GB2407939A - Authentication in a secure wireless communication system - Google Patents
Authentication in a secure wireless communication system Download PDFInfo
- Publication number
- GB2407939A GB2407939A GB0405489A GB0405489A GB2407939A GB 2407939 A GB2407939 A GB 2407939A GB 0405489 A GB0405489 A GB 0405489A GB 0405489 A GB0405489 A GB 0405489A GB 2407939 A GB2407939 A GB 2407939A
- Authority
- GB
- United Kingdom
- Prior art keywords
- user
- authentication
- mobile device
- network
- user data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method of authentication via a secure wireless communication system; the method comprising sensing that a mobile device has come within range of a secure network; initiating a program (5) within the mobile device offering the user a plurality of authentication options; processing the chosen authentication option and providing requested user data to a service provider for the secure network (9), only if the chosen authentication option within the mobile device permits provision of the requested user data. This ensures that a user device (e.g. laptop, PDA) only connects to a wireless network (e.g. WLAN) if the user gives their permission by, for example, entering a password when prompted.
Description
A METHOD OF AUTHENTICATION VIA A SECI,TRE WIRELESS
COMMUNICATION SYSTEM
This invention relates to a method of authentication via a secure wireless communication system.
In wireless local area network (WLAN) and cellular standards, there are two ways of authenticating a user terminal for use on a network. These are commonly known as open and closed security types. Conventional WLAN hotspot authentication, commonly using a user name and password, allows users to access the hotspot infrastructure before authentication occurs, i.e. the access points (APB) do not implement any access control measures on user data entering the network. This is the open security' model. Typically, in the open system a user device detects the presence of a network in an area by its radio signal and then automatically connects to the system by opening up a web browser or otherwise starting an application and all further actions are at application level. The WLAN hotspot authentication utilises a web browser portal page on which the user typically types in their username and password, but this is inherently insecure since it is possible for someone to tap into the radio signal, without the service provider being aware of this. This web browsing transaction, initially has very little security, leaving both the user's equipment and that of the hotspot vulnerable to external attack.
This model is slowly being rejected in favour of a 'closed security' model where APs themselves implement access control, restricting user access to the network infrastructure until a successful authentication exchange has been carried out. This alternative 'closed' system operates in the radio layer and requires the mobile device to provide security information before opening an application, such as a web browser.
This authentication is arranged to occur automatically, as soon as the mobile device comes into range of the network using a security framework protocol standardised by IEEE 802.1 lit A problem of this 'closed' solution is that the user may not wish to share this security information via a network which is not known to him, such as at a foreign airport, or where he might incur costs when he does not need to use his mobile device.
As more and more of the closed-type secure systems appear, there is a requirement for the user to be able to prevent his authentication credentials being r exchanged automatically. Under the current arrangement, if the mobile device is switched on, then the wireless card detects a network on entry to the area of operation and automatically tries to log in.
In accordance with the present invention, a method of authentication via a secure wireless communication system comprises sensing that a mobile device has come within range of a secure network; initiating a program within the mobile device offering the user a plurality of authentication options; processing the chosen authentication option and providing requested user data to a service provider for the secure network, only if the chosen authentication option within the mobile device permits provision of the requested user data.
The invention ensures that the user's data is transferred via a secure route, but prevents automatic connection before the user has given permission and allows the user to control the time of data exchanged.
The user data may be any soft data, such as a user ID and PIN number, but preferably, the user data comprises a user name and password.
This maintains the 'open security' look and feel without the risk of open systems.
Optionally, the method further comprises exchanging authentication credentials via link layer specific protocols.
Specific protocols such as EAP can be used to exchange authentication credentials, such as SIM card data or credit card number, in accordance with the closed security aspects of the network, but if the user is concerned about releasing such data, then authentication can take place with only the soft data are exchanged.
The mobile device may be any electronic communication device, but preferably, the mobile device is one of a laptop, personal digital assistant or mobile phone.
The method is suitable for various types of networks, but preferably, the network is a wireless local area network.
Preferably, the offer of authentication options to the user is carried out by a local proxy on the user's mobile device.
Preferably, the local proxy encapsulates or decapsulatcs user data.
: ;' . 'l: ..e : . . tes *e.e:.
A method of authentication via a secure wireless communication system according to the present invention will now be described with reference to the accompanying drawing in which: Fig. 1 illustrates one possible implementation of the method of the invention.
