GB2407940A - Providing secure authentication data in a wireless network - Google Patents
- Publication number
- GB2407940A
- Authority
- GB
- United Kingdom
- Prior art keywords
- network
- authentication data
- security
- user
- authentication
- Prior art date
- Legal status
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W74/00—Wireless channel access
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention seeks to combine both an "open security" and "closed security" model to increase the security of an insecure network (e.g. WLANs). An "open security" model which allows a user to access the infrastructure before authentication occurs, which may take the form of a password and username, for example, is insecure as there is no access control on data entering the network. A "closed security" model however works at the radio level to restrict access to the network infrastructure until a successful authentication exchange has been carried out. A user can be connected to a "closed security" model network without their knowledge which is not necessarily desirable. Therefore, by combining both models the security of a network is improved.
Description
A METHOD OF PROVIDING SECURE AUTHENTICATION DATA IN AN INSECURE NETWORK
This invention relates to a method of providing secure authentication data in an insecure network, such as a wireless network.
Conventional wireless local area network (WLAN) hotspot authentication allows users to access the hotspot infrastructure before authentication occurs. For example, a laptop wireless card detects that there is a wireless signal present and automatically connects to the system. Authentication commonly involves a user name and password, but hotspot access points (APs) do not implement any access control measures on user data entering the network. This is referred to as an 'open security' model or the Universal Access Method (UAM). This system is inherently insecure because it operates at the application level, so an eavesdropper can tap into the radio signal and glean information without the service provider being aware that this is happening.
This model is slowly being rejected in favour of a 'closed security' model where the APs themselves implement access control, restricting user access to the network infrastructure until a successful authentication exchange has been carried out.
For the purpose of this description, this option is referred to as Wireless Protected Access (WPA). This is more secure because it works at the radio layer, so that when, for example, a laptop comes within range of the wireless signal, the system automatically demands security information from the laptop and prevents applications from starting until the security information has been processed.
One problem with this closed model is that the user may not want his device to connect automatically every time he is within range. This applies particularly where the user is outside his usual environment, for example at an overseas airport, and does not want his data to be passed through an unknown network, or where there are costs associated simply with connecting and the user has no intention of making use of that particular connection. Another problem is that, having moved to a closed security system, there will be hotspots which have not been upgraded.
In accordance with the present invention, a method of providing secure authentication data in an insecure network comprises initializing a startup sequence when a mobile device comes within range of a wireless communication network; compiling authentication data; transmitting the authentication data to the network via a secure protocol; and preventing the mobile device from accessing the network until both open and closed security authentication is complete.
The present invention enables a user to provide secure authentication data to their service provider before connecting to a network, in circumstances where the network itself has not been upgraded to a secure system.
Preferably, authentication data is transferred using an application independent link layer protocol.
The mobile device may be any electronic communication device, but preferably, the mobile device is one of a laptop, personal digital assistant or mobile phone.
The method may be applied for any type of wireless network, but preferably, the network is a wireless local area network.
Preferably, the authentication data is one of a hardware token, credit card data, or a one-time scratch card.
A method of providing secure authentication data in an insecure network in accordance with the present invention will now be described with reference to the accompanying drawings, in which:
Figure 1 is one example of possible architecture for carrying out the method of the present invention;
Figure 2 is a second example of possible architecture for carrying out the method of the present invention; and
Figure 3 is a third example of possible architecture for carrying out the method of the present invention.
Within existing 'open security' hotspots, it is desirable to be able to use credentials from a subscriber identity module (SIM), universal SIM (USIM) or hardware tokens, such as smart cards or PCMCIA standard cards, without user intervention, to support authentication in an 'open security' network, which would normally rely on user input such as username and password, one time password (OTP) or generic token card (GTC) type methods.
The present invention allows credentials from hardware tokens, e.g. from within the SIM card, to be accessed and sent to the backend authentication server using secure hypertext transfer protocol (HTTPS). Thus, transparent authentication exchanges, i.e. those that do not require user input, can be supported using the well-known user interaction pattern of the 'open security' look and feel. The 'closed security' model user's credentials are passed across an 'open security' system, thus retaining the 'open security' model look and feel. The content handler can be a 'plugin' to the user's browser.
The 'open security' model assumes username and password style authentication procedures, including other user input authentication mechanisms such as OTP and GTC. The present invention broadens this to include authentication mechanism types more usually associated with closed security models, which are transparent to the user, so user credentials may be exchanged between the mobile terminal and the network via extensible markup language (XML) or multipurpose internet mail extensions (MIME), but implementation of the method is not limited to these. It is also possible to use keying material generated as a side effect of this authentication exchange to secure the user data.
In each example illustrated, the system comprises a mobile terminal, the user equipment (UE) 1, an access point 2 by which the UE can connect to the network, a public access control gateway (PAC G/w) 3 and an authentication server (AS) 4.
The sequence of events is as follows. The user, via the UE 1, associates with an AP 2 in a WLAN hotspot and opens a web browser. The PAC gateway 3 redirects the user to a login page which is processed internally within the user device, i.e. 'transparently', not visible to the user. Part of this processing is to retrieve user data from the mobile device, which may be, for example, by means of an XML-based schema which retrieves credentials from a SIM card in the UE 1. An authentication exchange is carried out between the mobile terminal and the network to mutually authenticate, and the user is provided with feedback as to the result of the authentication procedure. In the first example shown in Fig. 1, the PAC gateway 3 downloads authentication information 5, analogous to GSM triples, from the AS 4 to a visitor location register (VLR).
In the example of Fig. 2, communication between the UE 1 and the AS 4 is via HTTPS. An access accept indication 6 is provided between the AS 4 and the PAC gateway 3. There is a requirement for the access accept indication to correlate to the UE 1. In Fig. 3, an extensible authentication protocol (EAP) exchange between the UE 1 and the AS 4 is achieved using HTTPS from the UE 1 to the PAC gateway and AAA backhaul from the gateway to the AS.
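The following simulation is an added example, not code from the patent or its applicant. It models the sequence of events just described: the UE associates, its first HTTP request is redirected by the PAC gateway to a login page, a browser-side content handler answers transparently with SIM-derived credentials carried in an XML document, the AS runs a challenge/response exchange with the UE, and the gateway forwards user traffic only after it has received an access-accept correlated to that UE. The patent does not specify the authentication algorithm, so an HMAC-SHA256 response over a server nonce (with a server proof for mutual authentication and a derived session key) is an assumption standing in for the GSM-style algorithm; the HTTPS and AAA transports are simulated as direct method calls, and all identities, MAC addresses, URLs and keys are constructed placeholders.

```python
"""Simulation of transparent open-security hotspot login gated by a PAC gateway.
Added example; HMAC challenge/response and all data values are assumptions."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

LOGIN_URL = "https://gateway.example/login"  # constructed placeholder
# Constructed subscriber database: identity -> long-term SIM key.
SUBSCRIBERS = {"IMSI-001": hashlib.sha256(b"constructed SIM key 001").digest()}


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed derivation used for UE response, AS proof and session key."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class AuthServer:
    """Backend AS holding subscriber secrets and outstanding challenges."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self.subscribers = subscribers
        self.pending: Dict[str, bytes] = {}  # identity -> nonce in flight

    def challenge(self, identity: str) -> Optional[bytes]:
        if identity not in self.subscribers:
            return None  # unknown subscriber: no challenge, no access
        nonce = secrets.token_bytes(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Return (server_proof, session_key) on success, else None."""
        nonce = self.pending.pop(identity, None)
        if nonce is None:
            return None
        key = self.subscribers[identity]
        if not hmac.compare_digest(response, _prf(key, b"ue", nonce)):
            return None
        return _prf(key, b"as", nonce), _prf(key, b"key", nonce)


class PacGateway:
    """Open-security gate: redirects unauthenticated clients, relays auth to AS."""

    def __init__(self, auth_server: AuthServer):
        self.auth_server = auth_server
        self.clients = set()      # associated client ids (MAC placeholders)
        self.authorised = set()   # clients with a correlated access-accept

    def associate(self, client_id: str) -> None:
        self.clients.add(client_id)

    def handle_http(self, client_id: str, url: str) -> Tuple[int, str]:
        if client_id in self.authorised:
            return 200, url
        return 302, LOGIN_URL  # not yet authenticated: redirect to login page

    def login(self, client_id: str, credential_xml: str) -> Tuple[str, Optional[bytes]]:
        # Credentials come from the client; only the identity is read out here.
        identity = ET.fromstring(credential_xml).findtext("identity") or ""
        return identity, self.auth_server.challenge(identity)

    def login_response(self, client_id: str, identity: str, response: bytes) -> Optional[bytes]:
        result = self.auth_server.verify(identity, response)
        if result is None or client_id not in self.clients:
            return None  # no access-accept: client stays redirected
        server_proof, _session_key = result
        self.authorised.add(client_id)  # access-accept correlated to this UE
        return server_proof


class MobileTerminal:
    """UE with a SIM-style credential and a transparent login content handler."""

    def __init__(self, mac: str, identity: str, sim_key: bytes):
        self.mac, self.identity, self.sim_key = mac, identity, sim_key
        self.session_key: Optional[bytes] = None

    def credential_xml(self) -> str:
        root = ET.Element("credentials")
        ET.SubElement(root, "identity").text = self.identity
        return ET.tostring(root, encoding="unicode")

    def connect(self, gw: PacGateway, url: str) -> bool:
        gw.associate(self.mac)
        status, target = gw.handle_http(self.mac, url)
        if status != 302 or target != LOGIN_URL:
            return status == 200
        # Content handler processes the login page without user input.
        identity, nonce = gw.login(self.mac, self.credential_xml())
        if nonce is None:
            return False
        proof = gw.login_response(self.mac, identity, _prf(self.sim_key, b"ue", nonce))
        if proof is None or not hmac.compare_digest(proof, _prf(self.sim_key, b"as", nonce)):
            return False  # network failed to prove itself: report failure to user
        self.session_key = _prf(self.sim_key, b"key", nonce)  # keying material for user data
        return gw.handle_http(self.mac, url)[0] == 200


def run_demo() -> Dict[str, bool]:
    gw = PacGateway(AuthServer(SUBSCRIBERS))
    url = "http://example.org/"
    good = MobileTerminal("aa:bb:cc:00:00:01", "IMSI-001", SUBSCRIBERS["IMSI-001"])
    bad = MobileTerminal("aa:bb:cc:00:00:02", "IMSI-001", b"wrong key")
    unknown = MobileTerminal("aa:bb:cc:00:00:03", "IMSI-999", b"no such subscriber")
    return {
        "good": good.connect(gw, url),
        "bad_key": bad.connect(gw, url),
        "unknown": unknown.connect(gw, url),
        "bad_still_gated": gw.handle_http(bad.mac, url)[0] == 302,
        "good_has_key": good.session_key is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The gating property the claims describe is visible in `PacGateway.handle_http`: a client is forwarded only after an access-accept that the gateway has tied to that client's own association, so a UE whose response fails verification, or whose identity the AS does not know, keeps being redirected to the login page.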
Claims (6)
1. A method of providing secure authentication data in an insecure network; the method comprising initialising a start-up sequence when a mobile device comes within range of a wireless communication network; compiling authentication data; transmitting the authentication data to the network via a secure protocol; and preventing the mobile device from accessing the network until both open and closed security authentication is complete.
2. A method according to claim 1, wherein authentication data is transferred using an application independent link layer protocol.
3. A method according to claim 1 or claim 2, wherein the mobile device is one of a laptop, personal digital assistant or mobile phone.
4. A method according to any preceding claim, wherein the network is a wireless local area network.
5. A method according to any preceding claim, wherein the authentication data is one of a hardware token, credit card data, or a one-time scratch card.
6. A method as hereinbefore described with reference to the accompanying figures.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB0325978.5A GB0325978D0 (en) | 2003-11-07 | 2003-11-07 | Transparent authentication on a mobile terminal using a web browser |
Publications (2)
Publication Number | Publication Date |
---|---|
GB0405492D0 GB0405492D0 (en) | 2004-04-21 |
GB2407940A true GB2407940A (en) | 2005-05-11 |
Family
ID=29726100
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB0325978.5A Ceased GB0325978D0 (en) | 2003-11-07 | 2003-11-07 | Transparent authentication on a mobile terminal using a web browser |
GB0405492A Withdrawn GB2407940A (en) | 2003-11-07 | 2004-03-12 | Providing secure authentication data in a wireless network |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB0325978.5A Ceased GB0325978D0 (en) | 2003-11-07 | 2003-11-07 | Transparent authentication on a mobile terminal using a web browser |
Country Status (1)
Country | Link |
---|---|
GB (2) | GB0325978D0 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB560448A (en) * | 1941-11-04 | 1944-04-05 | Warwick Chemical Company | Improvements in or relating to water repellants and the treatment of textiles therewith |
WO2008027165A2 (en) * | 2006-08-28 | 2008-03-06 | Sandisk Corporation | Memory device for cryptographic operations and method for interacting therewith |
EP1965597A1 (en) * | 2005-12-28 | 2008-09-03 | Matsushita Electric Industrial Co., Ltd. | Radio communication base station device and call connection method |
US7743258B2 (en) | 2006-08-28 | 2010-06-22 | Sandisk Corporation | Method for interacting with a memory device in cryptographic operations |
WO2010115455A1 (en) * | 2009-04-07 | 2010-10-14 | Togewa Holding Ag | Method and system for authenticating a network node in a uam-based wlan network |
GB2527151A (en) * | 2014-06-13 | 2015-12-16 | Chris Hagan | Wireless access point allocation and transfer |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1345386A2 (en) * | 2002-03-16 | 2003-09-17 | Samsung Electronics Co., Ltd. | Method of controlling network access in wireless environment and recording medium therefor |
- 2003-11-07: GB GBGB0325978.5A patent/GB0325978D0/en not_active Ceased
- 2004-03-12: GB GB0405492A patent/GB2407940A/en not_active Withdrawn
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB560448A (en) * | 1941-11-04 | 1944-04-05 | Warwick Chemical Company | Improvements in or relating to water repellants and the treatment of textiles therewith |
EP1965597A4 (en) * | 2005-12-28 | 2013-04-24 | Panasonic Corp | Radio communication base station device and call connection method |
US8855606B2 (en) | 2005-12-28 | 2014-10-07 | Panasonic Intellectual Property Corporation Of America | Integrated circuit for radio communication mobile station device and call connection method |
EP2709417A1 (en) * | 2005-12-28 | 2014-03-19 | Panasonic Corporation | Radio communication terminal apparatus device and call connection method |
EP1965597A1 (en) * | 2005-12-28 | 2008-09-03 | Matsushita Electric Industrial Co., Ltd. | Radio communication base station device and call connection method |
US8594633B2 (en) | 2005-12-28 | 2013-11-26 | Panasonic Corporation | Radio communication mobile station device and call connection method |
US7743258B2 (en) | 2006-08-28 | 2010-06-22 | Sandisk Corporation | Method for interacting with a memory device in cryptographic operations |
US8135961B2 (en) | 2006-08-28 | 2012-03-13 | Sandisk Technologies Inc. | Method and computing device for interfacing with a memory device in operations |
WO2008027165A3 (en) * | 2006-08-28 | 2008-07-31 | Sandisk Corp | Memory device for cryptographic operations and method for interacting therewith |
WO2008027165A2 (en) * | 2006-08-28 | 2008-03-06 | Sandisk Corporation | Memory device for cryptographic operations and method for interacting therewith |
WO2010115455A1 (en) * | 2009-04-07 | 2010-10-14 | Togewa Holding Ag | Method and system for authenticating a network node in a uam-based wlan network |
US8806587B2 (en) | 2009-04-07 | 2014-08-12 | Togewa Holding Ag | Method and system for authenticating a network node in a UAM-based WLAN network |
US9015815B2 (en) | 2009-04-07 | 2015-04-21 | Togewa Holding Ag | Method and system for authenticating a network node in a UAM-based WLAN network |
GB2527151A (en) * | 2014-06-13 | 2015-12-16 | Chris Hagan | Wireless access point allocation and transfer |
US9439235B2 (en) | 2014-06-13 | 2016-09-06 | Chris Hagan | Wireless access point allocation and transfer |
GB2527151B (en) * | 2014-06-13 | 2017-03-22 | Hagan Chris | Wireless access point allocation and transfer |
Also Published As
Publication number | Publication date |
---|---|
GB0405492D0 (en) | 2004-04-21 |
GB0325978D0 (en) | 2003-12-10 |
Similar Documents
Publication | Title |
---|---|
US8285992B2 (en) | Method and apparatuses for secure, anonymous wireless LAN (WLAN) access |
EP1058872B1 (en) | Method, arrangement and apparatus for authentication through a communications network |
US8782759B2 (en) | Identification and access control of users in a disconnected mode environment |
US20060023682A1 (en) | Wireless communication network, wireless terminal, access server, and method therefor |
US20080268815A1 (en) | Authentication Process for Access to Secure Networks or Services |
US20060069914A1 (en) | Mobile authentication for network access |
US20080037486A1 (en) | Methods And Apparatus Managing Access To Virtual Private Network For Portable Devices Without Vpn Client |
EP1343093B1 (en) | Method and device for authenticating users |
US20080070544A1 (en) | Systems and methods for informing a mobile node of the authentication requirements of a visited network |
US20050195778A1 (en) | Method and device for setting up connections between communication terminals and data and/or communication networks having wireless transmission links, such as, for example, wireless local area networks (WLAN) and/or mobile telephone networks, and a corresponding computer program and a corresponding computer-readable storage medium |
JP2009055454A (en) | Base station apparatus |
US7743405B2 (en) | Method of authentication via a secure wireless communication system |
KR20040083272A (en) | Method and System for Authentication of User on Web and/or Wireless Network by Using Mobile Terminal Loaded a Challenge/Response Based Mobile One-Time Password Module |
GB2407940A (en) | Providing secure authentication data in a wireless network |
US20230284025A1 (en) | Hyperledger Authorization into a Radio Access Network (RAN) |
US11146944B1 (en) | Mobile phone peer-to-peer electronic subscriber identity module (eSIM) transfer |
WO2018124430A1 (en) | Online information security system utilizing cell broadcasting service |
McCann et al. | Novel WLAN hotspot authentication |
Lin et al. | GPRS-based WLAN authentication and auto-configuration |
Schuba et al. | Internet id-flexible re-use of mobile phone authentication security for service access |
GB2407939A (en) | Authentication in a secure wireless communication system |
Vincze | How secure personal mobility can be? |
KR20180107537A (en) | Authentication system and method using special character |
Ubisafe et al. | Unifying CardSpace and Liberty Alliance with SIM Authentication |
MXPA00007816A (en) | Method, arrangement and apparatus for authentication through a communications network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |