Authentication in communications networks

US 8,484,467 B2
Filed: 12/01/2006
Issued: 07/09/2013
Est. Priority Date: 12/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

sending a message from a network entity to an user equipment, wherein the message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate;

selecting at least one of the first option and the second option from the set of options and, when the first option is selected, the first internet key exchange authentication procedure is implemented between the network entity and the user equipment and a shared secret is generated from the security key established in the generic bootstrapping architecture over a second interface between the user equipment and the bootstrapping service function; and

using the shared secret to compute and verify authentication payloads in the first internet key exchange authentication procedure for the internet protocol communication over the first interface.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method of authenticating a user equipment in a communications network. The method involves sending a message from a network entity to the user equipment. This message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity; said options including a “shared key”-based authentication procedure. The method also involves selecting an option from the set. In the event that the “shared-key”-based authentication procedure is selected, a shared secret from a security key established in a generic bootstrapping architecture (GBA) is generated over a second interface between the user equipment and a bootstrapping service function. The shared secret is then used to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.

17 Citations

View as Search Results

24 Claims

1. A method comprising:
- sending a message from a network entity to an user equipment, wherein the message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate;
  
  selecting at least one of the first option and the second option from the set of options and, when the first option is selected, the first internet key exchange authentication procedure is implemented between the network entity and the user equipment and a shared secret is generated from the security key established in the generic bootstrapping architecture over a second interface between the user equipment and the bootstrapping service function; and
  
  using the shared secret to compute and verify authentication payloads in the first internet key exchange authentication procedure for the internet protocol communication over the first interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, wherein when the second option is selected, the second internet key exchange authentication procedure is implemented between the network entity and the user equipment using the certificate rather than the shared secret, wherein the network entity comprises a network application function, wherein the user equipment is a mobile station, and wherein the internet protocol communication is over the first interface and a wireless network.
  - 3. A method according to claim 1, wherein the set of options is in the form of a preference list.
  - 4. A method according to claim 1, wherein the step of selecting is carried out at the user equipment.
  - 5. A method according to claim 1, wherein the set of options includes a certificate based authentication procedure.
  - 6. A method according to claim 1, wherein the communication over the first interface uses the internet key exchange protocol.
  - 7. A method according to claim 1, wherein the first interface is wireless.
  - 8. A method according to claim 1, wherein the second interface is wireless.
  - 9. A method according to claim 1, comprising the step of transmitting a network entity identifier from the network entity to the user equipment, and using the network entity identifier to generate the shared secret from the security key.
  - 10. A method according to claim 1, wherein the step of computing the authentication payload is carried out at the user equipment.
  - 11. A method according to claim 1, wherein the step of verifying the authentication payload using the shared secret is carried out at the network entity.
  - 12. A method according to claim 1, wherein the user equipment transmits a bootstrapping transaction identifier to the network entity as part of said authentication procedure.
  - 13. A method according to claim 12, wherein the network entity uses the bootstrapping transaction identifier to access the shared secret.
  - 14. A method according to claim 1, when used to mutually authenticate the user equipment and the network entity wherein the network entity computes the authentication payload using the shared secret.
  - 15. A method according to claim 14, wherein the user equipment verifies the authentication payload using the shared secret.
  - 16. A method according to claim 15, wherein the message includes at least one certificate for authenticating a digital signature.
  - 17. A method according to claim 1, wherein the network entity sends a message including a digital signature and wherein the user equipment verifies the digital signature.

18. An apparatus comprising:
- a network entity comprising at least one processor configured toestablish an internet protocol communication with a user equipment over an interface;
  
  dispatch a message to the user equipment including a set of options for an authentication procedure, the set of options including a first option of using a shared secret derived based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture and a second option of using a certificate;
  
  receive an authentication payload from the user equipment when the first option is selected, the authentication payload having been computed using the shared secret from the user equipment; and
  
  authenticate the received authentication payload using the shared secret from the bootstrapping function.
- View Dependent Claims (19, 20)
- - 19. The apparatus according to claim 18, wherein communication over the interface uses the internet key exchange protocol.
  - 20. The apparatus according to claim 18, wherein the access of the shared secret comprises dispatching a user equipment identifier with a network entity identifier to a bootstrapping service function in the network.

21. An apparatus comprising:
- a user equipment comprising at least one processor configured toestablish a communication channel with a network entity in the communications network;
  
  receive a message which includes a set of options for the authentication procedure, the set of options including a first option of using a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture and a second option of using a certificate;
  
  select one of the set of options;
  
  compute an authentication payload for transmission to a network entity using a shared secret generated from the security key established in the generic bootstrapping architecture, when the first option is selected; and
  
  transmit the authentication payload in a message over the channel according to an internet protocol.
- View Dependent Claims (22, 23)
- - 22. An apparatus according to claim 21, wherein the internet protocol is the internet key exchange protocol.
  - 23. An apparatus according to claim 21 further comprising transmitting a notification indicating that the user equipment supports the first option.

24. A method comprising:
- establishing a communication channel with a network entity in a communications network;
  
  receiving, at a user equipment, a message including a set of options for an authentication procedure, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate;
  
  selecting one of the set of options;
  
  computing an authentication payload for transmission to a network entity using a shared secret generated from the security key established in the generic bootstrapping architecture, when the first option is selected; and
  
  transmitting the authentication payload in a message over the channel according to an internet protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conversant Wireless Licensing S.à.r.l. (f/k/a Core Wireless Licensing S.a.r.l.) (MOSAID Technologies Inc. (f/k/a Conversant Intellectual Property Management))
Original Assignee
Conversant Wireless Licensing S.à.r.l. (f/k/a Core Wireless Licensing S.a.r.l.) (MOSAID Technologies Inc. (f/k/a Conversant Intellectual Property Management))
Inventors
Chan, Tat Keung, Bajko, Gabor
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US11/606,910
Publication Number

US 20070204160A1
Time in Patent Office

2,412 Days
Field of Search

713/168, 713/156, 713/170, 713/182, 726/4, 726/5
US Class Current

713/168
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/205   involving negotiation or de...

H04L 9/08   Key distribution or managem...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3247   involving digital signatures

H04L 9/3265   using certificate chains, t...

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 88/02   Terminal devices

Authentication in communications networks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication in communications networks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links