Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network

  • US 8,468,353 B2
  • Filed: 06/14/2011
  • Issued: 06/18/2013
  • Est. Priority Date: 01/24/2006
  • Status: Active Grant
First Claim

1. A method of authentication inquiring, wherein the method is applied to a system comprising a first service entity requesting a service, a second service entity providing the service and an Entity Authentication Centre (EAC), wherein, a mutual authentication between the first service entity and the EAC and that between the second service entity and the EAC are respectively performed, the EAC allocates an Interim Service Request Identifier (ISR-ID) to the first service entity and an Interim Authentication Check Identifier (IAC-ID) to the second service entity and acquires the shared key materials respectively for protecting the communications with the first service entity and the second service entity;

  • the method comprising;

    issuing, by the first service entity, a service request to the second service entity, the service request includes the ISR-ID acquired by the first service entity in the authentication with the EAC;

    wherein the service request is used for the second service entity, upon receiving the service request, to search whether there is the ISR-ID of the first service entity stored locally to identify the first service entity, if not, the second service entity sends an authentication inquiring request to the EAC and carries the ISR-ID of the first service entity and the IAC-ID of the second service entity;

    generating, by the EAC upon receiving the authentication inquiring request, a derived key for the first service entity and the second service entity when it is decided that the IAC-ID is valid and the second service entity is entitled to provide the service besides the ISR-ID is valid and the first service entity is entitled to request the service;

    returning, by the EAC, to the second service entity an authentication inquiring response which carries the derived key which is acquired by enciphering the shared key material of the second entity and the EAC;

    wherein the authentication inquiring response is used for the second service entity to acquire the derived key from the authentication inquiring response by decrypting and to return a service request response to the first service entity, and the service request response is used for the first service entity to calculate the same derived key by using an algorithm and parameters used by the EAC;

    wherein the service request which is issued from the first service entity to the second service entity further includes a public identity (UID) of the second service entity for contacting with other service entities; and

    the authentication inquiring request which is sent from the second service entity to the EAC further carries the UID besides the ISR-ID of the first service entity and the IAC-ID of the second service entity.
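
The message flow of claim 1, as an added Python sketch that is not part of the patent text: the second service entity queries the EAC, receives the derived key enciphered under its own shared key material, and the first service entity computes the same key locally. The claim names no algorithms, so the HMAC-SHA256 derivation over ISR-ID and UID, the `wrap`/`unwrap` stand-in cipher, the sample identifiers, and the reduction of the entitlement checks to table lookups are all assumptions.

```python
import hashlib, hmac, os

def kdf(shared_key, isr_id, uid):
    # Assumed derivation: the claim only says both sides use the same algorithm and parameters.
    return hmac.new(shared_key, b"derive|" + isr_id + b"|" + uid, hashlib.sha256).digest()

def wrap(key, plaintext):
    # Stdlib-only stand-in for an AEAD: one-block HMAC keystream, then encrypt-then-MAC.
    if len(plaintext) != 32:
        raise ValueError("stand-in cipher handles exactly one 32-byte key")
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication inquiring response failed integrity check")
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class EAC:
    def __init__(self):
        self.requesters = {}  # ISR-ID -> shared key material with the first service entity
        self.providers = {}   # IAC-ID -> (shared key material, UID of the second service entity)

    def authentication_inquiry(self, isr_id, iac_id, uid):
        # Validity and entitlement are modelled as lookups (assumption).
        if isr_id not in self.requesters:
            raise PermissionError("ISR-ID not valid")
        if iac_id not in self.providers or self.providers[iac_id][1] != uid:
            raise PermissionError("IAC-ID not valid for this UID")
        derived = kdf(self.requesters[isr_id], isr_id, uid)
        return wrap(self.providers[iac_id][0], derived)

def run_flow(isr_id=b"isr-0001", iac_id=b"iac-0001", uid=b"provider.example"):
    # Constructed state, as left by the two earlier mutual authentications with the EAC.
    eac = EAC()
    ks_first, ks_second = os.urandom(32), os.urandom(32)
    eac.requesters[b"isr-0001"] = ks_first
    eac.providers[b"iac-0001"] = (ks_second, b"provider.example")
    response = eac.authentication_inquiry(isr_id, iac_id, uid)  # second entity -> EAC
    key_at_second = unwrap(ks_second, response)  # second entity decrypts the response
    key_at_first = kdf(ks_first, isr_id, uid)    # first entity calculates the same key
    return key_at_first, key_at_second
```

The derived key never crosses the link between the two service entities in this flow; only the ISR-ID and UID do.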
