EP1466438A1 - Method at access right control within mobile communication - Google Patents

Method at access right control within mobile communication

Info

Publication number
EP1466438A1
EP1466438A1 EP02793724A EP02793724A EP1466438A1 EP 1466438 A1 EP1466438 A1 EP 1466438A1 EP 02793724 A EP02793724 A EP 02793724A EP 02793724 A EP02793724 A EP 02793724A EP 1466438 A1 EP1466438 A1 EP 1466438A1
Authority
EP
European Patent Office
Prior art keywords
policy
mobile
password
communication system
mobile unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02793724A
Other languages
German (de)
English (en)
French (fr)
Inventor
Jonas Eriksson
Rolf Kawe
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telia Co AB
Original Assignee
Telia AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telia AB filed Critical Telia AB
Publication of EP1466438A1 publication Critical patent/EP1466438A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup

Definitions

  • the present invention relates to the field access right control within mobile communication systems.
  • the mobile unit consists of a mobile telephone with one or more so called smart cards.
  • the mobile unit (or usually a smart card in the mobile unit) in its turn contains one or more private keys, which can be used for authentication and to create "non-rejection" only when a CA (Certificate Authority) has issued certificate which verifies that a specific user holds these private keys .
  • CA Certificate Authority
  • CA has in many cases points of view on which rules that shall apply for which passwords a user is allowed to select.
  • CA then has what is generally called a password policy.
  • the password policy can for instance apply to rules regarding length, allowed characters and updating intervals.
  • Such a policy only has been possible to apply to the cases where it already at the issuing of the card has been made clear which CA that shall issue the certificate connected/associated to the keys on the card.
  • the smart card often will be distributed to the user before anyone knows what CA that shall issue the certificate connected/associated to pair of keys on the card; so the method of entering/applying CA's password policy on the card before it is distributed to the user is not applicable.
  • the aim of the invention is to provide a method to electronically distribute a password policy over a mobile communication system to a mobile unit so that said policy directly can start being applied in the mobile unit or an additional unit.
  • the invention consequently includes a method within a mobile radio communication system with mobile units and connected service providers who provide services over said communication system, where the access from a mobile terminal of a service at a service provider requires a password. The method includes the steps to:
  • a mobile unit electronically receive said policy and handle and draw up/configure passwords associated with/to said service provider according to rules specified in the from the service provider or by him/her appointed certificate authority, said issued/transmitted policy.
  • the method also includes that the mobile unit or a specific gateway authenticates and authorizes the sender of the policy in order to prevent illegal utilization of the possibility to change a policy.
  • Figure 1 shows an administration route/path according to one embodiment of the invention for PIN-policy.
  • Figure 2 shows an administration route/path for PIN-policy according to another embodiment of the invention; and
  • Figure 3 shows a flow chart for a method according to the invention .
  • Figure 4A and 4B show schematically the location/placing of authentication and authorization units according to two embodiments of the invention.
  • One embodiment of the invention relates to a method to distribute a password in form of a PIN-policy for cryptographic keys in mobile units "over the air", that is via the communication system in which the unit is intended to operate.
  • the keys are in the typical case held/kept in a device/smart card in the mobile unit which cannot be juggled with, but it is not necessary.
  • the cryptographic keys are in the typical case private keys in asymmetric pair of keys.
  • the cryptographic keys, or the unit in which these are generated, have been distributed to the user already before it is known which party that will issue certificate which associates/connects the user to a certain pair of keys .
  • CA When a CA shall issue a certificate, the user is linked/associated to a private key in usual way via an "over the air proof of possession"-procedure .
  • CA distributes its PIN-policy via the cellular mobile communication system to the mobile unit which holds/contains the private key.
  • An application in the mobile unit attends to that the PIN-policy comes into force, and forces the user to select a PIN-code according to the policy for utilization of the certified key.
  • Figure 1 the flow is illustrated:
  • CA 101 has decided to distribute its PIN-policy to a certain mobile unit.
  • CA addresses the PIN-policy to a certain mobile unit and a certain private key in the mobile unit 115 and transmits/sends this to a gateway 105 for the purpose.
  • This gateway 105 authenticates CA 101 and decides whether CA 101 is entitled to distribute a PIN-policy to the mobile unit 115 (authorization) .
  • Said gateway 105 is preferably arranged at the operator of the mobile communication system.
  • Gateway 105 sends/transmits the PIN-policy further over the mobile communication network 110.
  • the mobile unit 115 receives the PIN-policy, secures that it is coming from the mobile operator' s gateway
  • Step 1 is preferably preceded by an inquiry from the client/user to CA about issuing of a client certificate.
  • a password policy preferably includes rules about, in the general case:
  • a PIN-policy consists of a data structure which is interpreted by an application for the purpose which has been arranged in the mobile unit.
  • a PIN-policy is realized as an executable application which is transmitted to the mobile unit. In the first case it is conceivable that a plurality of PIN-polices can be active at the same time, but some mechanism to solve conflicting policies, if any, then is needed.
  • the mobile unit 115 then preferably includes one or more integrated or removable smart cards or any other form of device which is protected against manipulations.
  • the invention of course is applicable also in the cases when the private key is not stored in a device which is protected against manipulation, but in any other way in the mobile unit.
  • CA 201 transmits its policy via a general traffic gateway for the mobile communication network (GGSN for GPRS/UMTS) 210, without mechanisms for authentication and authorization of CA 201.
  • GGSN for GPRS/UMTS
  • mechanisms for authentication and authorization are instead implemented in the mobile unit 215
  • CA creates 310 a policy specification, and addresses 320 a mobile unit and addresses 330 a private key within said mobile unit. Further, the specification is transmitted 340 over the mobile network, possibly via a specific gateway as has been mentioned above. The specification is received 350 and the transmitter/sender is authenticated 360, respective, whenever applicable, authorized 370. Depending on the number of units between CA and mobile unit which need own authentication and authorization, the steps to transmit 340, receive 350, authenticate 360 and authorize 370 are repeated 375. Finally, the policy is stored and activated in the mobile station.
  • PIN-policy for other purposes than unlocking/use of private keys of course also can be distributed to the mobile unit according to the invention.
  • Both A and B can load down its policy to the mobile unit. Both policy from CA A and a policy from CA B are put into practice each time PIN is changed. This requires a mechanism in the mobile unit to solve conflicting demands.
  • Both A and B sends/transmits its policy to the operator of the mobile communication network.
  • the operator creates a "summing up" of these rules and decides about which policy that finally is transmitted to the mobile unit.
  • Both A and B can load down its policy to the mobile unit. Separate PINs are used for the same key depending on which of his/her certificates the user wants to refer to. Policy from CA A applies when the user refers to his/her certificate from CA A, and policy from CA B applies when the user refers to his/her certificate from CA B.
  • FIG. 4A shows an authentication unit 402 and an authorization unit 404 arranged in gateway 105.
  • Figure 4B shows an authentication unit 402 and an authorization unit 404 arranged in a mobile unit 115.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
EP02793724A 2002-01-10 2002-12-20 Method at access right control within mobile communication Withdrawn EP1466438A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SE0200061 2002-01-10
SE0200061A SE519072C2 (sv) 2002-01-10 2002-01-10 Metod vid behörighetskontroll inom mobil kommunikation
PCT/SE2002/002424 WO2003058880A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication

