Authentication and authorization in heterogeneous networks

US 7,461,248 B2
Filed: 04/07/2004
Issued: 12/02/2008
Est. Priority Date: 01/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting a roaming of the mobile terminal;

identifying a combination of network elements involved in the detected roaming;

selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, andwherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and

performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a temporary local identity to the mobile terminal by the local server, in the domain of which the mobile terminal first attaches to the foreign network;

defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and

allocating the local security information to the mobile terminal by the local server,wherein the performing reuses the allocated local security information to authenticate and authorize in each of said plurality of domains.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and network elements for authentication and authorization of a mobile terminal (MT) roaming to or in a foreign network different from its home network is provided, the home network having an authentication and authorization home server (AAAH), and the foreign network having a plurality of domains each of which comprises at least one local server (AAAL1, AAAL2) for authentication, authorization and accounting, each of which local servers being connected to at least one network access server (NAS) for handling access for mobile terminals roaming to or in the foreign network, wherein an authentication and authorization of the mobile terminal is performed whenever the mobile terminal performs a roaming, wherein the authentication and authorization is performed according to a procedure pursuant to one of a plurality of hierarchy levels, whereby a combination of network elements involved in the roaming determines the hierarchy level to be used.

18 Citations

View as Search Results

29 Claims

1. A method, comprising:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming;
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, andwherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
  
  performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a temporary local identity to the mobile terminal by the local server, in the domain of which the mobile terminal first attaches to the foreign network;
  
  defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
  
  allocating the local security information to the mobile terminal by the local server,wherein the performing reuses the allocated local security information to authenticate and authorize in each of said plurality of domains.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein the local security information is generated in accordance with a used authentication technique.
  - 3. The method according to claim 2, wherein the authentication and authorization is performed based on a procedure of a first hierarchy level upon the mobile terminal performing an inter-domain roaming from its home server to a local server of the foreign network, when the mobile terminal attaches to the foreign network, wherein the procedure comprises:
    - asking the mobile terminal to provide authentication information by the network access server handling the attachment of the mobile terminal to the foreign network;
      
      transmitting, by the mobile terminal, the mobile terminal'"'"'s authentication information to the asking network access server;
      
      forwarding, by the network access server, the received authentication information of the mobile terminal to the local server which is operationally connected thereto;
      
      requesting, by the local server, identification of the mobile terminal at the home server;
      
      distributing, by the local server, the local security information to the mobile terminal upon receiving of the identification of the mobile terminal from the home server; and
      
      authenticating and authorizing, by the mobile terminal, its identity within the local domain of the foreign network upon receiving of the local security information.
  - 4. The method according to claim 3, wherein the distributing of the local security information from the local server to the mobile terminal is performed in a manner that protects the local security information.
  - 5. The method according to claim 3, wherein the distributing of the local security information comprises:
    - transmitting the local security information from the local server to the network access server using a predetermined security association between the local server and the network access server; and
      
      when a mutual authentication method is used, transmitting of the local security information from the network access server to the mobile terminal using a secure channel which has been established according to a used mutual authentication method.
  - 6. The method according to claim 3, wherein the distributing of the local security information comprises:
    - when an authentication method without a secure channel between the network access server and the mobile terminal is used, transmitting a request for an encryption key from the local server to the home server along with the authentication information of the mobile terminal;
      
      generating an encryption key by the home server using at least the received authentication information of the mobile terminal and transmitting the encryption key to the local server; and
      
      encrypting of the local security information with the encryption key at the local server and transmitting the encrypted local security information from the local server to the mobile terminal,wherein the mobile terminal generates the same encryption key using at least its authentication information, using the same encryption key to decrypt the received encrypted local security information.

7. A method, comprising:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming;
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account,wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
  
  performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
  
  defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
  
  allocating the local security information to the mobile terminal by the local server,wherein the performing uses the allocated local security information for authentication and authorization,wherein the local security information is generated in accordance with a used authentication technique,wherein the authentication and authorization is performed based on a procedure of a second hierarchy level upon the mobile terminal performing an inter-domain roaming from a first network access server which is operationally connected to a first local server of a first domain of the foreign network to a second network access server which is connected to a second local server of a second domain of the foreign network, the procedure comprisingsending a request for the local security information of the mobile terminal from the second local server to the first local server;
  
  transmitting of the local security information of the mobile terminal from the first local server to the second local server; and
  
  using the local security information at the second local server for authentication and authorization of the mobile terminal within the local domain.
- View Dependent Claims (8)
- - 8. The method according to claim 7, wherein the using the local security information comprises transmitting the local security information to the second network access server using a predetermined security association between the second local server and the second network access server.

9. A method, comprising:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming;
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account,wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
  
  performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
  
  defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
  
  allocating the local security information to the mobile terminal by the local server,wherein the performing uses the allocated local security information for authentication and authorization,wherein the local security information is generated in accordance with a used authentication technique,wherein the authentication and authorization is performed based on a procedure of a third hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of a domain of the foreign network to a second network access server of the same domain, the procedure comprisingsending a request for the local security information of the mobile terminal from the second network access server to the local server of the domain;
  
  transmitting of the local security information of the mobile terminal from the local server of the domain to the second network access server using a predetermined security association between the local server of the domain and the second network access server; and
  
  using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.