The present invention addresses the need to provide a 'closed security' solution, whilst retaining the look and feel of conventional web browser authentication, typically using a user name and password, by providing secure authentication in a mobile terminal using a local proxy. In technical terms, the move to a 'closed security' model is not straightforward, so not all networks will be immediately upgraded. The complete solution as defined by IEEE 802.1 1 i (WLAN technology security project number) is hard to implement and compels hotspot providers to change their infrastructure. It also results in the user no longer being involved interactively. Although the 'closed security' model addresses the security shortcomings of the open model, it provides a totally different user experience because it does not involve a web based portal page, so there may be some user resistance to the closed system.
The present invention allows the user to intervene in the process before an exchange of credentials takes place and keep the general feel of the old open system the same for the user. This is done by causing a program, a DNS server stub, on the mobile device to start which appears to the user to be a web browser, but in fact is only on the mobile device. The user is informed that they are in a closed security model area and asked if they wish to proceed. Various options are given for the authentication method, which is effectively a request to the user for permission to connect. The network to which they are connecting will have certain basic requirements for authentication, but these are deemed by the service provider, rather than the hotspot. Using a local web- browser gives an option which is the equivalent of 'do not connect'. If the user does want to connect, then further authentication can be carried out in the usual way for a closed system, for example by means of a transfer of the user's SIM card data or other secure ID, such as a credit card number, after the local proxy has confirmed that the user will permit this. The mobile device could be provided with a credit card reader, into which the credit card is inserted to provide the connection credentials, without having to type in number. c: e c
Fig. I illustrates functional blocks in a mobile terminal for one possible implementation of the present invention. The terminal needs to exchange user name and password credentials with a network using a common authentication exchange protocol. This could be, for example, Extensible Authentication Protocol Message Digest no. 5 (EAP-MD5) or EAP Lightweight Directory Access Protocol. (EAP- LDAP) The sequence of events in the terminal to achieve this is as follows. When an association is required between a WEAN terminal and the network, a browser] is initiated by the user. The browser 1 sends a domain name server (DNS) request via a 'tune' interface 2, tune being a default address used in UNIX based terminals, and this route is set as default route A, 3. In a user space 4, a DNS server stub 5 replies with a loca] address. The browser I then does a HyperText Transfer Protoco] (HTTP) 'GET' request to this local address and a user space web server stub 6 replies with a simple HyperText Markup Language (HTML) page.
The HTML page is displayed on the browser I and requests that the user enter their user name and password. The browser then performs a POST operation on the page which is passed back through default route A 3 to a user space supplicant 7 which extracts the user name and password from the POSTed data. The user name and password are then passed into a suitable message type (e.g. MD5) and the supplicant 7 initiates a corresponding protocol (e.g. EAP-MD5) exchange with the network, via wlanO' 8 on a raw Ethernet socket. If this message exchange is successful, the supplicant 7 switches to default route B 8 via 'wlanO' 9 and on its next 'refresh' redirects the web-browser I to a uniform resource locator (URL), which conventionally would have opened automatically without the procedure described above.
The web browser then communicates directly through the 'wlanO' interface, default route B 9, and continues using a kernel Internet Protocol (IP) stack 10 in the user space 4 in a conventional manner.
As described above, the present invention uses a local proxy in the user terminal, which appears to the user as a normal web service, but which actually provides a 'closed security' authentication solution, since it does not allow the user to connect to a network until authentication credentials have been exchanged, but also prevents automatic connection where the user has no control over which networks he connects to. The 'open security' model user credentials of username and password are ë ce e ëcee . passed across a 'closed security' system, whilst still retaining the 'open security' look and feel to the user. This local proxy is not a true web server, although it appears like one to the user. By manipulating lower layer data within the proxy, still within the tcrrninal, a secure authentication method is provided.
Claims (7)
1. A method of authentication via a secure wireless communication system; the method comprising sensing that a mobile device has come within range of a secure network; initiating a program within the mobile device offering the user a plurality of authentication options; processing the chosen authentication option and providing requested user data to a service provider for the secure network, only if the chosen authentication option within the mobile device permits provision of the requested user data.
2. A method according to claim 1, wherein the user data comprises user name and password.
3. A method according to claim l or claim 2, the method further comprising l 5 exchanging authentication credentials via link layer specific protocols.
4. A method according to any preceding claim, wherein the mobile device is one of a laptop, personal digital assistant or mobile phone.
5. A method according to any preceding claim, wherein the network is a wireless local area network.
6. A method according to any preceding claim, wherein the offer of authentication options to the user is carried out by a local proxy on the user's mobile device.
7. A method according to claim 6, wherein the local proxy encapsulates or decapsulates user data.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/972,780 US7743405B2 (en) | 2003-11-07 | 2004-10-26 | Method of authentication via a secure wireless communication system |
CA2486226A CA2486226C (en) | 2003-11-07 | 2004-10-28 | A method of authentication via a secure wireless communication system |
AU2004224971A AU2004224971B2 (en) | 2003-11-07 | 2004-10-29 | A method of authentication via a secure wireless communication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB0325980.1A GB0325980D0 (en) | 2003-11-07 | 2003-11-07 | Secure authentication in a mobile terminal using a local proxy |
Publications (3)
Publication Number | Publication Date |
---|---|
GB0405489D0 GB0405489D0 (en) | 2004-04-21 |
GB2407939A true GB2407939A (en) | 2005-05-11 |
GB2407939B GB2407939B (en) | 2006-01-11 |
Family
ID=29726102
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB0325980.1A Ceased GB0325980D0 (en) | 2003-11-07 | 2003-11-07 | Secure authentication in a mobile terminal using a local proxy |
GB0405489A Expired - Fee Related GB2407939B (en) | 2003-11-07 | 2004-03-12 | A method of authentication via a secure wireless communication system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB0325980.1A Ceased GB0325980D0 (en) | 2003-11-07 | 2003-11-07 | Secure authentication in a mobile terminal using a local proxy |
Country Status (1)
Country | Link |
---|---|
GB (2) | GB0325980D0 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1345386A2 (en) * | 2002-03-16 | 2003-09-17 | Samsung Electronics Co., Ltd. | Method of controlling network access in wireless environment and recording medium therefor |
WO2004064306A2 (en) * | 2003-01-13 | 2004-07-29 | Motorola Inc. A Corporation Of The State Of Delaware | Method and apparatus for providing network service information to a mobile station by a wireless local area network |
-
2003
- 2003-11-07 GB GBGB0325980.1A patent/GB0325980D0/en not_active Ceased
-
2004
- 2004-03-12 GB GB0405489A patent/GB2407939B/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1345386A2 (en) * | 2002-03-16 | 2003-09-17 | Samsung Electronics Co., Ltd. | Method of controlling network access in wireless environment and recording medium therefor |
WO2004064306A2 (en) * | 2003-01-13 | 2004-07-29 | Motorola Inc. A Corporation Of The State Of Delaware | Method and apparatus for providing network service information to a mobile station by a wireless local area network |
Also Published As
Publication number | Publication date |
---|---|
GB2407939B (en) | 2006-01-11 |
GB0405489D0 (en) | 2004-04-21 |
GB0325980D0 (en) | 2003-12-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3657894B1 (en) | Network security management method and apparatus | |
CN107534651B (en) | Method and apparatus for communicating session identifier | |
EP3120591B1 (en) | User identifier based device, identity and activity management system | |
EP1693988B1 (en) | A method of the subscriber terminal selecting the packet data gateway in the wireless local network | |
EP3008935B1 (en) | Mobile device authentication in heterogeneous communication networks scenario | |
CN101573998B (en) | Method and apparatus for determining an authentication procedure | |
US9113332B2 (en) | Method and device for managing authentication of a user | |
CN102017677B (en) | Access through non-3GPP access networks | |
KR100996983B1 (en) | Method and apparatus enabling reauthentication in a cellular communication system | |
KR100644616B1 (en) | Method for single-sign-on based on markup language, and system for the same | |
CN1781099B (en) | Automatic configuration of client terminal in public hot spot | |
CN108496380B (en) | Server and storage medium | |
US20010054157A1 (en) | Computer network system and security guarantee method in the system | |
US20110289573A1 (en) | Authentication to an identity provider | |
EP2477360B1 (en) | Session updating method for authentication, authorization and accounting and equipment and system thereof | |
JP2004505383A (en) | System for distributed network authentication and access control | |
CA2530891A1 (en) | Apparatus and method for a single sign-on authentication through a non-trusted access network | |
US8274985B2 (en) | Control of cellular data access | |
CA2486226C (en) | A method of authentication via a secure wireless communication system | |
US20020042820A1 (en) | Method of establishing access from a terminal to a server | |
EP2267974A1 (en) | System and method for local policy enforcement for internet service providers | |
JP2004166226A (en) | Method and system for controlling online access from terminal user to content service | |
GB2407939A (en) | Authentication in a secure wireless communication system | |
KR100687722B1 (en) | Authenticating server and method for user authentication using the same | |
GB2407940A (en) | Providing secure authentication data in a wireless network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PCNP | Patent ceased through non-payment of renewal fee |
Effective date: 20180312 |