Modular authentication and authorization scheme for internet protocol

US 7,900,242 B2
Filed: 07/09/2002
Issued: 03/01/2011
Est. Priority Date: 07/12/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

(a) an authorizer configured to;

determine if a client is authorized to access a resource associated with a request for that resource, said authorizer being configured to receive an identity associated with said client and an indication of the requested resource,generate a challenge based on said identity,send said challenge to the client,receive a response from the client,in response to receiving the response, determine whether the client is authorized to access the resource by comparing the challenge to the response, and if the client is authorized to access the resource, send a key associated with the requested resource to a peer,receive a binding acknowledgment from the peer, andin response to receiving the binding acknowledgment, send a key reply to the client;

(b) the client configured to generate the response to said challenge based on the client identity and the challenge and to send said response to said authorizer, said client comprising a subscriber identity module, said client being configured to have a local subscriber identity module generated session key associated with said resource;

(c) the peer for providing the resource to the client, the peer configured to;

receive the key from the authorizer, andin response to receiving the key, send the binding acknowledgment to the authorizer; and

(d) a local attendant configured to;

receive a solicitation from the client,in response to receiving the solicitation from the client, send a local challenge to the client,in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forward the identity and credentials to the authorizer,receive the identity and a key reply from the authorizer, andin response to receiving the identity and the key reply from the authorizer, send a status of authentication and the key reply to the client.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for three-party authentication and authorization. The system includes an authorizer that authorizes requestors, a client that makes a request, and a local attendant that provides a conduit through which messages between the client and the authorizer pass. The authorizer, the client, and a peer on which the requested resource may be accessed are each in separate domains. A domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities. A subscriber identity module (SIM) may be used to generate a copy of a key for the client to be used in accessing a requested resource.

54 Citations

View as Search Results

17 Claims

1. A system comprising:
- (a) an authorizer configured to;
  
  determine if a client is authorized to access a resource associated with a request for that resource, said authorizer being configured to receive an identity associated with said client and an indication of the requested resource,generate a challenge based on said identity,send said challenge to the client,receive a response from the client,in response to receiving the response, determine whether the client is authorized to access the resource by comparing the challenge to the response, and if the client is authorized to access the resource, send a key associated with the requested resource to a peer,receive a binding acknowledgment from the peer, andin response to receiving the binding acknowledgment, send a key reply to the client;
  
  (b) the client configured to generate the response to said challenge based on the client identity and the challenge and to send said response to said authorizer, said client comprising a subscriber identity module, said client being configured to have a local subscriber identity module generated session key associated with said resource;
  
  (c) the peer for providing the resource to the client, the peer configured to;
  
  receive the key from the authorizer, andin response to receiving the key, send the binding acknowledgment to the authorizer; and
  
  (d) a local attendant configured to;
  
  receive a solicitation from the client,in response to receiving the solicitation from the client, send a local challenge to the client,in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forward the identity and credentials to the authorizer,receive the identity and a key reply from the authorizer, andin response to receiving the identity and the key reply from the authorizer, send a status of authentication and the key reply to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 13, 14, 15)
- - 2. The system of claim 1, wherein the peer is arranged to provide access to a network.
  - 3. The system of claim 1, wherein the peer is arranged to provide a service to the client.
  - 4. The system of claim 1, wherein the peer is a home agent of the client.
  - 5. The system of claim 1, wherein the local attendant is an access router.
  - 6. The system of claim 1, wherein the local attendant is an Internet Protocol version 6 (IPv6) router.
  - 7. The system of claim 1, wherein the local attendant is arranged to communicate with at least one AAA server.
  - 13. The system of claim 1, wherein the authorizer is configured to operate in accordance with Internet Protocol version 6 (IPv6).
  - 14. The system of claim 1, further comprising the local attendant that is accessible to the authorizer and the client, the local attendant comprising a server for forwarding messages between the client and the authorizer, wherein the authorizer, local attendant, and the device on which the resource may be accessed are each in separate domains, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by said keys, wherein said authorizer is configured to authorize said service.
  - 15. The system of claim 1, wherein said client is an Internet Protocol version 6 (IPv6) host.

