EP1844619A1 - Mobile radio network, method for operating a terminal in such a network, and terminal with integrated electronic circuit arrangements for storing parameters identifying the terminal - Google Patents
Mobile radio network, method for operating a terminal in such a network, and terminal with integrated electronic circuit arrangements for storing parameters identifying the terminal
- Publication number
- EP1844619A1 (application EP05714912A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- terminal
- server
- network node
- nkn
- internet protocol
- Prior art date
- Legal status
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Definitions
- the invention relates to a mobile radio network having at least one network node, at least one server and a plurality of terminals with an electronic circuit arrangement integrated into the terminal, in which a parameter identifying the terminal is stored, wherein at least one access network node to a packet data network is connected to the network node.
- a mobile radio network of the type specified in the introduction is a cellular mobile radio network; such mobile networks are nowadays usually operated on the basis of mobile radio standards of the so-called second or third generation, for which the abbreviations 2G and 3G are often used.
- An example of a widely used second generation mobile radio standard is the GSM (Global System for Mobile Communications) standard.
- GSM Global System for Mobile Communications
- GPRS General Packet Radio Service
- IP Internet Protocol
- UMTS Universal Mobile Telephony
- SIM Subscriber Identity Module
- UICC Universal Integrated Circuit Chip
- USIM Universal Subscriber Identity Module
- MSISDN Mobile Subscriber ISDN Number
- IMSI International Mobile Subscriber Identity
- An important task of the (U) SIM is the generation of the keys used to encrypt the data transmission and the signaling between the terminal and the mobile radio network.
- the routines of the (U)SIM for authentication and key calculation are usually specific to the respective network operator, both in the GSM standard and in the 3GPP standard, i.e. they are not part of the current mobile radio standards. This means that operator-specific routines are realized both in the (U)SIM and in the authentication centers of the respective network operator.
- the (U) SIM and the authentication center store a secret value specific to each (U) SIM needed for the symmetric procedure used for authentication and key generation. Symmetrical methods are generally distinguished by the fact that the same key is used for encryption and decryption.
- the mobile radio standards GSM and 3GPP currently provide, also for terminals intended exclusively for packet data transmission, a (U)SIM stored on a SIM card with an international mobile subscriber number MSISDN and an international mobile subscriber identity IMSI.
- the international mobile subscriber number MSISDN is required for data transmission via short messages SMS (Short Message Service) and for circuit-switched data services.
- SMS Short Message Service
- the billing under the international mobile subscriber number MSISDN typically also takes place.
- the international mobile subscriber identity IMSI serves to identify the subscriber, his network operator and the home location database HLR (Home Location Register).
- HLR Home Location Register
- the restriction of the services usable by a terminal with a (U) SIM is performed by the home database HLR.
- a restriction to one or more data services in the home database HLR may be configured.
- the quality of service QoS granted to a subscriber for packet data services may be limited in the home database HLR.
- SGSN Serving GPRS Support Node
- GGSN Gateway GPRS Support Node
- a server in the form of a home database HLR.
- a terminal stores a parameter identifying the terminal in the form of the international mobile equipment identity IMEI (International Mobile Equipment Identity) in an electronic circuit arrangement integrated in the terminal in the form of a memory module.
- IMEI International Mobile Equipment Identity
- the term "electronic device integrated in the terminal" in the context of the present invention means all electronic circuit parts of the terminal that are conceptually inseparably connected to the terminal.
- this also includes electronic circuits through which routines or parameters can be realized.
- the SIM card does not belong to the electronic circuitry integrated in the terminal.
- the international mobile equipment identity IMEI allows the blocking of devices which are either reported as stolen or whose use can no longer be tolerated for technical reasons.
- the international mobile device identifier IMEI can also be used as an identity for making emergency calls. This is the case when the terminal does not have a SIM card with a valid (U) SIM containing an international mobile subscriber identity IMSI.
- the function of the international mobile device identifier IMEI is to limit the misuse of terminal equipment to make deceptive emergency calls.
- the invention has for its object to further develop a mobile radio network of the type specified so that packet data services can be provided particularly cost-effectively.
- the terminals are SIM card-free terminals, and a further identification parameter and the routines required for authentication, or the routines and parameters required for authentication, are stored in the electronic circuit arrangement integrated in the terminal;
- the server is a server communicating with the network node on the basis of the Internet protocol, and the network node is designed such that it is ready to receive the further identification parameter and the parameter identifying the terminal, both of which are sent during the registration of the terminal on the mobile radio network.
- SIM card-free terminals are used.
- a SIM card is a considerable cost factor, especially for simple devices such as those used as data collection devices. Such simple devices often realize only low sales, which is why there is interest in reducing the acquisition costs by eliminating the SIM card.
- the use of a server communicating with the network node on the basis of the Internet protocol enables the use of relatively inexpensive network elements, since there is no need for a mobile-radio-specific home database HLR.
- the server has an internal or external database in which the subscriber-specific data is stored.
- the application of proven authentication and authorization procedures reduces the operating costs for the management and billing of the terminals operated in the mobile radio network.
- the storage of the further identification parameter and the routines required for authentication, or the routines and parameters required for authentication, in the electronic circuit arrangement integrated in the terminal offers the advantage of reducing the possible damage that can arise from loss, theft or misuse of the terminal. Since the capabilities of such devices are limited owing to the lack of an exchangeable SIM card, the interest in stealing the terminal is reduced.
- the server communicating based on the internet protocol is an AAA server.
- AAA Authentication, Authorization and Accounting
- the conceptual idea of the AAA server is to unify and summarize the different steps involved in logging into a network, authorizing a service, and charging it.
- the connection of an AAA server takes place via special protocols, such as RADIUS or DIAMETER.
- the general architecture of an AAA server is, e.g.,
- an AAA server is described in the Internet publication 3GPP TS 23.234 V6.3.0 (2004-12), which specifies the interworking between a 3GPP system and a WLAN (Wireless Local Area Network); the aim is to allow a 3GPP user to use services that enable the establishment of a connection over the WLAN to IP-based services, such as the Internet.
- the task of the AAA server is the authentication and authorization of the 3GPP subscriber connected via the WLAN.
- the AAA server completely or partially replaces the mobile-radio-specific home database HLR for the SIM card-free terminals used in the mobile radio network.
- the mobile radio network according to the invention can advantageously also be configured such that the access network node is arranged between the network node and the server communicating on the basis of the Internet protocol.
- in addition to its main task, which is to provide access to the packet data network, the access network node additionally serves to connect the server communicating on the basis of the Internet protocol to the network node, i.e. the access network node is interposed in the communication of the network node with the server communicating on the basis of the Internet protocol.
- the access network node already has a suitable interface for connecting the server communicating on the basis of the Internet protocol. This applies, for example, when the server communicating on the basis of the Internet protocol is an AAA server, since the access network node usually already has an AAA interface via which the connection of the server communicating on the basis of the Internet protocol can take place.
- a mobile radio network can be used in which an authorization server is connected to the access network node and carries out an authorization of the terminal in the case of an activation of a service within the packet data network requested by the terminal.
- This also makes it possible to use, for the authorization, i.e. the authorization check, a server that can also be used elsewhere.
- the use of a mobile-specific home database HLR is therefore no longer required.
- the mobile radio network is designed such that the authorization server is an AAA server.
- an AAA server is specifically designed to perform authorizations for its architecture and the protocols it supports, such as RADIUS or DIAMETER.
- the mobile radio network can preferably also be designed such that the authorization server is the server communicating based on the Internet protocol. This offers the advantage that a common server can be used for authentication and authorization.
- the mobile radio network according to the invention can be configured in such a way that a presence server is connected to the network node and stores presence data concerning the terminal in the course of logging on.
- the presence server is known from the Internet publication 3GPP TS 23.141 V6.7.0 (2004-09). Its task is to manage the presence information belonging to a subscriber or a terminal. This information can be provided by the presence server to so-called Watcher Applications, which enables them to process, display or use this information for other applications.
- the use of the presence server in the mobile radio network according to the invention is particularly advantageous because it makes it possible to localize the terminal or the subscriber even without using a home database HLR.
- the presence server can realize additional functions. Such a function could, for example, consist in the presence server triggering an alarm for terminals used in fixed vending machines for packet data communication in the event that the terminal changes its position, which could indicate misuse in the form of a theft.
- the access network node can also connect to the presence server. This can be done either by means of the network node or by means of a direct connection between the access network node and the presence server and allows the access network node, for example after activation of a packet data service, to update the status of the terminal in the presence server.
- a mobile radio network can be used in which a further server is connected to the access network node, which sends restrictions of the quality of service QoS to the access network node at the request of the access network node.
- the mobile radio network according to the invention can be configured such that the further server is a Policy Decision Function PDF server.
- the policy decision function is known from the Internet publication 3GPP TS 23.207 V ⁇ .4.0 (2004-09), which describes the concept and architecture for end-to-end Quality of Service (QoS) as part of 3GPP standardization.
- the limitation of the usable packet data services is made using standard IP mechanisms by using the Policy Decision Function PDF.
- the PDF server is in this case connected to the access network node and transmits to it the service restrictions with regard to the quality of service QoS to be provided.
- the realization of the further server in the form of a PDF server is advantageous since, due to the specification of the PDF server that has already been carried out as part of 3GPP standardization, there is no need for additional standardization and implementation of a new network component.
- the further server is a charging rules function CRF server.
- the Charging Rules Function is known from Internet publication 3GPP TS 23.125 V ⁇ .3.0 (2005-01) and allows the access network node to filter packet traffic so that packets belonging to a particular service data flow can be identified.
- the invention further relates to a method for operating a terminal in a mobile radio network with at least one network node, at least one access network node to a packet data network connected to the network node, and at least one server, wherein a parameter identifying the terminal and a further identification parameter are stored in the terminal, and wherein the parameter identifying the terminal is stored in an electronic circuit arrangement integrated in the terminal, comprising the following method steps: the network node receives the further identification parameter; the network node determines from the received further identification parameter an address of a server and sends a request to the determined server; the server responds to the request by sending authentication information to the network node in a response; after receiving the authentication information, the network node sends an authentication request to the terminal; the terminal determines an authentication response using the routines required for authentication stored in the terminal, or the routines and parameters required for authentication stored in the terminal, together with the authentication information received in the authentication request, and sends it to the network node; and upon successful verification of the authentication response by the network node, the authentication is completed.
- a method of the kind specified is known from the Internet publication 3GPP TS 23.060 V6.7.0 (2004-12), which contains a description of the processes and procedures occurring in connection with the provision of GPRS services.
- Chapter 6.5 of this Internet publication describes the registration procedure for the use of packet data services.
- the known registration method is distinguished by the fact that a network node in the form of an SGSN receives a further identification parameter in the form of the international mobile subscriber identity IMSI, which serves both to identify the subscriber using the terminal and to identify a server in the form of a home database HLR in which the subscriber data are stored.
- the SGSN now sends an authentication request to the HLR, which answers it by sending authentication information.
- the SGSN then sends an authentication request to the terminal, which determines an authentication response using the routines stored on the (U)SIM and the information received in the authentication request, and sends it to the SGSN.
- the terminal also calculates the session key and the integrity key needed for the application of the encryption.
- the SGSN authenticates the subscriber identified by the international mobile subscriber identity IMSI stored on the (U) SIM on the basis of the authentication response transmitted by the terminal.
- the invention has for its object to develop a method of the type specified so that packet data services can be provided particularly cost-effectively.
- a SIM card-free terminal is used as the terminal, and the further identification parameter and the routines or the routines and parameters required for authentication are stored in the electronic circuit arrangement integrated in the terminal; the network node receives the parameter identifying the terminal in addition to the further identification parameter, the further identification parameter being used to determine the address of a server communicating on the basis of the Internet protocol, and the request transmitted to the server communicating on the basis of the Internet protocol containing the parameter identifying the terminal; and the terminal is authenticated upon successful verification of the authentication response by the network node.
- the storage of the further identification parameter and the routines or parameters required for authentication in the electronic circuit arrangement integrated in the terminal offers advantages in the case of loss, theft or misuse of the terminal. Owing to the omission of the SIM card and, associated with it, of the (U)SIM and its parameters, both the storage location and the meaning of the further identification parameter change compared with the known method. Thus, in the inventive method, it is stored in the electronic circuit arrangement integrated in the terminal. It is particularly advantageous that the further identification parameter allows the address of the server communicating on the basis of the Internet protocol to be determined.
- the server communicating on the basis of the Internet protocol is typically arranged in the mobile radio network of the network operator who has issued the terminal, wherein the terminal can be issued directly by the network operator or by means of another provider.
- even when the network node at which the terminal registers and the server communicating on the basis of the Internet protocol are arranged in mobile radio networks of different network operators, an authentication of the terminal takes place.
- the method is preferably configured in such a way that the terminal, after receiving the authentication request, uses the routines stored in the electronic circuit arrangement integrated in the terminal, or the routines and parameters stored there, together with the information received in the authentication request, to authenticate the mobile radio network.
- This is advantageous because an authentication of the mobile radio network by the terminal results in an increase in security, and this furthermore complies with the present 3GPP standardization according to the Internet publication 3GPP TS 23.060 V6.7.0 (2004-12).
- the inventive method for operating a terminal in a mobile radio network can be configured such that the terminal sends a registration request of the first kind to the network node when a temporary identity assigned to the terminal by the network node that last served the terminal is still valid, the registration request of the first kind containing the temporary identity and identifying the network node that last served the terminal; the network node requests from the network node that last served the terminal the parameters of the terminal belonging to the temporary identity; and the network node that last served the terminal sends the parameter identifying the terminal and the further identification parameter to the network node.
- This is advantageous since this avoids the unencrypted transmission of the parameter identifying the terminal and of the further identification parameter in the mobile radio network.
- the corresponding use of temporary identities in the form of temporary mobile subscriber identities TMSI is known from the Internet publication 3GPP TS 23.060 V6.7.0 (2004-12), but not in connection with the method according to the invention.
- the inventive method can also be configured such that the terminal sends a registration request of the second kind to the network node which contains the parameter identifying the terminal, the network node then requests the terminal for information about the server communicating on the basis of the Internet protocol and the terminal responds with the sending of the further identification parameter to the network node.
- a corresponding registration request causes the SGSN
- the inventive method can also be configured such that the terminal sends, with a registration request of the third kind, the parameter identifying the terminal and the further identification parameter to the network node. This is advantageous because the signaling traffic between the terminal and the network node is optimized by the simultaneous transmission of the two parameters required for the registration of the terminal.
- the method can be configured in such a way that the identity of the server communicating on the basis of the Internet protocol is given directly by the further identification parameter, and the network node determines the address of the server communicating on the basis of the Internet protocol directly from the further identification parameter. It is particularly advantageous in this case that the address of the server communicating on the basis of the Internet protocol can be determined by the network node in a simple manner.
- the method can also be configured such that the network node derives the identity of the access network node from the further identification parameter, which identifies the packet data network that can be reached by the terminal.
- the method according to the invention can also be designed such that the identity of the access network node is given directly by the further identification parameter, and the network node derives the identity of the server communicating on the basis of the Internet protocol from the further identification parameter and from this determines the address of the server communicating on the basis of the Internet protocol.
- This is advantageous since, in the protocol messages currently defined in the context of 3GPP standardization between the terminal and the access network node, the identity of the access network node is already transmitted, and thus the need for a modification of the protocol in this regard is eliminated.
- the configuration and administration effort is reduced, and the traffic is limited to the networks reachable via the parameter combination, which in turn reduces misuse and the influence of faulty terminals.
- the method according to the invention can also be configured such that the identity of the server communicating on the basis of the Internet protocol identifies the network operator of the home network and / or the field of application of the terminal. This will advantageously the
- the method according to the invention can be configured such that the determination of the address of the server communicating on the basis of the Internet protocol is based on the identity of the server communicating on the basis of the Internet protocol using the Domain Name System DNS method. This is advantageous because a widely used standard method for the determination of IP addresses can then be used to determine the address of the server communicating on the basis of the Internet protocol.
- the international mobile equipment identity IMEI is used as the parameter identifying the terminal. This makes it possible to use, for identifying the terminal, an already specified parameter that is available in the electronic circuit arrangement integrated in the terminal.
- the method according to the invention can also be designed in such a way that, after successful authentication of the terminal, the network node reports the terminal to the server communicating on the basis of the Internet protocol as logged in to the mobile radio network; the server communicating on the basis of the Internet protocol sends a request to delete the data assigned to the terminal to the network node that last served the terminal; the network node that last served the terminal confirms the deletion of the data assigned to the terminal by sending a signal to the server communicating on the basis of the Internet protocol; and the server communicating on the basis of the Internet protocol confirms the registration message of the terminal by sending an acknowledgment signal to the network node.
- with a home database HLR in place of the server communicating on the basis of the Internet protocol, these method steps are described in the Internet publication 3GPP TS
- the method according to the invention can also be configured such that the server communicating on the basis of the Internet protocol sends valid service and / or location area restrictions to the network node with the confirmation signal for the terminal.
- the method can proceed in such a way that the network node sends a registration confirmation to the terminal after successful authentication of the terminal.
- the method may be configured such that a new temporary subscriber identity is transmitted in encrypted form with the registration confirmation sent by the network node to the terminal, and the terminal responds by sending an acknowledgment of receipt to the network node.
- the transmission of the parameter identifying the terminal is avoided for the following signaling messages.
- a corresponding procedure is disclosed in the Internet publication 3GPP TS 23.060 V6.7.0 (2004-12) for the method described there.
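The registration and authentication steps described above (a SIM card-free terminal sends its identifying parameter and further identification parameter, the network node derives the server identity from the further identification parameter and resolves it, the server returns authentication information, the terminal authenticates the network and answers the challenge, and the server records the registration and returns restrictions) can be modelled as a small protocol exchange. The following is an added example written for this page, not code from the patent or from any 3GPP implementation: the HMAC-SHA256 "routine", the `dns` dictionary standing in for a DNS lookup, the `aaa.` naming convention, the IMEI placeholders and the secret value are all assumptions; the patent leaves the concrete authentication routine to the operator.

```python
"""Constructed model of the SIM-card-free registration and mutual authentication
flow: terminal, SGSN-like network node and an IP-based (AAA-style) auth server.
All names, identifiers and the HMAC-based routine are assumptions for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def auth_routine(secret: bytes, *parts: bytes) -> bytes:
    """Assumed authentication routine: HMAC-SHA256 over the concatenated parts.
    The patent does not fix the routine; this is a stand-in for illustration."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


@dataclass
class Terminal:
    imei: str          # parameter identifying the terminal (constructed placeholder)
    further_id: str    # further identification parameter; domain part names the operator
    secret: bytes      # per-terminal secret held in the integrated circuit, not on a SIM

    def registration_request(self) -> dict:
        # registration request of the third kind: both parameters sent together
        return {"imei": self.imei, "further_id": self.further_id}

    def answer_challenge(self, rand: bytes, mac_net: bytes) -> Optional[bytes]:
        # mutual authentication: the terminal checks the network's tag first and
        # refuses to answer a challenge that was not produced with its secret
        if not hmac.compare_digest(auth_routine(self.secret, b"net", rand), mac_net):
            return None
        return auth_routine(self.secret, b"res", rand)


@dataclass
class AuthServer:
    """AAA-style server reachable over IP; replaces the HLR for SIM-free terminals."""
    subscribers: dict                                   # further_id -> record
    logged_in: dict = field(default_factory=dict)       # further_id -> serving node

    def auth_info(self, imei: str, further_id: str) -> Optional[dict]:
        rec = self.subscribers.get(further_id)
        if rec is None or rec["imei"] != imei:          # IMEI must match the identity
            return None
        rand = secrets.token_bytes(16)
        return {"rand": rand,
                "xres": auth_routine(rec["secret"], b"res", rand),
                "mac_net": auth_routine(rec["secret"], b"net", rand)}

    def confirm_registration(self, further_id: str, node: str) -> dict:
        # the previously serving node is superseded; restrictions travel with the ack
        self.logged_in[further_id] = node
        return {"ack": True, "restrictions": self.subscribers[further_id]["restrictions"]}


class NetworkNode:
    """SGSN-like node. `dns` is a constructed stand-in for resolving the server
    identity derived from the further identification parameter."""

    def __init__(self, name: str, dns: dict):
        self.name, self.dns, self.tmsi = name, dns, {}

    def register(self, terminal: Terminal) -> dict:
        req = terminal.registration_request()
        if "@" not in req["further_id"]:
            return {"ok": False, "reason": "unknown server"}
        server = self.dns.get("aaa." + req["further_id"].split("@", 1)[1])
        if server is None:
            return {"ok": False, "reason": "unknown server"}
        vec = server.auth_info(req["imei"], req["further_id"])
        if vec is None:
            return {"ok": False, "reason": "unknown terminal"}
        res = terminal.answer_challenge(vec["rand"], vec["mac_net"])
        if res is None or not hmac.compare_digest(res, vec["xres"]):
            return {"ok": False, "reason": "authentication failed"}
        conf = server.confirm_registration(req["further_id"], self.name)
        tmsi = secrets.token_hex(4)   # new temporary identity (its encryption is omitted here)
        self.tmsi[tmsi] = req
        return {"ok": True, "tmsi": tmsi, "restrictions": conf["restrictions"]}


def scenario() -> tuple:
    """Constructed scenario: a genuine terminal, a clone with the right IMEI but the
    wrong secret, and a terminal whose operator domain the node cannot resolve."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")          # constructed secret
    server = AuthServer({"m2m-0001@operator.example": {
        "imei": "IMEI-PLACEHOLDER-0001", "secret": k, "restrictions": ["data-only"]}})
    node = NetworkNode("sgsn-1", {"aaa.operator.example": server})
    genuine = Terminal("IMEI-PLACEHOLDER-0001", "m2m-0001@operator.example", k)
    clone = Terminal("IMEI-PLACEHOLDER-0001", "m2m-0001@operator.example", b"\x00" * 16)
    stranger = Terminal("IMEI-PLACEHOLDER-0002", "x@other.example", k)
    return node.register(genuine), node.register(clone), node.register(stranger), server.logged_in


if __name__ == "__main__":
    for result in scenario()[:3]:
        print(result)
```

The clone fails before it ever sends a response, because the terminal-side check of `mac_net` rejects a challenge not derived from its own secret; a cloned IMEI alone therefore buys nothing, which is the point of binding the identifying parameter to the secret stored in the integrated circuit.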
- the inventive method can be configured such that the terminal requests a service in the packet data network from the network node after successful authentication; the network node requests the establishment of the packet data service from the access network node; the access network node sends an authorization request for the authorization of the packet data service to an authorization server; the authorization server identifies the terminal as authorized for the use of the requested service by sending an authorization confirmation to the access network node; the access network node confirms the establishment of the packet data service to the network node; and the network node sends a signal to the terminal confirming the establishment of the packet data service.
- the request for the packet data service by the terminal can be made either immediately following the successful authentication or at a possibly much later date.
- a server of the type used for other applications, such as in the Internet area, can be used as the authorization server. Compared with the use of a telecommunications-specific home database HLR, this results in advantages in terms of effort and costs for the establishment and management of the authorization server.
- a further advantageous embodiment of the method is that the server communicating on the basis of the Internet protocol is used as the authorization server.
- This provides centralized management of all data required for authentication and authorization.
- the inventive method can be configured such that the authorization server transmits, together with the authorization confirmation, a number assigned to the terminal and / or an IP address assigned to the terminal to the access network node.
- the method can be configured such that with the authorization confirmation from the authorization server the granted quality of service QoS-defining parameters are transmitted to the access network node and the access network node uses the received parameters defining the quality of service QoS for the packet data service requested by the terminal.
- This embodiment is advantageous because it gives the authorization server as a central component the possibility of limiting the quality of service QoS provided.
- the method is configured such that an AAA server is used as the authorization server.
- an AAA server supports protocols suitable for automation, such as RADIUS or DIAMETER.
- the method can also be configured in such a way that the access network node sends a request message to a further server after receiving the authorization confirmation, the further server sends in its response the parameters defining the granted quality of service QoS to the access network node, and the access network node uses the received parameters defining the quality of service QoS for the packet data service requested by the terminal.
- the method can advantageously also be designed so that a policy decision function PDF server is used as the further server. Since the network element PDF server, as already explained in connection with the mobile radio network according to the invention, has already been specified within the framework of the 3GPP standardization, the expense of additional standardization and realization of another network element can be avoided.
- the method according to the invention can also proceed in such a way that as a further server a charging rule
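The service activation steps above (terminal requests a packet data service, the access network node asks an authorization server, the confirmation carries the assigned IP address and the QoS-defining parameters, and an optional further server such as a PDF can restrict the QoS) are modelled below as an added example written for this page; it is not code from the patent, and the `QoS` representation, the profile layout, the IMEI placeholder, the documentation-range IP address and the bandwidth values are all constructed assumptions.

```python
"""Constructed model of service activation: network node -> access network node ->
AAA-style authorization server, with a PDF-like policy server capping the QoS.
All names, values and the QoS representation are assumptions for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class QoS:
    max_kbps: int
    traffic_class: str


class AuthorizationServer:
    """Decides which packet data services a terminal may activate and returns the
    IP address and the granted QoS together with the authorization confirmation."""

    def __init__(self, profiles: dict):
        self.profiles = profiles   # imei -> {"services", "ip", "qos"}

    def authorize(self, imei: str, service: str) -> dict:
        p = self.profiles.get(imei)
        if p is None or service not in p["services"]:
            return {"authorized": False}
        return {"authorized": True, "ip": p["ip"], "qos": p["qos"]}


class PolicyServer:
    """Further server (PDF-like): answers the access node's request with a QoS cap."""

    def __init__(self, caps: dict):
        self.caps = caps           # service -> maximum bandwidth in kbit/s

    def restriction(self, service: str) -> Optional[int]:
        return self.caps.get(service)


class AccessNetworkNode:
    def __init__(self, auth: AuthorizationServer, policy: Optional[PolicyServer] = None):
        self.auth, self.policy = auth, policy
        self.contexts = {}         # (imei, service) -> active packet data context

    def setup(self, imei: str, service: str, requested: QoS) -> Optional[dict]:
        answer = self.auth.authorize(imei, service)
        if not answer["authorized"]:
            return None
        # the QoS defined by the authorization server overrides what the terminal asked for
        qos = answer["qos"] if answer["qos"] is not None else requested
        if self.policy is not None:
            cap = self.policy.restriction(service)
            if cap is not None and qos.max_kbps > cap:
                qos = QoS(cap, qos.traffic_class)
        ctx = {"ip": answer["ip"], "qos": qos}
        self.contexts[(imei, service)] = ctx
        return ctx


class NetworkNode:
    def __init__(self, access: AccessNetworkNode):
        self.access, self.authenticated = access, set()

    def activate_service(self, imei: str, service: str, requested: QoS) -> dict:
        if imei not in self.authenticated:           # only registered terminals may request
            return {"ok": False, "reason": "terminal not registered"}
        ctx = self.access.setup(imei, service, requested)
        if ctx is None:
            return {"ok": False, "reason": "not authorized"}
        return {"ok": True, "ip": ctx["ip"], "qos": ctx["qos"]}


def scenario() -> tuple:
    """Constructed scenario: one data-collection terminal allowed 'telemetry' only."""
    auth = AuthorizationServer({"IMEI-PLACEHOLDER-0001": {
        "services": {"telemetry"}, "ip": "198.51.100.23", "qos": QoS(256, "background")}})
    access = AccessNetworkNode(auth, PolicyServer({"telemetry": 64}))
    node = NetworkNode(access)
    imei = "IMEI-PLACEHOLDER-0001"
    before = node.activate_service(imei, "telemetry", QoS(1000, "interactive"))
    node.authenticated.add(imei)                      # registration completed elsewhere
    granted = node.activate_service(imei, "telemetry", QoS(1000, "interactive"))
    denied = node.activate_service(imei, "voip", QoS(64, "conversational"))
    return before, granted, denied


if __name__ == "__main__":
    for result in scenario():
        print(result)
```

The terminal's own QoS request is never trusted: the authorization server's profile decides the class and the bandwidth, and the policy server can only tighten that further, which is the central-limiting property the text attributes to the authorization server.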
- The method can advantageously also be designed such that a symmetric method is used between the terminal and the network node for authentication and key agreement.
- From 3GPP TS 33.102 V6.3.0 (2004-12), the security architecture of third generation mobile networks according to 3GPP standardization is known.
- This publication describes the symmetric method used for authentication and key agreement.
- At the same time, the keys subsequently used for encrypting data transmission and signalling between the terminal and the mobile network are agreed.
- The symmetric method described in this publication requires that the terminal as well as the authentication centre hold a secret value specific to each (U)SIM.
- The method can preferably also be designed such that an asymmetric method is used between the terminal and the network node for authentication and key agreement.
- This advantageously eliminates the need to provide network-operator-specific routines in the electronic circuit arrangement integrated in the terminal or, alternatively, to standardize the routines required for authentication and key agreement. This would otherwise be necessary because, according to the method of the invention, the routines previously stored in the (U)SIM and required for authentication are stored in the electronic circuit arrangement integrated in the terminal.
- The effort for configuring and protecting the secret values (also known as shared secrets) of the symmetric method in the authentication centre is avoided.
- The mechanisms and authentication parameters used by the asymmetric method can also be used by other applications of the terminal.
- The method according to the invention is configured such that a private key of the terminal and a public key of the server communicating on the basis of the Internet protocol are stored in the electronic circuit arrangement integrated in the terminal, and a private key of the server and a public key of the terminal are stored in the server communicating on the basis of the Internet protocol.
- The embodiment is particularly preferred in which the respectively required public and private keys are stored in the form of certificates in the electronic circuit arrangement integrated in the terminal and in the server communicating on the basis of the Internet protocol.
- The use of certificates ensures the integrity of the respective keys (a certificate protects a key only as far as its signature is verified against a trust anchor the recipient already holds).
- The method according to the invention may be configured such that the authentication information comprises a session key, an integrity key, a sequence number and an expected response, all encrypted with the public key of the terminal, together with a signature of the first kind of the server communicating on the basis of the Internet protocol, computed by means of the private key of that server over the session key, the integrity key, the sequence number and the expected response. The network node sends the received information with the authentication request to the terminal; the terminal decrypts the parameters encrypted with its public key (session key, integrity key, sequence number and expected response) using its private key, verifies the signature of the first kind with the help of the decrypted parameters and the public key of the server, and on successful verification sends the decrypted expected response as the authentication response to the network node.
- The method can also be configured such that the authentication information comprises the session key, the sequence number and the expected response, all encrypted with the public key of the terminal, together with a signature of the second kind of the server communicating on the basis of the Internet protocol, computed by means of the private key of that server over the session key, the sequence number and the expected response. The network node sends the received information with the authentication request to the terminal; the terminal decrypts the parameters encrypted with its public key (session key, sequence number and expected response) using its private key, derives the integrity key from the session key and/or the sequence number and/or the expected response, verifies the signature of the second kind with the help of the decrypted parameters and the public key of the server, and on successful verification sends the decrypted expected response as the authentication response to the network node.
- Deriving the integrity key from the other authentication parameters eliminates the need to transmit the integrity key to the terminal.
- The data structure and data length of the authentication vectors known from 3GPP TS 33.102 V6.3.0 (2004-12) do not have to be changed, which reduces the effort involved in introducing the method according to the invention.
- The method according to the invention can also be configured such that the authentication information comprises, as parameters encrypted with the public key of the terminal, the session key, the integrity key, the sequence number and a signature of the third kind of the server communicating on the basis of the Internet protocol, computed by means of the private key of that server over the session key, the integrity key and the sequence number. The network node sends the received information with the authentication request to the terminal; the terminal decrypts the parameters encrypted with its public key (session key, integrity key, sequence number and signature of the third kind) using its private key, verifies the signature of the third kind with the help of the decrypted session key, integrity key and sequence number and the public key of the server, and on successful verification sends the decrypted signature of the third kind as the authentication response to the network node.
- The method according to the invention can also be configured such that the authentication information comprises, as parameters encrypted with the public key of the terminal, the session key, the sequence number and a signature of the fourth kind of the server communicating on the basis of the Internet protocol, computed by means of the private key of that server over the session key and the sequence number. The network node sends the received information with the authentication request to the terminal; the terminal decrypts the parameters encrypted with its public key (session key, sequence number and signature of the fourth kind) using its private key, determines the integrity key from the session key and/or the sequence number, verifies the signature of the fourth kind with the help of the decrypted session key and sequence number and the public key of the server, and on successful verification sends the decrypted signature of the fourth kind as the authentication response to the network node.
- This embodiment is particularly advantageous, as it requires
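The asymmetric exchange described above, written out as an added example in Go; this is not code from the patent or from any 3GPP specification. It shows the first kind (CK, IK, SQN, XRES encrypted under the terminal's public key and signed by server S) and the second kind (IK left out and derived on both sides). The concrete choices are assumptions: RSA-OAEP for the encryption, RSA-PSS over SHA-256 for the signature, a 64-bit XRES, and an HMAC-SHA256 derivation of IK from CK, SQN and XRES, since the description says only that IK is derived. The third and fourth kinds differ only in the signature itself being returned as RES and are not shown. The terminal verifies the server's signature before it releases RES or uses any key, which is the check that stops an unsigned or altered vector from driving key agreement.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Lengths as in 3GPP TS 33.102: CK and IK 128 bit, SQN 48 bit; XRES taken as 64 bit here.
const ckLen, ikLen, sqnLen, xresLen = 16, 16, 6, 8

// AuthVector holds the parameters server S would otherwise obtain from the HLR/AuC.
type AuthVector struct{ CK, IK, SQN, XRES []byte }

// AuthInfo is the authentication information sent to the network node (message 7).
type AuthInfo struct{ Encrypted, Signature []byte }

// NewKeyPair generates an RSA key pair (one for the terminal, one for server S).
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// RandomVector draws a fresh vector; a constructed stand-in for the authentication centre.
func RandomVector() AuthVector {
	buf := make([]byte, ckLen+ikLen+sqnLen+xresLen)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return AuthVector{CK: buf[:16], IK: buf[16:32], SQN: buf[32:38], XRES: buf[38:]}
}

// DeriveIK is an assumed derivation of IK from CK, SQN and XRES (HMAC-SHA256 keyed with CK).
func DeriveIK(ck, sqn, xres []byte) []byte {
	m := hmac.New(sha256.New, ck)
	m.Write([]byte("IK"))
	m.Write(sqn)
	m.Write(xres)
	return m.Sum(nil)[:ikLen]
}

// BuildAuthInfo is server S's side. transmitIK=true gives the first kind (CK, IK, SQN, XRES
// encrypted and signed); false gives the second kind (IK omitted, derived on both sides).
// The returned vector is the one the network side keeps for RES checking and ciphering.
func BuildAuthInfo(serverPriv *rsa.PrivateKey, termPub *rsa.PublicKey, av AuthVector, transmitIK bool) (AuthInfo, AuthVector, error) {
	parts := [][]byte{av.CK, av.IK, av.SQN, av.XRES}
	if !transmitIK {
		av.IK = DeriveIK(av.CK, av.SQN, av.XRES)
		parts = [][]byte{av.CK, av.SQN, av.XRES}
	}
	plain := bytes.Join(parts, nil)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, plain, nil)
	if err != nil {
		return AuthInfo{}, av, err
	}
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, serverPriv, crypto.SHA256, digest[:], nil)
	return AuthInfo{Encrypted: enc, Signature: sig}, av, err
}

// TerminalRespond is the terminal's side: decrypt with its private key, verify the server's
// signature with the stored server public key, derive IK if it was not sent, and only then
// release RES (= XRES) to the network node together with the agreed keys.
func TerminalRespond(termPriv *rsa.PrivateKey, serverPub *rsa.PublicKey, info AuthInfo) ([]byte, AuthVector, error) {
	var av AuthVector
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termPriv, info.Encrypted, nil)
	if err != nil {
		return nil, av, err
	}
	digest := sha256.Sum256(plain)
	if rsa.VerifyPSS(serverPub, crypto.SHA256, digest[:], info.Signature, nil) != nil {
		// An unsigned or altered vector must not drive key agreement: no RES, no keys.
		return nil, av, errors.New("server signature invalid, authentication information rejected")
	}
	switch len(plain) {
	case ckLen + ikLen + sqnLen + xresLen: // first kind
		av = AuthVector{CK: plain[:16], IK: plain[16:32], SQN: plain[32:38], XRES: plain[38:]}
	case ckLen + sqnLen + xresLen: // second kind
		av = AuthVector{CK: plain[:16], SQN: plain[16:22], XRES: plain[22:]}
		av.IK = DeriveIK(av.CK, av.SQN, av.XRES)
	default:
		return nil, av, errors.New("unexpected parameter length")
	}
	return av.XRES, av, nil
}

// NetworkNodeAccepts is the network node's constant-time comparison of RES with XRES.
func NetworkNodeAccepts(xres, res []byte) bool { return hmac.Equal(xres, res) }
```

A caller creates the two key pairs with NewKeyPair, runs BuildAuthInfo on server S's side with the terminal's public key, hands the AuthInfo to TerminalRespond on the terminal's side with the server's public key, and finally compares the returned RES against XRES with NetworkNodeAccepts; in the second kind both sides end up with the same IK although it was never transmitted.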
- The method can be configured such that an AAA server is used as the server communicating on the basis of the Internet protocol.
- The method according to the invention can also be configured such that the communication between the network node and the server communicating on the basis of the Internet protocol takes place via the access network node.
- This is advantageous in particular if an already existing interface of the access network node can thereby be used for the server communicating on the basis of the Internet protocol.
- This is the case, for example, when the server communicating on the basis of the Internet protocol is an AAA server and the access network node is a GGSN, since the latter already has an AAA interface.
- The method according to the invention can proceed such that the terminal is combined with further terminals of the same type into a group, the group of terminals is assigned a common call number under which the charges caused by the terminals of the group are billed, and the individual terminals are identified on the basis of the parameter identifying the terminal or the IP address of the terminal.
- A separate telephone number (MSISDN) for each terminal is required only for short message service (SMS) data transmission and circuit-switched data services, but not for packet-switched data services.
- Billing continues to be performed using the telephone number as the assignment criterion.
- Assigning a telephone number to a group of terminals now makes it possible to collect all charges for the terminals of the group under this number.
- The terminals combined into a group can, for example, be all terminals of an operator of remotely readable electricity meters.
- Further actions can be collected under the common number of the terminals, the identity of the server communicating via the Internet protocol or the identity of the access network node. For example, rules for service restrictions or charging rules need only be defined once for the entire group.
- The method according to the invention can also be configured such that the network node sends presence data relevant to the registration of the terminal to a presence server, and the presence server confirms the entry of the presence data with a response signal.
- The presence server as such is known from 3GPP TS 23.141 V6.7.0 (2004-09). In the context of the method according to the invention, its use is advantageous because it enables localization of the terminal even without using a home database HLR.
- The method can be configured such that information about the location of the terminal is sent as a component of the presence data. This is advantageous because it makes monitoring and evaluation of the whereabouts of the terminal possible.
- A further preferred embodiment of the method according to the invention is such that the presence server compares the received information on the location of the terminal with a predetermined location and triggers an alarm when the location of the terminal does not match the predetermined location.
- The method may also preferably be such that, after the packet data service is activated, the presence server receives from the network node and/or the access network node a message updating the status of the terminal, which contains information on the activated packet data service and the associated IP address, and the presence server responds with a confirmation message.
- The activation of the packet data service is thus noted together with the IP address used by the terminal, and this information can be made available to applications for the terminal.
- The information on the IP address used by the terminal for the packet data service is of particular interest when the terminal uses a dynamic IP address, i.e. an address that is assigned to the terminal only in the context of registration in the mobile network or activation of a packet data service.
- An application can request the IP address from the presence server and then transfer data to the terminal.
- The method according to the invention can also be configured such that an application server logs on to the presence server, the presence server evaluates the application server's logon and, in the presence of a predefined evaluation result, prompts the terminal to activate a further packet data service, whereby the terminal is automatically assigned a dynamic IP address.
- This allows data connections to be established from the mobile network side with assignment of a dynamic IP address to the terminal, which advantageously saves network resources for data connections of those applications that transmit data only occasionally and trigger the transmission from the network side.
- Applications located on the application server are allowed to send data to the terminal without the terminal having previously initiated or requested them (so-called push services).
- The method is such that the presence server sends a request message, modified for the use of dynamic IP addresses, to activate the further packet data service to the terminal, and the terminal then activates the further packet data service, whereby the terminal is assigned a dynamic IP address.
- The presence server can send the request message directly to the network node, which then prompts the terminal to activate the further packet data service. However, the presence server can also send a request message to the access network node, which then sends a request message modified for the purpose of using dynamic IP addresses to the network node.
- The presence server thereby initiates a so-called "network-requested PDP context activation", which is already known from 3GPP TS 23.060 V6.7.0 (2004-12) and which, following a proposal in 3GPP S2-034257 (http://www.3gpp.org/ftp/tsg_sa/WG2_Arch/TSGS2_3⁇_New_York/tdocs/), is modified for the use of dynamic IP addresses; the terminal then activates the further packet data service, whereby a dynamic IP address is assigned to it.
- The mechanisms already known from 3GPP TS 23.141 V6.7.0 (2004-09) then report the assigned IP address to the presence server, which in turn informs the watcher application or applications.
- The dynamic IP address of the terminal is communicated to the presence server by the access network node, and to the application server by the presence server.
- The prerequisite is that the terminal is registered in a mobile network of the type described above.
- An application server logs on to the presence server as a watcher application. If the terminal to which the application server wants to send data has not yet been assigned a dynamic IP address, the presence server initiates this according to the procedure described above. Using known mechanisms, the assigned IP address is reported to the presence server, which then informs the watcher application. The application server can now transfer data to the terminal. After the data transfer, the application server preferably logs off from the presence server as a watcher application again. The next logon of the application server as a watcher application at the presence server can thus again trigger the assignment of a dynamic IP address to a corresponding terminal. A reassignment is required if the mobile radio network or the corresponding terminal has released the resources and the IP address, for example due to prolonged disuse.
- The application server can also log on to the presence server only indirectly.
- In that case a so-called "push proxy" server, already known from 3GPP TR 23.976 V6.1.0 (2004-06), logs on to the presence server as a watcher application.
- The application server then always sends its push data to the corresponding push proxy server registered with the presence server, which forwards the data to the terminal using the paths available to it. If the push proxy server is to transmit the data on a packet basis, it does so to the IP address communicated to it by the presence server; if no dynamic IP address has been assigned yet, the presence server initiates this according to the procedure described above.
- After the data transfer, the push proxy server preferably logs off from the presence server as a watcher application, so that the next logon as a watcher application for a data transmission can in turn trigger the assignment of a dynamic IP address if the mobile radio network or the terminal has released the resources and the IP address, for example due to prolonged non-use.
- When logging on to the presence server as a watcher application of a terminal or a corresponding subscriber, the application server indicates whether this logon should also lead to the assignment of an IP address, in particular a dynamic IP address, or whether the watcher application should only, as already known, be informed about states or state changes.
- The predefined evaluation result is determined by the terminal and stored at the presence server. The terminal or the respective subscriber is thereby able to deposit and change its preferences accordingly. The terminal can set whether it wants to receive push data, i.e. whether the mobile network may or should initiate the activation of a packet data service with assignment of a dynamic IP address for this purpose, or whether the transmission of push data to the terminal is not desired.
- The predefined evaluation result is determined by a network operator in such a way that the presence server prompts each terminal newly registering in the mobile radio network to activate the further packet data service.
- This takes account of a network operator's wish to transfer data or information to terminals or their subscribers as soon as they register in the mobile network.
- A corresponding application server logs on at the presence server as a watcher application of all terminals or corresponding subscribers, or of a subgroup, for example subscribers from foreign networks.
- The presence server initiates the request message modified for the use of dynamic IP addresses, namely the modified "network-requested PDP context activation" already mentioned; the IP address then assigned to the terminal or the corresponding subscriber is reported to the presence server by means of the mechanisms known from 3GPP TS 23.141 V6.7.0 (2004-09).
- The presence server informs the application server, which then transmits the data intended for the terminal, such as a welcome message, to the terminal or the subscriber.
- The presence server discloses the IP address(es) of a terminal or a corresponding subscriber only to watcher applications or application servers authorized by the subscriber and/or the network operator. Accordingly, the activation of a packet data service at a terminal on the part of the presence server, including the associated assignment of a dynamic IP address to the terminal, takes place only if the application server is authorized by the subscriber and/or the network operator.
- The application server preferably transmits specific data to the terminal by means of the dynamic IP address.
- The initiation on the part of the terminal took place, as it were, indirectly via the activation of the packet data service at the request of the presence server and the associated automatic assignment of an IP address, by means of which the terminal can now be reached by the application server.
- The application server can now send data in the form of a push service with the help of the IP address communicated to it by the presence server.
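The presence server's decision logic for watcher logons, from the first logon of an application server through to release and re-activation, as an added example in Go; it is not code from the patent or from 3GPP TS 23.141. The data model (Terminal, PresenceServer), the watcher names and the 10.0.0.x addresses are constructed for the example, and requestActivation only simulates the modified network-requested PDP context activation that in the real network runs through the network node and the access network node. The point it makes concrete is the gate described above: neither an activation nor an address disclosure happens unless the watcher is authorized by the subscriber and/or the operator, and the terminal's own preference can still veto a network-initiated activation.

```go
package main

import (
	"errors"
	"fmt"
)

// Terminal is the presence server's record of one terminal (assumed data model).
type Terminal struct {
	AcceptsPush bool            // preference deposited by the terminal: may the network trigger activation?
	Authorized  map[string]bool // watcher applications authorized by the subscriber
	IP          string          // dynamic IP address reported by the access network node; "" once released
	Watchers    map[string]bool // watcher applications currently logged on for this terminal
}

// PresenceServer holds the terminals and the operator-wide authorizations.
type PresenceServer struct {
	Terminals          map[string]*Terminal
	OperatorAuthorized map[string]bool // watcher applications authorized by the network operator
	WatchAll           map[string]bool // watchers of all terminals, e.g. an operator welcome service
	Activations        int             // network-requested activations triggered so far
	nextHost           int
}

func NewPresenceServer() *PresenceServer {
	return &PresenceServer{Terminals: map[string]*Terminal{}, OperatorAuthorized: map[string]bool{}, WatchAll: map[string]bool{}}
}

// requestActivation stands in for the modified network-requested PDP context activation:
// the network node prompts the terminal, the access network node assigns an address and
// reports it back to the presence server. Addresses are constructed here.
func (ps *PresenceServer) requestActivation(t *Terminal) string {
	ps.Activations++
	ps.nextHost++
	t.IP = fmt.Sprintf("10.0.0.%d", ps.nextHost)
	return t.IP
}

// Register is the evaluation of a watcher application's logon for one terminal. wantsIP
// says whether the logon should lead to an address assignment or only to state reports.
// It returns the address the watcher may use, or an error saying why nothing was disclosed.
func (ps *PresenceServer) Register(watcher, terminalID string, wantsIP bool) (string, error) {
	t, ok := ps.Terminals[terminalID]
	if !ok {
		return "", errors.New("unknown terminal")
	}
	// The subscriber and/or the network operator must have authorized the watcher;
	// otherwise neither an activation nor an address disclosure takes place.
	if !t.Authorized[watcher] && !ps.OperatorAuthorized[watcher] {
		return "", fmt.Errorf("watcher %q is not authorized for %q", watcher, terminalID)
	}
	if t.Watchers == nil {
		t.Watchers = map[string]bool{}
	}
	t.Watchers[watcher] = true
	if !wantsIP {
		return "", nil // classic watcher: informed about states and state changes only
	}
	if t.IP != "" {
		return t.IP, nil // already reachable: inform the watcher, no second activation
	}
	if !t.AcceptsPush {
		return "", fmt.Errorf("terminal %q declines push data: no network-initiated activation", terminalID)
	}
	return ps.requestActivation(t), nil
}

// Deregister lets a watcher log off so that its next logon can trigger an activation again.
func (ps *PresenceServer) Deregister(watcher, terminalID string) {
	if t, ok := ps.Terminals[terminalID]; ok {
		delete(t.Watchers, watcher)
	}
}

// ReleaseResources models the network or the terminal dropping the packet data service
// and its address after prolonged disuse.
func (ps *PresenceServer) ReleaseResources(terminalID string) {
	if t, ok := ps.Terminals[terminalID]; ok {
		t.IP = ""
	}
}

// TerminalRegistered is called when the network node reports a terminal's registration.
// Operator policy: every watcher of all terminals is offered the newly registered terminal,
// which triggers an activation if that watcher is authorized and the terminal accepts push.
func (ps *PresenceServer) TerminalRegistered(terminalID string, t *Terminal) map[string]string {
	ps.Terminals[terminalID] = t
	informed := map[string]string{}
	for w := range ps.WatchAll {
		if ip, err := ps.Register(w, terminalID, true); err == nil && ip != "" {
			informed[w] = ip
		}
	}
	return informed
}

func main() {
	ps := NewPresenceServer()
	ps.OperatorAuthorized["welcome-service"], ps.WatchAll["welcome-service"] = true, true
	meter := &Terminal{AcceptsPush: true, Authorized: map[string]bool{"meter-reader": true}}
	fmt.Println(ps.TerminalRegistered("meter-0001", meter))      // map[welcome-service:10.0.0.1]
	fmt.Println(ps.Register("meter-reader", "meter-0001", true)) // 10.0.0.1 <nil>, address reused
	fmt.Println(ps.Register("adware", "meter-0001", true))       // rejected, nothing disclosed
}
```

After ReleaseResources (the network or the terminal dropping the context after disuse) a fresh logon of an authorized watcher triggers a second activation with a new address, which is exactly the reassignment case described above.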
- The invention further relates to a terminal having an electronic circuit arrangement integrated in the terminal, in which a parameter identifying the terminal is stored, for use in a mobile radio network having at least one network node, at least one server and at least one access network node connecting the network node to a packet data network.
- Such a terminal is known from the prior art discussed at the outset.
- The object of the invention is to develop a terminal of the specified type further so that packet data services can be provided particularly cost-effectively.
- For a terminal of the specified type, the object is achieved according to the invention in that the terminal is a SIM-card-free terminal and a further identification parameter as well as the routines or parameters required for authentication are stored in the electronic circuit arrangement integrated in the terminal.
- The terminal according to the invention is advantageously configured such that the routines required for a symmetric method for authentication and key agreement, or the routines and parameters required for it, are stored in the electronic circuit arrangement integrated in the terminal.
- Support for a symmetric authentication and key agreement method avoids changes to the mobile network, since the symmetric method for authentication and key agreement known from 3GPP standardization can still be used despite the use of SIM-card-free terminals.
- The terminal according to the invention can also be configured such that the routines required for an asymmetric method for authentication and key agreement, or the routines and parameters required for it, are stored in the electronic circuit arrangement integrated in the terminal.
- The terminal according to the invention can also be configured such that a private key of the terminal and a public key of the server communicating on the basis of the Internet protocol are stored in the electronic circuit arrangement integrated in the terminal.
- The terminal according to the invention can be configured such that the keys are stored in the electronic circuit arrangement integrated in the terminal in the form of certificates. This is advantageous because the use of certificates ensures the integrity of the stored keys.
- In a further preferred embodiment of the terminal according to the invention, further data specific to the terminal and/or to the subscriber using the terminal are stored in the electronic circuit arrangement integrated in the terminal. This allows the terminal to be personalized according to the requirements of the respective network operator. By storing the data usually held on the SIM card in the electronic circuit arrangement integrated in the terminal, restrictions on the functionality of the terminal are avoided.
- the terminal according to the invention is configured such that the further data is a
- The terminal according to the invention can also be configured such that the electronic circuit arrangement integrated in the terminal contains a non-volatile memory. This is advantageous since the data stored in the electronic circuit arrangement integrated in the terminal should usually also be retained when the power supply is switched off.
- The terminal according to the invention can be configured such that the electronic circuit arrangement integrated in the terminal includes a volatile memory whose contents are lost if the power supply is interrupted. This is advantageous for certain applications, since it reduces the possibilities of abuse of stolen terminals: the routines, or routines and parameters, stored in the electronic circuit arrangement for authentication and key agreement are protected by being lost in the event of a power interruption due to theft.
- The terminal according to the invention can also be configured such that the routines, or routines and parameters, stored in the electronic circuit arrangement integrated in the terminal and required for authentication and key agreement, or the function of the terminal, are protected by a password.
- FIG. 1 shows a schematic representation of the network elements of an embodiment of the mobile radio network according to the invention together with a packet data network
- FIG. 2 is a diagram showing the differences between the in
- FIG. 3 is a diagrammatic representation of the message flows between the network elements shown in FIG. 1 in a further embodiment of the method according to the invention as part of the authentication and key agreement
- FIG. 4 is a diagrammatic representation of the message flows between the network elements shown in FIG. 1 in an additional embodiment of the method according to the invention as part of the authentication and key agreement;
- FIG. 5 is a diagrammatic view of a type of message flows running between the network elements shown in FIG. 1 in the context of the request for a packet data service;
- FIG. 6 is a diagrammatic view of another type of message flow between the network elements shown in FIG. 1 as part of the request for a packet data service.
- FIG. 1 shows an embodiment of the mobile radio network MFN according to the invention and a packet data network PDN. It can be seen that a terminal ME using the mobile network MFN is connected by means of a base station system BS to the other elements of the mobile network MFN.
- the base station system BS is connected to a network node NKn of the mobile network MFN.
- the network node NKn is connected to an access network node ZNK, which is connected to the packet data network PDN.
- The network node NKn and the access network node ZNK are two separate network elements; however, it is also possible to use a single network element which implements both the functionality of the network node NKn and that of the access network node ZNK.
- the network node NKn is a Serving GPRS Support Node (SGSN) and the access network node ZNK is a Gateway GPRS Support Node (GGSN).
- The network node NKn is connected to a presence server PS and to a server S communicating on the basis of the Internet protocol.
- The network node NKn also communicates with a network node NKa which last served the terminal.
- The access network node ZNK is connected to an authorization server AS and to a further server S2.
- The server S communicating on the basis of the Internet protocol provides authentication vectors, as supplied in known mobile networks by the home databases HLR. This can be done either directly by the server S itself or by an authentication centre (not shown) attached to the server S. In the context of the invention, an authentication centre connected to the server S is considered part of the server S.
- The presence server PS may, in deviation from the representation of FIG. 1, also be connected directly to the access network node ZNK; a connection via the network node NKn to the access network node ZNK is also possible.
- FIG. 2 illustrates the message flows between the network elements in one embodiment of the method according to the invention.
- the network elements are in each case illustrated by a rectangle with a line running vertically downwards.
- the messages exchanged between the various network elements are represented by horizontal arrows.
- The time sequence of the messages is given by the vertical axis, i.e. an arrow shown lower in the figure represents a message that is usually transmitted after the message represented by an arrow shown above it.
- The method according to the invention for operating a terminal ME in a mobile radio network MFN can proceed such that the terminal ME registers with the network node NKn with a registration request of the first kind 1a, which contains its temporary identity.
- The temporary identity is a parameter identifying the terminal ME which was assigned to it as part of an earlier registration process.
- In addition, the terminal ME transmits to the network node NKn a location area identifier identifying the network node NKa that last served the terminal ME.
- The network node NKn then sends a request 2, which contains the temporary identity, to the network node NKa that last served the terminal ME.
- The network node NKa that last served the terminal ME sends, with message 3, a parameter identifying the terminal ME and a further identification parameter to the network node NKn. Thanks to the use of the temporary identity, the network node NKn thus receives the parameter identifying the terminal ME and the further identification parameter without the terminal ME having to send these parameters to the network node NKn in unencrypted form.
- The network node NKn determines from the received further identification parameter the address of the server S communicating on the basis of the Internet protocol and sends a request 6 to the server S.
- The determination of the address of the server S from the further identification parameter can take place in different ways in accordance with various embodiments of the method according to the invention.
- In one embodiment, the further identification parameter is the identity, i.e. a parameter identifying the logon domain, of the server S communicating on the basis of the Internet protocol. The network node NKn can then derive the address of the server S from the further identification parameter, for instance using the Domain Name System (DNS).
- The identity of the access network node ZNK is preferably derived from the identity of the server S communicating on the basis of the Internet protocol.
- The identity of the access network node ZNK may be the known Access Point Name (APN), which defines the packet data network PDN that can be reached by the terminal ME. This may be, for example, a private IP network of a company.
- Alternatively, the further identification parameter directly determines the identity of the access network node ZNK.
- In that case the network node NKn derives the identity of the server S communicating on the basis of the Internet protocol from the further identification parameter and, from that identity, in turn determines the address of the server S.
- The two alternatives, i.e. the derivation of the identity of the access network node ZNK from the identity of the server S or the derivation of the identity of the server S from the identity of the access network node ZNK, are equivalent.
- The data traffic is thereby limited to the networks reachable via the respective identity of the server S and the respective identity of the access network node ZNK, which reduces the potential for abuse and the impact of faulty terminals.
- the identity of the server S communicating on the basis of the internet protocol is approximately the character string AAA. x. y. gprs can be given.
- the identity of the access network node ZNK (which in the known 3GPP standardization corresponds to the APN) could be determined from e.g. B. to the string M2M_APN. x. y. gprs are derived.
- the network node NKn After the network node NKn has determined the identity of the server S communicating on the basis of the internet protocol using the further identification parameter, it sends a request 6 with the parameter identifying the terminal to the server S communicating on the basis of the internet protocol.
- the identity of the communicating on the basis of the Internet Protocol server S advantageously contains the name of the home network ,, z. B. in the form of the name components already defined for the APN in the Internet publication 3GPP TS 23.003 V ⁇ .5.0 (2004-12), country code and network code which together identify the home network of the terminal ME.
- the network node NKn can also determine the identity of the access network node ZNK from the identity of the server S communicating on the basis of the Internet protocol.
- HLR PDP context In the case of a mobile network according to the GPRS standard, this corresponds to the APN.
- APN a so-called HLR PDP context is then created and stored, which restricts the allowed packet data services.
- the parameters of the quality of service QoS contained in the HLR PDP context are set by the network node NKn to maximum values or to values predefined in the network node NKn. These can then be set to the values permitted in the specific case when setting up a packet data service. be changed, as will be explained in more detail in connection with Figures 5 and 6.
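The identity derivation and HLR PDP context creation described above, as an added example that is not code from the patent. It assumes, for illustration only, that the placeholders x.y in the strings AAA.x.y.gprs and M2M_APN.x.y.gprs are filled with the APN name components of 3GPP TS 23.003 (mnc<MNC>.mcc<MCC>.gprs), that the DNS step is replaced by an offline name table with RFC 5737 documentation addresses, and that the QoS parameter names are invented. Every function, constant and sample value below is constructed for the example.

```python
"""Identity derivation and HLR PDP context creation for a SIM-card-free
terminal ME, following the steps described above.

Constructed assumptions: the logon domain uses the APN name components of
3GPP TS 23.003, "mnc<MNC>.mcc<MCC>.gprs", in place of the placeholders x.y;
the server S identity is "AAA." + domain and the APN is "M2M_APN." + domain;
the DNS step is an offline name table with RFC 5737 documentation addresses;
the QoS parameter names are invented for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER_PREFIX = "AAA."
APN_PREFIX = "M2M_APN."
_DOMAIN_RE = re.compile(r"^mnc(\d{2,3})\.mcc(\d{3})\.gprs$")

# Constructed stand-in for the DNS lookup performed by the network node NKn.
NAME_TABLE = {"aaa.mnc001.mcc262.gprs": "192.0.2.10"}

# Constructed upper bounds NKn writes into the HLR PDP context when the
# operator has not predefined other values (see the text above).
QOS_MAXIMUM = {"max_bitrate_kbps": 2048, "traffic_class": "background"}


@dataclass(frozen=True)
class HlrPdpContext:
    terminal_id: str
    apn: str          # identity of the access network node ZNK
    qos: dict         # maximum or predefined QoS values


def _domain(identity: str, prefix: str) -> str:
    """Strip a known prefix and validate the remaining logon domain."""
    if not identity.startswith(prefix):
        raise ValueError(f"{identity!r} does not start with {prefix!r}")
    domain = identity[len(prefix):].lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"unexpected logon domain {domain!r}")
    return domain


def identities_from_parameter(further_param: str) -> Tuple[str, str]:
    """Return (identity of server S, identity of access network node ZNK).

    The further identification parameter may carry either identity; the other
    one is derived from it, and the two directions are equivalent.
    """
    if further_param.startswith(SERVER_PREFIX):
        domain = _domain(further_param, SERVER_PREFIX)
    elif further_param.startswith(APN_PREFIX):
        domain = _domain(further_param, APN_PREFIX)
    else:
        raise ValueError("parameter names neither server S nor the ZNK")
    return SERVER_PREFIX + domain, APN_PREFIX + domain


def home_network(identity: str) -> Tuple[str, str]:
    """Return (country code MCC, network code MNC) of the terminal's home network."""
    prefix = SERVER_PREFIX if identity.startswith(SERVER_PREFIX) else APN_PREFIX
    match = _DOMAIN_RE.match(_domain(identity, prefix))
    return match.group(2), match.group(1)


def resolve_server_address(server_identity: str) -> Optional[str]:
    """Name-to-address step (DNS in the text); None means request 6 cannot be sent."""
    return NAME_TABLE.get(server_identity.lower())


def create_hlr_pdp_context(terminal_id: str, apn: str,
                           predefined_qos: Optional[dict] = None) -> HlrPdpContext:
    """Store the APN together with maximum or operator-predefined QoS values."""
    return HlrPdpContext(terminal_id, apn, dict(predefined_qos or QOS_MAXIMUM))


if __name__ == "__main__":
    server_id, apn = identities_from_parameter("AAA.mnc001.mcc262.gprs")
    print(server_id, apn, home_network(server_id), resolve_server_address(server_id))
    print(create_hlr_pdp_context("TERMINAL-ID-PLACEHOLDER", apn))
```

The validation in `_domain` is the point a practitioner should keep: because the further identification parameter arrives unauthenticated (see the FIG. 4 discussion below), the network node should only accept logon domains of the expected shape before using them to select a server or an APN, so that a malformed parameter fails closed rather than steering the request elsewhere.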
- The request 6 is answered by the server S communicating on the basis of the Internet protocol by sending authentication information 7 to the network node NKn.
- The content of the authentication information may differ depending on whether a symmetric or an asymmetric method is used for authentication and key agreement.
- For a symmetric method of authentication and key agreement it should be noted that, because SIM-card-free terminals ME are used, different encryption methods may have to be implemented in the electronic circuit integrated in the terminal ME for different network operators. This could be avoided by standardizing the routines needed for authentication and key agreement.
- Alternatively, an asymmetric method can be used, which has the additional advantage that the expense of configuring and protecting the secret values of the symmetric encryption method in the authentication center is avoided.
- The mechanisms and authentication parameters used by the asymmetric encryption method can also be used by applications on the terminal.
- The method according to the invention is designed such that the required extensions of the functionality of the network node NKn are minimized. This makes it easier to operate terminals with a (U)SIM card and SIM-card-free terminals ME according to the present invention at the same time.
- After receiving the authentication information, the network node NKn sends an authentication request 8 to the terminal ME.
- The terminal ME authenticates the mobile radio network MFN using the routines, or the routines and parameters, implemented in the electronic circuitry integrated in the terminal ME; additionally using the information received in the authentication request, it determines a value for the expected response and, on successful authentication, sends an authentication response 9 to the network node NKn.
- The network node NKn checks the expected response contained in the authentication response 9 and, after successful authentication, informs the server S communicating on the basis of the Internet protocol by means of message 10 that the terminal ME is logged on to the mobile radio network MFN.
- The server S communicating on the basis of the Internet protocol sends a request 11 for deleting the data assigned to the terminal ME to the network node NKa that last served the terminal ME.
- The network node NKa that last served the terminal ME confirms the deletion of the data assigned to the terminal ME by sending a signal 12 to the server S communicating on the basis of the Internet protocol.
- The server S communicating on the basis of the Internet protocol confirms the entry of the terminal ME by sending an acknowledgment signal 13 to the network node NKn. It should be noted that, in principle, the confirmation signal 13 can be sent before the network node NKa that last served the terminal ME acknowledges the deletion of the data assigned to the terminal ME by sending the signal 12.
- The server S communicating on the basis of the Internet protocol can now inform the network node NKn of further data specific to the terminal ME. This data may be an HLR PDP context, if it has not already been generated after transmission of the message 6.
- The network node NKn now sends presence data concerning the terminal ME to a presence server PS by means of the message 14, and the presence server PS confirms the entry of the presence data with a response signal 15.
- The network node NKn then sends a registration confirmation 16 to the terminal ME, which contains a new temporary subscriber identity in encrypted form.
- The terminal ME responds by sending an acknowledgment of receipt 17 to the network node NKn.
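The exchange of messages 6 to 17 described above, as an added simulation that is not code from the patent. The text leaves the concrete authentication method open; the block assumes, for illustration only, a symmetric scheme in which server S and the terminal's integrated circuit share a key K, the authentication information is the tuple (RAND, AUTN, XRES, CK) with each value an HMAC of RAND under K and a distinct label, and the new temporary identity in message 16 is XOR-encrypted with the fresh CK. The class names, the key material and the presence dictionary standing in for the presence server PS are all constructed.

```python
"""Registration exchange (messages 6 to 17 above) for a SIM-card-free terminal.

The text leaves the authentication method open; this example assumes a
symmetric scheme constructed for illustration: server S and the terminal's
integrated circuit share a key K, and the authentication information is
(RAND, AUTN, XRES, CK) with AUTN = HMAC(K, "net" || RAND),
XRES = HMAC(K, "res" || RAND) and CK = HMAC(K, "ck" || RAND).  The new
temporary identity in message 16 is XOR-encrypted with the fresh CK.
The class names and the presence dictionary are invented.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _mac(key: bytes, label: bytes, rand: bytes) -> bytes:
    return hmac.new(key, label + rand, hashlib.sha256).digest()


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


@dataclass
class Terminal:
    """Routines and parameters of the integrated electronic circuit."""
    terminal_id: str
    key: bytes                                  # constructed secret, never leaves the device
    temp_identity: Optional[bytes] = None
    _ck: bytes = b""

    def answer(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        """Message 8 -> 9: authenticate the network MFN first, then answer."""
        if not hmac.compare_digest(autn, _mac(self.key, b"net", rand)):
            return None                         # network not authenticated: no response 9
        self._ck = _mac(self.key, b"ck", rand)
        return _mac(self.key, b"res", rand)

    def accept(self, enc_temp_identity: bytes) -> None:
        """Message 16 -> 17: decrypt the new temporary subscriber identity."""
        self.temp_identity = _xor(enc_temp_identity, self._ck)


@dataclass
class ServerS:
    """Server S communicating on the basis of the Internet protocol."""
    keys: Dict[str, bytes]
    serving: Dict[str, "NetworkNode"] = field(default_factory=dict)

    def auth_info(self, terminal_id: str) -> Tuple[bytes, bytes, bytes, bytes]:
        """Request 6 -> authentication information 7."""
        key = self.keys[terminal_id]
        rand = secrets.token_bytes(16)
        return (rand, _mac(key, b"net", rand),
                _mac(key, b"res", rand), _mac(key, b"ck", rand))

    def confirm(self, terminal_id: str, node: "NetworkNode") -> None:
        """Message 10 -> 11, 12, 13: clear the previously serving node NKa."""
        old = self.serving.get(terminal_id)
        if old is not None and old is not node:
            old.delete(terminal_id)             # request 11, acknowledged by 12
        self.serving[terminal_id] = node        # acknowledgment 13


@dataclass
class NetworkNode:
    """Network node NKn; `presence` stands in for the presence server PS."""
    name: str
    server: ServerS
    presence: Dict[str, str]
    registered: Dict[str, bytes] = field(default_factory=dict)

    def delete(self, terminal_id: str) -> None:
        self.registered.pop(terminal_id, None)

    def register(self, terminal: Terminal) -> bool:
        rand, autn, xres, ck = self.server.auth_info(terminal.terminal_id)  # 6, 7
        res = terminal.answer(rand, autn)                                    # 8, 9
        if res is None or not hmac.compare_digest(res, xres):
            return False                        # authentication failed
        self.server.confirm(terminal.terminal_id, self)                     # 10..13
        self.presence[terminal.terminal_id] = self.name                     # 14, 15
        tmsi = secrets.token_bytes(4)           # new temporary subscriber identity
        self.registered[terminal.terminal_id] = tmsi
        terminal.accept(_xor(tmsi, ck))                                     # 16, 17
        return terminal.temp_identity == tmsi
```

Two properties of the text are visible in the simulation: the terminal refuses to answer (no message 9) unless the network proves knowledge of its key first, and a terminal with the wrong key never reaches messages 10 to 17, so no old record is deleted and no temporary identity is issued. The RES/XRES comparison uses `hmac.compare_digest` so that the check in NKn is constant-time.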
- FIG. 3 illustrates the message flow in a further embodiment of the method according to the invention.
- The terminal ME first sends a registration request of the second type 1b to the network node NKn, which contains the parameter identifying the terminal ME.
- This form of the registration request is required in particular if the terminal ME does not have a valid temporary identity.
- The network node NKn requests a further identity from the terminal ME with the message 4.
- The terminal ME then responds by sending the message 5, which contains the further identification parameter, to the network node NKn.
- The further steps 6 to 17 shown in FIG. 3 are identical to the method steps already explained in connection with FIG. 2.
- FIG. 4 shows a diagrammatic representation of the message flow between the network elements involved on the basis of a further exemplary embodiment of the method according to the invention, in which yet another type of registration request is sent by the terminal ME.
- Here the terminal ME directly transmits both the parameter identifying the terminal ME and the further identification parameter to the network node NKn.
- Both identification parameters required by the network node NKn, i.e. the parameter identifying the terminal ME and the further identification parameter, are transmitted to the network node NKn together with the registration request 1c.
- The advantage here is that the number of messages sent between the network elements is minimized.
- The two identification parameters are transmitted unencrypted between the terminal ME and the network node NKn, since no authentication and key agreement between the terminal ME and the network node NKn has yet taken place.
- The further messages 6 to 17 correspond to the messages already explained in connection with FIG. 2.
- FIG. 5 shows a diagram of the message flow for an exemplary embodiment of the method according to the invention, in which a packet data service is requested by the terminal ME.
- The signaling of the corresponding messages takes place after the successful authentication and key agreement, which have already been explained in more detail with reference to the exemplary embodiments illustrated in FIGS. 2 to 4.
- The terminal ME requests the packet data service from the network node NKn with the message 21.
- The terminal ME can specify an IP address, an identity of an access network node (corresponding to the APN) and the desired quality of service QoS.
- Alternatively, the terminal ME can request the respective values specified in the mobile radio network MFN.
- The network node NKn validates the requested parameters and can restrict the desired quality of service QoS.
- The network node NKn requests the establishment of the packet data service with the desired parameters from the access network node ZNK by means of the message 22.
- The parameters contain, among other things, the identifier identifying the terminal and the identity of the access network node ZNK, the identity of the access network node ZNK preferably being derived from the identity of the server S communicating on the basis of the Internet protocol, i.e. the value stored in the created HLR PDP context is used.
- The access network node ZNK then sends an authorization request 23 for the authorization of the packet data service, or for querying restrictions on the quality of service QoS, to an authorization server AS, which is preferably an AAA server.
- The authorization server AS authorizes the terminal ME by means of an authorization confirmation 24 sent to the access network node ZNK and can thereby assign to the terminal ME a call number and/or an IP address and/or service restrictions, in particular with regard to the quality of service QoS, insofar as this has not already occurred in one of the previous steps.
- The terminal ME, the subscriber or the application(s) on the terminal ME can thereby be identified by the identity of the access network node and/or the call number and/or the IP address. These parameters can also be used as an identity for charging purposes.
- The access network node ZNK applies the restrictions received with the authorization confirmation 24, in particular on the quality of service QoS, to the packet data service requested by the terminal ME. This means that the access network node can reduce the quality of service QoS according to the restrictions received.
- Upon receipt of the authorization confirmation 24, the access network node ZNK acknowledges the establishment of the packet data service to the network node NKn by sending the message 27. This may include the quality of service QoS and/or the IP address and/or the call number.
- The network node NKn sends a signal 28 to the terminal ME, which confirms the establishment of the packet data service.
- The quality of service QoS and/or the IP address and/or the call number can be transmitted from the network node NKn to the terminal ME, provided that the network node NKn has previously received these parameters in the message 27.
- The network node NKn now sends a message 29 updating the status of the terminal ME to the presence server PS, which contains information about the established packet data service and the associated IP address.
- A corresponding message can alternatively or additionally also be sent by the access network node ZNK.
- The access network node ZNK can communicate with the presence server either directly or via the network node NKn.
- The presence server PS responds with a confirmation message 30.
- FIG. 6 shows the message flow for a further embodiment of the method according to the invention with respect to the request for a packet data service.
- The first two messages 21 and 22 correspond to the messages already described in connection with FIG. 5.
- In the authorization request 23, however, the access network node ZNK now does not request restrictions on the quality of service QoS from the authorization server AS, which is why none are transmitted with the authorization confirmation 24 from the authorization server AS to the access network node ZNK. Instead, after receiving the authorization confirmation 24, the access network node ZNK additionally sends a request message 25 to a further server S2.
- The further server S2 sends in its response 26 service restrictions, in particular with regard to the granted quality of service QoS, to the access network node ZNK, which applies the received service restrictions to the packet data service requested by the terminal ME.
- The further server S2 is preferably a policy decision function (PDF) server or a charging rules function (CRF) server.
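The packet data service set-up of FIG. 5 (messages 21 to 30) and the FIG. 6 variant with the further server S2, as an added example that is not code from the patent. For illustration the QoS is reduced to a maximum bitrate plus a traffic class, the HLR PDP context, the authorization server AS and the server S2 are plain dictionaries, NKn is assumed to accept only the APN stored in the HLR PDP context, and the addresses are RFC 5737 documentation addresses; all class and function names are invented.

```python
"""Packet data service set-up with QoS restriction as described for FIG. 5
(messages 21 to 30) and the FIG. 6 variant with a further server S2.

Constructed assumptions: QoS is reduced to a maximum bitrate and a traffic
class; the HLR PDP context, the authorization server AS and the server S2 are
plain dictionaries; NKn only accepts the APN stored in the HLR PDP context;
addresses are RFC 5737 documentation addresses.  All names are invented.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Traffic classes in ascending order of priority (constructed ordering).
TRAFFIC_CLASSES = ["background", "interactive", "streaming", "conversational"]


@dataclass(frozen=True)
class QoS:
    max_bitrate_kbps: int
    traffic_class: str

    def restricted_by(self, limit: "QoS") -> "QoS":
        """Apply a restriction: a QoS value is only ever lowered, never raised."""
        cls = min(self.traffic_class, limit.traffic_class, key=TRAFFIC_CLASSES.index)
        return QoS(min(self.max_bitrate_kbps, limit.max_bitrate_kbps), cls)


@dataclass(frozen=True)
class HlrPdpContext:
    apn: str       # identity of the access network node ZNK
    qos: QoS       # maximum values set by NKn at registration


@dataclass(frozen=True)
class Authorization:
    ip_address: str
    qos: Optional[QoS]   # None: AS returned no QoS restrictions (FIG. 6)


class AuthorizationServer:
    """AS (e.g. an AAA server): messages 23 and 24."""
    def __init__(self, rules: Dict[Tuple[str, str], Authorization]):
        self.rules = rules

    def authorize(self, terminal_id: str, apn: str) -> Optional[Authorization]:
        return self.rules.get((terminal_id, apn))   # None: not authorized


class PolicyServer:
    """Further server S2 (PDF or CRF): messages 25 and 26."""
    def __init__(self, rules: Dict[Tuple[str, str], QoS], default: QoS):
        self.rules, self.default = rules, default

    def restrictions(self, terminal_id: str, apn: str) -> QoS:
        return self.rules.get((terminal_id, apn), self.default)


class AccessNetworkNode:
    """ZNK: message 22 in, message 27 out."""
    def __init__(self, auth_server: AuthorizationServer,
                 policy_server: Optional[PolicyServer] = None):
        self.auth_server, self.policy_server = auth_server, policy_server

    def establish(self, terminal_id: str, apn: str, qos: QoS) -> Optional[Tuple[str, QoS]]:
        auth = self.auth_server.authorize(terminal_id, apn)           # 23, 24
        if auth is None:
            return None
        if auth.qos is not None:                                      # FIG. 5
            qos = qos.restricted_by(auth.qos)
        elif self.policy_server is not None:                          # FIG. 6
            qos = qos.restricted_by(self.policy_server.restrictions(terminal_id, apn))
        return auth.ip_address, qos                                   # 27


class NetworkNode:
    """NKn: validates message 21 against the HLR PDP context."""
    def __init__(self, znk: AccessNetworkNode, contexts: Dict[str, HlrPdpContext]):
        self.znk, self.contexts = znk, contexts
        self.presence: Dict[str, dict] = {}     # stand-in for presence server PS

    def request_service(self, terminal_id: str, apn: Optional[str],
                        qos: Optional[QoS]) -> Optional[dict]:
        ctx = self.contexts.get(terminal_id)
        if ctx is None:
            return None                         # terminal not registered
        apn = ctx.apn if apn is None else apn   # None: use the network-specified value
        if apn != ctx.apn:
            return None                         # only the stored ZNK identity is allowed
        qos = ctx.qos if qos is None else qos.restricted_by(ctx.qos)
        result = self.znk.establish(terminal_id, apn, qos)              # 22, 27
        if result is None:
            return None
        ip_address, granted = result
        self.presence[terminal_id] = {"apn": apn, "ip": ip_address}     # 29, 30
        return {"ip": ip_address, "qos": granted}                       # 28
```

The design point worth noting is that every party can only lower the QoS: NKn clamps the request to the HLR PDP context maximum set at registration, and ZNK clamps again with whatever AS (FIG. 5) or S2 (FIG. 6) returns, so a terminal asking for more than its subscription allows ends up with the strictest value on the path.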
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/DE2005/000150 WO2006079298A1 (de) | 2005-01-26 | 2005-01-26 | Mobilfunknetz, verfahren zum betreiben eines endgerätes in einem solchen und endgerät mit integrierten elektronischen schaltungsanordnungen zur speicherung von das endgerät identifizierenden parametern |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1844619A1 true EP1844619A1 (de) | 2007-10-17 |
Family
ID=34961706
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05714912A Withdrawn EP1844619A1 (de) | 2005-01-26 | 2005-01-26 | Mobilfunknetz, verfahren zum betreiben eines endgerätes in einem solchen und endgerät mit integrierten elektronischen schaltungsanordnungen zur speicherung von das endgerät identifizierenden parametern |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1844619A1 (de) |
DE (1) | DE112005003522A5 (de) |
WO (1) | WO2006079298A1 (de) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102007054474A1 (de) * | 2007-11-13 | 2009-05-28 | Vodafone Holding Gmbh | Verfahren und System zur Kommunikation mit einem Mobilfunknetz |
FR2928064B1 (fr) | 2008-02-21 | 2011-08-26 | Alcatel Lucent | Etablissement d'une communication par paquets entre un serveur et une entite de service d'un reseau de radiocommunication |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10004164A1 (de) * | 2000-02-01 | 2001-08-02 | Bosch Gmbh Robert | Mobilfunkkommunikationsgerät |
FR2843521A1 (fr) * | 2002-08-07 | 2004-02-13 | Theobald Jorg | Telephone mobile avec carte sim integree et non detachable |
FI20030672A0 (fi) * | 2003-05-05 | 2003-05-05 | Jari Ruuttu | Matkapuhelimen käyttöjärjestelmä |
- 2005
- 2005-01-26 WO PCT/DE2005/000150 patent/WO2006079298A1/de active Application Filing
- 2005-01-26 DE DE112005003522T patent/DE112005003522A5/de not_active Withdrawn
- 2005-01-26 EP EP05714912A patent/EP1844619A1/de not_active Withdrawn
Non-Patent Citations (2)
Title |
---|
None * |
See also references of WO2006079298A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2006079298A1 (de) | 2006-08-03 |
DE112005003522A5 (de) | 2008-01-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE60125519T2 (de) | Zählerinitialisierung, insbesondere für funkrahmen | |
DE60313445T2 (de) | Apparat und Methode für eine Authentisierung mit einmaliger Passworteingabe über einen unsicheren Netzwerkzugang | |
EP1365620B1 (de) | Verfahren zum Registrieren eines Kommunikationsendgeräts in einem Dienstnetz (IMS) | |
EP1989853B1 (de) | Vermittlungssystem und entsprechendes verfahren für unicast oder multicast end-to-end daten- und/oder multimediastreamübertragungen zwischen netzwerknodes | |
DE60131625T2 (de) | Bestimmung verfügbarer dienste über subskription in einem kommunikationssystem | |
DE4317143C2 (de) | Verfahren und Einrichtung zum Betrieb eines Mobilfunknetzes | |
DE102006004868B4 (de) | Verfahren und Server zum Bereitstellen eines Mobilitätsschlüssels | |
DE60132211T2 (de) | Steuerung von unchiffriertem benutzerverkehr | |
EP1529374A1 (de) | Verfahren und system für gsm-authentifizierung bei wlan-roaming | |
DE102006008745A1 (de) | Verfahren und Server zum Bereitstellen eines Mobilitätsschlüssels | |
DE10138718A1 (de) | Verfahren zur Übermittlung von Chiffrierungsinformationen an Teilnehmer einer Multicast-Gruppe | |
WO2004019640A1 (de) | Verfahren zum identifizieren eines kommunikationsendgeräts | |
WO2005084058A1 (de) | Verfahren zur steuerung und auswertung eines nachrichtenverkehrs einer kommunikationseinheit durch eine erste netzwerkeinheit innerhalb eines mobilfunksystems, dazugehörige kommunikationseinheit und erste netzwerkeinheit | |
DE602004008293T2 (de) | Transparente Zugangsauthentifikation in GPRS-Kern-Netzwerken | |
EP1673921A1 (de) | Verfahren zur sicherung des datenverkehrs zwischen einem mobilfunknetz und einem ims-netz | |
EP1825648B1 (de) | Zugangsverfahren im wlan von ip-mobilfunktelefon mit authentifizierung mittels hlr | |
DE102011115154B3 (de) | Verfahren zur Initialisierung und/oder Aktivierung wenigstens eines Nutzerkontos | |
EP1378108B1 (de) | Verfahren zur durchführung von überwachungsmassnahmen und auskunftsersuchen in telekommunikations - und datennetzen | |
EP2055087B1 (de) | Verfahren zum weiterleiten von notfallnachrichten eines endgerätes in einem kommunikationsnetz | |
EP1844619A1 (de) | Mobilfunknetz, verfahren zum betreiben eines endgerätes in einem solchen und endgerät mit integrierten elektronischen schaltungsanordnungen zur speicherung von das endgerät identifizierenden parametern | |
DE10025270C2 (de) | Verfahren und System zum Anmelden einer Teilnehmer-Station an der Paketdienst-Dienstezustands-Steuerfunktion CSCF in einem Kommunikationssystem | |
DE102006054091B4 (de) | Bootstrapping-Verfahren | |
EP1522202B1 (de) | Erstellen von dienstevereinbarungen zur nutzung netzinterner funktionen von telekommunikationsnetzen | |
DE60037674T2 (de) | Verfahren und gerät zur durchführung von sicherheitsprozeduren unter einbeziehung von mobilstationen in hybriden, zellularen telekommunikationssystemen | |
DE10238928A1 (de) | Verfahren zur Authentifizierung eines Nutzers eines Kommunikationsendgerätes bei Nutzung eines Dienstnetzes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20070827 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR |
 | RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SIEMENS NETWORKS S.P.A. |
 | RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SIEMENS NETWORKS GMBH & CO. KG |
 | 17Q | First examination report despatched | Effective date: 20071129 |
 | DAX | Request for extension of the european patent (deleted) | |
 | RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NOKIA SOLUTIONS AND NETWORKS GMBH & CO. KG |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20180529 |