Measures for enhancing security in communication systems

US 20060225128A1
Filed: 06/20/2005
Published: 10/05/2006
Est. Priority Date: 04/12/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing security of operations on a connection between a first peer entity and a second peer entity in a communication system, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity and the second peer entity checks a permission of the first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list, said method comprising a step of:

validating the identity used by the first peer entity at the second peer entity, wherein the step of validating is performed prior to checking of the permission.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, communication device, intermediary device, system, and computer program product for providing security of operations on a connection between a first peer entity and a second peer entity in a communication system, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity and the second peer entity checks the permission of the first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list, said method comprising a step of validating the identity used by the first peer entity at the second peer entity, wherein the step of validating is performed prior to checking of the permission.

40 Citations

View as Search Results

55 Claims

1. A method for providing security of operations on a connection between a first peer entity and a second peer entity in a communication system, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity and the second peer entity checks a permission of the first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list, said method comprising a step of:
- validating the identity used by the first peer entity at the second peer entity, wherein the step of validating is performed prior to checking of the permission.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method according to claim 1, wherein the step of validating the identity used by the first peer entity comprises a step of:
    - determining whether said identity is a valid identity according to a security association between the first peer entity and the second peer entity, wherein a negative validation result is yielded, when it is determined that said identity is not valid.
  - 3. The method according to claim 2, wherein the step of determining is performed on a basis of a security configuration table being maintained at the second peer entity, said security configuration table comprising valid pairs of identities and at least one parameter of said security association.
  - 4. The method according to claim 3, wherein the at least one parameter of said security association comprises the transport address of the first peer entity.
  - 5. The method according to claim 1, wherein the step of validating the identity used by the first peer entity comprises a step of:
    - detecting whether said identity has changed during an ongoing connection, wherein a negative validation result is yielded, when it is detected that said identity has changed.
  - 6. The method according to claim 5, further comprising a step of:
    - storing an identity originally used by the first peer entity in the ongoing connection at the second peer entity.
  - 7. The method according to claim 1, further comprising a step of:
    - transmitting a response of denial of the requested operation from the second peer entity to the first peer entity, when the step of validating yields a negative validation result.
  - 8. The method according to claim 7, wherein the response indicates a security problem to the first peer entity.
  - 9. The method according to claim 1, wherein an intermediary device is located on the connection in-between the first peer entity and the second peer entity, further comprising a step of:
    - validating the identity used by the first peer entity at the intermediary device.
  - 10. The method according to claim 9, wherein the step of validating at the intermediary device comprises a step of:
    - determining whether said identity is a valid identity according to a security association between the first peer entity and the intermediary device, wherein a negative validation result is yielded, when it is determined that said identity is not valid.
  - 11. The method according to claim 9, wherein the step of validating at the intermediary device comprises a step of:
    - detecting whether said identity has changed during an ongoing connection, wherein a negative validation result is yielded, when it is detected that said identity has changed.
  - 12. The method according to claim 9, further comprising a step of:
    - transmitting a response of denial of the requested operation from the intermediary device to the first peer entity, when the step of validating at the intermediary device yields a negative validation result.
  - 13. The method according to claim 9, further comprising a step of:
    - forwarding a request from the first peer entity to the second peer entity, when the step of validating at the intermediary device yields a positive validation result.
  - 14. The method according to claim 9, wherein the step of validating comprises validating the identity used by the first peer entity at a proxy node.
  - 15. The method according to claim 9, wherein the step of validating comprises validating the identity used by the first peer entity at a relay agent.
  - 16. The method according to claim 1, wherein the step of validating comprises validating the identity used by an application server at the second peer entity.
  - 17. The method according to claim 1, wherein the step of validating comprises validating the identity used by the first peer entity at a home subscriber server.
  - 18. The method according to claim 1, wherein the method is based on a protocol associated with authorization, authentication and accounting functions.
  - 19. The method according to claim 18, wherein the protocol is a Diameter base protocol.
  - 20. The method according to claim 19, wherein the identity used by the first peer entity is an identity in accordance with a Diameter base protocol.
  - 21. The method according to claim 18, wherein the protocol is a Remote Access Dial-In User Services (RADIUS) protocol.
  - 22. The method according to claim 21, wherein the identity used by the first peer entity is an identity in accordance with a RADIUS protocol.
  - 23. The method according to claim 1, wherein the transport address is based on an Internet protocol.
  - 24. The method according to claim 1, wherein the connection between the first peer entity and the second peer entity comprises an Sh reference point in accordance with Third Generation Partnership Project (3GPP) specifications.

25. A communication device configured for use in a method of providing security of operations on a connection between a first peer entity and the communication device as a second peer entity in a communication system, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity, said communication device comprising:
- receiver devices configured to receive a request from the first peer entity;
  
  checker devices configured to check a permission of the first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list;
  
  first memory devices configured to store the pre-configured permissions list; and
  