10. A method, comprising:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming;
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account,wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
  
  performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
  
  defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
  
  allocating the local security information to the mobile terminal by the local servers;
  
  wherein the performing uses the allocated local security information for authentication and authorization,wherein the local security information is generated in accordance with a used authentication technique,wherein the authentication and authorization is performed based on a procedure of a fourth hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of an authentication and authorization area of the foreign network to a second network access server of the same authentication and authorization area, wherein the first network access server knows the local security information of the mobile terminal, the procedure comprisingsending a request for the local security information of the mobile terminal from the second network access server to the first network access server;
  
  transmitting of the local security information of the mobile terminal from the first network access server to the second network access server; and
  
  using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.
- View Dependent Claims (11)
- - 11. The method according to claim 10, wherein an authentication and authorization area is an area within a domain of a network, within which area network access servers have a predetermined security association with each other, using the predetermined security association to share authentication and authorization information in a confidential manner.

12. A system, comprising:
- an authentication and authorization home server in a home network;
  
  at least one local server configured to authenticate, authorize, and account in each of a plurality of domains of a foreign network;
  
  at least one network access server configured to handle access of mobile terminals roaming to or in the foreign network, each of which network access servers are operationally connectable to one of the local servers;
  
  a detector configured to detect a roaming of a mobile terminal;
  
  an identifier configured to identify a combination of network elements involved in the roaming being detected by the detector;
  
  a selector configured to select one of a plurality of authentication and authorization procedures to be performed based on the combination being identified by the identifier; and
  
  an authentication and authorization processor configured to perform authentication and authorization of the mobile terminal based on the selected one of the plurality of authentication and authorization procedure,wherein the local server, in the domain of which the mobile terminal first attaches to the foreign network, allocates a temporary local identity to the mobile terminal and allocates a local security information to the mobile terminal, andwherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of said plurality of domains.
- View Dependent Claims (13)
- - 13. A system according to claim 12, wherein the home network and the foreign network are either internet protocol (IP)-based, cellular networks or IP-based cellular networks.

14. An apparatus, comprising:
- an authentication and authorization processor configured to authenticate and authorize a mobile terminal, which processor is operable according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,wherein the apparatus is a local server of the domain to which the mobile terminal is attachable, which mobile terminal is registered with a home server of its home network,wherein the apparatus is operationally connectable to at least one network access server configured to handle access of mobile terminals roaming to or in the network;
  
  an allocating device configured to allocate a temporary local identity to the mobile terminal, when the mobile terminal first attaches to the network, and to allocate a local security information to the mobile terminal;
  
  a generator configured to define and generate the local security information representing a binding of a user identity of the mobile terminal and the temporary local identity allocated by the allocating device;
  
  a storing device configured to store the temporary local identity and the local security information of the terminal; and
  
  a mapping device configured to map the local security information to a real user account,wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of a plurality of domains of a foreign network.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus according to claim 14, further comprising:
    - a transceiver configured to transmit and receive the local security information and other information to and from a local serving node and a network access server which is operationally connectable to the apparatus.
  - 16. The apparatus according to claim 15, wherein the transceiver is further configured to transmit and receive information of the mobile terminal to and from the home server of the mobile terminal for identification of the mobile terminal.
  - 17. The apparatus according to claim 14, further comprising:
    - an encrypting device configured to encrypt local security information with an encryption key receivable from the home server; and
      
      a distributing device configured to control a distribution the encrypted local security information to the mobile terminal based on a used authentication method.

18. An apparatus, comprising:
- an accessing device configured to handle access of a mobile terminal to a network; and
  
  a transceiver configured to transmit and receive a local security information of the mobile terminal and other information to and from an operationally connectable local server, another operationally connectable apparatus and an operationally connectable mobile terminal;
  
  an authentication and authorization processor configured to authenticate and authorize according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,wherein the apparatus is operationally connectable to a local server of a domain of the network,wherein the local server allocates a temporary local identity to the mobile terminal, and allocates the local security information to the mobile terminal, andwherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of a plurality of domains of a foreign network.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus according to claim 18, wherein the authentication and authorization processor is configured to support an authentication and authorization area, which is an area within a domain of a network, within which area network access servers have a predetermined security association with each other, using the predetermined security association to share authentication and authorization information in a confidential manner.
  - 20. The apparatus according to claim 18, wherein the apparatus is operable as an access router of an internet protocol (IP) network.
  - 21. The apparatus according to claim 18, wherein the apparatus is operable as a base station system of a general packet radio service (GPRS) network.
  - 22. The apparatus according to claim 18, wherein the apparatus is operable as a Node B of a universal mobile telecommunications system (UMTS) network.
  - 23. The apparatus according to claim 18, wherein the apparatus is operable as a radio network controller (RNC) of a universal mobile telecommunications system (UMTS) network.

