Automated negotiation and selection of authentication protocols

US 8,914,636 B2
Filed: 06/28/2012
Issued: 12/16/2014
Est. Priority Date: 06/28/2011
Status: Active Grant

First Claim

Patent Images

1. In a system comprising a user equipment (UE), a service provider (SP) that comprises a Network Access Function (NAF), and an authentication end point (AEP) that comprises a Bootstrapping Server Function (BSF) which communicate via a network that implements a Generic Bootstrapping Architecture, a method of authenticating the UE by the AEP, comprising, at the AEP:

receiving a request from the UE for access to a service provided by the SP;

determining one or more authentication protocols that are supported by the UE;

negotiating with the UE to select one of the authentication protocols that are acceptable to the SP and that are supported by the UE;

and authenticating the UE using the selected authentication protocol, wherein based on the received request, an association of a shared secret key may be established.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Wireless telecommunications networks may implement various forms of authentication. There are a variety of different user and device authentication protocols that follow a similar network architecture, involving various network entities such as a user equipment (UE), a service provider (SP), and an authentication endpoint (AEP). To select an acceptable authentication protocol or credential for authenticating a user or UE, authentication protocol negotiations may take place between various network entities. For example, negotiations may take place in networks implementing a single-sign on (SSO) architecture and/or networks implementing a Generic Bootstrapping Architecture (GBA).

Citations

18 Claims

1. In a system comprising a user equipment (UE), a service provider (SP) that comprises a Network Access Function (NAF), and an authentication end point (AEP) that comprises a Bootstrapping Server Function (BSF) which communicate via a network that implements a Generic Bootstrapping Architecture, a method of authenticating the UE by the AEP, comprising, at the AEP:
- receiving a request from the UE for access to a service provided by the SP;
  
  determining one or more authentication protocols that are supported by the UE;
  
  negotiating with the UE to select one of the authentication protocols that are acceptable to the SP and that are supported by the UE;
  
  and authenticating the UE using the selected authentication protocol, wherein based on the received request, an association of a shared secret key may be established.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method recited in claim 1, further comprising:
    - determining one or more authentication protocols and that are acceptable to the SP, wherein determining the one or more authentication protocols acceptable to the SP comprises negotiating with the SP to determine the one or more acceptable authentication protocols.
  - 3. The method recited in claim 2, wherein determining one or more authentication protocols acceptable to the SP comprises:
    - receiving one or more characteristics from the SP; and
      
      determining the acceptable protocols that comprise the one or more characteristics.
  - 4. The method recited in claim 2, wherein determining one or more authentication protocols acceptable to the SP comprises retrieving the one or more acceptable authentication protocols from a database accessible to the AEP that stores information concerning acceptable authentication protocols for one or more service providers.
  - 5. The method recited in claim 1, further comprising:
    - receiving from the UE an identification of one or more authentication protocols or credentials supported by the UE.
  - 6. The method recited in claim 1, the method further comprising, at the BSF:
    - receiving, from the UE, a request to run a GBA digest protocol; and
      
      in response to the request, requesting and retrieving an authentication vector from a policy server.
  - 7. The method recited in claim 6, wherein the NAF comprises a policy indicating whether to accept subscribers using SIP Digest credentials.
  - 8. The method recited in claim 1, wherein the network further implements an OpenID federated identity management architecture, and wherein the AEP further comprises an Identity Provider (IdP).

9. In a system comprising a user equipment (UE), a service provider (SP) that comprises a Network Access Function (NAF), and an authentication end point (AEP) that comprises a Bootstrapping Server Function (BSF) which communicate via a network that implements a Generic Bootstrapping Architecture (GBA), a method of authenticating the UE by the AEP, comprising, at the SP:
- receiving a request from the UE to access a service provided by the SP;
  
  determining one or more authentication protocols supported by the UE such that the one or more authentication protocols can be used to authenticate the UE;
  
  providing, to the AEP, information concerning authentication protocols acceptable to the SP;
  
  and receiving from the UE a signed assertion message indicating authentication of the UE in accordance with a selected authentication protocol, wherein based on the received request, an association of a shared secret key may be established.

10. In a system comprising a user equipment (UE), a service provider (SP) that comprises a Network Access Function (NAF), and an authentication end point (AEP) that comprises a Bootstrapping Server Function (BSF) which communicate via a network that implements a Generic Bootstrapping Architecture (GBA), a method of authenticating the UE, comprising, at the UE:
- sending a request to the SP for access to a service provided by the SP;
  
  negotiating with the AEP to select one of a plurality of authentication protocols that are acceptable to the SP and that are supported by the UE, and receiving from the AEP an indication of the result of authentication of the UE in accordance with the selected authentication protocol, wherein based on the received request, an association of a shared secret key may be established.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method recited in claim 10, wherein the indication comprises a signed assertion message comprising the result of authentication of the UE in accordance with the selected authentication protocol, the method further comprising:
    - forwarding, by the UE, the signed assertion message to the SP.
  - 12. The method recited in claim 10, wherein the indication from the AEP comprises a key that results from an authentication of the UE in accordance with the selected authentication protocol.
  - 13. The method recited in claim 10, wherein the network further implements an OpenID federated identity management architecture, and wherein the AEP further comprises an Identity Provider (IdP).
  - 14. The method recited in claim 10, further comprising:
    - receiving, via the NAF, a bootstrapping initiation message comprising a realm attribute to trigger the UE to run a bootstrapping protocol using the selected authentication protocol.
  - 15. The method recited in claim 10, further comprising, at the UE:
    - providing an indication to the NAF that one or more GBA authentication protocols are supported by the UE; and
      
      receiving an indication, from the NAF, that one of the one or more GBA authentication protocols are acceptable, wherein the acceptable GBA authentication protocol comprises a SIP Digest-based GBA security association.
  - 16. The method recited in claim 14, further comprising:
    - if none of the one or more GBA authentication protocols that are supported by the UE are acceptable to the NAF, receiving, at the UE, an error message, thereby terminating GBA bootstrapping.
  - 17. The method of claim 15, wherein the request for access to a service comprises a product token in a user agent header, wherein the product token indicates that the UE requests the use of a GBA Digest protocol.
  - 18. The method of claim 17, wherein, in response to the request for access,receiving a code 401 response, wherein the code 401 response comprises a prefix in a header, wherein the prefix indicates that the UE is allowed to perform the GBA Digest protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Cha, Inhyok, Leicher, Andreas, Schmidt, Andreas, Guccione, Louis J., Shah, Yogendra C., Targali, Yousif
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US13/535,563
Publication Number

US 20130174241A1
Time in Patent Office

901 Days
Field of Search

726/7
US Class Current

713/171
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 63/205   involving negotiation or de...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/32   including means for verifyi...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

Automated negotiation and selection of authentication protocols

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automated negotiation and selection of authentication protocols

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links