EP2274927A1 - Service reporting - Google Patents

Service reporting

Info

Publication number
EP2274927A1
Authority
EP
European Patent Office
Prior art keywords
service
security
information
server
user
Prior art date
Legal status
Withdrawn
Application number
EP08735981A
Other languages
German (de)
French (fr)
Inventor
Hannu Tuominen
Current Assignee
Nokia Solutions and Networks Oy
Original Assignee
Nokia Siemens Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Siemens Networks Oy
Publication of EP2274927A1
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/535 Tracking the activity of the user
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M 15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M 15/58 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, based on statistics of usage or network monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M 15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M 15/61 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, based on the service used
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/24 Accounting or billing

Definitions

  • the security server, method and computer program product can comprise sending instruction to the application server relating to the information about the use of the service the application server is to report to the security server.
  • the security server can be hosted by the network operator.
  • a system is provided, the system comprises the security and the application server described above.
  • the present invention can provide one or more of the advantages below:
    - a network operator can have better focus on the services that end-users are interested to use.
    - a network operator may advertise other services that are similar to those users are currently using.
    - a network operator can decide to drop those services from the service portfolio that are not used by end-users. This is beneficial if there are many service providers wishing to provide services by means of GBA/GAA authenticating users with the network operator.
    - add average revenue per user (ARPU) and reduce churn by being able to better monitor the behaviour of the end-users.
  • Figure 1 presents an overview of a network architecture relevant for this invention.
  • Figure 2 presents a signaling flow of a bootstrapping authentication procedure.
  • Figure 3 presents a signaling flow of an embodiment of the invention.
  • FIG. 4 illustrates process steps of an embodiment of the invention.
  • Figure 5 illustrates internal structures and functions of an entity providing an application and a security server of an embodiment of the invention.
  • FIG. 6 illustrates process steps of an embodiment of the invention.
Detailed description of the invention
  • An example of an authenticating party is a bootstrapping server function (BSF) which mutually authenticates with the user equipment (UE) by using the authentication and key agreement (AKA) procedure, and agrees on session keys that are then applied between the UE and a service provider controlled network application function (NAF) .
  • the GAA/GBA enables a user to authenticate to and communicate in a secure manner with third party service providers (NAFs) using existing trusted relationship to a home mobile network operator (BSF, HSS/HLR) of the user.
  • the UE and a NAF can run some application specific protocol where the authentication and securing of the actual content or messages can be based on those session keys generated during the mutual authentication between the UE and the BSF.
  • the BSF can be hosted in a network element under the control of a mobile network operator (MNO) .
  • SIM subscriber identity module
  • UICC Universal Integrated Circuit Card
  • USIM Universal Subscriber Identity Module
  • 3G third generation
  • IETF Internet Engineering Task Force
  • the AKA is a challenge-response based mechanism that uses symmetric cryptography and is typically run in a UMTS IP Multimedia Subsystem (IMS) Identity Module (ISIM), which resides on a smart card like device that also provides tamper resistant storage of shared secrets.
  • Hypertext transfer protocol (HTTP) digest authentication is an HTTP authentication which verifies with a challenge-response mechanism that both parties to the communication know a shared secret, such as a password.
  • USS User Security Setting
  • a USS can comprise an authentication part, which contains the list of identities of the user needed for the application (e.g. public user identities (IMPU), MSISDN, pseudonyms), and an authorisation part, which contains the user permission flags (e.g. access to application allowed, type of certificates which may be issued).
  • a USS may contain a key selection indication, which is used in the UICC based GBA (GBA_U) case to mandate the usage of either the mobile equipment (ME) based key or the UICC-based key or both.
  • the USS can be delivered to the BSF as a part of GBA User Security Settings (GUSS) from the HSS, and from the BSF to the NAF if requested by the NAF.
  • GUSS can contain the BSF specific information element and the set of all application-specific USSs.
  • Reference point Ub 11 is between a UE 1 and a BSF 2.
  • a cloud 15 illustrates a network of a mobile network operator.
  • the UE 1, the BSF 2 and the HSS 4 can be associated with the network 15 which means that the UE 1, the BSF 2 and the HSS 4 can communicate with each other in trusted way through the network 15.
  • the UE 1 can be a subscriber to the network 15.
  • the NAF 3 is located outside the trusted network 15, and belongs to a network of a service provider 16. Normally there exists no trusted way of communication between the UE 1 and the third party NAF 3.
  • the GAA/GBA provides this trusted relationship by means of the BSF 2 and the NAF 3 agreeing security parameters over trusted Zn interface 13.
  • When a UE 1 wants to interact with a NAF 3, and it knows that the bootstrapping procedure is needed, it can first perform the bootstrapping authentication presented in figure 2.
  • a UE 1 sends an HTTP request towards the BSF 2.
  • the request contains a user identity, such as a private user identity (IMPI) .
  • RAND is a non-predictable number which is used as challenge in a challenge response protocol.
  • Cipher key (CK) is a sequence of symbols that can control the operation of encipherment and decipherment.
  • Integrity key (IK) is a data protection key that can be used for protecting the integrity of data items. The integrity key (IK) is generated, together with the ciphering key (CK) .
  • Expected user response (XRES) is a part of the authentication quintuplet which is used as a reference value for the response to the challenge during the authentication and key agreement (AKA) .
  • step 23 the BSF 2 forwards the RAND and AUTN to the UE 1 in the 401 "Unauthorized WWW-Authenticate" message (without the CK, IK and XRES). This is to demand the UE 1 to authenticate itself.
  • step 24 the UE 1 checks the AUTN to verify that the challenge is from an authorised network.
  • the UE 1 can also calculate CK, IK and response (RES) . This will result in the session keys IK and CK in both the BSF 2 and the UE 1.
  • step 25 the UE 1 can send another HTTP request, containing the Digest AKA response (calculated using the RES), to the BSF 2 and in step 26, the BSF 2 can authenticate the UE 1 by verifying the Digest AKA response.
  • the BSF 2 can generate key material (Ks) by concatenating the CK and the IK. Also a Bootstrapping Transaction Identifier (B-TID) value is generated. B-TID is used to bind the subscriber identity to the keying material in reference points Ua 12, Ub 11 and Zn 13.
  • the BSF 2 can send a 200 OK message, including the B-TID, to the UE 1 to indicate the success of the authentication.
  • the BSF 2 can supply the lifetime of the key Ks.
  • the key material Ks can be generated in the UE 1 by concatenating CK and IK in step 29.
  • Figure 3 presents an embodiment of the invention.
  • the UE 1 and the NAF 3 can first agree whether to use shared keys obtained by means of the GBA.
  • the UE 1 can start communication over reference point Ua 12 with the NAF 3 by sending an application request.
  • the UE 1 may supply the B-TID to the NAF 3, to allow the NAF 3 to retrieve the corresponding keys from the BSF 2.
  • the NAF 3 starts communication over reference point Zn 13 with the BSF 2 by sending an authentication request to request key material corresponding to the B-TID supplied by the UE 1 to the NAF 3 over reference point Ua 12.
  • the NAF 3 may also request one or more application-specific USSs for applications which the UE 1 may access over reference point Ua 12.
  • the BSF 2 can derive the keys required to protect the protocol used over reference point Ua 12 from the key Ks and the key derivation parameters, and can supply to the NAF 3 in an authentication answer the requested key Ks_NAF, as well as the bootstrapping time and the lifetime of that key, and the requested application-specific and potentially NAF group specific USSs if they are available in subscriber's GUSS and if the NAF 3 is authorized to receive the requested USSs.
  • the BSF 2 may also send the private user identity (IMPI) and requested USSs to the NAF 3 according to the policy of the BSF 2.
  • the BSF 2 may request in the authentication answer the NAF 3 to report to the BSF 2 information relating to use of the application the NAF 3 provides to the UE 1.
  • the NAF 3 can continue with the protocol used over the reference point Ua 12 with the UE 1 and responds with application answer to the UE 1.
  • the NAF 3 can then provide the requested application, for example mobile TV, to the UE 1.
  • the NAF 3 in step 35, can report to the BSF 2 information relating to use of the application.
  • the NAF 3 may do the reporting according to instructions received from the BSF 2, for example, in an
  • the NAF 3 may do the reporting based on other logic, for example based on its internal policy or configuration, or based on some other trigger.
  • An embodiment of this invention modifies a message, for example Authentication Answer, by adding a new information element in the message that allows a BSF 2 to request information about the service usage.
  • a new message called
  • the Application Report 35 can send by the NAF 3 to the BSF 2 containing information about the service usage.
  • the Application Report 35 may contain parameters relating to at least one of service usage time (when, how long) and data volumes transferred.
  • a new information element is added, for example to the Authentication Answer 33 signaling message, from the BSF 2 to the NAF 3 for instructing which details and/or how often the NAF 3 should report to the BSF 2.
  • the BSF 2 can instruct the NAF 3 also using other signaling message than Authentication Answer, for example a completely new signaling message.
  • a user is authenticated to use a Mobile TV service via a NAF 3, and can be authorized according to a USS for the service to watch the following TV channels: YLE, MTV, Eurosport and Disney Channel.
  • An Application Report 35 may contain information about the channels the user watched, and when.
  • the Application Report 35 may contain 'start time' and 'stop time' of watching certain channel(s):
  • a BSF 2 can instruct the NAF 3 to send reports in certain intervals (e.g. every 30 minutes) or based on other criteria. If the BSF 2 is not giving any instructions to the NAF 3 about how often the reporting should be done, the NAF 3 may report to the BSF 2 after the user stops using or disconnects the service, or based on other criteria configured to the NAF 3.
  • a NAF 3 can be an application server which provides the service to a user.
  • a NAF can interface one or more further (trusted) application servers for providing parts of a service to the user. These other application servers can belong to the same service provider which hosts also the NAF, thereby having trusted interfaces between each other.
  • FIG 5 shows an example of the internal structure of an application server 3, such as NAF.
  • the NAF 3 can include a receiving unit 501 configured to receive a request for a service from a user 1.
  • the request can be an application request over Ua reference point of 3GPP GBA.
  • the NAF 3 may include security unit 502 which can request security parameters from a security server 2, such as BSF 2, for the user 1, for example to authenticate the user 1.
  • the security unit 502 can send an authentication request over Zn reference point to request key material corresponding to the B-TID supplied by the UE 1 to the receiving unit 501.
  • the NAF 3 can include sending unit 504 to send information about use of the service or application to the security server 2. The information may be sent in an application report signaling message over Zn reference point.
  • the NAF 3 can comprise an instruction unit 505 configured to receive instruction relating to sending the information about the use of the service to the security server 2.
  • the instruction can define, for example, what information and/or when (for example how often) the sending unit 504 should report to BSF 2.
  • the NAF 3 can have a rules unit 506 to store rules and policy relating to sending information about use of services.
  • the rules can define, for example, what information and/or when (for example how often) the sending unit 504 should report to BSF 2.
  • the NAF 3 can include service unit 503 configured to provide a service or application to the user 1.
  • the service unit 503 can apply the security parameters obtained from the security unit 502 to protect content or messages relating to providing the service or application to the user 1.
  • the service unit 503 can provide the service or application with help of a further trusted application server (not shown in Fig 5).
  • FIG. 5 also shows an example structure of a security server 2, such as BSF.
  • the BSF 2 can include a security unit 516 to obtain security parameters for a subscriber 1 of a network operator.
  • the security unit 516 can communicate with a HLR or HSS 4 over Zh reference point of 3GPP to retrieve at least part of the security parameters, for example, as described in the explanation of step 22 of Fig 2 earlier in this document.
  • the security unit 516 can comprise an internal database for storing security parameters of subscribers of the network operator.
  • the BSF 2 can comprise sending unit
  • the BSF 2 may have a receiving unit 513 configured to receive information about use of a service provided to the subscriber 1 by the application server 3.
  • the BSF 2 can comprise a charging unit 514 which may be configured to collect and/or process charging and/or billing related data relating to providing the service or application to the subscriber 1.
  • the charging unit 514 can manage the data for subscriber charging and billing which the network operator can take care of on behalf of the service provider(s) providing the actual services.
  • the BSF 2 can comprise a statistics unit 515 to collect statistics about use of services provided to subscribers 1 of the network operator.
  • the services can be provided by service providers other than the network operator.
  • the statistics unit 515 can be configured to collect statistics based on information received by the receiving unit 513. The collected statistics can be used for preparing charging/billing of the user.
  • the BSF 2 can include instruction unit 512 to send instruction to the application server 3 relating to the information about the use of the service the application server 3 should report to the receiving unit 513.
  • the instruction unit 512 can for example send instruction about what information and/or when (for example how often) the application server 3 should report to the receiving unit 513.
  • Items reported to a BSF can include identification of a used sub-service (e.g. watched TV channel), a time (when and/or how long a (sub-)service has been used, for example by indicating start/stop times of watching a channel), and transferred data volume (per service or sub-service).
  • Items reported to a BSF can include a name and/or a type (audio, video, ring tone, software application etc) of downloaded file.
  • a type of a device or a model of a mobile device of the user 1 to which the content was downloaded can be reported to the BSF.
  • FIG. 4 presents a process according to an embodiment of the invention.
  • the process can be implemented for example by an application server, such as NAF 3.
  • a request for providing a service is received.
  • the request can be received from a UE 1, and/or can be associated with a user 1.
  • the request can include a B- TID.
  • security parameters are retrieved.
  • the security parameters can be retrieved based on the B-TID received in step 41, and thereby the security parameters can be linked to the user 1.
  • the security parameters may include at least one security key and/or at least one USS.
  • the USS can be linked to the service requested in step 41.
  • a reporting instruction can be received on reporting service use related parameters.
  • the instruction can be received from a security entity, such as BSF, and may treat reporting to the security entity.
  • the service is provided to the user 1.
  • information relating to the service is reported.
  • the reporting in step 45 and instruction in step 43 can include details described above in connection with 1.) streaming services, 2.) content services and 3.) electronic services.
  • Providing the service in step 44 can continue over time as indicated by arrow 46 and reporting information relating to the service in step 45 may take place several times.
  • the reporting step 45 can be done once after the service has been provided in step 44.
  • the reporting step 45 can be done based on pre-configured rules and policy.
  • FIG. 6 presents another process according to an embodiment of the invention.
  • the process can be implemented, for example, by a security server, such as BSF 2.
  • security parameters of a user 1 can be obtained. This may include retrieving from a HLR 4 or HSS 4 a set of GBA user security settings and/or authentication vector based on the identity of user 1, for example, IMPI.
  • the obtaining may include generating security keys (CK, IK, Ks) based on the retrieved security parameters.
  • a B-TID can be generated.
  • security parameters are transmitted to an application server.
  • the security parameters may include security keys, and the security parameters to be transmitted can be identified and/or associated with the user 1 based on the B-TID which can be received from the application server.
  • a reporting instruction can be sent on reporting service use related parameters.
  • a report is received.
  • the report comprises information relating to providing a service to the user 1.
  • the reporting in step 64 and instruction in step 63 can include details described above in connection with 1.) streaming services, 2.) content services and 3.) electronic services.
  • several reports can be received during providing the service.
  • the reporting 64 can be done once after the service has been provided.
  • information for charging and/or billing of the user can be prepared based on the reported information relating to services provided to the user 1.
  • statistics on use of services can be prepared based on reported information relating to services provided to users. As shown, one, both or none of the steps 65 and 67 can belong to the process.
  • an authenticating party cannot receive information about use of services provided by third party application servers, or proprietary methods must be mutually agreed between the authenticating party and the third party (internet service provider ISP, NAF).
  • mobile network operators can receive information from service providers how subscribers of the mobile network operators use services relying on GAA/GBA authentication.
  • Embodiments of the invention can allow mobile networks operators to take care of charging and billing of end users on behalf of service providers by collecting relevant charging and billing related data through a BSF.
  • An application server and a security server may be physically implemented in a switch, router, server or other hardware platform or electronic equipment which can support data transmission and processing tasks, or can be implemented as a component of another existing device.
  • the invention is not limited to mobile networks, but can also be applied in other type of networks having similar type of authentication logic as the GAA/GBA, similar type of security entity role as the BSF and similar type of application server role as the NAF. Therefore, the BSF is only used here as an example of a security entity, and NAF only as an example of an application serving entity.
  • Functions of the security entity (BSF) and the application entity (NAF) described above may be implemented by code means, as software, and loaded into memory of a computer.
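The bootstrapping authentication of Figure 2 (steps 21 to 29 above) as an added, runnable simulation; this is example code written for this page, not code from the patent or from Nokia. The AKA functions f1 to f4 are replaced by HMAC-SHA256 stand-ins (the real ones are Milenage), sequence numbers, AK and AMF are omitted so AUTN is just the network MAC, the B-TID format and the subscriber key are constructed, and the host name bsf.operator.example is made up. What it shows is the property the rest of the patent relies on: CK, IK and XRES never leave the BSF, the UE refuses a challenge whose AUTN was not produced with its own K, and Ks and the B-TID only come into existence after RES matches XRES.

```python
import base64
import hashlib
import hmac
import os

# Toy stand-ins for the AKA functions f1 (MAC), f2 (RES), f3 (CK) and f4 (IK).
# The real ones are the Milenage algorithms; these HMAC constructions keep the
# property the procedure relies on: every value derives from the long-term
# secret K shared only by the (U)SIM and the HSS. Sequence numbers, AK and AMF
# are omitted, so AUTN here is just the network MAC.
def _f(tag: bytes, k: bytes, rand: bytes, length: int) -> bytes:
    return hmac.new(k, tag + rand, hashlib.sha256).digest()[:length]


def aka_vector(k: bytes, rand: bytes) -> dict:
    """HSS side (step 22): the authentication quintuplet for a fresh RAND."""
    return {"RAND": rand,
            "AUTN": _f(b"f1", k, rand, 8),   # proves the challenge comes from the home network
            "XRES": _f(b"f2", k, rand, 8),   # expected user response
            "CK": _f(b"f3", k, rand, 16),    # cipher key
            "IK": _f(b"f4", k, rand, 16)}    # integrity key


class HSS:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers       # IMPI -> long-term key K

    def get_av(self, impi: str):
        k = self.subscribers.get(impi)
        return None if k is None else aka_vector(k, os.urandom(16))


class BSF:
    def __init__(self, hss: HSS, name: str = "bsf.operator.example"):
        self.hss, self.name = hss, name
        self.pending = {}    # IMPI -> vector sent as a challenge, awaiting RES
        self.sessions = {}   # B-TID -> {"IMPI", "Ks", "RAND", "lifetime"}

    def handle_initial_request(self, impi: str) -> dict:
        """Steps 21-23: fetch the vector, challenge the UE with RAND and AUTN only."""
        av = self.hss.get_av(impi)
        if av is None:
            return {"status": 403}
        self.pending[impi] = av              # CK, IK and XRES never leave the BSF
        return {"status": 401, "RAND": av["RAND"], "AUTN": av["AUTN"]}

    def handle_response(self, impi: str, res: bytes) -> dict:
        """Steps 26-28: verify RES against XRES, then derive Ks and the B-TID."""
        av = self.pending.pop(impi, None)
        if av is None or not hmac.compare_digest(res, av["XRES"]):
            return {"status": 401}
        ks = av["CK"] + av["IK"]             # Ks = CK || IK
        btid = base64.b64encode(av["RAND"]).decode() + "@" + self.name
        self.sessions[btid] = {"IMPI": impi, "Ks": ks, "RAND": av["RAND"], "lifetime": 3600}
        return {"status": 200, "B-TID": btid, "lifetime": 3600}


class UE:
    def __init__(self, impi: str, k: bytes):
        self.impi, self.k, self.ks = impi, k, None

    def answer_challenge(self, rand: bytes, autn: bytes) -> bytes:
        """Step 24: reject a challenge whose AUTN was not made with K, else compute RES, CK, IK."""
        if not hmac.compare_digest(autn, _f(b"f1", self.k, rand, 8)):
            raise ValueError("AUTN check failed: challenge not from an authorised network")
        self.ks = _f(b"f3", self.k, rand, 16) + _f(b"f4", self.k, rand, 16)   # step 29
        return _f(b"f2", self.k, rand, 8)


def bootstrap(ue: UE, bsf: BSF):
    """Run the Ub procedure; return (B-TID, Ks) on success or None on any failure."""
    challenge = bsf.handle_initial_request(ue.impi)
    if challenge["status"] != 401:
        return None
    try:
        res = ue.answer_challenge(challenge["RAND"], challenge["AUTN"])
    except ValueError:
        return None
    answer = bsf.handle_response(ue.impi, res)
    return (answer["B-TID"], ue.ks) if answer["status"] == 200 else None


if __name__ == "__main__":
    hss = HSS({"user@operator.example": b"K" * 16})      # constructed subscriber
    bsf = BSF(hss)
    print(bootstrap(UE("user@operator.example", b"K" * 16), bsf))
```

The two failure paths worth watching are asymmetric: a UE holding the wrong K rejects the challenge itself at step 24 and never sends a RES, while a wrong RES at step 26 leaves the BSF without a session, so no B-TID exists for a NAF to look up later over Zn.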

Abstract

An application server (3) is receiving a request for a service associated with a user (1), requesting security parameters from a security server (2) to authenticate the user, and sending information about use of the service to the security server. The security server can send instruction to the application server relating to the information about the use of the service the application server is to report to the security server.

Description

Title
Service reporting
Technical field of the invention
The invention relates to a method, an application server, a security server and a computer program product for reporting information about use of services.
Background of the invention
Generic Authentication Architecture (GAA) and Generic Bootstrapping Architecture (GBA) as specified by 3rd generation partnership project (3GPP) define a framework how smartcards can be used for service authentication, e.g. for mobile television (Mobile TV) or internet services (web services). The GBA defines how to establish a shared secret between a service provider and a mobile terminal with help of a trusted authenticating party. The authentication is possible if a user owns a valid identity in a Home Location Register (HLR) or a Home Subscriber Server (HSS). The shared secret can be given by the authenticating party to the service provider so that the terminal and the service provider have a common shared secret that can be used for user authentication or message confidentiality.
Although GAA/GBA specifies a mechanism how a user is authenticated and authorized with help of an authenticating party to access services provided by service providers, the authenticating party, such as a mobile network operator, lacks the mechanism to manage the total service portfolio offered by the service providers.
The object of the invention is to overcome the above drawbacks.
Summary of the invention
Embodiments of the invention solve the problem of prior art by providing an application server, method and computer program product comprising, receiving a request for a service associated with a user, requesting security parameters from a security server to authenticate the user, and sending information about use of the service to the security server. The application server, method and computer program product can comprise receiving instruction relating to sending the information about the use of the service to the security server. The instruction can comprises at least one of
- time interval for sending the information to the security server,
- list of sub-services which use is to be reported to the security server.
The information about the use of the service may comprise at least one of
- information relating to identification of at least one sub service,
- transferred data volume relating to the service and/or the at least one sub service,
- information relating to when and/or how long the service or the at least one sub service has been used.
The service may comprise a mobile television service and the sub service may comprise a television channel the user has selected. The information about the use of the service can comprise at least one of
- information relating to identification of a type of a content file downloaded by the user,
- information relating to a name of a content file downloaded by the user,
- information relating to a type of a device of the user to which a content file has been downloaded,
- information relating to a model of a device of the user to which a content file has been downloaded.
The content may comprise one of audio, video, ring tone or software application. The information about the use of the service may comprise an identification of an electronic service.
The authentication may comprise authenticating according to generic authentication architecture of 3rd generation partnership project. The application server can be a network application function of the generic authentication architecture of 3rd generation partnership project. The application server can provide the service to the user. The application server can be hosted by a service provider and the requesting security parameters from the security server can comprise contacting the security server of a network operator, other than the service provider, whose subscriber the user is.
Also a security server, method and computer program product are provided, comprising obtaining security parameters associated with a subscriber of a network operator, sending the security parameters to an application server controlled by a service provider other than the network operator, and receiving information about use of a service provided to the subscriber by the application server controlled by the service provider.
The security server, method and computer program product can comprise charging the subscriber on behalf of the service provider, and/or collecting statistics about use of services provided to subscribers of the network operator, wherein the services are provided by service providers other than the network operator and the statistics are collected based on the information received.
The security server can be a bootstrapping function and/or obtaining the security parameters can include obtaining the security parameters according to a generic bootstrapping architecture of 3rd generation partnership project.
The security server, method and computer program product can comprise sending instruction to the application server relating to the information about the use of the service the application server is to report to the security server. The security server can be hosted by the network operator.
A system is also provided, the system comprising the security server and the application server described above.
In certain embodiments, the present invention can provide one or more of the advantages below:
- a network operator can focus better on the services that end-users are interested in using,
- a network operator may advertise other services similar to those users are currently using,
- a network operator can decide to drop from the service portfolio those services that are not used by end-users; this is beneficial if there are many service providers wishing to provide services by means of GBA/GAA, authenticating users with the network operator,
- a network operator can increase average revenue per user (ARPU) and reduce churn by being better able to monitor the behaviour of the end-users.
Description of drawings
Figure 1 presents an overview of a network architecture relevant for this invention.
Figure 2 presents a signaling flow of a bootstrapping authentication procedure.
Figure 3 presents a signaling flow of an embodiment of the invention.
Figure 4 illustrates process steps of an embodiment of the invention.
Figure 5 illustrates internal structures and functions of an entity providing an application and a security server of an embodiment of the invention.
Figure 6 illustrates process steps of an embodiment of the invention.
Detailed description of the invention
An example of an authenticating party is a bootstrapping server function (BSF), which mutually authenticates with the user equipment (UE) using the authentication and key agreement (AKA) procedure and agrees on session keys that are then applied between the UE and a service provider controlled network application function (NAF). Instead of asking the service provider to trust the BSF and rely on it at every authentication request, the BSF establishes a shared secret between the SIM card of the UE and the service provider. This shared secret is limited in time and to a domain. The NAF shall be able to locate and communicate securely with the subscriber's BSF. Hence, the GAA/GBA enables a user to authenticate to and communicate in a secure manner with third party service providers (NAFs) using the existing trusted relationship to the user's home mobile network operator (BSF, HSS/HLR). There can be many service providers (NAFs) providing services this way to users of the mobile network operator. Currently the mobile network operator lacks means for managing the service portfolio and service providers based on actual use of the services.
For providing an application to the user after the bootstrapping has been completed, the UE and a NAF can run an application specific protocol in which the authentication and securing of the actual content or messages can be based on the session keys generated during the mutual authentication between the UE and the BSF. The BSF can be hosted in a network element under the control of a mobile network operator (MNO).
An example of a smart card is a subscriber identity module (SIM), which is a security module that is inserted into a piece of mobile equipment for subscriber identification and other security related information. A SIM card may include for example a phone number of the user, phone book information, and account information. A universal integrated circuit card (UICC) is a smart card that contains a Universal Mobile Telecommunications System (UMTS) subscriber identity module (USIM).
Authentication and key agreement (AKA) is a procedure defined by Internet Engineering Task force (IETF), used for example in third generation (3G) mobile networks and which authenticates the user and establishes a new pair of cipher and integrity keys. During the authentication, the user verifies the freshness of the authentication vector that is used. The AKA is a challenge-response based mechanism that uses symmetric cryptography and is typically run in a UMTS IP Multimedia Subsystem (IMS) Identity Module (ISIM), which resides on a smart card like device that also provides tamper resistant storage of shared secrets. Hypertext transfer protocol (HTTP) digest authentication is an HTTP authentication which verifies with a challenge-response mechanism that both parties to the communication know a shared secret, such as a password.
User Security Setting (USS) is an application and subscriber specific parameter set that defines two parts: an authentication part, which contains the list of identities of the user needed for the application (e.g. public user identities (IMPU), MSISDN, pseudonyms), and an authorisation part, which contains the user permission flags (e.g. access to application allowed, type of certificates which may be issued). In addition, a USS may contain a key selection indication, which is used in the UICC based GBA (GBA_U) case to mandate the usage of either the mobile equipment (ME) based key or the UICC-based key or both. The USS can be delivered to the BSF as a part of GBA User Security Settings (GUSS) from the HSS, and from the BSF to the NAF if requested by the NAF. GUSS can contain the BSF specific information element and the set of all application-specific USSs.
Reference is now made to figure 1 to explain the architecture relevant for the invention. Reference point Ub 11 is between a UE 1 and a BSF 2. Reference point Ub 11 provides mutual authentication between the UE 1 and the BSF 2. It allows the UE 1 to bootstrap session keys based on the 3GPP AKA infrastructure. Reference point Ua 12 between the UE 1 and a NAF 3 carries the application protocol, which is secured using the key material agreed between the UE 1 and the BSF 2 as a result of the run of HTTP Digest AKA over reference point Ub 11. Reference point Zn 13 between the BSF 2 and the NAF 3 is used by the NAF 3 to fetch the key material agreed during the previous HTTP Digest AKA protocol run over the reference point Ub 11 from the UE 1 to the BSF 2. It can also be used to fetch application-specific user security settings from the BSF 2, if requested by the NAF 3. The reference point Zh 14 used between the BSF 2 and a HSS 4 (or the HLR 4) allows the BSF 2 to fetch the required authentication information and all GBA user security settings from the HSS 4 (or from the HLR 4). In figure 1, a cloud 15 illustrates a network of a mobile network operator. As can be seen, the UE 1, the BSF 2 and the HSS 4 can be associated with the network 15, which means that the UE 1, the BSF 2 and the HSS 4 can communicate with each other in a trusted way through the network 15. The UE 1 can be a subscriber to the network 15. However, the NAF 3 is located outside the trusted network 15, and belongs to a network of a service provider 16. Normally there exists no trusted way of communication between the UE 1 and the third party NAF 3. However, the GAA/GBA provides this trusted relationship by means of the BSF 2 and the NAF 3 agreeing security parameters over the trusted Zn interface 13.
When a UE wants to interact with a NAF, and it knows that the bootstrapping procedure is needed, it can first perform the bootstrapping authentication presented in figure 2. In step 21 a UE 1 sends an HTTP request towards the BSF 2. The request contains a user identity, such as a private user identity (IMPI). In step 22, based on the user identity, the BSF 2 can retrieve a set of GBA user security settings and an Authentication Vector (AV, AV = RAND || AUTN || XRES || CK || IK) of the user over the reference point Zh 14 from a HSS 4 (or a HLR 4). RAND is a non-predictable number which is used as the challenge in a challenge-response protocol.
AUTN is an authentication token that can be used to authenticate its sender, containing the claimant identity and a ticket, as well as signed and encrypted secret key exchange messages conveying a secret key to be used in future cryptographic operations. Cipher key (CK) is a sequence of symbols that can control the operation of encipherment and decipherment. Integrity key (IK) is a data protection key that can be used for protecting the integrity of data items. The integrity key (IK) is generated together with the ciphering key (CK). Expected user response (XRES) is a part of the authentication quintuplet which is used as a reference value for the response to the challenge during the authentication and key agreement (AKA).
In step 23, the BSF 2 forwards the RAND and AUTN to the UE 1 in the 401 Unauthorized message (WWW-Authenticate header), without the CK, IK and XRES. This demands that the UE 1 authenticate itself.
In step 24 the UE 1 checks the AUTN to verify that the challenge is from an authorised network. The UE 1 can also calculate CK, IK and the response (RES). This results in the session keys IK and CK being present in both the BSF 2 and the UE 1. In step 25, the UE 1 can send another HTTP request, containing the Digest AKA response (calculated using the RES), to the BSF 2, and in step 26 the BSF 2 can authenticate the UE 1 by verifying the Digest AKA response.
In step 27, the BSF 2 can generate key material (Ks) by concatenating the CK and the IK. A Bootstrapping Transaction Identifier (B-TID) value is also generated. B-TID is used to bind the subscriber identity to the keying material in reference points Ua 12, Ub 11 and Zn 13. In step 28, the BSF 2 can send a 200 OK message, including the B-TID, to the UE 1 to indicate the success of the authentication. In addition, in the 200 OK message, the BSF 2 can supply the lifetime of the key Ks. The key material Ks can be generated in the UE 1 by concatenating CK and IK in step 29.
Figure 3 presents an embodiment of the invention. Before communication between a UE 1 and a NAF 3 can start, the UE 1 and the NAF 3 can first agree whether to use shared keys obtained by means of the GBA. In step 31 the UE 1 can start communication over reference point Ua 12 with the NAF 3 by sending an application request. The UE 1 may supply the B-TID to the NAF 3, to allow the NAF 3 to retrieve the corresponding keys from the BSF 2. In step 32 the NAF 3 starts communication over reference point Zn 13 with the BSF 2 by sending an authentication request to request key material corresponding to the B-TID supplied by the UE 1 to the NAF 3 over reference point Ua 12. The NAF 3 may also request one or more application-specific USSs for applications which the UE 1 may access over reference point Ua 12.
In step 33 the BSF 2 can derive the keys required to protect the protocol used over reference point Ua 12 from the key Ks and the key derivation parameters, and can supply to the NAF 3 in an authentication answer the requested key Ks_NAF, as well as the bootstrapping time and the lifetime of that key, and the requested application-specific and potentially NAF group specific USSs if they are available in the subscriber's GUSS and if the NAF 3 is authorized to receive the requested USSs. The BSF 2 may also send the private user identity (IMPI) and requested USSs to the NAF 3 according to the policy of the BSF 2. According to one aspect of the invention the BSF 2 may, in the authentication answer, request the NAF 3 to report to the BSF 2 information relating to use of the application the NAF 3 provides to the UE 1. In step 34, the NAF 3 can continue with the protocol used over the reference point Ua 12 with the UE 1 and responds with an application answer to the UE 1. The NAF 3 can then provide the requested application, for example mobile TV, to the UE 1. According to an aspect of the invention, in step 35, the NAF 3 can report to the BSF 2 information relating to use of the application. The NAF 3 may do the reporting according to instructions received from the BSF 2, for example in an Authentication Answer 33. Alternatively, the NAF 3 may do the reporting based on other logic, for example based on its internal policy or configuration, or based on some other trigger.
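How the key material of steps 27 to 33 fits together, as an added example (not code from the patent or from 3GPP): Ks = CK || IK, the B-TID that binds the subscriber to it, and the per-NAF key Ks_NAF the BSF hands out over Zn, refusing unknown or expired B-TIDs. The KDF layout follows 3GPP TS 33.220 Annex B as an assumption (the page only says Ks_NAF is derived from Ks and key derivation parameters); the key values, host names, Ua protocol identifier and the class and function names are constructed for this example.

```python
"""Added example (not the patent's or 3GPP's code): GBA key material.

Models Ks = CK || IK (steps 27 and 29), the B-TID that binds the subscriber
to that key material, and the NAF-specific key Ks_NAF the BSF returns in
the Authentication Answer (step 33).  The KDF layout follows 3GPP TS 33.220
Annex B as an assumption; all key values below are constructed vectors.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Ks = CK || IK, computed independently by the BSF and the UE."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK are 128-bit keys")
    return ck + ik

def make_btid(rand: bytes, bsf_fqdn: str) -> str:
    """B-TID = base64(RAND) '@' BSF domain name (layout assumed from TS 33.220)."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_fqdn

def naf_id(naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (assumed layout)."""
    return naf_fqdn.encode("ascii") + ua_protocol_id

def gba_kdf(ks: bytes, rand: bytes, impi: str, naf_identity: bytes,
            variant: bytes = b"gba-me") -> bytes:
    """Ks_NAF = HMAC-SHA-256(Ks, S), S = FC || P0 || L0 || ... || P3 || L3.

    FC = 0x01, P0 = "gba-me" or "gba-u", P1 = RAND, P2 = IMPI, P3 = NAF_Id,
    Li = 2-byte big-endian length of Pi.  Assumed encoding (see module docstring).
    """
    def with_len(p: bytes) -> bytes:
        return p + len(p).to_bytes(2, "big")
    s = (b"\x01" + with_len(variant) + with_len(rand)
         + with_len(impi.encode("utf-8")) + with_len(naf_identity))
    return hmac.new(ks, s, hashlib.sha256).digest()

@dataclass
class BootstrapRecord:
    """State the BSF keeps per B-TID after step 28 (constructed model)."""
    ks: bytes
    rand: bytes
    impi: str
    expires_at: int  # end of the Ks lifetime announced in the 200 OK

class BSF:
    """BSF side: steps 27-28 (store Ks under a B-TID) and step 33 (Zn answer)."""

    def __init__(self, fqdn: str) -> None:
        self.fqdn = fqdn
        self._records: Dict[str, BootstrapRecord] = {}

    def complete_bootstrapping(self, ck: bytes, ik: bytes, rand: bytes,
                               impi: str, now: int, lifetime: int) -> str:
        btid = make_btid(rand, self.fqdn)
        self._records[btid] = BootstrapRecord(derive_ks(ck, ik), rand, impi, now + lifetime)
        return btid

    def authentication_answer(self, btid: str, naf_fqdn: str,
                              ua_protocol_id: bytes, now: int) -> bytes:
        """Return Ks_NAF for the requesting NAF; refuse unknown or expired B-TIDs."""
        rec = self._records.get(btid)
        if rec is None:
            raise LookupError("unknown B-TID: the UE must bootstrap first")
        if now >= rec.expires_at:
            raise PermissionError("Ks lifetime expired: the UE must re-bootstrap")
        return gba_kdf(rec.ks, rec.rand, rec.impi, naf_id(naf_fqdn, ua_protocol_id))

def ue_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str,
              naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """UE side: the same derivation from its own CK/IK, no BSF lookup needed."""
    return gba_kdf(derive_ks(ck, ik), rand, impi, naf_id(naf_fqdn, ua_protocol_id))

# Constructed test vectors, not real keys or identities.
CK = bytes(range(16))
IK = bytes(range(16, 32))
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
IMPI = "user@operator.example"
UA_PROTO = b"\x01\x00\x01\x00\x2f"  # constructed Ua security protocol identifier

def run_demo() -> Dict[str, object]:
    """Bootstrap once, then answer two NAFs and one request after Ks expired."""
    bsf = BSF("bsf.operator.example")
    btid = bsf.complete_bootstrapping(CK, IK, RAND, IMPI, now=1000, lifetime=3600)
    tv_key = bsf.authentication_answer(btid, "tv.provider.example", UA_PROTO, now=1200)
    shop_key = bsf.authentication_answer(btid, "shop.provider.example", UA_PROTO, now=1200)
    ue_key = ue_ks_naf(CK, IK, RAND, IMPI, "tv.provider.example", UA_PROTO)
    try:
        bsf.authentication_answer(btid, "tv.provider.example", UA_PROTO, now=9000)
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    return {"btid": btid, "ue_key": ue_key, "tv_key": tv_key,
            "shop_key": shop_key, "expired_rejected": expired_rejected}
```

The UE and the BSF arrive at the same Ks_NAF for the Mobile TV NAF, while the second NAF receives a different key from the same Ks, which is what limits the shared secret to one domain.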
An embodiment of this invention modifies a message, for example the Authentication Answer, by adding a new information element that allows a BSF 2 to request information about the service usage. In an example of the invention, a new message called Application Report 35 can be sent by the NAF 3 to the BSF 2 containing information about the service usage. The Application Report 35 may contain parameters relating to at least one of service usage time (when, how long) and data volumes transferred. In one aspect of the invention, a new information element is added, for example to the Authentication Answer 33 signaling message from the BSF 2 to the NAF 3, for instructing which details and/or how often the NAF 3 should report to the BSF 2. The BSF 2 can also instruct the NAF 3 using a signaling message other than the Authentication Answer, for example a completely new signaling message. For example, a user is authenticated to use a Mobile TV service via a NAF 3, and can be authorized according to a USS for the service to watch the following TV channels: YLE, MTV, Eurosport and Disney Channel. An Application Report 35 may contain information about the channels the user watched, and when. For example the Application Report 35 may contain the 'start time' and 'stop time' of watching certain channel(s):
YLE news: 11:00-11:15, Disney Channel: 11:15-12:30,
Eurosport: 13:40-15:35.
A BSF 2 can instruct the NAF 3 to send reports in certain intervals (e.g. every 30 minutes) or based on other criteria. If the BSF 2 is not giving any instructions to the NAF 3 about how often the reporting should be done, the NAF 3 may report to the BSF 2 after the user stops using or disconnects the service, or based on other criteria configured to the NAF 3. A NAF 3 can be an application server which provides the service to a user.
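The reporting exchange described above, as an added example (not code from the patent): a BSF reporting instruction with an interval and an optional list of sub-services, a NAF that logs channel use and reports only what was instructed, and a BSF statistics unit that totals watched minutes and data volume per channel and flags any reported channel the subscriber's USS did not authorise. The message field names, the "HH:MM" time format, the data volumes, the B-TID value and the class names are constructed; the channels and times are the ones quoted on the page.

```python
"""Added example (not the patent's code): the Application Report exchange.

Models the reporting instruction the BSF can carry in the Authentication
Answer, the NAF filtering its usage log to what was instructed, and the BSF
statistics unit aggregating per channel.  Field names, time format and log
entries are constructed; channels and times are those quoted on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ReportingInstruction:
    """BSF -> NAF (step 33): how often and what to report."""
    interval_minutes: Optional[int]          # None: report when the session ends
    sub_services: Optional[Tuple[str, ...]]  # None: report every sub-service

@dataclass(frozen=True)
class UsageRecord:
    sub_service: str  # e.g. the TV channel watched
    start: str        # "HH:MM"
    stop: str         # "HH:MM"
    data_volume_kb: int

@dataclass(frozen=True)
class ApplicationReport:
    """NAF -> BSF over Zn (step 35)."""
    btid: str
    service: str
    records: Tuple[UsageRecord, ...]

def minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def duration_minutes(rec: UsageRecord) -> int:
    d = minutes(rec.stop) - minutes(rec.start)
    if d < 0:
        raise ValueError(f"stop before start in record for {rec.sub_service}")
    return d

class NAF:
    """NAF side: log sub-service use and report it as instructed."""

    def __init__(self, service: str, instruction: ReportingInstruction) -> None:
        self.service = service
        self.instruction = instruction
        self.log: List[UsageRecord] = []

    def record_use(self, rec: UsageRecord) -> None:
        self.log.append(rec)

    def report_due(self, minutes_since_last: int, session_ended: bool) -> bool:
        """Report every interval if one was given, otherwise only at session end."""
        interval = self.instruction.interval_minutes
        return session_ended or (interval is not None and minutes_since_last >= interval)

    def build_report(self, btid: str) -> ApplicationReport:
        """Include only the sub-services the BSF asked about."""
        wanted = self.instruction.sub_services
        records = tuple(r for r in self.log if wanted is None or r.sub_service in wanted)
        return ApplicationReport(btid, self.service, records)

class BSFStatistics:
    """BSF side: receiving unit plus statistics unit for Application Reports."""

    def __init__(self, authorised_channels: Dict[str, Tuple[str, ...]]) -> None:
        # B-TID -> channels the subscriber's USS authorises for this service.
        self.authorised_channels = authorised_channels
        self.minutes_per_channel: Dict[str, int] = {}
        self.kb_per_channel: Dict[str, int] = {}
        self.flagged: List[UsageRecord] = []  # reported use the USS never authorised

    def receive(self, report: ApplicationReport) -> None:
        allowed = self.authorised_channels.get(report.btid)
        if allowed is None:
            raise LookupError("report for an unknown B-TID")
        for rec in report.records:
            if rec.sub_service not in allowed:
                self.flagged.append(rec)  # keep it out of the statistics, follow up
                continue
            ch = rec.sub_service
            self.minutes_per_channel[ch] = self.minutes_per_channel.get(ch, 0) + duration_minutes(rec)
            self.kb_per_channel[ch] = self.kb_per_channel.get(ch, 0) + rec.data_volume_kb

# Constructed session: the channels and times quoted on the page, plus one
# channel outside the USS to exercise the consistency check.
BTID = "ABEiM0RVZneImaq7zN3u/w==@bsf.operator.example"  # constructed B-TID
USS_CHANNELS = {BTID: ("YLE", "MTV", "Eurosport", "Disney Channel")}
SESSION_LOG = (
    UsageRecord("YLE", "11:00", "11:15", 12_000),
    UsageRecord("Disney Channel", "11:15", "12:30", 60_000),
    UsageRecord("Eurosport", "13:40", "15:35", 92_000),
    UsageRecord("Sport Extra", "15:35", "15:50", 12_000),
)

def run_demo(instruction: ReportingInstruction = ReportingInstruction(30, None)) -> BSFStatistics:
    """Run one Mobile TV session end to end and return the BSF's statistics."""
    naf = NAF("mobile-tv", instruction)
    for rec in SESSION_LOG:
        naf.record_use(rec)
    stats = BSFStatistics(USS_CHANNELS)
    if naf.report_due(minutes_since_last=0, session_ended=True):
        stats.receive(naf.build_report(BTID))
    return stats
```

With the default instruction the BSF ends up with 15, 75 and 115 minutes for YLE, Disney Channel and Eurosport, and the unauthorised "Sport Extra" entry is flagged rather than counted.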
A NAF can interface one or more further (trusted) application servers for providing parts of a service to the user. These other application servers can belong to the same service provider which hosts also the NAF, thereby having trusted interfaces between each other.
Figure 5 shows an example of the internal structure of an application server 3, such as a NAF. The NAF 3 can include a receiving unit 501 configured to receive a request for a service from a user 1. The request can be an application request over the Ua reference point of 3GPP GBA. The NAF 3 may include a security unit 502 which can request security parameters from a security server 2, such as BSF 2, for the user 1, for example to authenticate the user 1. The security unit 502 can send an authentication request over the Zn reference point to request key material corresponding to the B-TID supplied by the UE 1 to the receiving unit 501. The NAF 3 can include a sending unit 504 to send information about use of the service or application to the security server 2. The information may be sent in an application report signaling message over the Zn reference point. The NAF 3 can comprise an instruction unit 505 configured to receive an instruction relating to sending the information about the use of the service to the security server 2. The instruction can define, for example, what information and/or when (for example how often) the sending unit 504 should report to the BSF 2. Alternatively or in addition, the NAF 3 can have a rules unit 506 to store rules and policy relating to sending information about use of services. The rules can define, for example, what information and/or when (for example how often) the sending unit 504 should report to the BSF 2. The NAF 3 can include a service unit 503 configured to provide a service or application to the user 1. The service unit 503 can apply the security parameters obtained from the security unit 502 to protect content or messages relating to providing the service or application to the user 1. The service unit 503 can provide the service or application with the help of a further trusted application server (not shown in Fig 5).
Figure 5 also shows an example structure of a security server 2, such as a BSF. The BSF 2 can include a security unit 516 to obtain security parameters for a subscriber 1 of a network operator. The security unit 516 can communicate with a HLR or HSS 4 over the Zh reference point of 3GPP to retrieve at least part of the security parameters, for example as described in the explanation of step 22 of Fig 2 earlier in this document. The security unit 516 can comprise an internal database for storing security parameters of subscribers of the network operator. The BSF 2 can comprise a sending unit 511 to send the security parameters to an application server 3, such as a NAF, which can be controlled by a service provider other than the network operator. The BSF 2 may have a receiving unit 513 configured to receive information about use of a service provided to the subscriber 1 by the application server 3. The BSF 2 can comprise a charging unit 514 which may be configured to collect and/or process charging and/or billing related data relating to providing the service or application to the subscriber 1. The charging unit 514 can manage the data for subscriber charging and billing, which the network operator can take care of on behalf of the service provider(s) providing the actual services. The BSF 2 can comprise a statistics unit 515 to collect statistics about use of services provided to subscribers 1 of the network operator. The services can be provided by service providers other than the network operator. The statistics unit 515 can be configured to collect statistics based on information received by the receiving unit 513. The collected statistics can be used for preparing charging/billing of the user. The BSF 2 can include an instruction unit 512 to send an instruction to the application server 3 relating to the information about the use of the service the application server 3 should report to the receiving unit 513. The instruction unit 512 can for example send an instruction about what information and/or when (for example how often) the application server 3 should report to the receiving unit 513.
All units described above may be implemented for example using microprocessors and/or other electrical components and/or by software.
In the following some non-limiting examples of services provided by the NAF 3 and items which can be reported by the sending unit 504 of the NAF 3 and received by the receiving unit 513 of the BSF 2 are given:
1.) Streaming services, such as mobile TV. Items reported to a BSF can include identification of a used sub-service (e.g. watched TV channel), a time (when and/or how long a (sub-)service has been used, for example by indicating start/stop times of watching a channel), and transferred data volume (per service or sub-service).
2.) Content services (music, games, file download, ring tones). Items reported to a BSF can include a name and/or a type (audio, video, ring tone, software application etc.) of the downloaded file. A type of a device or a model of a mobile device of the user 1 to which the content was downloaded can be reported to the BSF.
3.) Other electronic services for which the type of service (such as e-ticket, train ticket) can be reported to the BSF.
Figure 4 presents a process according to an embodiment of the invention. The process can be implemented for example by an application server, such as NAF 3. In step 41 a request for providing a service is received. The request can be received from a UE 1, and/or can be associated with a user 1. The request can include a B-TID. In step 42, security parameters are retrieved. The security parameters can be retrieved based on the B-TID received in step 41, and thereby the security parameters can be linked to the user 1. The security parameters may include at least one security key and/or at least one USS. The USS can be linked to the service requested in step 41. Optionally, in step 43, a reporting instruction can be received on reporting service use related parameters. The instruction can be received from a security entity, such as a BSF, and may concern reporting to the security entity. In step 44, the service is provided to the user 1. In step 45, information relating to the service is reported. The reporting in step 45 and the instruction in step 43 can include details described above in connection with 1.) streaming services, 2.) content services and 3.) electronic services. Providing the service in step 44 can continue over time, as indicated by arrow 46, and reporting information relating to the service in step 45 may take place several times. Alternatively the reporting step 45 can be done once after the service has been provided in step 44. The reporting step 45 can be done based on pre-configured rules and policy.
Figure 6 presents another process according to an embodiment of the invention. The process can be implemented, for example, by a security server, such as BSF 2. In step 61, security parameters of a user 1 can be obtained. This may include retrieving from a HLR 4 or HSS 4 a set of GBA user security settings and/or an authentication vector based on the identity of user 1, for example the IMPI. The obtaining may include generating security keys (CK, IK, Ks) based on the retrieved security parameters. A B-TID can also be generated. In step 62, security parameters are transmitted to an application server. The security parameters may include security keys, and the security parameters to be transmitted can be identified and/or associated with the user 1 based on the B-TID, which can be received from the application server. Optionally, in step 63, a reporting instruction can be sent on reporting service use related parameters. In step 64, a report is received. The report comprises information relating to providing a service to the user 1. The reporting in step 64 and the instruction in step 63 can include details described above in connection with 1.) streaming services, 2.) content services and 3.) electronic services. As shown with arrow 66, several reports can be received while the service is being provided. Alternatively the reporting 64 can be done once after the service has been provided. In step 65, information for charging and/or billing of the user can be prepared based on the reported information relating to services provided to the user 1. In step 67, statistics on use of services can be prepared based on reported information relating to services provided to users. As shown, one, both or none of the steps 65 and 67 can belong to the process.
Without this invention, either an authenticating party (mobile network operator, BSF) cannot receive information about use of services provided by third party application servers, or proprietary methods must be mutually agreed between the authenticating party and the third party (internet service provider ISP, NAF). With aspects of the invention, mobile network operators can receive information from service providers on how subscribers of the mobile network operators use services relying on GAA/GBA authentication. Embodiments of the invention can allow mobile network operators to take care of charging and billing of end users on behalf of service providers by collecting relevant charging and billing related data through a BSF.
An application server and a security server may be physically implemented in a switch, router, server or other hardware platform or electronic equipment which can support data transmission and processing tasks, or can be implemented as a component of another existing device.
The invention is not limited to mobile networks, but can also be applied in other types of networks having a similar type of authentication logic as the GAA/GBA, a similar type of security entity role as the BSF and a similar type of application server role as the NAF. Therefore, the BSF is only used here as an example of a security entity, and the NAF only as an example of an application serving entity. Functions of the security entity (BSF) and the application entity (NAF) described above may be implemented by code means, as software, and loaded into the memory of a computer.

Claims

1. An application server (3) comprising receiving means (501) for receiving a request for a service associated with a user (1), requesting means (502) for requesting security parameters from a security server (2) to authenticate the user (1), and sending means (504) for sending information about use of the service to the security server (2).
2. The application server (3) of claim 1 further comprising instruction means (505) for receiving instruction relating to sending the information about the use of the service to the security server (2).
3. The application server (3) of claim 2 wherein the instruction comprises at least one of
- time interval for sending the information to the security server (2),
- list of sub services whose use is to be reported to the security server (2).
4. The application server (3) of any of claims 1 - 3, wherein the information about the use of the service comprises at least one of
- information relating to identification of at least one sub service,
- transferred data volume relating to the service and/or the at least one sub service,
- information relating to when and/or how long the service or the at least one sub service has been used.
5. The application server (3) of claim 4, wherein the service comprises a mobile television service and the sub service comprises a television channel the user (1) has selected.
6. The application server (3) of any of claims 1 - 3, wherein the information about the use of the service comprises at least one of
- information relating to identification of a type of a content file downloaded by the user (1),
- information relating to a name of a content file downloaded by the user (1),
- information relating to a type of a device of the user (1) to which a content file has been downloaded,
- information relating to a model of a device of the user (1) to which a content file has been downloaded.
7. The application server (3) of claim 6, wherein the content comprises one of audio, video, ring tone or software application.
8. The application server (3) of any of claims 1 - 3, wherein the information about the use of the service comprises an identification of an electronic service.
9. The application server (3) of any of preceding claims, wherein the authentication comprises authenticating according to generic authentication architecture of 3rd generation partnership project.
10. The application server (3) of any of preceding claims, wherein the application server (3) comprises a network application function of generic authentication architecture of 3rd generation partnership project.
11. The application server (3) of any of preceding claims, further comprising service means (503) for providing the service to the user (1).
12. The application server (3) of any of preceding claims, wherein the application server (3) is hosted by a service provider (16) and wherein the requesting security parameters from the security server (2) comprises contacting the security server (2) of a network operator (15), other than the service provider (16), whose subscriber the user (1) is.
13. A security server (2) in a communication system, comprising security means (516) for obtaining security parameters associated with a subscriber (1) of a network operator (15), sending means (511) for sending the security parameters to an application server (3) controlled by a service provider (16) other than the network operator (15), and receiving means (513) for receiving information about use of a service provided to the subscriber (1) by the application server (3) controlled by the service provider (16).
14. The security server (2) of claim 13 further comprising charging means (514) for preparing charging related data for billing the subscriber (1) on behalf of the service provider (16).
15. The security server (2) of claim 13 or 14 further comprising statistics means (515) for collecting statistics about use of services provided to subscribers (1) of the network operator (15) and wherein the services are provided by service providers (16) other than the network operator (15), wherein the statistics means (515) is configured to collect statistics based on information received by the receiving means (513) .
16. The security server (2) of any of claims 13 or 15 wherein the security server (2) comprises a bootstrapping function and the security means (516) is configured to obtain the security parameters according to a generic bootstrapping architecture of 3rd generation partnership project.
17. The security server (2) of any of claims 13 or 16 further comprising instruction means (512) for sending instruction to the application server (3) relating to the information about the use of the service the application server (3) is to report to the security server (2).
18. The security server (2) of any of claims 13 or 17 wherein the security server (2) is hosted by the network operator (15) .
19. A system comprising a security server of any of claims 13-18 and an application server of any of claims 1-12.
20. A method for sending service reports comprising the steps of receiving a request (31, 41) for a service associated with a user (1), requesting (32, 42) security parameters from a security server (2) to authenticate the user (1), and sending (35, 45) information about use of the service to the security server (2).
21. The method according to claim 20 further comprising receiving (33, 43) instruction relating to sending the information about the use of the service to the security server (2).
22. The method according to claim 21 wherein the instruction comprises at least one of
- time interval for sending the information to the security server (2),
- list of sub-services whose use is to be reported to the security server (2).
23. The method according to any of claims 20 - 22, wherein the information about the use of the service comprises at least one of
- information relating to identification of at least one sub-service,
- transferred data volume relating to the service and/or the at least one sub-service,
- information relating to when and/or how long the service or the at least one sub-service has been used.
24. The method according to claim 23, wherein the service comprises a mobile television service and the sub service comprises a television channel the user (1) has selected.
25. The method according to any of claims 20 - 22, wherein the information about the use of the service comprises at least one of
- information relating to identification of a type of a content file downloaded by the user (1),
- information relating to a name of a content file downloaded by the user (1),
- information relating to a type of a device of the user (1) to which a content file has been downloaded,
- information relating to a model of a device of the user (1) to which a content file has been downloaded.
26. The method according to claim 25, wherein the content comprises one of audio, video, ring tone, software application.
27. The method according to any of claims 20 - 22, wherein the information about the use of the service comprises an identification of an electronic service.
28. The method according to any of claims 20 - 27, wherein the authentication comprises authenticating according to generic authentication architecture of 3rd generation partnership project.
29. The method according to any of claims 20 - 28, wherein the method steps are implemented by an application server (3) comprising a network application function of generic authentication architecture of 3rd generation partnership project.
30. The method according to any of claims 20 - 29, further comprising providing (34, 44) the service to the user (1).
31. The method according to any of claims 20 or 30, wherein the method steps are implemented by an application server (3) hosted by a service provider (16) and wherein the requesting security parameters from the security server (2) comprises contacting the security server (2) of a network operator (15), other than the service provider (16), whose subscriber the user (1) is.
32. A method for receiving information on use of services in a communications system comprising the steps of obtaining (22, 61) security parameters associated with a subscriber (1) of a network operator (15), sending (33, 62) the security parameters to an application server (3) controlled by a service provider (16) other than the network operator (15), and receiving (35, 64) information about use of a service provided to the subscriber (1) by the application server (3) controlled by the service provider (16).
33. The method of claim 32, further comprising preparing charging related data (65) for billing the subscriber (1) on behalf of the service provider (16).
34. The method of claim 32 or 33, further comprising collecting statistics (67) about use of services provided to subscribers (1) of the network operator (15), wherein the services are provided by service providers (16) other than the network operator (15) and the collecting statistics (67) is based on the received information about the use of the service.
35. The method of any of claims 32 or 34 wherein the method steps are implemented by a security server (2) comprising a bootstrapping function and wherein the obtaining the security parameters comprises obtaining the security parameters according to a generic bootstrapping architecture of 3rd generation partnership project.
36. The method of any of claims 32 or 35, further comprising sending (33, 63) instruction to the application server (3) relating to the information about the use of the service the application server (3) is to report to the security server (2).
37. The method of any of claims 32 or 36 wherein the security server (2) is hosted by the network operator (15).
38. A computer program product comprising code means adapted to produce the steps of any one of claims 20 - 37 when loaded into the memory of a computer.
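The two sides of the claimed exchange (the application-server method of claims 20-31 and the security-server method of claims 32-37), as an added Python model that is not code from the patent, from Nokia Siemens Networks or from 3GPP: the HMAC used in place of the GBA NAF-specific key derivation, the `naf_id` value, the instruction contents and the sample subscriber key are all assumptions made for the illustration.

```python
import hmac, hashlib
from dataclasses import dataclass

def derive_ks_naf(ks, naf_id):
    """Stand-in for the GBA NAF-specific key derivation (not the TS 33.220 KDF)."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()

@dataclass
class UsageReport:       # report content of claims 23 and 25
    subscriber: str
    sub_service: str     # e.g. the TV channel the user selected (claim 24)
    data_volume: int     # bytes transferred
    duration_s: int      # how long the sub-service was used

class SecurityServer:
    """Operator-hosted server with bootstrapping function (claims 32-37)."""
    def __init__(self, master_keys):
        self.master_keys = master_keys   # subscriber -> bootstrapped key Ks (constructed sample data)
        # instruction of claim 22 (assumed values): report hourly, only these sub-services
        self.instructions = {"interval_s": 3600, "sub_services": ["news", "sports"]}
        self.reports = []

    def security_parameters(self, subscriber, naf_id):
        # steps 61/62: hand out NAF-specific key material together with the reporting instruction
        return derive_ks_naf(self.master_keys[subscriber], naf_id), self.instructions

    def receive_report(self, report):
        # step 64: keep only the sub-services the instruction asked for
        if report.sub_service in self.instructions["sub_services"]:
            self.reports.append(report)

    def statistics(self):
        # step 67: transferred volume per sub-service across all reports
        totals = {}
        for r in self.reports:
            totals[r.sub_service] = totals.get(r.sub_service, 0) + r.data_volume
        return totals

    def charging_data(self, subscriber):
        # step 65: usage seconds to bill the subscriber on the provider's behalf
        return sum(r.duration_s for r in self.reports if r.subscriber == subscriber)

class ApplicationServer:
    """Service-provider NAF (claims 20-31); naf_id is an assumed identifier."""
    def __init__(self, naf_id, security_server):
        self.naf_id, self.security_server = naf_id, security_server

    def serve(self, subscriber, user_proof, sub_service, data_volume, duration_s):
        ks_naf, _ = self.security_server.security_parameters(subscriber, self.naf_id)  # step 32/42
        if not hmac.compare_digest(ks_naf, user_proof):  # the user must hold the same Ks_NAF
            return False
        self.security_server.receive_report(UsageReport(subscriber, sub_service, data_volume, duration_s))  # step 35/45
        return True
```

The operator's server never sees the service traffic itself; everything it bills or counts rests on the authenticated report the third-party server chooses to send, which is why the instruction list and the key check sit on the operator side.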

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2008/054255 WO2009124587A1 (en) 2008-04-09 2008-04-09 Service reporting

Publications (1)

Publication Number Publication Date
EP2274927A1 true EP2274927A1 (en) 2011-01-19

Family

ID=40417649

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08735981A Withdrawn EP2274927A1 (en) 2008-04-09 2008-04-09 Service reporting

Country Status (3)

Country Link
EP (1) EP2274927A1 (en)
CN (1) CN101990771B (en)
WO (1) WO2009124587A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188229B (en) * 2011-12-30 2017-09-12 上海贝尔股份有限公司 The method and apparatus accessed for secure content
CN110830240B (en) * 2018-08-09 2023-02-24 阿里巴巴集团控股有限公司 Communication method and device of terminal and server
KR102617900B1 (en) * 2019-01-07 2023-12-27 애플 인크. Performance measures related to quality of service flow and service requests

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE0103337D0 (en) * 2001-10-08 2001-10-08 Service Factory Sf Ab System and method relating to mobile communications
KR100509936B1 (en) * 2003-02-10 2005-08-24 주식회사 케이티프리텔 System and method for providing prepaid wise network service of multimedia data in mobile communication network
US20050177515A1 (en) * 2004-02-06 2005-08-11 Tatara Systems, Inc. Wi-Fi service delivery platform for retail service providers
WO2005109938A1 (en) * 2004-05-12 2005-11-17 Telefonaktiebolaget L M Ericsson (Publ) Authentication system
EP1898349A1 (en) * 2006-09-06 2008-03-12 Siemens Aktiengesellschaft Method and system for providing a service to a subscriber of a mobile network operator

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Generic bootstrapping architecture (Release 8)", 3GPP STANDARD; 3GPP TS 33.220, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V8.3.0, 1 March 2008 (2008-03-01), pages 1 - 75, XP050376712 *

Also Published As

Publication number Publication date
WO2009124587A1 (en) 2009-10-15
CN101990771A (en) 2011-03-23
CN101990771B (en) 2014-07-02

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20101109

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20110701

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NOKIA SOLUTIONS AND NETWORKS OY

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/08 20090101ALI20171124BHEP

Ipc: H04L 29/08 20060101AFI20171124BHEP

INTG Intention to grant announced

Effective date: 20171212

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20181101