  validator devices configured to validate the identity used by the first peer entity, wherein the validator devices are further configured to perform validating prior to the checker devices performing checking of the permission.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 26. The communication device according to claim 25, wherein the validator devices comprise:
    - determinator devices configured to determine whether the identity used by the first peer entity is a valid identity according to a security association between the first peer entity and the second peer entity, wherein the determinator devices are further configured to yield a negative validation result, when it is determined that said identity is not valid.
  - 27. The communication device according to claim 26, wherein the determinator devices are further configured to perform validating on a basis of a security configuration table being maintained at the second peer entity, said security configuration table comprising valid pairs of identities and at least one parameter of said security association.
  - 28. The communication device according to claim 27, further comprising second memory devices configured to store said security configuration table.
  - 29. The communication device according to claim 27, wherein the at least one parameter of said security association comprises the transport address of the first peer entity.
  - 30. The communication device according to claim 25, wherein the validator devices comprise:
    - detector devices configured to detect whether the identity used by the first peer entity has changed during an ongoing connection, wherein the detector devices are further configured to yield a negative validation result, when it is detected that said identity has changed.
  - 31. The communication device according to claim 30, further comprising third memory devices configured to store an identity originally used by the first peer entity in the ongoing connection.
  - 32. The communication device according to claim 25, further comprising:
    - transmitter devices configured to transmit a response of denial of the requested operation to the first peer entity, when the validator devices yield a negative validation result.
  - 33. The communication device according to claim 32, wherein the response indicates a security problem to the first peer entity.
  - 34. The communication device according to claim 25, wherein the communication device is a home subscriber server.
  - 35. The communication device according to claim 25, wherein the communication device operates on a basis of a protocol associated with authorization, authentication and accounting functions.
  - 36. The communication device according to claim 25, wherein the identity used by the first peer entity is an identity in accordance with a Diameter base protocol.
  - 37. The communication device according to claim 25, wherein the identity used by the first peer entity is an identity in accordance with a Remote Access Dial-In User Services (RADIUS) protocol.
  - 38. The communication device according to claim 25, wherein the transport address is based on an Internet protocol.
  - 39. The communication device according to claim 25, wherein the connection between the first peer entity and the second peer entity comprises an Sh reference point in accordance with Third Generation Partnership Project (3GPP) specifications.

40. An intermediary device configured for use in a method of providing security of operations on a connection between a first peer entity and a second peer entity in a communication system, wherein the intermediary device is located on the connection in-between the first peer entity and the second peer entity, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity, said intermediary device comprising:
- receiver devices configured to receive a request from the first peer entity and a response from the second peer entity; and
  
  validator devices configured to validate the identity used by the first peer entity.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The intermediary device according to claim 40, wherein the validator devices comprise:
    - determinator devices configured to determine whether the identity used by the first peer entity is a valid identity according to a security association between the first peer entity and the intermediary device, wherein the determinator devices are further configured to yield a negative validation result, when it is determined that said identity is not valid.
  - 42. The intermediary device according to claim 41, further comprising first memory devices configured to store a security configuration table.
  - 43. The intermediary device according to claim 40, wherein the validator devices comprise:
    - detector devices configured to detect whether the identity used by the first peer entity has changed during an ongoing connection, wherein the detector devices are further configured to yield a negative validation result, when it is detected that said identity has changed.
  - 44. The intermediary device according to claim 43, further comprising second memory devices configured to store an identity originally used by the first peer entity in the ongoing connection.
  - 45. The intermediary device according to claim 40, further comprising:
    - transmitter devices configured to forward a request from the first peer entity to the second peer entity, when the validator devices of the intermediary device yield a positive validation result.
  - 46. The intermediary device according to claim 40, further comprising:
    - transmitter devices configured to transmit a response of denial to the first peer entity, when the validator devices of the intermediary device yield a negative validation result.
  - 47. The intermediary device according to claim 40, wherein the intermediary device operates on a basis of a protocol associated with authorization, authentication and accounting functions.
  - 48. The intermediary device according to claim 47, wherein the intermediary device is a Diameter proxy node.
  - 49. The intermediary device according to claim 47, wherein the intermediary device is a Diameter relay agent.

50. A system for providing security of operations on a connection between a first peer entity and a second peer entities in a communication system, the peer entities each having an identity and a transport address, wherein the first peer entity requests an operation from the second peer entity using an identity and the second peer entity checks a permission of the first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list, said system comprising:
- at least one first peer entity comprising transmitter devices configured to transmit a request for an operation to at least one second peer entity; and
  
  the at least one second peer entity comprising receiver devices configured to receive a request from the at least one first peer entity;
  
  checker devices configured to check the permission of the at least one first peer entity to be granted the requested operation using said identity by means of a pre-configured permissions list;
  
  first memory devices configured to store the pre-configured permissions list; and
  
  validator devices configured to validate the identity used by the at least one first peer entity, wherein the validator devices are further configured to perform validating prior to the checker devices performing checking of the permission.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The system according to claim 50, further comprising at least one intermediary device being located on the connection in-between the first peer entity and the second peer entity, said intermediary device comprising:
    - receiver devices configured to receive a request from the at least one first peer entity and a response from the at least one second peer entity; and
      
      validator devices configured to validate the identity used by the at least one first peer entity.
  - 52. The system according to claim 50, wherein the at least one first peer entity is an application server.
  - 53. The system according to claim 50, wherein the at least one second peer entity is a home subscriber server.
  - 54. The system according to claim 50, wherein the connection between the first peer entity and the second peer entity comprises an Sh reference point in accordance with Third Generation Partnership Project (3GPP) specifications.

55. A computer program, embodied on a computer readable medium, the computer program controlling a digital-processing device to perform the step of:
- validating an identity used by a first peer entity to request an operation from a second peer entity at the second peer entity, wherein the step of validating is performed prior to a checking of a permission of the first peer entity to be granted the requested operation by means of a pre-configured permissions list by the second peer entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Nokia Corporation
Inventors
Lahtinen, Lauri, Tammi, Kalle, Aittola, Mikko

Application Number

US11/155,765
Publication Number

US 20060225128A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 61/4588   containing mobile subscribe...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/101   Access control lists [ACL]

Measures for enhancing security in communication systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Measures for enhancing security in communication systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links