Publications (1)

Publication Number Publication Date
EP1466438A1 true EP1466438A1 (en) 2004-10-13

Family

ID=20286626

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02793724A Withdrawn EP1466438A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication

Country Status (5)

Country Link
EP (1) EP1466438A1 (no)
AU (1) AU2002359203A1 (no)
NO (1) NO20042773L (no)
SE (1) SE519072C2 (no)
WO (1) WO2003058880A1 (no)

Families Citing this family (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2107756A1 (en) 2008-03-31 2009-10-07 British Telecommunications Public Limited Company Policy resolution
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US20100188993A1 (en) 2009-01-28 2010-07-29 Gregory G. Raleigh Network tools for analysis, design, testing, and production of services
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US11973804B2 (en) 2009-01-28 2024-04-30 Headwater Research Llc Network service plan design
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US11985155B2 (en) 2009-01-28 2024-05-14 Headwater Research Llc Communications device with secure data path processing agents
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices
WO2014159862A1 (en) 2013-03-14 2014-10-02 Headwater Partners I Llc Automated credential porting for mobile devices

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE68922884T2 (de) * 1988-08-11 1995-11-30 Ibm Verarbeitung von Personenidentifizierungsnummern mit Hilfe von Kontrollvektoren.
US4924514A (en) * 1988-08-26 1990-05-08 International Business Machines Corporation Personal identification number processing using control vectors
US5944824A (en) * 1997-04-30 1999-08-31 Mci Communications Corporation System and method for single sign-on to a plurality of network elements
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
DK174672B1 (da) * 1999-11-09 2003-08-25 Orange As System til elektronisk udlevering af en personlig identifikationskode

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03058880A1 *

Also Published As

Publication number Publication date
SE0200061D0 (sv) 2002-01-10
SE0200061L (sv) 2003-01-07
NO20042773L (no) 2004-09-10
AU2002359203A1 (en) 2003-07-24
WO2003058880A1 (en) 2003-07-17
SE519072C2 (sv) 2003-01-07

Similar Documents

Publication Publication Date Title
EP1466438A1 (en) Method at access right control within mobile communication
US8001615B2 (en) Method for managing the security of applications with a security module
KR101047641B1 (ko) 보안 장치용 보안 및 프라이버시 강화
CN101167388B (zh) 对移动终端特征的受限供应访问
EP2368339B1 (en) Secure transaction authentication
EP1476980B1 (en) Requesting digital certificates
RU2404520C2 (ru) Способ предоставления подписывающего ключа для цифрового подписания, верифицирования или шифрования данных, а также мобильный терминал
EP2106191B1 (en) A method for updating a smartcard and a smartcard having update capability
US20060262929A1 (en) Method and system for identifying the identity of a user
US20070209081A1 (en) Methods, systems, and computer program products for providing a client device with temporary access to a service during authentication of the client device
US20040266395A1 (en) Process for securing a mobile terminal and applications of the process for executing applications requiring a high degree of security
US20020187808A1 (en) Method and arrangement for encrypting data transfer at an interface in mobile equipment in radio network, and mobile equipment in radio network
US7734279B2 (en) Method and system for controlling resources via a mobile terminal, related network and computer program product therefor
KR20060116822A (ko) 애플리케이션의 인증을 위한 방법
US7865719B2 (en) Method for establishing the authenticity of the identity of a service user and device for carrying out the method
KR20140098872A (ko) 모바일 nfc단말기 웹 서비스를 위한 바이오인식과 tsm 기반의 보안 시스템 및 방법
US7072646B1 (en) Method of distributing keys to subscribers of communications networks
US9648495B2 (en) Method and device for transmitting a verification request to an identification module
US8296575B2 (en) Method for protecting electronic device, and electronic device
US7394901B2 (en) Method for exchanging authentication information between a communication entity and an operator server
Khu-Smith et al. Enhancing e-commerce security using GSM authentication

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040810

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELIASONERA AB

17Q First examination report despatched

Effective date: 20100518

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20100929