Method and system for managing network identity

US 8,694,772 B2
Filed: 10/20/2008
Issued: 04/08/2014
Est. Priority Date: 08/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method for managing network identity (ID), comprising:

a mobile device applying for a first short-term certificate from an ID management server, wherein the first short-term certificate includes a temporary ID of a user of the mobile device;

the mobile device using the temporary ID to log into a visited network to which an authentication device belongs and using the first short-term certificate to establish a secure channel with the authentication device; and

the mobile device using the visited network through the secure channel, wherein all network packets sent from the mobile device are relayed by the authentication device, and wherein the first short-term certificate is discarded after use and is re-applied every time before the mobile device uses the visited network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for managing network identity are provided. The method and the system realize a management mechanism of temporary identification (ID) and real ID, which simultaneously achieves functionalities such as anonymity, accounting, and authorization. A short-term certificate and a corresponding public/private key pair are used to protect a temporary ID usable for accounting. This protection prevents the temporary ID from theft. The user generates a digital signature in the reply to a charge schedule statement from the visited network. This procedure is incorporated into an existing authentication framework based on Transport Layer Security (TLS) in order to provide an undeniable payment mechanism. The payment mechanism is applicable in an environment of multiple network operators and reduces the difficulty of integrating network operators. The method and the system do not have to consult a certificate revocation list (CRL) for authentication and thus are able to shorten authentication time.

165 Citations

24 Claims

1. A method for managing network identity (ID), comprising:
- a mobile device applying for a first short-term certificate from an ID management server, wherein the first short-term certificate includes a temporary ID of a user of the mobile device;
  
  the mobile device using the temporary ID to log into a visited network to which an authentication device belongs and using the first short-term certificate to establish a secure channel with the authentication device; and
  
  the mobile device using the visited network through the secure channel, wherein all network packets sent from the mobile device are relayed by the authentication device, and wherein the first short-term certificate is discarded after use and is re-applied every time before the mobile device uses the visited network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method for managing network identity according to claim 1, wherein the mobile device uses a long-term certificate to apply for the first short-term certificate from the ID management server, a valid period of the long-term certificate is longer than a valid period of the first short-term certificate, authentication of the long-tern certificate requires looking up a certificate revocation list, and authentication of the first short-term certificate does not require looking up the certificate revocation list.
  - 3. The method for managing network identity according to claim 1, wherein the mobile device uses a real ID of the user and a password to apply for the first short-term certificate from the ID management server.
  - 4. The method for managing network identity according to claim 1, wherein when establishing the secure channel, the authentication device authenticates the mobile device through the first short-term certificate, and the mobile device authenticates the authentication device through a second short-term certificate of the authentication device.
  - 5. The method for managing network identity according to claim 4, wherein the second short-term certificate of the authentication device is periodically issued to the authentication device by a first accounting server or is applied periodically by the authentication device from the first accounting server.
  - 6. The method for managing network identity according to claim 1, wherein the mobile device and the authentication device use Extensible Authentication Protocol-Transport Layer Security to establish the secure channel.
  - 7. The method for managing network identity according to claim 1, further comprising:
    - after establishing the secure channel, the mobile device transmitting a usage message to the authentication device, wherein the usage message includes the first short-term certificate and a digital signature of the user;
      
      the authentication device transmitting the usage message to a first accounting server after authenticating the digital signature; and
      
      the first accounting server receiving the usage message, authenticating the digital signature, and establishing a first usage record based on the usage message.
  - 8. The method for managing network identity according to claim 7, wherein the step of the mobile device transmitting the usage message comprises:
    - the authentication device transmitting a charge message to the mobile device to inform the user of a charge calculation schedule of the visited network; and
      
      the mobile device transmitting the usage message to the authentication device to indicate acceptance of the charge calculation schedule.
  - 9. The method for managing network identity according to claim 7, further comprising:
    - the first accounting server transmitting the usage message to a second accounting server;
      
      the second accounting server receiving the usage message and using the first short-term certificate to authenticate the digital signature;
      
      the second accounting server returning a failure message to the first accounting server if the digital signature does not pass authentication; and
      
      the second accounting server establishing a second usage record based on the usage message and returning a success message to the first accounting server if the digital signature passes authentication.
  - 10. The method for managing network identity according to claim 9, wherein the step of the second accounting server authenticating the digital signature, the step of the second accounting server returning the failure message, the step of the second accounting server establishing the second usage record, and the step of the second accounting server returning the success message are all performed offline.
  - 11. The method for managing network identity according to claim 9, further comprising:
    - the ID management server storing the temporary ID and a real ID of the user in an ID recorder after the mobile device applies for the first short-term certificate; and
      
      the second accounting server inquiring about the real ID from the ID recorder based on the temporary ID and establishing the second usage record using the real ID after receiving the usage message.
  - 12. The method for managing network identity according to claim 9, further comprising:
    - the authentication device recording a time that the user uses the visited network based on the usage message; and
      
      the first accounting server obtaining the temporary ID and the time and charge of the user using the visited network from the authentication device so as to charge the second accounting server,wherein the second accounting server, the ID management server, and the ID recorder belong to a home network of the user, the authentication device and the first accounting server belong to the visited network, and the home network and the visited network are operated by different network providers.

