Authenticating mobile network provider equipment

US 7,831,237 B2
Filed: 09/05/2006
Issued: 11/09/2010
Est. Priority Date: 02/03/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing mobile network security, comprising:

registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register, the secret data and an address of the registration entity being embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output, the physical device providing the first mobile network provider equipment with the address of the registration entity to facilitate an initial communication from the first mobile network provider equipment to the registration entity, the initial communication comprising a unique identifier of the first mobile network provider equipment and a first random number;

mutually authenticating between the first mobile network provider equipment and the registration entity via an SSL connection over an IP-protocol-based network;

after mutual authentication, receiving, from the registration entity, encryption data usable to communicate securely with a second mobile network provider equipment over the IP-protocol-based network, the encryption data comprising one or more keys and an IP address of the second mobile network provider equipment, the IP address of the second mobile network provider equipment not being publicly available, the second mobile network provider equipment being coupled to a base station controller via a dedicated line, the second mobile network provider equipment aggregating mobile communications from the first mobile network provider equipment and at least another mobile network provider equipment and sending the aggregated mobile communications to the base station controller via the dedicated line, the second mobile network provider equipment also receiving the one or more keys from the registration entity;

sending voice data from the first mobile network provider equipment to the second mobile network provider equipment using S-RTP via UDP over IP using the one or more keys; and

sending signaling data from the first mobile network provider equipment to the second mobile network provider equipment via SCTP over IP-SEC using the one or more keys,wherein the first mobile network provider equipment, the second mobile network provider equipment and the registration entity are disposed communicatively on a provider network side of an air link that supports voice and data communications with mobile phones, the mobile phones being configured to support GSM and GPRS communications.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing mobile network security is disclosed. A first mobile network provider equipment registers using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register and embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output. An encryption data usable to communicate securely with a second mobile network provider equipment over a packet data network is received from the registration entity.

41 Citations

View as Search Results

31 Claims

1. A method of providing mobile network security, comprising:
- registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register, the secret data and an address of the registration entity being embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output, the physical device providing the first mobile network provider equipment with the address of the registration entity to facilitate an initial communication from the first mobile network provider equipment to the registration entity, the initial communication comprising a unique identifier of the first mobile network provider equipment and a first random number;
  
  mutually authenticating between the first mobile network provider equipment and the registration entity via an SSL connection over an IP-protocol-based network;
  
  after mutual authentication, receiving, from the registration entity, encryption data usable to communicate securely with a second mobile network provider equipment over the IP-protocol-based network, the encryption data comprising one or more keys and an IP address of the second mobile network provider equipment, the IP address of the second mobile network provider equipment not being publicly available, the second mobile network provider equipment being coupled to a base station controller via a dedicated line, the second mobile network provider equipment aggregating mobile communications from the first mobile network provider equipment and at least another mobile network provider equipment and sending the aggregated mobile communications to the base station controller via the dedicated line, the second mobile network provider equipment also receiving the one or more keys from the registration entity;
  
  sending voice data from the first mobile network provider equipment to the second mobile network provider equipment using S-RTP via UDP over IP using the one or more keys; and
  
  sending signaling data from the first mobile network provider equipment to the second mobile network provider equipment via SCTP over IP-SEC using the one or more keys,wherein the first mobile network provider equipment, the second mobile network provider equipment and the registration entity are disposed communicatively on a provider network side of an air link that supports voice and data communications with mobile phones, the mobile phones being configured to support GSM and GPRS communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1, wherein the one or more keys comprise one or more session keys.
  - 3. The method according to claim 1, wherein the IP-protocol-based network is connected to the registration entity via a router/firewall.
  - 4. The method according to claim 1, wherein the one or more keys have a specified lifetime before expiring.
  - 5. The method according to claim 1, wherein the physical device comprises a smart card or an equipment identification module.
  - 6. The method according to claim 1, wherein the first mobile network provider equipment comprises a base transceiver station, wherein the second mobile network provider comprises an aggregated gateway that services a plurality of base transceiver stations including the base transceiver station, and wherein the registration entity comprises a registration server.
  - 7. The method according to claim 1, wherein the IP protocol network is used as a backhaul of a mobile network.
  - 8. The method according to claim 1, further comprising receiving a Uniform Resource Locator (URL) or an Internet Protocol (IP) address that can be used by the first mobile network provider equipment to locate the second mobile network provider equipment.
  - 9. The method according to claim 1, wherein registering the first mobile network provider equipment includes establishing a secure connection between the first network provider equipment and the registration entity.
  - 10. The method according to claim 9, wherein the secure connection comprises Secure Socket Layer (SSL) or other privacy-protected session.
  - 11. The method according to claim 1, wherein the second network provider equipment comprises a base station controller.
  - 12. The method according to claim 1, wherein the second network provider equipment comprises an entity forwarding data received from the first network provider equipment via the packet data network to a base station controller.
  - 13. The method according to claim 1, wherein the second network provider equipment and the registration entity are included in the same physical computing system.
  - 14. The method according to claim 13, wherein the second network provider equipment and the registration entity are both associated with different Internet Protocol (IP) addresses.
  - 15. The method according to claim 1, wherein the secret data is embodied in the physical device at a time the physical device is manufactured.
  - 16. The method according to claim 6, wherein the aggregated gateway that services the plurality of base transceiver stations presents two or more base transceiver stations as a single logical base transceiver station.
  - 17. The method according to claim 1, wherein registering the first mobile network provider equipment using the secret data includes sending to the registration entity a random value, receiving from the registration entity a response to the random value, using the physical device to perform a computation using the secret data and the random value, comparing the result of the computation with the received response, and concluding the registration entity is trustworthy if the received response matches the result of the computation.
  - 18. The method according to claim 1, wherein registering the first mobile network provider equipment using the secret data includes receiving from the registration entity a random value, performing a computation using the physical device and the random value, and sending to the registration entity a result of the computation.
  - 19. The method according to claim 1, wherein the first mobile network provider equipment and the registration entity mutually authenticate using at least a challenge and response method.
  - 20. The method according to claim 1, wherein the second mobile network provider equipment and the registration entity communicate over a secure private connection.
  - 21. The method according to claim 1, wherein encryption data is dynamically generated by the registration sever.

