Method and apparatus for providing authentication, authorization and accounting to roaming nodes

US 7,882,346 B2
Filed: 05/09/2003
Issued: 02/01/2011
Est. Priority Date: 10/15/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A communications method for use in a communications network including a mobile node, a first security device and a second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the method comprising:

operating the second security device to;

transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;

receive a first secret in response to said transmitted signal including said first identifier;

generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and

associate said second identifier with said first secret.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention proposes an integrated process for AAA (Authentication, Authorisation, and Accounting) with the order reversed whereby L2 follows L3. The L3 process treats the wireless link as any normal IP access link, and the L3 authorisation provides L3 processing, but also includes the L2 terminal authentication identifiers so that the L2 security parameters can also be returned. This means that the wireless link and the IP layer are not secured until after the L3 authorisation has completed and therefore the first IP messages that trigger authorisation are sent insecurely. This invention also provides methods to avoid these insecure messages presenting any opportunities to an attacker. Finally, the inventions include methods to enable L3 before L2 authorisation when a user is roaming in a foreign network.

175 Citations

50 Claims

1. A communications method for use in a communications network including a mobile node, a first security device and a second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the method comprising:
- operating the second security device to;
  
  transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
  
  receive a first secret in response to said transmitted signal including said first identifier;
  
  generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
  
  associate said second identifier with said first secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 36)
- - 2. The communications method of claim 1, wherein associating the second identifier with said first secret includes storing said second identifier in a database with said first secret.
  - 3. The method of claim 2, further comprising:
    - operating the second security device to store user profile information associated with said second identifier.
  - 4. The method of claim 3, further comprising:
    - operating the second security device to store said first identifier in association with said second identifier and said user profile information.
  - 5. The method of claim 4, wherein said first and second identifiers are network access identifiers (NAI) and wherein said first and second security devices are servers which perform authentication operations.
  - 6. The method of claim 3 wherein the first security device is located in said home region, the method further comprising operating the first security device to:
    - access a second secret associated with said first identifier; and
      
      generate said first secret from said second secret.
  - 7. The method of claim 6, wherein said generation of said first secret from said second secret is part of a mutual authentication operation between said mobile node and said first security device.
  - 8. The method of claim 6, further comprising:
    - operating the first security device to transmit said first secret along with user profile information to said second security device.
  - 9. The method of claim 8, further comprising:
    - operating the first security device to transmit first secret lifetime information along with said first secret.
  - 10. The method of claim 9, further comprising operating the second security device, prior to expiration of the first secret lifetime indicated by said first secret lifetime information, to:
    - transmit another signal including said first identifier to the first security device;
      
      receive a third secret in response to said transmitted another signal; and
      
      associate said second identifier with said third secret.
  - 11. The method of claim 2, further comprising:
    - operating said second security device to generate said second identifier prior to associating said second identifier with said first secret.
  - 12. The method of claim 11, further comprising:
    - operating said second security device to communicate said second identifier to said mobile node.
  - 13. The method of claim 12, further comprising:
    - operating said second security device to communicate lifetime information associated with said second identifier to said mobile node.
  - 14. The method of claim 11, further comprising:
    - operating said mobile node to generate said second identifier.
  - 15. The method of claim 14, further comprising the generation of said second identifier out of an operation that involves the said first secret and a random number information sent by second security device to the mobile node.
  - 16. The method of claim 15, wherein said operation is a keyed one-way hash function.
  - 17. The method of claim 2, further comprising:
    - operating said mobile node, while located in said foreign region, to transmit a first signal including said first identifier, said second security device transmitting said first identifier to said first security device in response to the transmission of said first signal by said mobile node.
  - 18. The method of claim 17, further comprising:
    - operating said mobile node to transmit a second signal, the second signal including said second identifier; and
      
      operating the second security device to perform an authentication operation using said first secret in response to said second signal.
  - 19. The method of claim 18, further comprising, as part of said authentication operation, operating the second security device to generate at least one additional secret from said first secret;
    - andsubsequently using said additional secret to authorize a communications service provided to said mobile node.
  - 20. The method of claim 1, wherein said first secret is a key, the method further comprising:
    - operating said second security device to transmit information specifying the format of at least a portion of said key to said first security device.
  - 21. The method of claim 20, wherein said information specifying the format also specifies the length of said key.
  - 22. The method of claim 20, further comprising:
    - operating the second security device to transmit information to said first security device, said information specifying the manner in which said key is to be generated.
  - 23. The communications method of claim 1, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security device.
  - 36. The computer readable medium of claim 22, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security device.

