DE102005062061A1 - Method for mobile RF network-based access to public data network, e.g., the internet, involves requesting authorization by provider of contents for user of RF network

Publication number: DE102005062061A1
Authority: DE (Germany)
Prior art keywords: content, user, mobile, provider, network
Legal status: Granted (current status: Expired - Fee Related)
Application number: DE102005062061A
Other languages: German (de)
Other versions: DE102005062061B4 (en)
Current Assignee: CYBER-DYNAMIX GESELLSCHAFT FUER SYSTEMINTERATI, DE
Original Assignee: Cyber-Dynamix Gesellschaft fur Datensicherheit GmbH (CYBER DYNAMIX GES fur DATENSI)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
            • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
            • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
              • H04L63/0892 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network by using authentication-authorization-accounting [AAA] servers or protocols
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
            • H04W12/04 Key management, e.g. by generic bootstrapping architecture [GBA]
              • H04W12/0401 Key generation or derivation
            • H04W12/08 Access security
          • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W4/24 Accounting or billing
    • G PHYSICS
      • G06 COMPUTING; CALCULATING; COUNTING
        • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q20/00 Payment architectures, schemes or protocols
            • G06Q20/08 Payment architectures
              • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
                • G06Q20/123 Shopping for digital content
                  • G06Q20/1235 Shopping for digital content with control of digital rights management [DRM]
            • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
              • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
                • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
            • G06Q20/38 Payment protocols; Details thereof
              • G06Q20/383 Anonymous user system

Abstract

Method for mobile radio network-based access to content that is provided by a provider in a public data network, in particular the Internet (7), and requires a release, comprising the following steps:
  • anonymous request for content from the provider by a user of the mobile radio network via at least one mobile terminal (2), via which a connection to the public network and a provider-side computer device (5) is established,
  • depending on the request of the user, generation by the provider of the content of an authorization request for the user of the mobile radio network, which is transmitted via the user's mobile terminal (2) to a computer device (4) of an operator of the mobile radio network,
  • depending on a check of the authorization request, creation of confirmation information and its transmission to the user's mobile terminal (2) by the computer device (4) of the operator of the mobile radio network, and
  • provision of the content for the user by the provider depending on a check of the confirmation information transmitted to the provider by the user's mobile terminal (2).

Description

  • Method and device for mobile-radio-network-based access to content that is provided in a public data network and requires a release. The invention relates to a method and a device for mobile-radio-network-based access to content that is provided by a provider in a public data network, in particular the Internet, and that requires a release.
  • On the Internet, so-called content providers offer a wide range of content, such as news, ringtones, videos, animations or games, which requires a release if a user wants to acquire it, for example in that a certain price has to be paid.
  • Depending on the type of content, other kinds of release may be required, for example if content is intended only for a specific group of persons or age group, such as the members of a professional association or persons above a certain age.
  • If a user currently wants to acquire such content, this is possible only by giving up his anonymity, for example because a credit card number must be transmitted over the network to the content provider, invoice data for billing must be given directly, or a personal login is required. Alternatively, chargeable content is billed via the mobile phone bill, for which the necessary data must in turn be transmitted to the content provider.
  • Besides the problem of lacking anonymity, and thus of consumer protection that users of the public data network sometimes perceive as insufficient, there is the problem that with the existing access via a mobile radio network the network operator must maintain extensive hardware to mediate between the different protocols of the mobile radio network on the one side and the public data network on the other. The mobile operator therefore has to provide a considerable infrastructure of gateways for protocol conversion, for example between GPRS (General Packet Radio Service), UMTS (Universal Mobile Telecommunication System) or the CSD standard (Circuit Switched Data) on the one side and the World Wide Web with the Internet Protocol on the other. For the mobile operators this entails significant costs and considerable hardware and maintenance effort. Because of these requirements, the services accessible to the user are restricted to certain content providers.
  • The object of the invention is therefore to provide a method and a device of the type mentioned that enable problem-free and secure access to a wide variety of content requiring a release, while keeping the hardware and infrastructure requirements on the mobile network operator low compared with the prior art.
  • To achieve this object, the invention provides that a method of the type mentioned at the outset has the following steps:
    • Anonymous request for content from the provider by a user of the mobile radio network via at least one mobile terminal, via which a connection to the public network and a provider-side computer device is established,
    • Depending on the request of the user, generation by the provider of the content of an authorization request for the user of the mobile radio network, which is transmitted via the user's mobile terminal to a computer device of an operator of the mobile radio network,
    • Depending on a check of the authorization request, creation of confirmation information and its transmission to the user's mobile terminal by the computer device of the operator of the mobile radio network, and
    • Provision of the content for the user by the provider depending on a check of the confirmation information transmitted to the provider by the user's mobile terminal.
  • The method according to the invention is thus very simple in terms of the hardware required for accessing data network content via mobile devices such as mobile phones. Content is provided decentrally, as a rule by several providers, for example on the Internet, and may be in different formats, such as videos or animations. The method is suitable on the one hand for multimedia content, including graphics, Flash programs, music and files in certain portable formats, and on the other for subscriptions, event purchases and pay-per-view concepts. Suitable network structures are GPRS, UMTS, WLAN (Wireless Local Area Network) and DSL (Digital Subscriber Line) networks. From the request for the content, which is made via the user's mobile device, through the final acceptance to access to the content once the provider has made it available, the user can remain anonymous, because authentication on the basis of the authorization request generated by the content provider takes place centrally at the operator of the mobile network, without the user having to give the content provider any personal information. For this purpose, messages in the form of the authorization request and the confirmation information, which may optionally be signed, are exchanged between the content provider, a consumer (that is, a user of the mobile network) and the mobile operator.
  • Online communication between the content provider and the mobile network operator is not required for the basic procedure, but may be provided where an additional verification is needed.
  • The network operator requires no gateway for the network communication, since mediating between the different protocols of the mobile network and the public data network is no longer his task. All that is required is communication between the user, who uses his mobile device such as a mobile phone, PDA or notebook for this, and the content provider, and between the user and the mobile operator. Access to the Internet or another public data network is provided to the user via the mobile network of his network operator. The user first communicates with the content provider over the Internet to find out about the content requiring a release or about other, free content. If he wants to access content that requires a release, this request and the content provider's offer are authorized via communication between the user and his network operator. In this way, even after an earlier registration, anonymous access to the specific content requiring a release remains possible.
  • The communication between the user and the provider or the mobile network operator takes place via computer devices at the provider or network operator, which are designed, for example, as a server or server cluster, where appropriate with access to various clients.
  • The content provider is thus presented with a uniform interface. The effort for portal management and special content handling is eliminated, as are platform-related restrictions on content. All transmission channels are covered, while dependencies on an operator-side core network, e.g. through Access Point Name strategies, are avoided.
  • The content requiring a release may be paid content offered by the provider, with content acquired by a user being billed by the provider via the operator of the mobile network. Billing takes place between the content provider and the network operator, so that the user remains anonymous towards the content provider despite acquiring paid content. The user therefore need not have security concerns when buying content, since it is not necessary, for example, to send a credit card number to a content provider with which the user has no experience, a transmission in which there is always the risk that the number will be intercepted. For this purpose the user can have a contract with the mobile network operator that provides, for final billing via the network operator, either cyclical invoicing (a so-called post-paid contract) or advance payment of credit (a so-called pre-paid contract).
  • The user may declare acceptance of the access to the provider's content, in particular after the authorization request has been generated and in particular on an acceptance page sent by the mobile network operator. The mobile user asks the content provider for certain content with the help of his notebook, laptop or other mobile device, whereupon the provider offers the content to the customer through an authorization request. This can be done, for example, by defining a parameter set directed to the network operator. The network operator then creates an "acceptance page"; by accepting it, the user confirms the desired access requiring a release. The user is thus given the opportunity to check the initiated process again, and can be informed of consequences such as certain costs.
  • The provider of the content advantageously holds a public key and/or an identification code provided by the operator of the mobile radio network, in particular one transmitted by means of a data connection and/or a data medium. For example, cooperation between a particular content provider and a network operator is initiated by the network operator generating a key pair, for example using the asymmetric RSA cryptosystem named after the mathematicians Rivest, Shamir and Adleman, whereupon the public key is distributed to the content providers with whom cooperation is planned. This allows those content providers to encrypt messages with the public key of the network operator. Alternatively or additionally, certain identification codes can be distributed to a number of providers, for example via secure data connections or storage media such as CD-ROMs.
  • According to the invention, the provider of the content can, depending on the user's request for the content, create a session and/or transmit to the user's device parameters such as a session identifier and/or a content identifier and/or a price for paid content and/or a timestamp and/or a reference to an authorization object of the operator of the mobile radio network, in particular a content-related URL, in particular as part of the authorization request. The content provider creates his offer, for example, by defining a parameter set within an HTTP POST action (Hypertext Transfer Protocol), which points, for example, to an authorization object in the form of a Uniform Resource Locator (URL) of the network operator. The content provider can do this by inserting a corresponding section of code into an HTML page. Further information can be included here, such as a price for paid content, the associated advertising, a timestamp, a validity period, a session ID or service ID, a content ID, and other information required or helpful for releasing the content and for securing that release.
  • The provider can store the parameters at least partially in the session context and/or in a database. This covers all types of storage, for example storage on certain media, provided the data can be made available quickly enough for a new retrieval. What matters is that the parameters can be retrieved immediately when the confirmation information of the network operator is received.
  • The provider of the content can use at least one parameter for checking the confirmation information transmitted by the user's mobile device. Optionally, the entire parameter set can be stored by the content provider in the session context or a database and used in full for a later validation of the network operator's authorization response. Where applicable, this response can be validated by means of a signature and thus checked. For example, the content provider can subsequently check whether the confirmation information delivered to him from the network operator via the user's mobile terminal correctly reproduces his identification code and the identification code of the service, or contains the name of the desired service or a URL, the price, the currency, a timestamp and an ISO-compliant date and time for the course of service usage in the correct form. A session identifier (session ID) can likewise be checked.
  • Depending on the transmission of the authorization request, the operator of the mobile network can create a session and/or verify the authenticity of the user, in particular by determining the number of the mobile terminal, where appropriate via the Internet Protocol on the basis of the IP address, and/or store a content identifier and/or a price and/or a timestamp, and/or include an authorization object, in particular a content-related URL, in the session context, and/or generate an acceptance request to the user for the access requiring a release. The mobile network operator thus establishes a session with the user, determines, for example via the Internet Protocol (IP), the user's phone number, the MSISDN (Mobile Subscriber Integrated Services Digital Network Number), and stores, for example, the content ID, the price of the service desired by the user and the like. In addition to an acceptance page, a confirmation page ("confirmation page") can be generated for the user as a request for a declaration. The content URL can be included in the session context and, after a confirmation of acceptance by the user, the session can be checked again and the session context retrieved.
  • By querying the IP address of the client in the RADIUS (Remote Authentication Dial In User Service) database, the authenticity of the user is verified before the network operator authorizes the service desired by the user. The RADIUS database holds the MSISDN of the mobile user and his currently assigned IP address.
  • After authentication has been completed successfully, the authorization object of the network operator checks the transmitted parameters of the provider's service for plausibility and validity and holds them in the session context for later processing. A content repository is used to reconcile the information. If there are deviations between the received information and the information held by the network operator for the content provider or user, the authorization process is terminated with an error message to the user. A further task of the operator of the mobile network is to check whether the credit of the mobile user, or the agreed payment method, is sufficient to use the requested content service. If the result of the check is positive, an HTML page, for example, is generated from the transmitted parameters; it informs the user about the details of the content or service requiring the release and asks him to declare acceptance.
  • In addition, the network operator can ask for a PIN (Personal Identification Number). When the mobile user declares acceptance, the authorization process at the network operator continues. This can be done, for example, by the user pressing a corresponding "Submit" button, where appropriate labelled with a customized text.
  • The operator of the mobile network can then, depending on the user's acceptance of the access requiring a release, check the session and/or access the session context and/or generate and/or transmit the confirmation information or further confirmation information, in particular an authorization token and/or a signed authorization token and/or a confirmation page. It is thus possible, for example, that after the mobile user has accepted the content provider's service offer for a paid service, the authorization object of the network operator generates a digital signature. This can be stored permanently at the mobile network operator as a record, together with the parameters already held in the session context and optionally the MSISDN of the mobile user.
  • A confirmation page can be transmitted to the mobile user or his mobile terminal; it contains, for example, the original session ID of the content provider, a token and the operator ID, that is, the name of the authorizing mobile operator. If a digital signature is used, a signed "trusted token" is transmitted, that is, a defined and coherent set of information that is considered trustworthy by virtue of the signature. The parameters recorded in the original authorization request are digitally signed; this can be done with the non-public RSA key of the mobile network operator or with another encryption mechanism. Such a signature can contain the hash value of the transferred parameters, which the content provider can subsequently validate with the public key against the data stored on his side. The mobile user confirms the confirmation page, again for example with a "Submit" button that can be labelled with a suitable text. The session ID, the trusted token and the operator ID are thereupon transmitted to the content provider. To do this, the URL of the requested content is called. The parameters are passed URL-encoded.
  • As part of checking the transmitted confirmation information, the provider can verify an authorization token. For example, the content provider receives an HTTP request that carries the session ID and a "trusted token" as the body of the HTTP POST request method. The session ID allows the content provider to retrieve, from the session context associated with this session ID, the initial parameters of the request the mobile user made at the outset. He can then use the "trusted token" to determine the authenticity and thus the validity of the request. This is preferably done by validating or verifying the digital signature in the form of the "trusted token", together with or against the original parameters, using a public key of the network operator.
  • Furthermore, the method according to the invention makes it possible to implement subscriptions to content: after a successful authorization of a service for a defined period of time, the authorization object of the network operator responds directly with the confirmation page, with the value of the token being determined from the repository and re-signed. The session ID in this case corresponds to the current session of the content provider that made the offer to the user. The authorization object then checks whether a particular date already set for the end of the usage period (validity) has been reached or exceeded. If the request lies outside the validity period, it is treated as a new request as described above.
  • The length of the keys used in the method according to the invention should not be under 2048 bits, and the public and private keys are expediently stored separately from each other. As a rule, only the public key is distributed to the multiple content providers.
  • On the basis of the authorization responses, the content provider is able to create billing lists for paid content and assign them to a network operator. The lists preferably contain at least a timestamp, the session ID used, a content ID and the price. This allows the mobile network operator to match them to the database or repository entries which, as his own records, form the basis of billing. Assignment to the individual customers or users is possible via the MSISDN. Advantageously, the data sets of the mobile network operator form the basis for billing with the content provider. The user remains anonymous to the content provider.
  • The communication between the user's mobile device and the provider of the content and/or between the user's mobile device and the operator of the mobile network can be based on HTTP, the protocol of the WWW. The Hypertext Transfer Protocol available on the World Wide Web is thus expediently used. It is, however, also possible to use other protocols, with widely used protocols being preferred.
  • For the transmission of information between the user's mobile terminal and the provider of the content and/or between the user's mobile terminal and the operator of the mobile network, the language HTML can be used, in particular in the form of parameters in HTML and/or as a web service call from an HTML page, and/or web service calls based on the SOAP protocol, in particular from an application and/or an API and/or HTML pages. The information can thus be transferred, for example, via parameters in the Hypertext Markup Language (HTML) that are embedded accordingly. Web service calls according to the Simple Object Access Protocol (SOAP) are also conceivable. Such calls can be made from an application or an application programming interface (API) as well as from HTML pages. Other kinds of information transmission are conceivable, in particular the use of further-developed hypertext languages.
  • According to the invention, a mobile phone and/or a PDA and/or a notebook can be used as the mobile terminal. A PDA is a so-called personal digital assistant, that is, a small handheld computer. The list of mobile terminals is not to be understood as exhaustive; the only decisive factor is that there is access to a mobile network of the mobile network operator such that access to a public data network is possible for retrieving Internet-based offers, mobile-network-based offers or other data network offers. The mobile terminal can also be a combination of a notebook or laptop with a mobile phone that establishes the connection to the mobile network.
  • All in all is so with the inventive method a log available provided access to or acquisition of content requiring content with mobile devices and devices like cell phones and the like allows. This method may involve elaborate hardware structures mobile network operators, in particular complex gateways, be waived. In addition, there is a high level of security through the described authentication procedures. For example, like this called man-in-the-middle attacks through the use of protected connections like SSL / TLS connections (SSL - Secure Sockets Layer, TLS - Transport Layer Security) are prevented. Replay attacks are through the temporary one Generation of the session ID and the coupling of the access information virtually impossible for this ID. The respective session becomes irrevocably destroyed after the delivery of the content.
  • With the asymmetric RSA method, reproducing a token is only possible if the attacker gains possession of the secret, non-public key. However, this is usually effectively prevented by adhering to the retention rules.
  • The user of the content remains anonymous to the content provider. Identification is not possible because no personal information, such as the MSISDN, and no recurring information, such as fixed IDs or the like, is transmitted to the content provider.
  • In order to be able to perform, for example, billing and a successful release, the content provider must be registered with the network operator. This makes a plausibility check of the transmitted data possible, so that manipulations are detected immediately and the authorization process can then be aborted. However, the content provider is only able to identify that the user belongs to a particular network operator; the anonymity is otherwise preserved.
  • The information relevant for the content is held by the provider of the content and is not bound to the optionally transmitted "trusted token", so that the content provider can detect manipulations and, if necessary, prevent the delivery of the content. In addition, the billing data of the content provider is compared with the authorization records of the mobile network operator, so that false data can be detected and sorted out.
  • The method according to the invention is thus a very secure procedure for using a public data network with the help of a mobile network.
  • Data management is largely decentralized, and the possibility of parameter matching means that manipulations are usually noticed. The authorization token and further confirmation information can be matched, for example, via a signature process.
  • The authorization system of the mobile network operator is only accessible within the operator's GPRS or UMTS network and has no access from the Internet, so that attacks are unlikely.
  • Should manipulations against the authorization system nevertheless occur, they are bound to a user and thus to a specific SIM card (SIM - Subscriber Identity Module). Accordingly, the affected customers can be blocked. Blocking is also possible if SIM cards have been lost or stolen.
  • Furthermore, the invention relates to a device for mobile radio network-based access to content that is provided by a provider in a public data network, in particular the Internet, and requires release, and, if applicable, for billing of the access, comprising at least one mobile terminal of a user of the mobile network and computer devices on the part of the provider of the content and of the operator of the mobile network, designed for carrying out the method described above.
  • With the device according to the invention it is possible to receive or acquire content that requires payment, whose acquisition is limited to certain groups of people, or that requires, for example, registration, without the content provider being able to assign a specific retrieval of the content to a particular user. Transmission of credit card information and the like is not required. In addition, the previously required gateways that mediate between the core system of the mobile operator and the World Wide Web are no longer necessary.
  • The basic components of the device, i.e. the mobile terminal and the computer devices as well as the communication and information paths, are designed so that the protocol described above can run on this hardware. The content provider offers Internet content such as news, ringtones and the like via its computer device. The user has a mobile terminal with access to the mobile network of the mobile network operator and consumes mobile-network-related, internet-based offers; where payment is required, prepaid credit or billing contracts exist. The mobile network operator has the infrastructure for authentication, authorization and billing of mobile services towards the customer and for providing additional services such as geo-position data, messaging services, various media services, etc. The computer device of the mobile network operator also has a connection to the RADIUS database, which allows the user to be identified. With the help of the device according to the invention, technically simple and very secure access to content in public data networks such as the Internet is possible via a mobile network.
  • In detail, further components of the device according to the invention, as is clear from the description of the procedure, are an authorization handler, logging and reporting, a service handler, if necessary a statistics handler, administration, a security handler, an error handler, a presentation handler, customer service, if necessary a revenue handler, as well as monitoring and, if necessary, a call or business process handler.
  • Further advantages, features and details of the invention will become apparent from the following embodiments and from the drawings, which show:
  • Fig. 1 a sketch of the construction of a device according to the invention,
  • Fig. 2 the communication relationships in a method according to the invention,
  • Fig. 3 a flowchart of the authorization of a user,
  • Fig. 4 a flowchart of the authorization of a content, and
  • Fig. 5 a flowchart of the validation of a digital signature in a method according to the invention.
  • Fig. 1 is a sketch of the construction of a device 1 according to the invention. In addition to the mobile terminal 2 of a user 3, computer devices 4 and 5 are provided; computer device 4 is the computer device of the operator of the mobile network, while computer device 5 is associated with a content provider. The representation of the device 1 according to the invention shows one mobile terminal 2, one computer device 4 and one further computer device 5. Of course, as a rule there are further mobile terminals 2, not shown here, belonging to other users 3 of the mobile network, and the users 3 can access content from other content providers, each with their own computer devices 5. Likewise, the mobile terminals 2 can of course be approved for different mobile network operators, or some terminals can be operated in other mobile networks, so that in this case several computer devices 4 are present. Communication between the mobile terminal 2 and the computer device 4 of the operator of the mobile network takes place via the mobile network 6; only for communication between the mobile terminal 2 and the computer device 5 of the content provider is the Internet 7 accessed as a public data network.
  • In the embodiment, communication between the mobile terminal 2 and the computer device 4 of the operator of the mobile network takes place optionally via HTTP or as a web service call. Communication between the content provider and the user 3 takes place between the computer device 5 and the mobile terminal 2 via HTTP, with the information being transmitted via parameters in HTML.
  • Requests from the user of the mobile terminal 2 are authorized with the help of tokens, which are digitally signed by the computer device 4 of the mobile network operator and transmitted via the mobile terminal 2 to the content provider, so that its computer device 5 is able to validate the signature. This enables secure content delivery and later secure billing.
  • Fig. 2 shows the communication relationships in a method according to the invention. Box 8 symbolizes a user, box 9 the content provider and box 10 the mobile network operator. Before the user represented by box 8 requests the content, the mobile network operator distributes a public key to the content provider (box 9).
  • The mobile user 8 then requests content from the provider using his mobile terminal. The request for the content remains anonymous. The content provider then, as indicated here by box 11, creates a session, supplies a content ID and transmits further parameters such as the price, a timestamp and a content URL in order to offer the user the content secured via an authorization request. The corresponding data is transmitted as part of the authorization request to the mobile terminal of the user, shown here by box 12. The mobile terminal forwards the authorization request to the mobile network operator, as shown by box 13. The mobile network operator generates a session and checks the authenticity of the mobile user on the basis of the client IP address, using a query against a database in which the MSISDN of the mobile user and his currently assigned IP address are stored. In addition, the mobile network operator stores the content ID, the price and the URL and, if necessary, further parameters. Finally, in a step that also belongs to box 13, an acceptance page is generated and transmitted to the mobile user.
  • On this acceptance page, the mobile user, if he wants to buy or receive the content under the stated conditions, declares his acceptance, which is in turn forwarded to the mobile network operator, who receives it, as represented here by box 14. The mobile network operator then checks the session and accesses the session context. The mobile network operator also creates a token that serves the content authorization process. The token is digitally signed to become a "trusted token". A confirmation page is also created for the user, whereupon the user (box 12) requests the content from the content provider, represented by box 15. With the content request according to box 15, the content provider receives the signed token, which it then validates with the help of its public key. After successful validation, the content provider delivers the content to the user.
  • Finally, for fee-based content, the content is billed between the content provider and the mobile network operator, as illustrated here by boxes 16 and 17; for this purpose the mobile user has credit or a contractual billing arrangement with the mobile network operator that allows this type of billing. For the content provider, the user is anonymous throughout the process, so there is a high level of security.
  • Fig. 3 shows a flowchart of the authorization of a user. In step N1, a request first reaches the operator of the mobile network, which triggers the verification of the user's authenticity that is required before a service is authorized. For this purpose, the mobile network operator determines in step N2 the phone number of the mobile user (MSISDN) from the RADIUS database. In step N3, after the MSISDN has been determined using the IP address, the parameters of the authorization request forwarded by the content provider are determined. These parameters are checked for plausibility and validity in step N4, after the authentication has been successfully completed in step N2. The parameters are also held in the session context for later processing. This data is compared with a content repository; if the data differs from that deposited with the operator of the mobile network, the authorization process is aborted with an error message, here by generating an error page according to step N5.
  • In step N6, a credit check is performed for the user of the mobile network. If the user has only insufficient credit, which does not allow him to access the desired, in this case paid, content, an error page indicating the credit problem is generated according to step N5. Insufficient credit thus also causes the authorization process to be aborted.
  • In step N7, the parameters are stored in the session context; then, in step N8, an acceptance page is created for the user, on which the important information concerning the desired content access is presented to him again and can be confirmed. Authentication thus ends with informing the user of the details of the desired service and obtaining the user's consent to the subsequent content acquisition.
  • Fig. 4 shows a flowchart of the authorization of a content. The authorization of the content is initiated with a request in step C1, triggered for example by operating a "submit" button on an acceptance page presented to the user. In step C2, the user's acceptance is checked; if an abort by the user is detected, a page indicating this abort is created according to step C3, after which the method is aborted.
  • If the check of the user's acceptance in step C2 is positive, a signature is created in step C4, and in step C5 data is stored such that the digital signature created in step C4, together with the parameters held in the session context and the MSISDN, is permanently stored as a record at the operator of the mobile network. Finally, in step C6, a confirmation page is created for the user. The confirmation page according to step C6 contains the session information of the content provider and the signature of the parameters of the content provider.
  • Fig. 5 shows a flowchart of the validation of a digital signature in a method according to the invention. For this purpose, the content provider receives a request in accordance with step V1, which is transmitted via the mobile terminal of the user and contains the session ID and a "trusted token". The request according to step V1 is an HTTP request. In step V2, the content provider determines the session ID, from which it can use the session context to find the parameters of the original request in its stored data. This is done in step V3. According to step V4, the content provider takes the "trusted token" of the operator of the mobile network and, in step V5, verifies the signature using the public key of the network operator. If validating the "trusted token" against the original parameters results in an error, a corresponding information page is created for the user in step V6, indicating that the content cannot be delivered because of the error that has occurred. Otherwise, the content is delivered in accordance with step V7.
  • The user thus receives the desired content by a very secure procedure, without disclosing data that may represent a security risk.
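The signing and validation steps described above (C4 to C6 at the operator, V1 to V7 at the content provider), together with the one-time session that defeats replay, can be sketched as follows. This is an added example, not code from the patent or its applicant; the type and function names, the length-prefixed parameter encoding, the choice of RSA PKCS#1 v1.5 with SHA-256 and all sample values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthRequest carries the parameters named in the description.
type AuthRequest struct {
	SessionID, ContentID, Price, Timestamp, URL string
}

// digest hashes a length-prefixed field encoding (format assumed for this example).
func (r AuthRequest) digest() []byte {
	h := sha256.New()
	for _, f := range []string{r.SessionID, r.ContentID, r.Price, r.Timestamp, r.URL} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// Operator is the mobile network operator, holder of the private RSA key.
type Operator struct{ key *rsa.PrivateKey }

func NewOperator() (*Operator, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Operator{key: key}, nil
}

// SignToken produces the "trusted token" over the parameters the operator received.
func (o *Operator) SignToken(r AuthRequest) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, o.key, crypto.SHA256, r.digest())
}

// Provider is the content provider. It only ever holds the public key.
type Provider struct {
	operatorKey *rsa.PublicKey
	sessions    map[string]AuthRequest
}

func NewProvider(pub *rsa.PublicKey) *Provider {
	return &Provider{operatorKey: pub, sessions: map[string]AuthRequest{}}
}

var (
	ErrNoSession = errors.New("unknown or already consumed session")
	ErrBadToken  = errors.New("token does not match stored parameters")
)

func (p *Provider) Open(r AuthRequest) { p.sessions[r.SessionID] = r } // session context

// Deliver follows steps V1 to V7: look up the session, verify the token against
// the provider's OWN copy of the parameters, then destroy the session.
func (p *Provider) Deliver(sessionID string, token []byte) error {
	stored, ok := p.sessions[sessionID]
	if !ok {
		return ErrNoSession
	}
	if rsa.VerifyPKCS1v15(p.operatorKey, crypto.SHA256, stored.digest(), token) != nil {
		return ErrBadToken
	}
	delete(p.sessions, sessionID) // one-time session: a replayed token finds nothing
	return nil
}

func main() {
	op, err := NewOperator()
	if err != nil {
		panic(err)
	}
	prov := NewProvider(&op.key.PublicKey)
	// Constructed sample values.
	req := AuthRequest{"s-4711", "ringtone-17", "1.99", "2005-12-22T10:00:00Z", "https://provider.example/c/17"}
	prov.Open(req)
	forged := req
	forged.Price = "0.01" // parameter altered on the way to the operator
	bad, _ := op.SignToken(forged)
	good, _ := op.SignToken(req)
	fmt.Println("altered price:", prov.Deliver(req.SessionID, bad))
	fmt.Println("genuine token:", prov.Deliver(req.SessionID, good))
	fmt.Println("replayed token:", prov.Deliver(req.SessionID, good))
}
```

Because the provider hashes its stored parameters rather than anything carried with the token, a validly signed token over altered parameters still fails verification.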

Claims (14)

  1. A method for mobile radio network-based access to content that is provided by a provider in a public data network, in particular the Internet, and requires release, comprising the following steps: - anonymous request of a content from the provider by a user of the mobile network via at least one mobile terminal, via which a connection to the public data network and a provider-side computer device is established, - depending on the request of the user, generation of an authorization request by the provider of the content for the user of the mobile network, which is transmitted via the mobile terminal of the user to a computer device of an operator of the mobile network, - depending on a check of the authorization request, creation of confirmation information and its transmission to the mobile terminal of the user by the computer device of the operator of the mobile network, and - provision of the content for the user by the provider depending on a check by the provider of the confirmation information transmitted from the mobile terminal of the user.
  2. Method according to claim 1, characterized in that the content requiring release is paid content offered by the provider, with content acquired by a user being billed by the provider via the operator of the mobile network.
  3. Method according to one of the preceding claims, characterized in that the user, in particular after the generation of the authorization request, declares acceptance of the access to the content of the provider, in particular on an acceptance page transmitted by the mobile network operator.
  4. Method according to one of the preceding claims, characterized in that a public key and/or an identification code provided by the operator of the mobile network is available to the provider of the content, in particular a public key and/or identification code transmitted by means of a data connection and/or a data medium.
  5. Method according to one of the preceding claims, characterized in that the provider of the content, depending on the request for the content by the user of the mobile network, generates a session and/or transmits to the user's terminal parameters such as a session identifier and/or a content identifier and/or a price for paid content and/or a timestamp and/or a reference to an authorization object of the operator of the mobile radio network, in particular a content-related URL, in particular as part of the authorization request.
  6. Method according to claim 5, characterized in that the parameters are stored by the provider at least partially in the session context and/or in a database.
  7. Method according to one of claims 5 or 6, characterized in that the provider uses at least one parameter for checking the confirmation information transmitted by the user's mobile terminal.
  8. Method according to one of the preceding claims, characterized in that the operator of the mobile network, depending on the transmission of the authorization request, generates a session and/or verifies the authenticity of the user, in particular by determining the number of the mobile terminal, if necessary via the Internet Protocol (IP) address, and/or stores a content identifier and/or a price and/or a timestamp and/or an authorization object, in particular a content-related URL, in the session context, and/or generates an acceptance request for the user for the access requiring release.
  9. Method according to one of the preceding claims, characterized in that the operator of the mobile network, depending on the user's acceptance of the access requiring release, checks the session and/or accesses the session context and/or generates and/or transmits the confirmation information and/or further confirmation information, in particular an authorization token and/or a signed authorization token and/or a confirmation page.
  10. Method according to one of the preceding claims, characterized in that the provider, as part of the check of the transmitted confirmation information, verifies an authorization token.
  11. Method according to one of the preceding claims, characterized in that the WWW protocol HTTP is used for communication between the user's mobile terminal and the provider of the content and/or between the user's mobile terminal and the operator of the mobile network.
  12. Method according to one of the preceding claims, characterized in that, for the transmission of information between the user's mobile terminal and the provider of the content and/or between the user's mobile terminal and the operator of the mobile network, the HTML language is used, in particular in the form of parameters in HTML and/or as a web service call from an HTML page, and/or web service calls based on the SOAP protocol are used, in particular from an application and/or an API and/or HTML pages.
  13. Method according to one of the preceding claims, characterized in that a mobile telephone and/or a PDA and/or a notebook is used as the mobile terminal.
  14. Device (1) for mobile radio network-based access to content that is provided by a provider in a public data network, in particular the Internet, and requires release, and, if applicable, for billing the access, comprising at least one mobile terminal (2) of a user (3) of the mobile network and computer devices (4, 5) on the part of the provider of the content and of the operator of the mobile network, designed for carrying out the method according to any one of the preceding claims.
DE102005062061A 2005-12-22 2005-12-22 Method and apparatus for mobile radio network-based access to content provided in a public data network and requiring a release Expired - Fee Related DE102005062061B4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE102005062061A DE102005062061B4 (en) 2005-12-22 2005-12-22 Method and apparatus for mobile radio network-based access to content provided in a public data network and requiring a release

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102005062061A DE102005062061B4 (en) 2005-12-22 2005-12-22 Method and apparatus for mobile radio network-based access to content provided in a public data network and requiring a release
PCT/EP2006/008871 WO2007079792A1 (en) 2005-12-22 2006-09-12 Method and device for mobile radio network-based access to content that requires release and is provided in a public data network

Publications (2)

Publication Number Publication Date
DE102005062061A1 (en) 2007-06-28
DE102005062061B4 (en) 2008-01-10

Family

ID=37730383

Family Applications (1)

Application Number Title Priority Date Filing Date
DE102005062061A Expired - Fee Related DE102005062061B4 (en) 2005-12-22 2005-12-22 Method and apparatus for mobile radio network-based access to content provided in a public data network and requiring a release

Country Status (2)

Country Link
DE (1) DE102005062061B4 (en)
WO (1) WO2007079792A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572714B (en) * 2009-05-23 2012-11-21 华为终端有限公司 Content assessment method, device and system therefor
AT517151B1 (en) * 2015-04-24 2017-11-15 Alexandra Hermann Ba Method for authorizing access to anonymously stored data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000065493A2 (en) * 1999-04-22 2000-11-02 Cloakware Corporation Delegation billing
US20040098625A1 (en) * 2001-05-11 2004-05-20 Roger Lagadec Method for transmitting an anonymous request from a consumer to a content or service provider through a telecommunication network
US20040230649A1 (en) * 2002-09-24 2004-11-18 Jean-Philippe Wary Method for the production of a first identifier isolating a user connecting to a telematics network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2372344A (en) * 2001-02-17 2002-08-21 Hewlett Packard Co System for the anonymous purchase of products or services online
EP1256864A1 (en) * 2001-05-09 2002-11-13 IP-Control GmbH Clearing network for controlling premium anonymous internet sessions
ES2242499B1 (en) * 2003-06-26 2006-10-01 Vodafone España, S.A. System and method for anonymous access to a service offered at a determined internet address (url) and module for the system.

Also Published As

Publication number Publication date
DE102005062061B4 (en) 2008-01-10
WO2007079792A1 (en) 2007-07-19

Legal Events

Date Code Title Description
OP8 Request for examination as to paragraph 44 patent law
8327 Change in the person/name/address of the patent owner

Owner name: CYBER-DYNAMIX GESELLSCHAFT FUER SYSTEMINTERATI, DE

8364 No opposition during term of opposition
R119 Application deemed withdrawn, or ip right lapsed, due to non-payment of renewal fee