8. A method comprising:
- (a) sending an identity associated with a client and an indication of a requested resource to an authorizer;
  
  (b) generating, by the authorizer, a challenge that is calculated using the client identity;
  
  (c) sending the challenge to the client;
  
  (d) generating, by the client, a response employing the client identity and the challenge;
  
  (e) sending the response to the authorizer;
  
  (f) comparing, by the authorizer, the challenge to the client response;
  
  (g) determining, by the authorizer, whether the client is authorized to access the resource;
  
  (h) when it is determined that the client is authorized to access the resource, transferring, by the authorizer, a key associated with the resource to a peer for providing the resource to the client;
  
  (i) in response to receiving the key, sending, by the peer, a binding acknowledgment to the authorizer;
  
  (j) in response to receiving the binding acknowledgment, sending, by the authorizer, a key reply to the client;
  
  (k) receiving a solicitation by a local attendant from the client;
  
  (l) in response to receiving the solicitation from the client, sending a local challenge from the local attendant to the client;
  
  (m) in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forwarding the identity and credentials from the local attendant to the authorizer;
  
  (n) receiving the identity and a key reply by the local attendant from the authorizer; and
  
  (o) in response to receiving the identity and the key reply from the authorizer, sending a status of authentication and the key reply from the local attendant to the client;
  
  wherein the key is the same as a local subscriber identity module generated session key associated with said resource, which is generated by the client by employing information stored on a subscriber identity module associated with the client.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein each message between the authorizer and the client passes through the local attendant.
  - 10. The method of claim 9, wherein the authorizer, the client, and said peer are each in separate domains, wherein each domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by said keys.
  - 11. The method of claim 8, wherein the sending the identity includes sending the identity associated with the client to the authorizer using Internet Protocol version 6 (IPv6).

12. An apparatus comprising:
- an authorizer configured to;
  
  receive an identity associated with a client and an indication of a requested resource;
  
  generate a challenge that is calculated using the identity associated with the client;
  
  send the challenge to the client;
  
  receive a response from the client based on the identity and the challenge;
  
  compare the challenge to the response;
  
  determine whether the client is authorized to access the resource;
  
  when it is determined that the client is authorized to access the resource, send a key associated with the resource to a peer for providing the resource to the client, wherein the key is the same as a local subscriber identity module generated session key associated with said resource, which is generated by the client employing information stored on a subscriber identity module of the client;
  
  receive a binding acknowledgment from the peer; and
  
  in response to receiving the binding acknowledgment, send a key reply to the client; and
  
  a local attendant configured to;
  
  receive a solicitation from the client;
  
  in response to receiving the solicitation from the client, send the challenge to the client on behalf of the authorizer;
  
  in response to receiving a correct response to the local challenge, the identity, and credentials from the client, forward the identity and credentials to the authorizer;
  
  receive the identity and a key reply from the authorizer; and
  
  in response to receiving the identity and the key reply from the authorizer, send a status of authentication and the key reply to the client on behalf of the authorizer.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 12, wherein the apparatus is configured to acknowledge that the sending of said key is complete.
  - 17. The apparatus of claim 12, wherein the apparatus is configured to receive an identity associated with the client in accordance with Internet Protocol version 6 (IPv6).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
INVT SPE LLC (SoftBank Group Corp.)
Original Assignee
Nokia Corporation
Inventors
Malinen, Jari T., Kniveton, Timothy J., Haverinen, Henry
Primary Examiner(s)
ZIA, SYED

Application Number

US10/192,753
Publication Number

US 20030028763A1
Time in Patent Office

3,157 Days
Field of Search

None
US Class Current

726/6
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0892   by using authentication-aut...

H04L 69/16   Implementation or adaptatio...

H04L 69/167   Adaptation for transition b...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 80/04   Network layer protocols, e....

Modular authentication and authorization scheme for internet protocol

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Modular authentication and authorization scheme for internet protocol

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others