24. A communications network for use with a mobile node, the communications network comprising:
- a home region including a first security system, said mobile node being associated with said home region and being identified in said home region by a first identifier including a first realm associated only with said home region, said first security system storing said first identifier and a first secret known to both said mobile node and said first security system; and
  
  a foreign region including a second security system, said mobile node being located in said foreign region for a period of time, the second security system being coupled to said first security system, said second security system including;
  
  said first identifier, a second secret generated from said first secret by said first security system and supplied to said second security system, and a second identifier, generated by said second security system, to identify said mobile node to said second security system, the second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The communications network of claim 24, wherein said home region includes a home agent, wherein said foreign region includes a visited network, wherein said second security system is a security server in the visited network and wherein said first security system is a first security server in the home region.
  - 26. The communications network of claim 25, wherein said second security system includes:
    - means for communicating said second identifier to said mobile node.
  - 27. The communications network of claim 26, wherein said mobile node includes:
    - means for initiating an access request using said second identifier in said foreign domain following receipt of said second identifier.
  - 28. The communications network of claim 24, wherein said first and second identifiers are network access identifiers.
  - 29. The communications network of claim 24, wherein said first security system includes means for generating said second secret in response to a message from said second security system including said first identifier.
  - 30. The communications network of claim 24, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security system.

31. A non-transitory computer readable medium including machine executable instructions for controlling a second security device to implement a communications method in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the computer readable medium comprising:
- instructions for causing the second security device to transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
  
  instructions for causing the second security device to receive a first secret in response to said transmitted signal including said first identifier;
  
  instructions for causing the second security device to generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
  
  instructions for causing the second security device to associate said second identifier with said first secret.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The computer readable medium of claim 31, wherein said instructions for causing the second security device to associate the second identifier with said first secret further causes storing said second identifier in a database with said first secret.
  - 33. The computer readable medium of claim 32, further comprising machine executable instructions for causing said second security device to store user profile information and to associate the stored user profile information with said second identifier.
  - 34. The computer readable medium of claim 33, wherein the computer readable medium further includes machine executable instructions for causing said second security device to:
    - store said first identifier in association with said second identifier and said user profile information.
  - 35. The computer readable medium of claim 34, wherein said first and second identifiers are network access identifiers (NAI) and wherein said first security device and said second security device are servers which perform authentication operations.

37. A second security device including a processor configured to control said second security device to implement a communications method in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the processor being configured to:
- transmit a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
  
  receive a first secret in response to said transmitted signal including said first identifier;
  
  generate a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
  
  associate said second identifier with said first secret.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The second security device of claim 37, wherein associating the second identifier with said first secret includes storing said second identifier in a database with said first secret.
  - 39. The second security device of claim 38, wherein the processor is further configured to:
    - store user profile information and associate the stored user profile information with said second identifier.
  - 40. The second security device of claim 39, wherein the processor is further configured to:
    - store said first identifier in association with said second identifier and said user profile information.
  - 41. The second security device of claim 40, wherein said first and second identifiers are network access identifiers (NAI) and wherein said first security device and said second security device are servers which perform authentication operations.
  - 42. The second security device of claim 37, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security device.

43. A second security device for use in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the second security device comprising:
- means for transmitting a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
  
  means for receiving a first secret in response to said transmitted signal including said first identifier;
  
  means for generating a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
  
  means for associating said second identifier with said first secret.
- View Dependent Claims (44, 45, 46, 47)
- - 44. The second security device of claim 43, further comprising:
    - database means for storing information; and
      
      wherein said means for associating the second identifier with said first secret stores said second identifier in said database with said first secret.
  - 45. The second security device of claim 44, further comprising:
    - means for storing user profile information and associating the stored user profile information with said second identifier.
  - 46. The second security device of claim 45, wherein said first and second identifiers are network access identifiers and wherein said first security device and said second security device are servers which perform authentication operations.
  - 47. The second security device of claim 43, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security device.

48. A second security device for use in a communications network including a mobile node, a first security device and said second security device, said mobile node being identified in a home region of said communications network by a first identifier, said second security device being in a foreign region of said communications network, the second security device comprising:
- a transmitter module for transmitting a signal including said first identifier to the first security device, said first identifier including a first realm associated only with said home region;
  
  an interface module for receiving a first secret in response to said transmitted signal including said first identifier;
  
  a processor module for generating a second identifier to identify said mobile node in said foreign region, said second identifier including a second realm associated only with said foreign region, wherein the second identifier further includes a username of the first identifier, and further includes the first realm; and
  
  an authentication module for associating said second identifier with said first secret.
- View Dependent Claims (49, 50)
- - 49. The second security device of claim 48, further comprising:
    - memory for storing information; and
      
      wherein said second identifier is stored in a record with said first secret in said memory.
  - 50. The second security device of claim 48, wherein the second realm consists of the “
    - @”
      
      symbol concatenated with a domain name associated with the second security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Park, Vincent, Vanderveen, Michaela, O'Neill, Alan, Tsirtsis, George
Primary Examiner(s)
Davis; Zachary A

Application Number

US10/435,622
Publication Number

US 20040073786A1
Time in Patent Office

2,825 Days
Field of Search

713/153, 713/155, 713/169, 713/168, 713/171, 726/3, 726/4, 726/7, 380/277, 380/247, 380/248, 709/225, 709/229, 455/432.1, 455/436, 455/411, 455/433
US Class Current

713/153
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 63/0892   by using authentication-aut...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

Method and apparatus for providing authentication, authorization and accounting to roaming nodes

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing authentication, authorization and accounting to roaming nodes

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links