EP1208715A1 - GSM security system for packet data networks - Google Patents

GSM security system for packet data networks

Info

Publication number
EP1208715A1
Authority
EP
European Patent Office
Prior art keywords
user
authentication
pdn
server
access
Prior art date
Legal status
Withdrawn
Application number
EP00959088A
Other languages
German (de)
English (en)
Inventor
José Luis MARIZ RIOS
José Luis RUIZ SANCHEZ
Current Assignee
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB
Publication of EP1208715A1
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • G06F21/43 User authentication using separate channels for security data wireless channels
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425 Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/08 Access security

Definitions

  • the present invention relates generally to methods and apparatus for providing security for packet data networks and more particularly to methods and apparatus that apply GSM security principles to authenticate users who are requesting access to packet data networks.
  • a private network is typically a network in which access to host sites of the private network is limited to authorized users.
  • security procedures, including authentication procedures, are carried out to ensure that only authorized users from authorized hosts can gain access to the private network. For example, when a user requests access to a host site of the private network from a remote location, the user must be authenticated before the user is granted access to the host site.
  • Kerberos is a security system for client/server computing.
  • a password may be generated at a remote site, which is requesting access to a host site of the private network.
  • Some systems utilize either symmetric or asymmetric cryptographic techniques to create and authenticate the password, which will be described in detail later.
  • the continuous development of PDNs has generated a wide range of computer services.
  • the services are restricted to a number of users.
  • the services are dynamically accessed on a commercial basis, i.e., the users pay to utilize the services.
  • the users must authenticate themselves using a service provision system of a service provider before they can gain access to the desired services.
  • the service provider ensures that only users entitled to access the services can do so.
  • SIM Subscriber Identity Module
  • the SIM contains subscriber information including, for instance, data used to permit the MS to gain access to the network infrastructure of the GSM cellular communication system.
  • the SIM participates in the authentication of the user and in the subsequent encryption, if any, of a radio communication.
  • a user identity authentication operation verifies that service is provided only to a limited and controllable set of users, whereas the authorization operation verifies that a limited and controllable set of resources are provided to the proper users.
  • getting access to a network is similar to getting access to any particular application server in the sense that it requires a client opening a session with a specific server, e.g., the access server.
  • the access session embraces all other possible sessions with different servers, and it is a requirement prior to any interaction with a server in the network.
  • Each server can have its own procedures for authenticating and authorizing users.
  • Weak authentication and strong authentication are two commonly known types of authentication. Both weak and strong authentication may use known authentication security methods such as: a token (e.g., a unique combination of bits), a password (e.g., a secret character string), or biometric information (e.g., fingerprint, voice print, retinal scan, etc.).
  • Weak authentication is referred to as single-factor authentication, because it uses a single method to authenticate a user.
  • Weak authentication also encompasses techniques including traditional static passwords and one-time passwords. Static passwords, however, can be broken by software programs, including keyboard strike monitoring programs, cracking programs for guessing, and network sniffing programs.
  • Static passwords can be protected from the above-mentioned software programs by generating a one-time password (one per session) that cannot be calculated from previous passwords, i.e., introducing a pseudo-random sequence as a calculation factor.
  • the one-time password is generated from a "real" password that would never be transmitted over the network (a shared secret between the user and the network). Strong authentication is referred to as two-factor authentication. Strong authentication is safer than weak authentication because it authenticates the user by using two methods, normally a token and a password.
  • Systems that generate one-time pass-codes from a token and a password are already available in the market, such as Security Dynamics' SecurID, Safeword's Safeword DES Gold Card and Digital Pathway's
  • the token may be a hardware device and the password may be a Personal Identification Number (PIN) code to access the hardware device.
  • PIN Personal Identification Number
  • Strong authentication still can be made safer, for example, by introducing explicit authentication, where the network generates a random factor as input to the user's password generation operation (this is known as the network challenging the user).
  • the life cycle of the pass-code can be very short, e.g., 1 minute, therefore implementing a continuous authentication process as the session goes on.
  • more sophisticated keys and algorithms can be used. The most commonly used authentication procedures are based on identity/password methods. Most advanced systems utilize one-time passwords and token-based methods. However, those implementations have limitations. For example, static login/password methods provide weak security. Additionally, strong authentication methods require a user to hold additional devices, i.e., token devices. Some strong authentication mechanisms require specific hardware, e.g., smartcard readers. Furthermore, some strong authentication methods require specific hardware and software configurations that result in an administrative burden. Accordingly, lack of flexibility of the token devices creates further problems with strong authentication methods.
  • GSM security principles to authenticate users in PDNs in order to improve security in accessing private service networks as well as specific services and applications of such private service networks.
  • PLMN Public Land Mobile Network
  • a communication system for authenticating a user requesting access to a PDN comprises a PLMN connected to the PDN.
  • a remote host is connected to the PDN via an access network.
  • a mobile station may be coupled to the PLMN via a wireless link.
  • In response to the user requesting access to the PDN, the PDN generates and sends an authentication token over an unsecured or secured communication channel to the user via the access network and the remote host.
  • the user sends the authentication token back to the PDN over a secured channel of the PLMN, wherein the PDN compares the authentication tokens to determine whether to grant the user access to the PDN.
  • a communication system has an e-commerce server that authenticates a user when performing an e-commerce transaction.
  • a user who wishes to perform an e-commerce transaction sends a request to the PDN.
  • the PDN generates an authentication token.
  • a payment server that handles the charging aspect for an e-commerce application is contacted.
  • the authentication token is sent to the user from the PDN via an access network using an unsecured or secured communication line.
  • the user sends the authentication token back to the PDN via a secured communication channel over a PLMN.
  • the authentication token that was sent to the user is compared to the authentication token that is sent by the user to the PDN to determine whether the user is authorized to proceed.
  • the communication system also has an authentication server that communicates with the payment server to charge the user for the e-commerce transaction. Additionally, billing information may be sent to a billing system of the PLMN.
  • FIG. 1 is a block diagram that illustrates a communication system according to an exemplary embodiment of the present invention
  • FIG. 2 is a block diagram that illustrates a mobile station structure according to an exemplary embodiment of the present invention
  • FIG. 3 is a block diagram that illustrates a method of authenticating a user according to an exemplary embodiment of the present invention
  • FIG. 4 is a flow chart that illustrates a method of communicating between Mobile Equipment (ME) and the SIM of a MS according to an exemplary embodiment of the present invention
  • ME Mobile Equipment
  • FIG. 5 is a block diagram that illustrates a communication system for authenticating the user when accessing a PDN in a dial-up scenario according to another exemplary embodiment of the present invention
  • FIG. 6 is a message sequence chart illustrating a method of authenticating a user according to another exemplary embodiment of the present invention.
  • FIG. 7 is a block diagram that illustrates a communication system for authenticating the user when performing e-commerce transactions according to an exemplary embodiment of the present invention
  • FIG. 8 is a message sequence chart that illustrates a method of authenticating the user when performing e-commerce transactions according to an exemplary embodiment
  • FIG. 9 is a block diagram that illustrates a communication system that uses Unstructured Supplementary Service Data (USSD) according to an exemplary embodiment of the present invention
  • FIG. 10 is a message sequence chart that illustrates a method of authenticating a user in a network scenario using USSD according to an exemplary embodiment of the present invention
  • FIG. 11 is a block diagram that illustrates a communication system that uses a Wireless Application Protocol (WAP) according to an exemplary embodiment of the present invention.
  • WAP Wireless Application Protocol
  • FIG. 12 illustrates a method of authenticating a user in the communication system shown in FIG. 11.
  • FIG. 1 is a block diagram that illustrates a communication system according to an exemplary embodiment of the present invention.
  • the communication system comprises a PLMN 22, a PDN 24, an access network 26, a remote host 32 and a MS 68.
  • the PDN 24 may be connected to access network 26 via communication links (not shown).
  • Access network 26 may be connected to the remote host 32 via a communication link 30.
  • the PLMN 22 comprises a Base Transceiver Station (BTS) 36 connected to a Base Station Controller (BSC) 38 via a communication link 40.
  • BTS Base Transceiver Station
  • BSC Base Station Controller
  • a Mobile Switching Center/Visitor Location Register (MSC/VLR) 42 may be connected to both the BSC 38 and a Short Message Service Center (SMS-C) 44 via communication links 46 and 48, respectively.
  • SMS-C Short Message Service Center
  • a Home Location Register (HLR) 50 may be connected to the MSC/VLR 42 and an Authentication Center (AuC) 52 via communication links 54 and 56, respectively.
  • HLR Home Location Register
  • the PDN 24 comprises an authentication server 58 connected to an authenticating entity 60 via a communication link 62.
  • a WAP server 76 may be connected to the authentication server 58 via communication link 78.
  • the authentication server 58 may be connected to the SMS-C 44 via communication link 72.
  • the detailed aspects of this connection are not critical to the present invention, and therefore are not shown. However, the connection depends on the type of connection (e.g., X.25, IP) and the security mechanisms in place (e.g., IPsec tunnel servers, routers, firewalls).
  • the HLR 56 may be connected to the authentication server 58 via communication link 74.
  • the MS 68 communicates with the PLMN 22 via a wireless connection, shown as radio link 70.
  • the PLMN 22 may be constructed according to the Global System for Mobile Communication (GSM) standard described in European Telecommunication Standard Institute (ETSI) documents ETS 300 573, ETS 300 574 and ETS 300 578, which are hereby incorporated by reference.
  • GSM Global System for Mobile Communication
  • ETSI European Telecommunication Standard Institute
  • the BTS 36 receives uplink signals generated by the MS 68 via the radio link 70.
  • the BTS 36 generates downlink signals to transmit to the MS 68 via the radio link 70.
  • the BTS 36 also communicates with the BSC 38, which controls the operation of a group of base stations (not shown).
  • the HLR 50 contains subscription and location information regarding subscribers to the communication system. The HLR 50 is thus used to identify/verify a subscriber. The HLR 50 also contains subscriber data relating to features and services of the communication system available to the subscriber.
  • the AuC 52 handles the security functionality for the PLMN 22. The AuC 52 stores the subscriber's private keys and applies A3 (authentication) and A5 (ciphering/deciphering) security algorithms.
  • the A3 and A5 security algorithms are described in ETSI document ETS 300 929, which is hereby incorporated by reference.
  • the A3 and A5 algorithms are also specified in appendix C of ETS 300 534, which is hereby incorporated by reference.
  • the SMS-C 44 receives messages generated at the PDN 24 via the communication link 72.
  • the SMS-C 44 packs the received messages into Short Message Service (SMS) messages.
  • SMS messages are transmitted as defined in the corresponding GSM standard specification and thus will not be further described herein.
  • the remote host 32, e.g., a personal computer or laptop computer, contains conventional client software for remote access to the PDN 24, such as Microsoft's Internet Explorer, America On-Line's Netscape Navigator, etc.
  • the PDN 24 comprises many hosts (not all shown).
  • the authenticating entity 60 is responsible for ensuring that only authorized users are given access to resources in the PDN 24. These resources may include applications or content within applications.
  • the PDN 24 and the access network 26 may be connected through intermediate PDNs, e.g., ISP, Intranets.
  • the access network 26 may be a cellular network, and thus would link the remote host 26 to the NAS/Router 64 via conventional wireless methods.
  • the authentication server 58 may be connected to the PLMN 22 via an intermediate gateway system.
  • the authentication server 58 provides authentication service to the PDN 24.
  • the authentication server 58 generates an authentication token for each access request and handles the dialogue with the authentication application in a processing device (not shown) of the MS 68.
  • the processing device will be described in detail later with the description of FIG. 2.
  • the authentication server 58 validates the response from the processing device.
  • the authentication server 58 communicates the result of the authentication process to the authenticating entity 60. Any possible encryption of communication between the processing device and the authentication server 58 requires that the corresponding algorithms and key values be stored in the authentication server 58. If the GSM security scheme is re-used, the authentication server 58 will neither store the keys itself nor calculate the authentication algorithms, rather it will obtain the necessary values from the corresponding AuC 52 in the GSM network.
  • the authentication server 58 is responsible for establishing the corresponding dialogue with a payment server (not shown) and forwarding the necessary information (e.g., prices) from the authenticating entity to the payment server.
  • the authenticating entity 60 invokes the appropriate mechanisms, e.g., protocols or application programming interfaces, to request authentication from the authentication server 58.
  • the authenticating entity 60 forwards an authentication token to the remote host 32 and processes the outcome of the authentication process.
  • the authenticating entity 60 requests user authentication via the authentication server 58.
  • the authentication request includes the additional information.
  • the authenticating entity 60 and the authentication server 58 may be located in different PDNs, provided they are linked by a secure data channel, e.g., an IPsec tunnel.
  • FIG. 2 is a block diagram of a mobile station structure and the network environment interacting with it in a scenario using SMS, according to an exemplary embodiment of the present invention.
  • the mobile station structure (MS) 80 comprises a SIM 90 and ME 92.
  • the network environment comprises a PLMN 82, and an authentication server 84.
  • the PLMN 82 in turn, comprises a SMS-C 86 that may be connected to the authentication server 84 via communication link 88.
  • the ME 92 comprises a keypad 102 and a display 104.
  • the SIM 90 comprises a SIM operating system (SIM OS) 96, a GSM part 98, a SIM Application Toolkit (STK) 100 and a processing device (AUTH-APP) 108
  • SIM OS SIM operating system
  • STK SIM Application Toolkit
  • AUTH-APP a processing device
  • the ME 92 and the SIM 90 communicate with each other via a communication link
  • the SIM 90 may be a "smart" card installed into the MS 80 and contains subscriber information including, for instance, data used to permit the MS 80 to gain access to the network infrastructure of the GSM communication system.
  • the SIM 90 participates in the authentication of the user and in the subsequent encryption of the radio communication, if any.
  • the MS 80 communicates with the PLMN 82 via a wireless communication link, shown as radio link 106.
  • the SIM 90 is compliant with the standards of ISO/IEC 7816 and GSM 11.14
  • GSM 11.14 defines the interface between the SIM 90 and the
  • the AUTH-APP 108 is a framework for enabling the applications existing in the SIM 90 to interact and operate with the ME 92. For example, interactions include displaying messages on the display 104, obtaining a user's input from the keypad 102 and sending and receiving short messages via the radio link 106.
  • the SIM OS 96 provides for the execution and management framework for the GSM application that handles the conventional GSM functionality. Together with it, the STK 100 provides the environment for all kinds of applications like the AUTH-APP 108.
  • the AUTH-APP 108 handles the communication with the authentication server 84 through a secure channel (not shown). When the AUTH-APP 108 receives an authentication request from the authentication server 84 via the PLMN 82, it instructs the MS 80 to request an authentication token.
  • the AUTH-APP 108 sends the authentication response containing the authentication token back to the authentication server 84 via the PLMN 82.
  • the execution of the authentication application performed by the AUTH-APP 108 may be protected by a PIN code. Any possible encryption of the communication between the AUTH-APP 108 and the authentication server 84 requires that the corresponding algorithms and key values be stored in the AUTH-APP 108.
  • a higher security level can be achieved by the use of end-to-end encryption in the communication path between the MS 80 and an authentication server 84. Encryption takes place at the application level between the AUTH-APP 108 of the MS 80 and the authentication server 84.
  • Encryption of the data contents exchanged by the MS 80 and the authentication server 84 can be achieved according to either symmetric encryption or asymmetric encryption.
  • a secret key is shared between the AUTH-APP 108 of the SIM 90 and the authentication server 84.
  • the secret key is used to encrypt the data at the MS 80 and the authentication server 84.
  • the secret key for channel encryption is also called the ciphering key
  • Each user is assigned an individual secret key when the user signs up for the services. The user keeps the same key, unless the secret key has to be updated.
  • the user authentication is enhanced by challenging the user's individual secret key stored in the SIM 90. This is done by standard GSM authentication methods from the authentication server 84 and thus will not be described further herein.
  • the authentication server 84 is connected to the GSM core network to access the security information from an AuC (not shown) of the PLMN 82.
  • the authentication server 84 does not need to run the GSM encryption algorithm or store the user's secret key.
  • the authentication server 84 may retrieve random number (RAND) and signed response (SRES) pairs for the user from the AuC
  • RAND random number
  • SRES signed response
  • the AUTH-APP 108 in the SIM 90 can re-use the GSM security information (key and algorithm); it will use the A3 algorithm to obtain the SRES from the RAND and the individual secret key stored in the SIM 90.
  • FIG. 3 illustrates a method of authenticating a user according to an exemplary embodiment of the present invention.
  • a communication system comprises a remote host 116, an access network 118, a PLMN 120, MS 122, and a PDN 110, which comprises an authenticating entity 112 and an authentication server 114.
  • the method begins at step 124 where a user initiates an operation request to connect the remote host 116 to the PDN 110 via the access network 118.
  • authenticating entity 112 communicates with the authentication server 114 via a secure packet data connection (not shown) and requests the authentication of the user trying to gain access to the PDN 110.
  • the authentication server 114 provides the authenticating entity 112 with an authentication token (not shown).
  • the authenticating entity 112 transmits the authentication token to the remote host 116 via the access network 118.
  • the authentication server 114 contacts the MS 122 via the PLMN 120 using conventional wireless methods, and requests the user to transmit via the MS 122 the authentication token that was sent to the remote host 116 in step 127 back to the authentication server 114 via the MS 122 and the PLMN 120.
  • the MS 122 may request the user to input a PIN code before the user can input the authentication token into the MS 122 using an input device such as for example, a keypad.
  • the user inputs the PIN code using the keypad of the MS 122.
  • an application in the SIM within the MS 122 communicates with the MS 122 to prompt the user to input the authentication token received by the remote host 116 in step 127.
  • the user inputs the authentication token using an input device such as the keypad of the MS 122.
  • the application of the SIM instructs the MS 122 to send the authentication token back to the authentication server 114 via the PLMN 120.
  • the authentication server 114 determines if the authentication token received via the PLMN 120 matches the authentication token that was transmitted to the remote host 116 in step 127. If the authentication tokens match, the authentication server 114 instructs the authenticating entity 112 to grant the user access to the requested service. If the authentication tokens do not match, an appropriate error condition will be sent to the authenticating entity 112. Thus, the user is denied access to the requested service.
  • the MS 122 and the remote host 116 may be linked via a wireless, wireline, or infrared connection (not shown) to achieve a faster authentication process.
  • the application in the SIM can retrieve the authentication token from the remote host 116 without user intervention as described below.
  • the user may input the PIN code in the remote host 116 instead of the MS 122.
  • the remote host 116 may then automatically forward the PIN code to the MS 122 via a wireless, wireline, or infrared connection between the MS 122 and the remote host 116.
  • the PIN code could be stored in the remote host 116 where the remote host 116 may automatically transfer the PIN code to the MS 122 via the wireless, wireline, or infrared connection, once the remote host 116 receives the authentication token as described in step 127.
  • the MS 122 may automatically retrieve the authentication token from the remote host 116 via the wireless, wireline, or infrared connection.
  • FIG. 4 is a flow chart illustrating an exemplary embodiment of the method of communicating between the ME 92 and the SIM 90 of the MS 80 shown in FIG. 2.
  • the ME 92 receives a short message from a PLMN 82 (FIG. 2).
  • the short message may be a message requesting the ME 92 to send an authentication token to the PLMN 82.
  • the ME 92 sends an authentication request (SMS-PP Download) to the SIM 90.
  • the SIM 90 activates its authentication application, reads the authentication request and obtains a RAND.
  • the SIM 90 sends a PIN code request to the ME 92.
  • a user responds to the PIN code request by inputting a PIN code using an input device such as the keypad 102 (FIG. 2) of the ME 92.
  • the ME 92 may display the inputted PIN code on the display 104.
  • the ME 92 reads the PIN code from the keypad 102.
  • the ME 92 sends the PIN code to the SIM 90.
  • the SIM 90 checks the PIN code to verify that it is an authorized PIN code for the ME 92.
  • the SIM 90 then at step 148, sends an authentication token request to the ME 92.
  • the user responds by inputting the authentication token using an input device such as the keypad 102.
  • the ME 92 may display the inputted authentication token on the display 104 and reads the authentication token from the keypad 102.
  • the ME 92 at step 150, sends the authentication token to the SIM 90.
  • the SIM 90 calculates the SRES by applying the A3 security algorithm to the RAND and the private key.
  • the SIM 90 prepares a response using SRES and the authentication token.
  • the SIM 90 sends an authentication response to the ME 92.
  • the ME 92 sends a short message, which contains the authentication token, to the PLMN 82.
  • the application within the SIM in the MS 122 may securely store an authentication key, as well as the authentication server 114.
  • keys can be generated and/or stored within the authentication server 114.
  • the keys may also be obtained from an external node providing suitable generation and/or storage functionality.
  • a session key could be used in the encryption of the subsequent communications between a remote host and an authenticating entity in a PDN.
  • a session key could be obtained by applying an appropriate algorithm to the RAND and using the private key. This is done, for instance, in the GSM system during the calculation of the ciphering key (Kc), where an A8 security algorithm is applied to the RAND using the subscriber's private key.
  • the Kc generating algorithm is called the A8 security algorithm and is used to compute the Kc from the RAND sent during the authentication procedure.
  • the A8 algorithm is operator specific.
  • the A8 is applied at the PLMN 120 by the AuC (not shown) and at the user side by the SIM (not shown) in the MS 122.
  • the Kc does not have to be transmitted, since it is calculated at both ends of the encrypted channel.
  • the specification for the A8 algorithm is described in appendix C of the ETS 300 534, which has previously been incorporated by reference.
  • the application in the SIM (not shown) of the MS 122 could apply the appropriate algorithm to obtain a session key on reception of the authentication token. It would then send the resulting session key to the dial-up client in the remote host 116 via the MS 122.
  • the dial-up client may apply the received key for the encryption/decryption of the subsequent communications with the PDN 110.
  • the authentication server 114 would also obtain the session key applying the same algorithm that the application in the SIM of the MS 122 used to calculate the session key.
  • the authentication server 114 may also include the session key in the authentication response sent to the authenticating entity 112.
  • if asymmetric encryption is used, the session key is generated at the authentication server 114, encrypted with the subscriber's public key, and sent along with the RAND in the message to the application in the SIM of the MS 122.
  • the application in the SIM of the MS 122 may obtain the session key value using its private key. It may then send the resulting session key to the dial-up client in the remote host 116 via the MS 122.
  • the dial-up client may apply the received key for the encryption/decryption of the subsequent communications with the PDN 110.
  • the SIM in the MS 122 will store its own private key and the public key of the authentication server 114.
  • the authentication server 114 will store its own private key and the public keys of each user.
  • the authentication server 114 could retrieve those keys from an external node (not shown).
  • the user initiates connection by means of a remote host 116 to an access server in a PDN 110.
  • the access network provides the communication path between the remote host 116 and the PDN 110.
  • the authentication entity 112 contacts the authentication server 114 via a secure packet data connection and requests the authentication of the user trying to gain access.
  • the authentication server 114 generates a RAND. Then, it contacts the MS 122 using a wireless network infrastructure.
  • the message includes the RAND.
  • the authentication server 114 provides the authentication entity 112 with an authentication token that is forwarded to the remote host 116 via the access network 148.
  • the application in the SIM of MS 122 receives the message from the authentication server 114 according to the usual wireless procedures.
  • the application in the SIM of MS 122 optionally communicates with the MS 122 to require the user to enter a PIN code. Once the PIN code has been validated, the application communicates with the MS 122 to request the user to enter the authentication token received by the remote host 116. The application constructs the authentication response message, including the signature corresponding to the received RAND, by applying the algorithm (symmetric or asymmetric) to RAND using the key stored in the SIM in the MS 122. The signature may optionally include the authentication token.
  • the application in the SIM of MS 122 instructs the wireless terminal to send the response back to the authentication server 114 using standard wireless procedures.
  • the authentication server 114 determines if the response received via the wireless network is correct and includes the authentication token. The authentication server 114 will apply the algorithm (symmetric or asymmetric) to the received signature using the key for that user. If the resultant information matches the RAND and authentication token values, the authentication server 114 instructs the authentication entity 112 to grant the user access to the requested service. Otherwise, an appropriate error condition is sent to the authenticating host.
  • FIG. 5 is a diagram of a communication system according to another exemplary embodiment of the present invention.
  • the communication system comprises a PLMN 160, a PDN 162, a remote access network 164, a modem 166, a remote host 170 and a MS 208.
  • the MS 208 communicates with the PLMN 160 via a wireless link shown as radio link 210.
  • the PLMN 160 comprises a BTS 172, BSC 174, a MSC/VLR 178, a SMS-C 180, a HLR 186 and an AuC 188.
  • the PDN 162 comprises an authentication server 194, an authentication, authorization and accounting (AAA) server 196, and a NAS 200.
  • the communication system of FIG. 5 is substantially similar to the communication system of FIG. 1, except the authentication entity 60 of FIG. 1 is replaced with the AAA server 196 of FIG. 5.
  • the NAS 200 communicates with the AAA server 196 using a suitable protocol, e.g., RADIUS.
  • the authentication server 194 acts as a back-end server for the AAA server 196.
  • the AAA server 196 receives an authentication request from the NAS 200 for a user who is configured to use the communication system.
  • the components of FIG. 5 perform the same function as their corresponding components of FIG. 1, and thus will not be described further herein.
  • FIG. 6 is a message sequence chart illustrating a dial-up scenario of the communication system of FIG. 5 according to an exemplary embodiment of the present invention.
  • the protocols used in FIG. 6 are solely for illustrative purposes and thus do not limit the applicability of the present invention.
  • the user starts the communication from the User PC 170, which serves as the user's remote access, to the ISP/Intranet (not shown) using a conventional dial-up client application.
  • the set-up process begins.
  • the NAS 200 sends an identity request to the User PC 170, requesting the User PC 170 to identify the user.
  • the User PC 170 responds to the identity request by sending a response containing the user's identity to the NAS 200.
  • an access-request (identity) is sent to the AAA server 196.
  • the AAA server 196 checks the identity of the user and forwards the access-request to the authentication server 194 (step 226).
  • the authentication server 194 obtains a RAND and SRES pair from the AuC 188 in the PLMN 160 (FIG. 5). Then, at step 230 the authentication server 194 requests that the SMS-C 180 generate a SMS message, which requests the application in the SIM (not shown) of the MS 208 to authenticate the user. The request contains the RAND obtained from the AuC 188.
  • the authentication server 194 checks the user identity it received in step 226 and generates an authentication token.
  • the authentication token is sent to the AAA server 196.
  • the AAA server 196 forwards the authentication token to the User PC 170 via the NAS 200, shown as steps 234 and 236.
  • the authentication token is displayed to the user on a display screen of the User PC 170.
  • the MS 208 receives the SMS message containing the RAND and forwards it to the authentication application of the SIM (not shown) of the MS 208.
  • the authentication application processes the message and requests the user's PIN code, which may be the SIM's PIN code.
  • the user inputs the PIN code using an input device such as keypad of the MS 208 at step 239.
  • the authentication application of the SIM validates the PIN code. If the user types in an incorrect PIN code, the user has a limited number of re-tries to input the correct PIN code. If a maximum number of consecutive failures is reached, the application prevents the SIM from accepting a PIN code. If the PIN code corresponds to the PIN code stored in the SIM, the authentication application prompts the user for the authentication token.
  • the user enters the authentication token, which may be displayed on the display of the User PC 170 (at step 236), using the keypad of the MS 208.
  • the authentication application applies the appropriate algorithm to the RAND to obtain SRES.
  • the algorithm utilized may be the GSM A3 authentication algorithm, which obtains a SRES from the RAND and a private key stored in the SIM.
  • the MS 208 sends a short message containing the authentication token and the SRES to the SMS-C 180 based on a request by the authentication application.
  • the User PC 170 sends a response to the NAS 200.
  • the NAS 200, at step 244, sends an access-request response to the AAA server 196.
  • the AAA server 196 sends an access-request response to the authentication server 194.
  • the SMS-C 180 sends a SMS indication message, which contains the authentication token and the SRES to the authentication server 194.
  • the authentication server 194 compares the authentication token received to the authentication token sent to the AAA server 196, and the SRES to the SRES obtained from the AuC 188. If all the values match, the user is authenticated. Thus, at step 250, the authentication server 194 sends an access-accept message to the AAA server 194, instructing the AAA server 196 to authorize the user's access attempt. Finally, at step 252, the AAA server 196 confirms acceptance with the NAS 200.
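The dial-up sequence of FIG. 6 and the A8-style session-key derivation described earlier, as an added simulation that is not part of the patent: the A3/A8 functions, the subscriber key, the PIN and the six-digit token format are constructed stand-ins (the real A3/A8 are operator specific), and the SMS, RADIUS and NAS legs are collapsed into direct calls so the server's accept/reject logic can be exercised offline.

```python
"""Added simulation of the two-channel authentication of FIG. 6 together with
the A8-style session-key derivation: not code from the patent. The A3/A8
stand-ins below are HMAC-SHA256 truncations, not the operator algorithms."""
import hashlib
import hmac
import secrets

# Constructed subscriber database: Ki is the private key shared only by the
# SIM and the AuC; it is never transmitted.
SUBSCRIBERS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}
MAX_PIN_FAILURES = 3  # the SIM stops accepting PIN codes after this many


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator-specific A3: SRES = f(Ki, RAND), 4 bytes."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: Kc = g(Ki, RAND), 8 bytes, computed at both ends."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Authentication centre: hands out (RAND, SRES, Kc) for a subscriber."""

    def triplet(self, user: str):
        rand = secrets.token_bytes(16)
        ki = SUBSCRIBERS[user]
        return rand, a3_stand_in(ki, rand), a8_stand_in(ki, rand)


class SIM:
    """Authentication application in the SIM: PIN check, A3, A8."""

    def __init__(self, ki: bytes, pin: str):
        self._ki, self._pin = ki, pin
        self.failures = 0
        self.blocked = False

    def authenticate(self, rand: bytes, pin_entered: str, token_typed: str):
        """Returns the short message (token, SRES), or None if the PIN is
        rejected or the SIM is blocked (steps 238-241 of FIG. 6)."""
        if self.blocked:
            return None
        if pin_entered != self._pin:
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.blocked = True
            return None
        self.failures = 0
        return token_typed, a3_stand_in(self._ki, rand)

    def session_key(self, rand: bytes) -> bytes:
        return a8_stand_in(self._ki, rand)


class AuthenticationServer:
    """Back-end of the AAA server; keeps one pending challenge per user."""

    def __init__(self, auc: AuC):
        self.auc = auc
        self.pending = {}  # user -> (RAND, expected SRES, token, Kc)

    def start(self, user: str):
        """Steps 228-232: fetch a triplet, send RAND to the SIM over SMS and
        the token to the user PC over the PDN. Returns both, or None."""
        if user not in SUBSCRIBERS:
            return None
        rand, sres, kc = self.auc.triplet(user)
        token = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (rand, sres, token, kc)
        return {"rand_for_sms": rand, "token_for_pdn": token}

    def finish(self, user: str, sms_indication):
        """Steps 248-250: accept only if the token AND the SRES both match."""
        rand, sres, token, kc = self.pending.pop(user, (None,) * 4)
        if rand is None or sms_indication is None:
            return False, None
        recv_token, recv_sres = sms_indication
        ok = hmac.compare_digest(recv_token.encode(), token.encode()) and \
            hmac.compare_digest(recv_sres, sres)
        return ok, (kc if ok else None)


def run_dialup(user: str, sim: SIM, pin_entered: str, transcribe=lambda t: t):
    """One pass through FIG. 6. `transcribe` models the user reading the
    token from the PC screen and typing it into the handset."""
    server = AuthenticationServer(AuC())
    challenge = server.start(user)
    if challenge is None:
        return {"accepted": False, "kc_agree": False}
    typed = transcribe(challenge["token_for_pdn"])
    sms = sim.authenticate(challenge["rand_for_sms"], pin_entered, typed)
    accepted, kc_server = server.finish(user, sms)
    kc_sim = sim.session_key(challenge["rand_for_sms"]) if accepted else None
    return {"accepted": accepted, "kc_agree": accepted and kc_sim == kc_server}
```

Note that `kc_agree` is true only because both ends derive Kc from the same RAND and Ki; the key itself never crosses either channel, which is the property the A8 passage relies on.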
  • FIG. 7 is a block diagram that illustrates a communication system for authenticating a user when performing e-commerce transactions according to an exemplary embodiment of the invention.
  • the communication system of FIG. 7 comprises a PLMN 258, a PDN 272, an access network 280, a modem 282, a remote host 284 and a MS 286.
  • the PLMN 258 comprises a BTS 260, a BSC 262, a MSC/VLR 264, a HLR 268, an AuC 270, a SMS-C 266 and a billing system 271.
  • the PDN 272 comprises an authentication server 274, an e-commerce server 276, and a NAS 278.
  • the communication system of FIG. 7 is identical to the communication system of FIG. 1, except the authenticating entity 60 of FIG. 1 is replaced with the e-commerce server 276 and the PLMN 258 has a billing system 271, which is connected to the authentication server 274. With exception to the e-commerce server 276 and the billing system 271, the components of FIG. 7 perform the same function as their corresponding components of FIG. 1, and thus will not be further described herein.
  • the e-commerce server 276 and the authentication server 274 may be located in different PDNs, so long as a secure data channel exists between them, e.g., an IPsec tunnel. Moreover, the remote host 284 may be connected to the PDN 272 through other PDNs, e.g., the Internet. In this approach, the authentication would, for instance, be triggered by an e-commerce application that wishes to authenticate the user for a purchase. The e-commerce server 276 would contact the authentication server 274 via a secure packet data connection to request the authentication of the user trying to gain access. The authentication request would include all the relevant payment information, e.g., price and items being purchased.
  • the application may optionally show the payment information, e.g., price, in the ME (not shown) of the MS 286.
  • after validating a response received from the application, the authentication server 274 would contact a payment server, i.e., the entity handling the charging for the e-commerce application.
  • the payment server can be part of the e-commerce infrastructure or could be integrated with the network billing system 271, or could be an Internet payment provider. If the authentication succeeds, the charging operation is accomplished and the authentication server 274 confirms the payment to the e-commerce server 276 to grant the user access to the requested service or article. Otherwise, an appropriate error condition is sent to the authenticating host. Thus, the user is denied access to the requested service or article.
  • the method begins at step 350, where the e-commerce server 276 requests the user's identity.
  • the e-commerce application obtains the user identity via an identity response from the User PC 284, e.g., the user is prompted via a display screen of the User PC 284 to input his/her identity.
  • the e-commerce server 276 sends the authentication request to the authentication server 274.
  • the authentication request includes all the relevant payment information, e.g., price and items being purchased.
  • the authentication server 274 obtains a RAND and SRES pair from the AuC 270 in the PLMN 258 (FIG. 7). Then, at step 358, the authentication server 274 requests the SMS-C 266 to generate a SMS message requesting the authentication application in the SIM (not shown) of the MS 286 to authenticate the user.
  • the request contains the RAND obtained from the AuC 270.
  • the request may include the price and the items being purchased in order to ensure the integrity of such payment/purchase information.
  • the authentication server 274 checks the user identity and generates an authentication token. At step 360, the authentication token is sent to the e-commerce server 276.
  • the e-commerce server 276 sends an authentication token request to the user via the User PC 284.
  • the User PC 284 displays the authentication token request to the user.
  • the SMS-C 266 sends a SMS message including the RAND to the MS 286.
  • the MS 286 receives the message and forwards it to the authentication application in the SIM (not shown) of the MS 286.
  • the authentication application processes the message and requests the user to enter a PIN code, which may be the SIM's PIN code.
  • the user inputs the PIN code via a keypad of the MS 286 at step 365.
  • the authentication application validates the PIN code. The user has a limited number of re-tries to input the correct PIN code. If the maximum number of consecutive failures is reached, the application prevents the SIM from accepting a PIN code. If the value corresponds to the PIN code stored in the SIM, the authentication application prompts the user for the authentication token.
  • at step 365, the user types in the authentication token, which is shown on the display of the User PC 284 (see step 362), using the keypad of the MS 286.
  • the authentication application applies the appropriate algorithm to the RAND to obtain the SRES.
  • the algorithm utilized in this approach is the GSM A3 authentication algorithm, which obtains the SRES from the RAND and a private key stored in the SIM (step 366).
  • the authentication application requests the MS 286 to send a SMS message containing the authentication token and the SRES to the SMS-C 266.
  • the SMS-C 266 sends the SMS indication message containing the authentication token and the SRES to the authentication server 274.
  • the authentication server 274 compares the authentication token received to the one sent to the e-commerce application and the SRES to the SRES obtained from the AuC 270. If all the values match, the authentication server 274 could optionally contact a payment server and forward the payment information received from the e-commerce application to the payment server.
  • the authentication server 274 generates a charging record (payment information) and transfers it to the billing system 271 of the PLMN 258. Thus, the purchase would be included in the bill corresponding to the wireless subscription of the user.
  • the e-commerce application is informed of the result of the operation.
  • the authentication server 274 sends a message to the e-commerce server 276.
  • the e-commerce server 276 confirms the operation.
  • the present invention can be implemented in a communication system that uses
  • FIG. 9 is a block diagram that illustrates a communication system for USSD according to an exemplary embodiment of the invention.
  • the communication system of FIG. 9 comprises a PLMN 400, a PDN 402, an access network 404, a modem 406, a remote host 408, a MS 410 and a radio link 412.
  • the PLMN 400 comprises a BTS 414, a BSC 416, a MSC/VLR 418, a HLR 420, an AuC 422.
  • the PDN 402 comprises an authentication server 424, an AAA server 426, and a NAS 428.
  • the communication system of FIG. 9 is substantially similar to the communication system of FIG. 1, except the PLMN 400 does not require a SMS-C.
  • the AuC 422 is connected to the HLR 420 and the HLR 420 is connected to the authentication server 424.
  • the handling of USSD is described in ETS 300 625, which is hereby incorporated by reference.
  • FIG. 10 is a message sequence chart illustrating a method of handling USSD in the communication system shown in FIG. 9 according to an exemplary embodiment of the present invention.
  • the user starts the communication from the User PC 408, which serves as the user's remote access, to the ISP/Intranet (not shown) using a conventional dial-up client application.
  • the set-up process begins.
  • the NAS 428 sends an identity request to the User PC 408, requesting the User PC 408 to identify the user.
  • the User PC 408 responds to the identity request by sending a response containing the user's identity to the NAS 428.
  • an access-request (identity) is sent to the AAA server 426.
  • the AAA server 426 checks the identity of the user and forwards the access-request to the authentication server 424 (step 506).
  • the authentication server 424 sends a USSD request to the HLR 420.
  • the HLR transmits the USSD request to the MSC/VLR serving the area where the subscriber is currently located.
  • the MSC/VLR receives the request and forwards it to the MS via the BSC and the BTS (not shown in the flow).
  • the authentication server 424 also sends an access-challenge containing the authentication token to the AAA server 426 (step 510).
  • the AAA server 426 sends the access-challenge containing the authentication token to the NAS 428.
  • the NAS 428 sends a request containing the authentication token to the User PC 408.
  • the MSC/VLR 418 sends a USSD request to the MS 410.
  • the user inputs the authentication token in the MS 410.
  • the MS 410 sends a USSD response containing the authentication token to the MSC/VLR 418.
  • the User PC 408 sends a response message to the NAS 428.
  • the NAS 428 sends an access-request containing the user identity and the response message to the AAA server 426.
  • the AAA server 426 sends the access-request containing the user identity and the response request to the authentication server 424 (step 526).
  • the HLR 420 sends a USSD response containing the authentication token to the authentication server 424.
  • the authentication server sends an access-accept message to the AAA server 426.
  • the AAA server 426 sends the access-accept message to the NAS 428.
  • the present invention can be implemented in a communication system that uses the WAP.
  • the WAP specifies an application framework as well as network protocols for wireless devices.
  • the WAP model is similar to the World Wide Web (WWW), being optimized to match the characteristics of the wireless environment.
  • the WAP architecture and protocols are specified in the corresponding WAP Forum specifications, e.g., WAP Architecture, April 30, 1998, wherein the latest version is WAP specification suite 1.1.
  • FIG. 11 is a block diagram that illustrates a communication system for WAP according to an exemplary embodiment of the present invention.
  • the communication system comprises a PLMN 600, a PDN 602, an access network 604, a remote host 606, a MS 608 containing a WAP browser (not shown), and a radio link 610.
  • the PDN 602 comprises an authenticating entity 614, an authentication server 616, a NAS 618 and a WAP server 620.
  • the PLMN 600 may be constructed according to the GSM standards.
  • the PLMN 600 may comprise a WAP Gateway 612.
  • the WAP Gateway 612 may be connected to the WAP server 620 via communication link 626.
  • the WAP server 620 may be connected to the authentication server 616 via communication link 628.
  • the MS user and the authentication application in the WAP Server 620 communicate according to the WAP specifications defined by the WAP Forum.
  • FIG. 12 illustrates a method of authenticating a user in the communication system shown in FIG. 11 according to an exemplary embodiment of the present invention.
  • the user requests a service that requires authentication.
  • the method begins at step 700 where the authenticating entity 614 sends an identity request to the User PC 606 to identify the user.
  • the User PC 606 responds to the identity request by sending a response containing the user's identity to the authenticating entity 614.
  • the authenticating entity 614 sends an access-request to the authentication server 616.
  • the authentication server 616 sends an authentication token to the authenticating entity 614.
  • the authentication server 616 also sends an authentication request to the authentication application within the WAP server 620 (step 708).
  • the authenticating entity 614 sends the authentication token to the User PC 606.
  • the WAP server 620 pushes the request through the WAP gateway 612 to the MS 608 (steps 712 and 714).
  • the user inputs the authentication token in the MS 608.
  • the MS 608 sends a response containing the authentication token through the WAP gateway 612 to the WAP server 620.
  • the WAP server 620 sends a response containing the authentication token to the authentication server 616.
  • the authentication server sends an access accept message to the authenticating entity 614.

Abstract

The invention relates to methods and apparatus used in a communication system applying GSM security principles to authenticate users who wish to access packet data networks. The authentication procedure is triggered, where appropriate, by an authenticating entity in order to verify the identity of a user attempting to access certain resources, for example a network application. The authenticating entity sends an authentication request to an authentication server. The authentication server checks whether the user's identity corresponds to a known user. If so, the authentication server generates an authentication token, which is sent to the user via an access network and a remote host. The authentication server uses a secure communication link, via a wireless network, to request that the user return the authentication token to said authentication server, via the secure communication link, over a public land mobile network. Once the user has returned the authentication token to said authentication server via the secure path, the authentication server compares the authentication token sent to the user with the one returned by the user over the secure communication link. If the authentication tokens match, the authentication server instructs the authenticating entity to grant the user access to the requested services. If the authentication tokens do not match, the user will not be able to access the requested services.
EP00959088A 1999-08-31 2000-08-31 GSM security system for packet data networks Withdrawn EP1208715A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US38625399A 1999-08-31 1999-08-31
US386253 1999-08-31
PCT/SE2000/001673 WO2001017310A1 (fr) 1999-08-31 2000-08-31 GSM security system for packet data networks

Publications (1)

Publication Number Publication Date
EP1208715A1 true EP1208715A1 (fr) 2002-05-29

Family

ID=23524822

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00959088A Withdrawn EP1208715A1 (fr) 1999-08-31 2000-08-31 GSM security system for packet data networks

Country Status (6)

Country Link
EP (1) EP1208715A1 (fr)
CN (1) CN1385051A (fr)
AU (1) AU7047100A (fr)
MX (1) MXPA02002018A (fr)
WO (1) WO2001017310A1 (fr)
ZA (1) ZA200201005B (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11627463B2 (en) * 2019-08-09 2023-04-11 Critical Ideas, Inc. Authentication via unstructured supplementary service data

Families Citing this family (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI115355B (fi) * 2000-06-22 2005-04-15 Icl Invia Oyj Järjestely suojatun järjestelmän käyttäjän tunnistamiseen ja todentamiseen
WO2002015626A1 (fr) * 2000-08-15 2002-02-21 Telefonaktiebolaget Lm Ericsson (Publ) Authentification de reseau a l'aide d'un telephone mobile a fonctionnalite wap
GB2369530A (en) * 2000-11-24 2002-05-29 Ericsson Telefon Ab L M IP security connections for wireless authentication
CA2435329A1 (fr) * 2001-01-17 2002-07-25 Arcot Systems, Inc. Appareil de pre-authentification d'utilisateurs utilisant des mots de passe a usage unique
US6983381B2 (en) 2001-01-17 2006-01-03 Arcot Systems, Inc. Methods for pre-authentication of users using one-time passwords
US7181762B2 (en) 2001-01-17 2007-02-20 Arcot Systems, Inc. Apparatus for pre-authentication of users using one-time passwords
US7194251B2 (en) 2001-03-20 2007-03-20 3Com Corporation Intelligent gate distributed use and device network access management on personal area network
WO2002102019A2 (fr) * 2001-04-20 2002-12-19 3Com Corporation Procede et dispositif de gestion de reseau
US20040218762A1 (en) 2003-04-29 2004-11-04 Eric Le Saint Universal secure messaging for cryptographic modules
US8209753B2 (en) 2001-06-15 2012-06-26 Activcard, Inc. Universal secure messaging for remote security tokens
US20020194499A1 (en) * 2001-06-15 2002-12-19 Audebert Yves Louis Gabriel Method, system and apparatus for a portable transaction device
CN101448259A (zh) 2001-06-27 2009-06-03 诺基亚西门子通信公司 用于无线通信网中承载授权的方法和系统
EP1863220A3 (fr) * 2001-06-27 2009-09-02 Nokia Corporation Procédé et système d'autorisation au porteur dans un réseau de communication sans fil
GB0119629D0 (en) 2001-08-10 2001-10-03 Cryptomathic As Data certification method and apparatus
DE10138381B4 (de) * 2001-08-13 2005-04-07 Orga Systems Enabling Services Gmbh Computersystem und Verfahren zur Datenzugriffskontrolle
CA2356420A1 (fr) * 2001-08-30 2003-02-28 Wmode Inc. Authentification et non-repudiation d'un abonne sur un reseau public
FR2832576A1 (fr) * 2001-11-20 2003-05-23 Schlumberger Systems & Service Procede et dispositif d'authentification d'un utilisateur aupres d'un fournisseur de service a l'aide d'un dispositif de communication
FR2834163B1 (fr) * 2001-12-20 2004-11-19 Cegetel Groupe Procede de controle d'acces a un contenu et systeme pour le controle d'acces a un contenu
AU2003209194A1 (en) 2002-01-08 2003-07-24 Seven Networks, Inc. Secure transport for mobile communication network
DE10200681B4 (de) * 2002-01-10 2004-09-23 Siemens Ag Temporäre Zugansberechtigung zum Zugriff auf Automatisierungseinrichtungen
DE10218729B4 (de) * 2002-04-26 2004-05-27 Andawari Gmbh Verfahren zum Authentifizieren und/oder Autorisieren von Personen
FR2842055B1 (fr) * 2002-07-05 2004-12-24 Nortel Networks Ltd Procede pour controler l'acces a un systeme cellulaire de radiocommunication a travers un reseau local sans fil, et organe de controle pour la mise en oeuvre du procede
US7264411B2 (en) * 2002-11-06 2007-09-04 Matsushita Electric Industrial Co., Ltd. Print system, print device and print instruction method
CN100449989C (zh) * 2003-07-16 2009-01-07 华为技术有限公司 一种触发802.1x认证过程的方法
CN1853190B (zh) * 2003-08-11 2010-06-09 索尼株式会社 信息处理设备和通信方法
US7907935B2 (en) 2003-12-22 2011-03-15 Activcard Ireland, Limited Intelligent remote device
US20050138380A1 (en) 2003-12-22 2005-06-23 Fedronic Dominique L.J. Entry control system
US7548620B2 (en) * 2004-02-23 2009-06-16 Verisign, Inc. Token provisioning
KR101150241B1 (ko) * 2004-08-18 2012-06-12 마스터카드 인터내셔날, 인코포레이티드 동적 인증 코드를 이용한 트랜잭션의 승인 방법 및 시스템
GB2419067A (en) * 2004-10-06 2006-04-12 Sharp Kk Deciding whether to permit a transaction, based on the value of an identifier sent over a communications channel and returned over a secure connection
GB0423301D0 (en) 2004-10-20 2004-11-24 Fujitsu Ltd User authorization for services in a wireless communications network
BRPI0517521B1 (pt) 2004-10-26 2019-04-09 Telecom Italia S.P.A. Método e sistema para autenticar um assinante de uma primeira rede para acessar um serviço de aplicação através de uma segunda rede
CN1838591B (zh) 2005-03-21 2010-05-05 松下电器产业株式会社 用于无线网络的自动安全认证系统及方法
WO2006136750A2 (fr) * 2005-06-20 2006-12-28 France Telecom Authentification d'un serveur avant envoi de donnees d'identification d'un client
EP2074524B1 (fr) * 2005-10-11 2014-12-03 Amazon Technologies, Inc. Systeme et procede d'autorisation de transactions
US8352376B2 (en) 2005-10-11 2013-01-08 Amazon Technologies, Inc. System and method for authorization of transactions
US8447700B2 (en) 2005-10-11 2013-05-21 Amazon Technologies, Inc. Transaction authorization service
EP1802155A1 (fr) * 2005-12-21 2007-06-27 Cronto Limited Système et procédé pour authentification dynamique basée sur plusieurs facteurs
ATE510396T1 (de) 2006-02-01 2011-06-15 Research In Motion Ltd System und methode für die validierung eines benutzerkontos mit einer drahtlosen vorrichtung
GB0604001D0 (en) * 2006-02-28 2006-04-05 Orange Personal Comm Serv Ltd System and method for controlling network access
FR2900019B1 (fr) * 2006-04-12 2008-10-31 Alcatel Sa Procede d'authentification, terminal et operateur associes
CA2651592A1 (fr) * 2006-05-10 2007-11-15 Worldwide Gpms Ltd. Procede et systeme de confirmation de transactions au moyen d'unites mobiles
NZ547322A (en) * 2006-05-18 2008-03-28 Fronde Anywhere Ltd Authentication method for wireless transactions
SG172721A1 (en) 2006-06-16 2011-07-28 Fmt Worldwide Pty Ltd An authentication system and process
EP1871065A1 (fr) 2006-06-19 2007-12-26 Nederlandse Organisatie voor Toegepast-Natuuurwetenschappelijk Onderzoek TNO Procédés, dispositif et système pour le contrôle d'accès à un réseau
US20080243696A1 (en) * 2007-03-30 2008-10-02 Levine Richard B Non-repudiation for digital content delivery
US7945246B2 (en) * 2007-10-26 2011-05-17 Sony Ericsson Mobile Communications Ab System and method for establishing authenticated network communications in electronic equipment
FR2924294A1 (fr) * 2007-11-28 2009-05-29 France Telecom Procede de transmission et systeme de telecommunications
FR2958821A1 (fr) * 2007-12-11 2011-10-14 Mediscs Procede d'authentification d'un utilisateur
JP5211686B2 (ja) * 2007-12-28 2013-06-12 ブラザー工業株式会社 データ提供システムとデータ提供装置
JP4983596B2 (ja) * 2007-12-28 2012-07-25 ブラザー工業株式会社 データ提供システムとデータ提供装置
TR200800255A1 (tr) * 2008-01-15 2009-08-21 Vodafone Teknoloji̇ Hi̇zmetleri̇ Anoni̇m Şi̇rketi̇ Mobil onay sistem ve yöntemi.
US8244592B2 (en) 2008-03-27 2012-08-14 Amazon Technologies, Inc. System and method for message-based purchasing
US8620826B2 (en) 2008-03-27 2013-12-31 Amazon Technologies, Inc. System and method for receiving requests for tasks from unregistered devices
US8204827B1 (en) 2008-03-27 2012-06-19 Amazon Technologies, Inc. System and method for personalized commands
FR2940580B1 (fr) * 2008-12-23 2012-11-30 Solleu Yann Le Procede et systeme de controle d'acces a un service
DE102009060946A1 (de) * 2009-12-23 2011-06-30 Doering, Wolfram, 13469 Verfahren zur elektronischen Kommunikation von Bankaufträgen und Kommunikationssystem zur Ausübung des Verfahrens
US9961075B2 (en) 2012-03-30 2018-05-01 Nokia Technologies Oy Identity based ticketing
US9053304B2 (en) 2012-07-13 2015-06-09 Securekey Technologies Inc. Methods and systems for using derived credentials to authenticate a device across multiple platforms
US20140095387A1 (en) * 2012-10-01 2014-04-03 Nxp B.V. Validating a transaction with a secure input and a non-secure output
US10147090B2 (en) 2012-10-01 2018-12-04 Nxp B.V. Validating a transaction with a secure input without requiring pin code entry
US9495524B2 (en) 2012-10-01 2016-11-15 Nxp B.V. Secure user authentication using a master secure element
US8972296B2 (en) * 2012-12-31 2015-03-03 Ebay Inc. Dongle facilitated wireless consumer payments
GB2516412A (en) * 2013-05-03 2015-01-28 Vodafone Ip Licensing Ltd Access control
WO2014181028A1 (fr) * 2013-05-06 2014-11-13 Nokia Corporation Method and apparatus for access control
EP3008935B1 (fr) 2013-06-12 2022-04-20 Telecom Italia S.p.A. Mobile device authentication in a heterogeneous communication network scenario
EP2924944B1 (fr) * 2014-03-25 2018-03-14 Telia Company AB Network authentication
EP2940618A1 (fr) * 2014-04-29 2015-11-04 Deutsche Telekom AG Method, system, user equipment and program for user authentication
CN104506510B (zh) * 2014-12-15 2017-02-08 百度在线网络技术(北京)有限公司 Method, apparatus and authentication service system for device authentication
ITUB20154749A1 (it) * 2015-10-30 2017-04-30 Oikia R&V S R L Interface apparatus
FI128171B (en) 2015-12-07 2019-11-29 Teliasonera Ab network authentication
US20210327547A1 (en) * 2020-04-16 2021-10-21 Mastercard International Incorporated Systems, methods, and non-transitory computer-readable media for secure biometrically-enhanced data exchanges and data storage
CN113742533A (zh) * 2021-08-05 2021-12-03 北京思特奇信息技术股份有限公司 Recommendation method, system and recommendation device based on Prim's algorithm

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5668876A (en) * 1994-06-24 1997-09-16 Telefonaktiebolaget Lm Ericsson User authentication method and apparatus
FR2771875B1 (fr) * 1997-11-04 2000-04-14 Gilles Jean Antoine Kremer Method for transmitting information and computer server implementing it

Non-Patent Citations (1)

Title
See references of WO0117310A1 *

Cited By (1)

Publication number Priority date Publication date Assignee Title
US11627463B2 (en) * 2019-08-09 2023-04-11 Critical Ideas, Inc. Authentication via unstructured supplementary service data

Also Published As

Publication number Publication date
AU7047100A (en) 2001-03-26
MXPA02002018A (es) 2002-09-18
ZA200201005B (en) 2003-04-30
CN1385051A (zh) 2002-12-11
WO2001017310A1 (fr) 2001-03-08

Similar Documents

Publication Publication Date Title
WO2001017310A1 (fr) GSM security system for packet data networks
EP1551149B1 (fr) Universal secure messaging for remote security tokens
US8369833B2 (en) Systems and methods for providing authentication and authorization utilizing a personal wireless communication device
US8737964B2 (en) Facilitating and authenticating transactions
JP4364431B2 (ja) Method, arrangement and apparatus for authenticating over a communication network
US20040097217A1 (en) System and method for providing authentication and authorization utilizing a personal wireless communication device
US20070178885A1 (en) Two-phase SIM authentication
US20030061503A1 (en) Authentication for remote connections
US20020166048A1 (en) Use and generation of a session key in a secure socket layer connection
EP1865656A1 (fr) Establishing secure communication using third-party authentication
US20120144189A1 (en) Wlan authentication method, wlan authentication server, and terminal
WO2002019593A2 (fr) End-user authentication based on the SIM application toolkit (SAT), independent of the service provider
EP1602194A1 (fr) Method and software package for mutual authentication in a communications network
WO2011084419A1 (fr) Secure multi-UIM authentication and key exchange
CA2435329A1 (fr) Apparatus for pre-authenticating users using one-time passwords
WO2006103383A1 (fr) Method for facilitating and authenticating transactions
Halonen Authentication and authorization in mobile environment
WO2003019856A2 (fr) Authentification et non-repudiation d'un abonne sur un reseau public
US20060265586A1 (en) Method and system for double secured authenication of a user during access to a service by means of a data transmission network
KR100474419B1 (ko) Authentication/billing system and method for wireless communication terminals in wired and wireless communication networks
AU2002259074B2 (en) Use and generation of a session key in a secure socket layer connection
CN116032493A (zh) Security detection method and decoding server
Ubisafe The Mobile Phone as Authentication Token
Ubisafe et al. Strong Authentication for Internet Applications with the GSM SIM
Bjornstad et al. Securing virtual private networks with SIM authentication

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020131

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: RUIZ SANCHEZ, JOSE LUIS

Inventor name: MARIZ RIOS, JOSE LUIS

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20050301