Prevention of a bidding-down attack in a communication system
Abstract
A communication system includes at least a mobile station, a base station, a gateway and a server, with the base station being configured for wireless communication with the mobile station, and the gateway being configured for connection between the base station and the server. The server stores information indicative of at least one established security capability of the mobile station, and sends at least a portion of that information to the gateway, possibly in conjunction with an authentication process for the mobile station. The gateway uses the information received from the server to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with the established security capability or capabilities of the mobile station. This can advantageously allow the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.
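As an added illustration (example code, not from the patent text): a small Python model of the gateway-side check the abstract describes. The capability names, strength ranking and message shapes are constructed placeholders tied to no particular standard; the consistency rule assumed here is that the negotiated capability must be one the server recorded for the mobile station and must not be weaker than the strongest recorded one.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed ranking of security capabilities; higher is stronger.
# Names are placeholders, not identifiers from any real air-interface spec.
STRENGTH: Dict[str, int] = {"NULL": 0, "CIPHER_WEAK": 1, "CIPHER_STRONG": 2}


@dataclass(frozen=True)
class MobileStationRecord:
    """What the server stores per mobile station: its established capabilities."""
    ms_id: str
    established: FrozenSet[str]


@dataclass(frozen=True)
class NegotiationReport:
    """Constructed message from the base station to the gateway: the outcome of negotiation."""
    ms_id: str
    negotiated: str


class Gateway:
    def __init__(self) -> None:
        self._records: Dict[str, MobileStationRecord] = {}

    def receive_from_server(self, rec: MobileStationRecord) -> None:
        # Server -> gateway: the portion of stored information the abstract mentions,
        # e.g. delivered alongside authentication of the mobile station.
        self._records[rec.ms_id] = rec

    def verify(self, report: NegotiationReport) -> Tuple[bool, str]:
        # Assumed rule: negotiated capability must be on record for this MS and
        # not weaker than the strongest capability the MS is known to have.
        rec = self._records.get(report.ms_id)
        if rec is None:
            return False, "no established capability on record for mobile station"
        if report.negotiated not in STRENGTH:
            return False, "unknown capability name"
        if report.negotiated not in rec.established:
            return False, "negotiated capability is not an established capability"
        strongest = max(rec.established, key=STRENGTH.__getitem__)
        if STRENGTH[report.negotiated] < STRENGTH[strongest]:
            return False, f"bidding-down: {report.negotiated} is weaker than established {strongest}"
        return True, "consistent"
```

A real gateway would act on a False result by refusing to bring the session up and logging the mismatch, since a downgrade that the mobile station itself never agreed to is exactly the signature of the impersonation the abstract describes.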
20 Claims
1. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the method comprising the steps of:
   storing information in the server indicative of at least one established security capability of the mobile station; and
   sending at least a portion of said information from the server to the gateway;
   the gateway thereby being enabled to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
   Dependent claims: 2 to 10.

11. An apparatus for use in a communication system comprising a mobile station, a base station, and a gateway, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection to the base station, the apparatus comprising:
   a server configured for connection to the gateway such that the gateway is arranged between the base station and the server;
   the server comprising a processor coupled to a memory;
   wherein the server is operative under control of the processor to store in the memory information indicative of at least one established security capability of the mobile station, and to send at least a portion of said information from the server to the gateway;
   wherein said information sent from the server to the gateway enables the gateway to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
   Dependent claim: 12.

13. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the server being configured to store information indicative of at least one established security capability of the mobile station, the method including the steps of:
   the base station negotiating one or more security capabilities with the mobile station;
   receiving in the base station via the gateway at least a portion of said information indicative of at least one established security capability of the mobile station; and
   utilizing the received information to facilitate subsequent security negotiations between the base station and the mobile station.

14. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the server being configured to store information indicative of at least one established security capability of the mobile station, the method including the steps of:
   receiving in the gateway from the server at least a portion of said information indicative of at least one established security capability of the mobile station; and
   verifying in the gateway that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
   Dependent claims: 15 to 18.

19. An apparatus for use in a communication system comprising a mobile station, a base station, and a server, the base station being configured for wireless communication with the mobile station, the server being configured to store information indicative of at least one established security capability of the mobile station, the apparatus comprising:
   a gateway configured for connection between the base station and the server;
   the gateway comprising a processor coupled to a memory;
   wherein the gateway is operative under control of the processor to receive from the server at least a portion of said information indicative of at least one established security capability of the mobile station, and to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
   Dependent claim: 20.