bridge between the two different types of networks.
58 Citations
23 Claims
1. (Independent claim; given in full under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6

7. A method for accessing a first network using a mobile device associated with a second network, the method comprising the steps of:
receiving, by the mobile device, a first certificate from a second network that has an existing interworking relationship with the first network, the first certificate includes an identifier (ID) associated with the second network, a public key associated with the mobile device, and a subscription level associated with the mobile device, the subscription level indicating whether the mobile device is a subscriber of the interworking relationship;
in response to detection of the first network by the mobile device, transmitting the first certificate to the first network, whereby authentication, authorization and accounting is performed in response to the first certificate and a first key transmitted from the second network to the first network;
receiving, by the mobile device, a session key and a second certificate from the first network upon authentication, the second certificate comprising a public key associated with the first network, the second certificate signed with a private key of the second network; and
validating, by the mobile device, the second certificate using a public key of the second network, extracting the public key of the first network from the second certificate, and verifying a signature of the session key using the extracted public key of the first network, and accessing, by the mobile device, the first network using the session key.
Dependent claims: 8, 9, 10, 11

12. An apparatus for accessing a first network, including authentication, authorization, and accounting via a second network, and for associating with the second network, the apparatus comprising:
means for receiving, a first certificate from the second network, which has an existing interworking relationship with the first network, the first certificate includes an identifier (ID) associated with the second network, a public key of the apparatus, and a subscription level of the apparatus with the first network, the subscription level indicating the interworking relationship;
memory for storing, in the mobile device, the first certificate;
means for detecting the presence of the first network, and transmitting the first certificate to the first network in response to the detection of the first network, whereby authentication, authorization and accounting is performed by the first network in response to the first certificate, and a public key provided by the second network;
means for receiving, a session key and a second certificate from the first network, the second certificate comprising a public key of the first network, the second certificate signed with a private key of the second network;
means for validating, the second certificate using the public key provided by the second network, extracting the public key of the first network from the second certificate, and verifying a signature of the session key using the extracted public key of the first network;
means for decrypting the session key using a private key associated with the apparatus; and
means for accessing the first network, using the session key.
Dependent claims: 13

14. A mobile device, comprising:
means for receiving a first certificate from a first network, the first certificate comprising a public key associated with the mobile device, and an identifier (ID) for the first network, and a subscription level of a user of the mobile device with the first network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
memory storage for the first certificate;
means for transmitting the first certificate to the second network upon detecting the second network;
means for receiving a session key and a second certificate from the second network in response to authentication of the first certificate by the second network, the second certificate comprising a public key of the second network, the second certificate signed with a private key of the first network;
a central processor unit for validating the second certificate using a public key of the first network, extracting the public key of the second network from the second certificate, and verifying a signature of the session key using the extracted public key;
means for decrypting the session key using a private key of a user of the mobile device; and
means for communicating securely with the second network using the session key.
Dependent claims: 15, 16, 17, 18, 19, 20

21. A mobile device, comprising:
means for receiving, a public key of a first network;
means for receiving, a first certificate from the first network, the first certificate comprising an identifier (ID) for a second network, a public key associated with the mobile device, and a subscription level of the mobile device with the second network, the subscription level indicating whether the mobile device is a subscriber of an interworking service;
memory storage for the first certificate;
means for transmitting the first certificate to the second network upon detecting the second network;
means for receiving a second certificate and a session key generated by the second network in response to authentication of the first certificate by the second network;
means for verifying validity of the second certificate using the public key of the first network and if validity is verified, extracting a public key of the second network from the second certificate;
means for verifying the session key was transmitted by the second network using the extracted public key of the second network to verify a signature on the session key and if the session key is verified then decrypting the session key with a private key of a user of the mobile device; and
means for communicating securely with the second network using the session key.
Dependent claims: 22, 23
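The flow described in the abstract and in claims 1 and 7, run end to end as an added example; this is constructed for this page and is not code from the patent. It follows the naming of claims 1 and 7 (the home network is the "second network" that holds the subscription, the visited network is the "first network"; claims 14 and 21 number them the other way round). The network identifiers, the certificate field names, the 16-byte session key and the subscription value "interworking" are assumptions, and unpadded textbook RSA over a seeded generator stands in for real signature and encryption primitives; it is a stand-in for illustration only.

```python
"""Toy run of the certificate-based interworking AAA flow in the abstract and claims 1/7.
Constructed illustration, not the patent's code; textbook RSA is a stand-in only."""
import hashlib, json, os, random

_rng = random.Random(2024)  # fixed seed: reproducible toy keys

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; adequate for toy-sized keys
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Return ((e, n), (d, n)); e is prime, so e not dividing phi means gcd(e, phi) == 1."""
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        while not _is_probable_prime(q):
            q = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

# toy RSA primitives: sign/verify a SHA-256 digest, encrypt/decrypt a short byte string (unpadded)
def _h(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data): return pow(_h(data), priv[0], priv[1])
def verify(pub, data, sig): return pow(sig, pub[0], pub[1]) == _h(data)
def encrypt(pub, plaintext):
    e, n = pub
    return pow(int.from_bytes(plaintext, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
def decrypt(priv, ciphertext, length):
    return pow(int.from_bytes(ciphertext, "big"), priv[0], priv[1]).to_bytes(length, "big")
def issue_cert(issuer_priv, fields):
    body = json.dumps(fields, sort_keys=True).encode()  # canonical encoding is what gets signed
    return {"body": body, "sig": sign(issuer_priv, body)}
def cert_fields(issuer_pub, cert):
    """Fields of cert if its signature verifies under issuer_pub, else None."""
    return json.loads(cert["body"]) if verify(issuer_pub, cert["body"], cert["sig"]) else None

class HomeNetwork:  # second network: issues both certificates; its public key is the "first key"
    def __init__(self, net_id="home.example"):  # constructed identifier
        self.id, (self.pub, self.priv) = net_id, keygen()
    def enroll_mobile(self, mobile_pub, subscription):  # first certificate
        return issue_cert(self.priv, {"issuer": self.id, "mobile_pub": mobile_pub, "subscription": subscription})
    def certify_visited(self, visited_pub):  # second certificate
        return issue_cert(self.priv, {"issuer": self.id, "visited_pub": visited_pub})

class VisitedNetwork:  # first network: authenticates the certificate, then issues the session key
    def __init__(self, home):
        self.pub, self.priv = keygen()
        self.home_pub, self.home_id = home.pub, home.id  # first key, received from the home network
        self.own_cert = home.certify_visited(self.pub)   # second certificate, received from the home network
        self.last_session_key = None
    def authenticate(self, mobile_cert):
        fields = cert_fields(self.home_pub, mobile_cert)
        if fields is None or fields["issuer"] != self.home_id:
            return None  # forged or foreign certificate: authentication fails
        if fields["subscription"] != "interworking":
            return None  # genuine subscriber, but not of the interworking service: authorization fails
        self.last_session_key = os.urandom(16)
        enc_key = encrypt(tuple(fields["mobile_pub"]), self.last_session_key)
        return {"enc_key": enc_key, "key_sig": sign(self.priv, enc_key), "visited_cert": self.own_cert}

class MobileDevice:
    def __init__(self, issuer, subscription):
        self.pub, self.priv = keygen()
        self.home_pub = issuer.pub                                # first key
        self.cert = issuer.enroll_mobile(self.pub, subscription)  # first certificate
        self.session_key = None
    def attach(self, visited):
        """Present the first certificate; accept the session key only after both checks pass."""
        reply = visited.authenticate(self.cert)
        fields = None if reply is None else cert_fields(self.home_pub, reply["visited_cert"])
        if fields is None:
            return False  # rejected by the visited network, or second certificate not signed by home
        if not verify(tuple(fields["visited_pub"]), reply["enc_key"], reply["key_sig"]):
            return False  # session key was not signed by the certified visited network
        self.session_key = decrypt(self.priv, reply["enc_key"], 16)
        return True

def run_interworking(subscription="interworking", forged=False):
    """One attach attempt; returns (access_granted, both_sides_hold_the_same_key)."""
    home, visited = HomeNetwork(), None
    visited = VisitedNetwork(home)
    issuer = HomeNetwork("rogue.example") if forged else home  # rogue key never given to the visited network
    mobile = MobileDevice(issuer, subscription)
    ok = mobile.attach(visited)
    return ok, ok and mobile.session_key == visited.last_session_key
```

The checks on the mobile side are kept as separate early returns so that a failure in any one of them (second certificate not signed by the home key, session-key signature not under the key extracted from that certificate) is visible on its own. `run_interworking("basic")` shows authentication succeeding but authorization failing on the subscription level, and `run_interworking(forged=True)` shows a certificate signed by a key the visited network never received being rejected before any session key is issued.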
Specification