24. An apparatus, comprising:
- a registering device configured to register with a home server in its home network, and is attachable to a foreign network using a network access server of the foreign network,wherein the foreign network comprises a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account,wherein each of the local servers are operationally connectable to at least one of the network access servers;
  
  an authentication and authorization processor configured to perform an authentication and authorization according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the apparatus;
  
  a transceiver configured to transmit and receive information to and from one of the network access servers of the foreign network; and
  
  a storing device configured to keep a list of local security information of each network having been attached to, wherein the local security information is allocable to the apparatus by one of the local servers of the foreign networks,wherein the local server, in the domain of which the apparatus first attaches to the foreign network, allocates a temporary local identity to the apparatus; and
  
  wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of said plurality of domains.
- View Dependent Claims (25)
- - 25. The apparatus according to claim 24, further comprising:
    - a key generating device configured to generate an encryption key using at least its authentication information to communicate with a local server; and
      
      a decrypting device configured to decrypt received encrypted information using the encryption key.

26. A system comprising:
- an authentication and authorization home server in a home network;
  
  at least one local server for authentication, authorization and accounting in each of a plurality of domains of a foreign network;
  
  at least one network access server for handling access of mobile terminals roaming to or in the foreign network, each of which network access servers are operationally connectable to one of the local servers;
  
  detecting means for detecting a roaming of a mobile terminal;
  
  identifying means for identifying a combination of network elements involved in the roaming being detected by the detecting means;
  
  selecting means for selecting one of a plurality of authentication and authorization procedures to be performed based on the combination being identified by the identifier; and
  
  authentication and authorization means for authenticating and authorizing of the mobile terminal based on the selected one of the plurality of authentication and authorization procedure,wherein the local server, in the domain of which the mobile terminal first attaches to the foreign network, allocates a temporary local identity to the mobile terminal and allocates a local security information to the mobile terminal, andwherein the authentication and authorization means reuses the local security information for authentication and authorization in each of said plurality of domains.

27. An apparatus, comprising:
- authentication and authorization means for authenticating and authorizing a mobile terminal, which is operable according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,wherein the apparatus is a local server of the domain to which the mobile terminal is attachable, which mobile terminal is registered with a home server of its home network, andwherein the apparatus is operationally connectable to at least one network access server for handling access of mobile terminals roaming to or in a network;
  
  allocating means for allocating a temporary local identity to the mobile terminal, when the mobile terminal first attaches to the network, and for allocating a local security information to the mobile terminal;
  
  defining and generating means for defining and generating the local security information representing a binding of a user identity of the mobile terminal and the temporary local identity allocated by the allocating device;
  
  storing means for storing the temporary local identity and the local security information of the terminal; and
  
  mapping means for mapping the local security information to a real user account,wherein the authentication and authorization means reuses the local security information for authentication and authorization in each of a plurality of domains of a foreign network.

28. An apparatus, comprising:
- accessing means for handling access of a mobile terminal to a network; and
  
  transmitting and receiving means for transmitting and receiving a local security information of the mobile terminal and other information to and from an operationally connectable local server, another operationally connectable apparatus and an operationally connectable mobile terminal,wherein the apparatus comprises authentication and authorization means for authenticating and authorizing according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,wherein the apparatus is connectable to a local server of a domain of the network,wherein the local server allocates a temporary local identity to the mobile terminal, and allocates the local security information to the mobile terminal, andwherein the authentication and authorization means reuses the local security information for authentication and authorization in each of a plurality of domains of a foreign network.

29. A computer program, embodied on a computer readable medium, configured to control a processor to implement a method, the method comprising:
- detecting a roaming of the mobile terminal;
  
  identifying a combination of network elements involved in the detected roaming;
  
  selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination,wherein a home network has an authentication and authorization home server,wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, andwherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
  
  performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,wherein the method, upon attaching of the mobile terminal to the foreign network, further comprisesallocating a temporary local identity to the mobile terminal in the domain of which the mobile terminal first attaches to the foreign network;
  
  defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity; and
  
  allocating the local security information to the mobile terminal,wherein the performing reuses the allocated local security information to authenticate and authorize in each of said plurality of domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Zhang, Hong, Zhang, Dajiang, Jiang, Luliang
Primary Examiner(s)
Nalven; Andrew L

Application Number

US10/819,151
Publication Number

US 20050166043A1
Time in Patent Office

1,700 Days
Field of Search

713/155
US Class Current

713/155
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/205   involving negotiation or de...

H04Q 2213/13095   PIN / Access code, authenti...

H04Q 2213/13096   Digital apparatus individua...

H04Q 2213/13098   Mobile subscriber

H04Q 2213/1329   Asynchronous transfer mode,...

H04Q 2213/13389   LAN, internet

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/75   Temporary identity

Authentication and authorization in heterogeneous networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization in heterogeneous networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links