Method and system for transparently authenticating a mobile user to access web services

US 7,954,141 B2
Filed: 09/30/2005
Issued: 05/31/2011
Est. Priority Date: 10/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a subscriber of a first network to access an application service through a second network, wherein the second network is a packet data network and the access to the application services is in the form of access-request messages enclosed in a data packet, said data packet comprising an address in said second network allocated to a subscriber'"'"'s address and said access-request message expressed with a syntax that complies with an application-level protocol, comprising the steps of:

a) intercepting an access-request message to the second network;

b) recognising the application-level protocol;

c) providing a mapping between the subscriber'"'"'s address and a first subscriber'"'"'s identifier in the first network;

d) generating a first authentication token including a second subscriber'"'"'s identifier;

e) associating the first authentication token to the access-request message; and

f) transmitting the access-request message with said first associated authentication token to the second network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating a subscriber of a first network to access application services through a second network, wherein the second network is a packet data network. The system includes a mobile station connected to a cellular network and apt to generate access-request messages enclosed in data packets, the access-request messages being expressed with a syntax that complies with an application-level protocol; an allocation server apt to allocate an address in the second network to the subscriber and to provide a mapping between the subscriber'"'"'s address and a first subscriber'"'"'s identifier; a gateway which interfaces the first network to the second network and assigns the subscriber'"'"'s address to the mobile station; a service token injector linked with the gateway and apt to intercept the data packets generated from the endpoint station and directed to the second network through the gateway and to capture in the data packet at least the subscriber'"'"'s address, and an identity authority logical entity linked with the service token injector.

51 Citations

View as Search Results

38 Claims

1. A method for authenticating a subscriber of a first network to access an application service through a second network, wherein the second network is a packet data network and the access to the application services is in the form of access-request messages enclosed in a data packet, said data packet comprising an address in said second network allocated to a subscriber'"'"'s address and said access-request message expressed with a syntax that complies with an application-level protocol, comprising the steps of:
- a) intercepting an access-request message to the second network;
  
  b) recognising the application-level protocol;
  
  c) providing a mapping between the subscriber'"'"'s address and a first subscriber'"'"'s identifier in the first network;
  
  d) generating a first authentication token including a second subscriber'"'"'s identifier;
  
  e) associating the first authentication token to the access-request message; and
  
  f) transmitting the access-request message with said first associated authentication token to the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the second network is an internet protocol network and the subscriber'"'"'s address is the internet-protocol address.
  - 3. The method of claim 1, wherein the first network is a mobile network.
  - 4. The method of claim 3, wherein the mobile network is a packet-switched cellular network.
  - 5. The method of claim 4, wherein the packet-switched cellular network is a general packet radio service network.
  - 6. The method of claim 4, wherein the packet-switched cellular network is an enhanced data rate for global system for mobile communications evolution network or a universal mobile telecommunications service network.
  - 7. The method of claim 4, wherein the first and the second subscriber'"'"'s identifiers are different from one another.
  - 8. The method of claim 7, wherein the first network is a global system for mobile communications network and the first subscriber'"'"'s identifier is a subscriber identity module-based identity.
  - 9. The method of claim 8, wherein the subscriber identity module-based identity is the international mobile subscriber identity associated with the subscriber in the global system for mobile communications network.
  - 10. The method of claim 7, wherein the second subscriber'"'"'s identifier is a pseudonym associated with the first subscriber'"'"'s identifier.
  - 11. The method of claim 1, wherein step e) comprises including the first authentication token in the access-request message.
  - 12. The method of claim 1, further comprising after step d), the step of encrypting the first authentication token with a digital signature.
  - 13. The method of claim 1, wherein said first authentication token is expressed with a syntax that complies with the application-level protocol of the access-request message.
  - 14. The method of claim 1, wherein the application level protocol is selected from the group of session initiation protocol, hypertext transfer protocol, and simple object access protocol over hypertext transfer protocol.
  - 15. The method of claim 1, wherein the application-level protocol is session initiation protocol or hypertext transfer protocol and said first authentication token is specified according to the security assertion markup language standard.
  - 16. The method of claim 1, wherein the first network is a fixed access network.
  - 17. The method of claim 16, wherein the fixed access network uses digital subscriber line access technology.
  - 18. The method of claim 16, wherein the first subscriber'"'"'s identifier is a logon ID.
  - 19. The method of claim 1, further comprising after step f), the steps of:
    - g) receiving at the application service through said second network said access-request with said associated first authentication token;
      