22. A system for providing mobile network security, comprising:
- a physical device of a first base station in which an address of the registration entity and secret data are embodied in a manner that enables the physical device to be used to perform a cryptographic function using the secret data but prevents the physical device from being used to provide the secret data as output, the physical device providing the first base station with the address of the registration entity to facilitate an initial communication from the first base station to the registration entity, the initial communication comprising a unique identifier of the first base station and a first random number;
  
  a processor of the first base station configured to use the physical device to register the first base station with a registration entity that knows the secret data, the processor being configured to perform the cryptographic function using the secret data; and
  
  a communication interface of the first base station configured to receive, from the registration entity after mutual authentication, encryption data usable to communicate securely over an IP-protocol-based network, the encryption data comprising one or more keys and an IP address of a gateway, the IP address of the gateway not being publicly available, the gateway being coupled to a base station controller via a dedicated line, the gateway aggregating mobile communications from the first base station and a second base station and sending the aggregated mobile communications to the base station controller via the dedicated line, the gateway presenting the first base station and the second base station as a single logical base station to the base station controller,wherein the first base station, the gateway, the second base station and the registration entity are disposed communicatively on a provider network side of an air link,wherein the base station and the registration entity mutually authenticate over the IP-protocol-based network, andwherein, after the base station and the registration entity mutually authenticate, then registration entity transmits the one or more keys to the communication interface of the base station and to the gateway so that the base station and the base station controller can communicate securely via the IP-protocol-based network and the dedicated line.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system according to claim 22, the communication interface is further configured to receive from the registration entity a Uniform Resource Locator (URL) or an Internet Protocol (IP) address that can be to locate the gateway.
  - 24. The system according to claim 22, wherein the physical device comprises a smart card or an equipment identification module.
  - 25. The system according to claim 22, wherein the wherein the one or more keys are characterized by a specified lifetime before expiring.
  - 26. The system according to claim 22, wherein the base station communicates, via a router/firewall, with the gateway and the registration server.

27. A computer program product for providing mobile network security, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- registering a first mobile network provider equipment using a secret data that is known to a registration entity with which the first mobile network provider equipment is configured to register, the secret data and an address of the registration entity being embodied in a physical device associated with the first mobile network provider equipment in a manner that enables the physical device to be used to perform a cryptographic function using the secret data, but prevents the physical device from being used to provide the secret data as output, the physical device providing the first mobile network provider equipment with the address of the registration entity to facilitate an initial communication from the first mobile network provider equipment to the registration entity, the initial communication comprising a unique identifier of the first mobile network provider equipment and a first random number; and
  
  after authentication with the registration entity, receiving encryption data from the registration entity and auto-discovering a second mobile network provider equipment, the encryption data comprising an IP address of the second mobile network provider equipment and one or more keys, the one or more keys also being provided by the registration entity to the second mobile network provider equipment so that the first mobile network provider equipment and the second mobile network provider equipment can communicate securely over an IP-protocol-based network, the IP address of the second mobile network provider equipment not being publicly available, the second mobile network provider equipment being coupled to a base station controller via a dedicated line, the second mobile network provider equipment aggregating mobile communications from the first mobile network provider equipment and a third mobile network provider equipment and sending the aggregated mobile communications to the base station controller via the dedicated line,wherein the first mobile network provider equipment, the second mobile network provider equipment, the third mobile network provider equipment and the registration entity are disposed communicatively on a provider network side of an air link, the air link supporting voice and data communications with a mobile wireless communications device.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The computer program product according to claim 27, wherein the mobile wireless communications device is configured to support GSM communications and GPRS communications.
  - 29. The computer program product according to claim 27, wherein the physical device comprises a smart card or an equipment identification module.
  - 30. The computer program product according to claim 27, wherein the first mobile network provider equipment is a base transceiver station, and wherein the base transceiver station communicates, via a router/firewall, with the second mobile network provider equipment and the registration server.
  - 31. The computer program product according to claim 27, wherein the one or more keys comprise one or more session keys that are characterized by a specified lifetime before expiring, and wherein the mutual authentication between the first mobile network provider equipment and the registration entity uses at least a challenge and response method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Passarella, Rossano, Zhang, Yan, Stevens, William M., Sukumaran, Jayesh, Wahlstrom, Donald P.
Primary Examiner(s)
Afshar; Kamran
Assistant Examiner(s)
Sarwar; Babar

Application Number

US11/516,470
Publication Number

US 20070186108A1
Time in Patent Office

1,526 Days
Field of Search

455/410, 455/411, 455/433, 455/432.2, 455/437, 455/509, 455/424, 455/435, 370/331, 370/508, 380/247, 709/225, 709227-229, 713/153, 713/155, 726 2- 6, 726/12, 726 27- 30
US Class Current

455/411
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 61/5014   using dynamic host configur...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 9/0844   with user authentication or...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/06   Authentication

H04W 60/00   Affiliation to network, e.g...

H04W 8/26   Network addressing or numbe...

H04W 88/08   Access point devices

H04W 88/12   Access point controller dev...

H04W 92/12   between access points and a...

Authenticating mobile network provider equipment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating mobile network provider equipment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links