Modular authentication and authorization scheme for internet protocol
Abstract
A system and method for three-party authentication and authorization. The system includes an authorizer that authorizes requestors, a client that makes a request, and a local attendant that provides a conduit through which messages between the client and the authorizer pass. The authorizer, the client, and a peer on which the requested resource may be accessed are each in separate domains. A domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities. A subscriber identity module (SIM) may be used to generate a copy of a key for the client to be used in accessing a requested resource.
17 Claims
1. A system comprising:
(a) an authorizer configured to: determine if a client is authorized to access a resource associated with a request for that resource, said authorizer being configured to receive an identity associated with said client and an indication of the requested resource, generate a challenge based on said identity, send said challenge to the client, receive a response from the client, in response to receiving the response, determine whether the client is authorized to access the resource by comparing the challenge to the response, and if the client is authorized to access the resource, send a key associated with the requested resource to a peer, receive a binding acknowledgment from the peer, and in response to receiving the binding acknowledgment, send a key reply to the client;
(b) the client configured to generate the response to said challenge based on the client identity and the challenge and to send said response to said authorizer, said client comprising a subscriber identity module, said client being configured to have a local subscriber identity module generated session key associated with said resource;
(c) the peer for providing the resource to the client, the peer configured to: receive the key from the authorizer, and in response to receiving the key, send the binding acknowledgment to the authorizer; and
(d) a local attendant configured to: receive a solicitation from the client, in response to receiving the solicitation from the client, send a local challenge to the client, in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forward the identity and credentials to the authorizer, receive the identity and a key reply from the authorizer, and in response to receiving the identity and the key reply from the authorizer, send a status of authentication and the key reply to the client.
Dependent claims: 2, 3, 4, 5, 6, 7, 13, 14, 15.

8. A method comprising:
(a) sending an identity associated with a client and an indication of a requested resource to an authorizer;
(b) generating, by the authorizer, a challenge that is calculated using the client identity;
(c) sending the challenge to the client;
(d) generating, by the client, a response employing the client identity and the challenge;
(e) sending the response to the authorizer;
(f) comparing, by the authorizer, the challenge to the client response;
(g) determining, by the authorizer, whether the client is authorized to access the resource;
(h) when it is determined that the client is authorized to access the resource, transferring, by the authorizer, a key associated with the resource to a peer for providing the resource to the client;
(i) in response to receiving the key, sending, by the peer, a binding acknowledgment to the authorizer;
(j) in response to receiving the binding acknowledgment, sending, by the authorizer, a key reply to the client;
(k) receiving a solicitation by a local attendant from the client;
(l) in response to receiving the solicitation from the client, sending a local challenge from the local attendant to the client;
(m) in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forwarding the identity and credentials from the local attendant to the authorizer;
(n) receiving the identity and a key reply by the local attendant from the authorizer; and
(o) in response to receiving the identity and the key reply from the authorizer, sending a status of authentication and the key reply from the local attendant to the client;
wherein the key is the same as a local subscriber identity module generated session key associated with said resource, which is generated by the client by employing information stored on a subscriber identity module associated with the client.
Dependent claims: 9, 10, 11.

12. An apparatus comprising:
an authorizer configured to: receive an identity associated with a client and an indication of a requested resource; generate a challenge that is calculated using the identity associated with the client; send the challenge to the client; receive a response from the client based on the identity and the challenge; compare the challenge to the response; determine whether the client is authorized to access the resource; when it is determined that the client is authorized to access the resource, send a key associated with the resource to a peer for providing the resource to the client, wherein the key is the same as a local subscriber identity module generated session key associated with said resource, which is generated by the client employing information stored on a subscriber identity module of the client; receive a binding acknowledgment from the peer; and in response to receiving the binding acknowledgment, send a key reply to the client; and
a local attendant configured to: receive a solicitation from the client; in response to receiving the solicitation from the client, send the challenge to the client on behalf of the authorizer; in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forward the identity and credentials to the authorizer; receive the identity and a key reply from the authorizer; and in response to receiving the identity and the key reply from the authorizer, send a status of authentication and the key reply to the client on behalf of the authorizer.
Dependent claims: 16, 17.