      h) generating a first response message to said received access-request message;
      
      i) generating a second authentication token and including said second authentication token into said first response message;
      
      j) intercepting said first response message including said second authentication token;
      
      k) extracting said second authentication token from said first response message; and
      
      l) verifying said second authentication token and, if the verification is positive, transmitting a second response message to the first network.
  - 20. The method of claim 19, further comprising after step g), the step of verifying said first authentication token.
  - 21. A method for authenticating a subscriber of a plurality of first networks to access an application service, wherein authentication of the subscriber from each first network is carried out by the method of claim 1.
  - 22. The method of claim 1, further comprising the step of providing a mapping between the first authentication token and the requested application service.
  - 23. The method of claim 22, wherein the mapping between the first authentication token and the requested application service comprises extracting the universal resource identifier of the requested service from the access-request message.
  - 24. The method of claim 22, wherein the second subscriber'"'"'s identifier is a pseudonym associated with the first subscriber'"'"'s identifier and with the requested application service.

25. A system for authenticating a subscriber of a first network to access application services through a second network, wherein the second network is a packet data network, comprising:
- a subscriber station coupled to the first network and capable of generating access-request messages enclosed in data packets, said access-request messages being expressed with a syntax that complies with an application-level protocol;
  
  an allocation server capable of allocating an address in said second network to a subscriber'"'"'s address and to provide a mapping between the subscriber'"'"'s address and a first subscriber'"'"'s identifier in the first network;
  
  a gateway capable of performing the following functions;
  
  to receive the access-request messages from the subscriber station, to interface the first network to the second network, and to assign the subscriber'"'"'s address to the subscriber station;
  
  a first logical entity linked with the gateway and capable of intercepting the data packets generated from the subscriber station and directed to the second network through the gateway and to capture in the data packet at least the subscriber'"'"'s address; and
  
  a second logical entity linked with the first logical entity and capable of performing the following functions;
  
  to receive the subscriber'"'"'s address and the access-request message from the first logical entity,to recognize the application-level protocol of the access-request message,to request the first subscriber'"'"'s identifier to the allocation server, andto generate a first authentication token according to the application-level protocol, said token including a second subscriber'"'"'s identifier,wherein the first logical entity or the second logical entity is capable of associating said first authentication token with the access-request message.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 26. The system of claim 25, wherein the allocation server and the gateway are in the first network.
  - 27. The system of claim 25, wherein the first logical entity and the second logical entity are in the first network.
  - 28. The system of claim 25, wherein the first network is a mobile network and the subscriber station is a mobile station coupled to the first network via a wireless link.
  - 29. The system of claim 28, wherein the first network is a packet-switched cellular network.
  - 30. The system of claim 28, wherein the gateway is a gateway general packet radio service network support note.
  - 31. The system of claim 25, wherein the allocation server is an authentication-authorization-accounting server.
  - 32. The system of claim 25, wherein the second network is an internet protocol network.
  - 33. The system of claim 25, further comprising a certifying logical entity logically linked to the second logical entity and capable of encrypting the first authentication token.
  - 34. The system of claim 25, wherein the first logical entity is an application-level firewall.
  - 35. The system of claim 25, wherein the first network is a fixed access network and the subscriber station is a customer premises equipment coupled to the first network via a wired link.
  - 36. The system of claim 35, wherein the first subscriber'"'"'s identifier is a logon ID.
  - 37. The system of claim 25, wherein said first logical entity is also capable of intercepting response messages transmitted through the second network and directed to said subscriber station through the gateway.
  - 38. The system of claim 37, wherein said response messages include a second authentication token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
De Lutiis, Paolo, Moiso, Corrado, Di Caprio, Gaetano
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/666,125
Publication Number

US 20080127320A1
Time in Patent Office

2,069 Days
Field of Search

713/168, 380247-250, 455/411, 379/142.05, 726 2- 4, 726 9- 10
US Class Current

726/9
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5084   Providing for device mobili...

H04L 63/0407   wherein the identity of one...

H04L 63/0815   providing single-sign-on or...

H04W 12/00   Security arrangements; Auth...

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/72   Subscriber identity

H04W 4/18   Information format or conte...

H04W 74/00   Wireless channel access

H04W 8/26   Network addressing or numbe...

H04W 88/06   adapted for operation in mu...

H04W 88/16   Gateway arrangements

Method and system for transparently authenticating a mobile user to access web services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for transparently authenticating a mobile user to access web services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links