13. A system for managing network identity (ID), comprising:
- a mobile device;
  
  an authentication device; and
  
  an ID management server, whereinthe mobile device applies for a first short-term certificate from the ID management server, the first short-term certificate includes a temporary ID of a user of the mobile device,the mobile device uses the temporary ID to log into a visited network to which the authentication device belongs and uses the first short-term certificate to establish a secure channel with the authentication device,the mobile device uses the visited network through the secure channel, and all network packets sent from the mobile device are relayed by the authentication device, wherein the first short-term certificate is discarded after use and is re-applied every time before the mobile device uses the visited network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system for managing network identity according to claim 13, wherein the mobile device uses a long-term certificate to apply for the first short-term certificate from the ID management server, a valid period of the long-term certificate is longer than a valid period of the first short-term certificate, authentication of the long-term certificate requires looking up a certificate revocation list, and authentication of the first short-term certificate does not require looking up the certificate revocation list.
  - 15. The system for managing network identity according to claim 13, wherein the mobile device uses a real ID of the user and a password to apply for the first short-term certificate from the ID management server.
  - 16. The system for managing network identity according to claim 13, wherein when establishing the secure channel, the authentication device authenticates the mobile device through the first short-tee in certificate, and the mobile device authenticates the authentication device through a second short-term certificate of the authentication device.
  - 17. The system for managing network identity according to claim 16, wherein the second short-term certificate of the authentication device is periodically issued to the authentication device by a first accounting server or is periodically applied by the authentication device from the first accounting server.
  - 18. The system for managing network identity according to claim 13, wherein the mobile device and the authentication device use Extensible Authentication Protocol-Transport Layer Security to establish the secure channel.
  - 19. The system for managing network identity according to claim 13, further comprising a first accounting server, wherein after establishing the secure channel, the mobile device transmits a usage message to the authentication device, the usage message includes the first short-term certificate and a digital signature of the user, the authentication device transmits the usage message to the first accounting server after authenticating the digital signature, and the first accounting server receives the usage message, authenticates the digital signature, and establishes a first usage record based on the usage message.
  - 20. The system for managing network identity according to claim 19, wherein the authentication device transmits a charge message to the mobile device to inform about the charge calculation schedule of the visited network, and then the mobile device transmits the usage message to the authentication device to indicate acceptance of the charge calculation schedule.
  - 21. The system for managing network identity according to claim 19, further comprising a second accounting server, wherein the first accounting server transmits the usage message to the second accounting server, the second accounting server receives the usage message and uses the first short-term certificate to authenticate the digital signature, the second accounting server returns a failure message to the first accounting server if the digital signature does not pass authentication, the second accounting server establishes a second usage record based on the usage message and returns a success message to the first accounting server if the digital signature passes authentication.
  - 22. The system for managing network identity according to claim 21, wherein the second accounting server authenticates the digital signature, returns the failure message or the success message, and establishes the second usage record offline.
  - 23. The system for managing network identity according to claim 21, further comprising an ID recorder, wherein after the mobile device applies for the first short-term certificate, the ID management server stores the temporary ID and a real ID of the user in the ID recorder, and the second accounting server inquires the ID recorder about the real ID based on the temporary ID and uses the real ID to establish the second usage record after receiving the usage message.
  - 24. The system for managing network identity according to claim 21, wherein the authentication device records a time the user uses the visited network based on the usage message, the first accounting server obtains from the authentication device the temporary ID and the time and charge the user uses the visited network so as to charge the second accounting server;
    - the second accounting server, the ID management server, and the ID recorder all belong to a home network of the user;
      
      the authentication device and the first accounting server belong to the visited network;
      
      the home network and the visited network are operated by different network operators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Industrial Technology Research Institute
Original Assignee
Industrial Technology Research Institute
Inventors
Kao, Min-Chih, Lee, Ya-Wen
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US12/254,817
Publication Number

US 20100031030A1
Time in Patent Office

1,996 Days
Field of Search

713/155, 713/156, 713/158, 713/160
US Class Current

713/156
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/0892   by using authentication-aut...

H04L 63/166   at the transport layer

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

H04W 12/069   using certificates or pre-s...

Method and system for managing network identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

165 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing network identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

165 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links