Prevention of a bidding-down attack in a communication system

US 8,255,976 B2
Filed: 11/26/2008
Issued: 08/28/2012
Est. Priority Date: 11/26/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the method comprising the steps of:

storing information in the server indicative of at least one established security capability of the mobile station; and

sending at least a portion of said information from the server to the gateway;

the gateway thereby being enabled to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication system includes at least a mobile station, a base station, a gateway and a server, with the base station being configured for wireless communication with the mobile station, and the gateway being configured for connection between the base station and the server. The server stores information indicative of at least one established security capability of the mobile station, and sends at least a portion of that information to the gateway, possibly in conjunction with an authentication process for the mobile station. The gateway uses the information received from the server to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with the established security capability or capabilities of the mobile station. This can advantageously allow the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.

Citations

20 Claims

1. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the method comprising the steps of:
- storing information in the server indicative of at least one established security capability of the mobile station; and
  
  sending at least a portion of said information from the server to the gateway;
  
  the gateway thereby being enabled to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said information stored in the server is configured to enable the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.
  - 3. The method of claim 1 wherein the step of sending at least a portion of said information from the server to the gateway comprises sending at least a portion of said information in conjunction with an authentication process for the mobile station.
  - 4. The method of claim 3 wherein the step of sending at least a portion of said information from the server to the gateway in conjunction with an authentication process for the mobile station further comprises sending said information after said authentication process is completed.
  - 5. The method of claim 1 wherein the step of storing information in the server further comprises creating a subscription record in the server in conjunction with establishment of a subscription between the mobile station and the server and further wherein the subscription record identifies a plurality of security capabilities of the mobile station.
  - 6. The method of claim 1 wherein the information indicative of at least one established security capability of the mobile station comprises a PKM version support indicator.
  - 7. The method of claim 1 wherein the information indicative of at least one established security capability of the mobile station comprises an authorization policy support indicator.
  - 8. The method of claim 1 wherein the information indicative of at least one established security capability of the mobile station comprises a message authentication code type support indicator.
  - 9. The method of claim 1 wherein the information indicative of at least one established security capability of the mobile station comprises an EAP authentication type indicator.
  - 10. A non-transitory computer-readable storage medium having embodied therein executable program code that when executed by a processor of the server implements the steps of the method of claim 1.

11. An apparatus for use in a communication system comprising a mobile station, a base station, and a gateway, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection to the base station, the apparatus comprising:
- a server configured for connection to the gateway such that the gateway is arranged between the base station and the server;
  
  the server comprising a processor coupled to a memory;
  
  wherein the server is operative under control of the processor to store in the memory information indicative of at least one established security capability of the mobile station, and to send at least a portion of said information from the server to the gateway;
  
  wherein said information sent from the server to the gateway enables the gateway to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
- View Dependent Claims (12)
- - 12. The apparatus of claim 11 wherein the server comprises a home authentication, authorization and accounting server in a connectivity service network of a WiMAX communication system.

13. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the server being configured to store information indicative of at least one established security capability of the mobile station, the method including the steps of:
- the base station negotiating one or more security capabilities with the mobile station;
  
  receiving in the base station via the gateway at least a portion of said information indicative of at least one established security capability of the mobile station; and
  
  utilizing the received information to facilitate subsequent security negotiations between the base station and the mobile station.

14. A method for use in a communication system comprising a mobile station, a base station, a gateway and a server, the base station being configured for wireless communication with the mobile station, the gateway being configured for connection between the base station and the server, the server being configured to store information indicative of at least one established security capability of the mobile station, the method including the steps of:
- receiving in the gateway from the server at least a portion of said information indicative of at least one established security capability of the mobile station; and
  
  verifying in the gateway that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 wherein the verifying step enables the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.
  - 16. The method of claim 14 further comprising the step of sending from the gateway to the base station a message indicating a result of the verifying step.
  - 17. The method of claim 14 further comprising the step of sending from the gateway to the base station a message comprising at least a portion of said information indicative of at least one established security capability of the mobile station for use by the base station in subsequent security negotiations with the mobile station.
  - 18. A non-transitory computer-readable storage medium having embodied therein executable program code that when executed by a processor of the gateway implements the steps of the method of claim 14.

19. An apparatus for use in a communication system comprising a mobile station, a base station, and a server, the base station being configured for wireless communication with the mobile station, the server being configured to store information indicative of at least one established security capability of the mobile station, the apparatus comprising:
- a gateway configured for connection between the base station and the server;
  
  the gateway comprising a processor coupled to a memory;
  
  wherein the gateway is operative under control of the processor to receive from the server at least a portion of said information indicative of at least one established security capability of the mobile station, and to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with said at least one established security capability of the mobile station.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19 wherein the gateway comprises an access service network gateway in an access service network of a WiMAX communication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Mizikovsky, Semyon B.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US12/323,615
Publication Number

US 20100130168A1
Time in Patent Office

1,371 Days
Field of Search

726 1- 3, 726 11- 15, 726/22, 726/26, 726/27, 713168-170
US Class Current

726/3
CPC Class Codes

H04L 63/1441   Countermeasures against mal...

H04L 63/205   involving negotiation or de...

H04L 67/303   Terminal profiles

H04W 12/06   Authentication

H04W 12/122   Counter-measures against at...

Prevention of a bidding-down attack in a communication system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of a bidding-down attack in a communication system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links