GB2485388A - Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network - Google Patents


Publication number: GB2485388A
Authority: GB (United Kingdom)
Prior art keywords: user device, wireless network, authorisation, server, access
Legal status: Withdrawn
Application number: GB1019148.4A
Other versions: GB201019148D0 (en)
Inventors: Hitesh Tewari, Mark Dennehy, Warren Kenny, Arthur Cagney, Shane Howley
Current assignee: TRINITY COLLEGE DUBLIN
Original assignee: TRINITY COLLEGE DUBLIN
Events: application filed by TRINITY COLLEGE DUBLIN; priority to GB1019148.4A; publication of GB201019148D0; publication of GB2485388A; application status Withdrawn


Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS; H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
        • H04W12/08 Access security
        • H04W12/04 Key management, e.g. by generic bootstrapping architecture [GBA]
        • H04W12/0403 Key management, e.g. by generic bootstrapping architecture [GBA] using a trusted network node as anchor
        • H04W12/04031 Key distribution, e.g. key pre-distribution or key agreement
        • H04W12/06 Authentication
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Abstract

Authorising a user device comprising a subscriber identity module (SIM) to access wireless networks other than a cellular network, in order to reduce the data traffic on the cellular networks due to the proliferation of smart phones and the provision of mobile broadband for laptop and tablet computer devices. Data-related traffic on the cellular networks may be offloaded to nearby wireless networks (WLAN, WMAN, etc).

Description

"An authorisation method and system for wireless networks using subscriber identity module based information"

Introduction

This invention relates to a method and system to allow access to a wireless network using subscriber identity module based (SIM-based) information.

In recent years there has been a large shift towards using third generation (3G) mobile telephony networks, otherwise known as 3G cellular networks. These 3G cellular networks allow a theoretical data rate of the order of 56 Mbit/s in the downlink direction and 22 Mbit/s in the uplink direction, although typically the actual data rates are lower than these values. Nonetheless, the data rates achieved using 3G cellular networks are significantly higher than those of older cellular networks such as GPRS, EDGE and other 2G networks. As a result of these improved, higher data rates, an ever increasing number of people are using the cellular networks to transfer data.

There has also been a general transition and evolution in the mobile phone market from providing devices capable of telephony services only to providing devices capable of both telephony services and data-related services. These devices are commonly known as smartphones. The provision of a large number of smartphones has thus led to an increase in the amount of data-related traffic which is transmitted across the cellular networks. Many of the smartphones are more akin to mini computing devices and applications can be loaded and installed on the smartphones. The majority of these applications use data-related services and some applications are capable of continually running in the background constantly updating the user with information. All of these activities are very data dependent and increase the amount of data that is transmitted across the cellular networks.

This increase in data-related traffic on the cellular networks is predicted to continue, with data-related traffic levels on cellular networks expected to reach 3.6 exabytes (3.6 x 10^18 bytes) per month by 2014, which represents approximately a 40 fold increase on current levels.

Some of this increase in data-related traffic is due to the widespread take up of smartphones and larger numbers of people using the cellular network for data-related traffic on these smartphones. A portion of this increase is also as a result of a new service known as mobile broadband (MBB) being offered by the cellular network operators.

MBB allows a computer or networking device which does not normally have a cellular network connection, which is to say a radio frequency antenna, to access the cellular network by connecting to an external plug-in antenna, typically in the form of a USB-connectable dongle, and connect to the Internet at broadband speeds. Using this plug-in antenna and associated software, the computer can connect directly to the cellular network and upload and download data through the cellular network. Thus, people can wirelessly access the Internet, e-mail and other services in areas where there are no wireless networks such as WiFi or WiMAX.

Recently, computer manufacturers and in particular laptop manufacturers have begun to hardwire these radio frequency antennas into the design of their computers so that users simply need to set up an account with their preferred cellular network operator and install the associated software for that cellular network operator.

There has been an extremely high take up of MBB and this level of take-up is predicted to continue in the future with the price plans offered by the cellular network operators being constantly reduced to make the service more affordable to a wider number of people. With the most recent laptops and computers already shipping with the necessary hardware pre-installed, even more people will be directed towards subscribing to the MBB service from one of their local cellular network operators.

Consequently, the amount of traffic on the cellular networks relating solely to data is set to increase even further as a result of this new service offered by the cellular network operators and the pre-installed, ready-to-go hardware offered by the computer manufacturers.

Whilst it is generally considered to be good for the cellular network operators that their services are in demand, this demand also presents a major problem for the mobile telephone network operators in that there is huge congestion on their cellular networks at present. As next generation cellular network protocols, such as 4G, become more widespread and adoption grows, this congestion problem will dissipate. However, these next-generation protocols are many years from full implementation and adoption, and it is important that the congestion problems currently found on the cellular networks be addressed now.

It has previously been suggested that a solution to this problem would be to offload the data-related traffic on the cellular networks from the cellular networks to nearby wireless networks, such as wireless local area networks (WLAN) and wireless metropolitan area networks (WMAN) networks.

Wireless networks are becoming increasingly widespread with many retail outlets, hotels, restaurants, bars and public spaces in general now offering wireless networks which are installed and operated by commercial enterprises. Indeed in some cities, wireless networks have been installed throughout the entire city using the existing street lighting network to provide wireless network coverage across the city.

The wireless network providers allow access to their wireless networks if a user is subscribed to their network or pays an access fee. The users, upon payment of this fee and/or authentication of their subscription, are authorised to access the wireless network and can connect to e-mail servers, the Internet, private networks and the like.

It has been suggested that users could offload the data-related traffic from the cellular network to a wireless network themselves.

However, users do not wish to have multiple accounts with various different wireless network operators. If a user already has a contract with a cellular network operator and possibly a second MBB contract with the cellular network operator, they do not wish to set up further accounts with wireless network operators. Given that there are so many wireless network operators offering wireless network access in various different areas, in order to have access to a wireless network throughout a city space, the user would need to subscribe to many if not all of the wireless network operators.

This would result in multiple wireless network operator accounts being held by the user in addition to their already existing cellular network account(s). This is burdensome for the user to keep in control of all of the subscription fees, access fees, usernames and passwords.

Moreover, offloading the data-related traffic from the cellular networks to the wireless networks in this manner requires the user to actively implement this offload themselves by constantly checking if they are in range of a wireless network which they have access to and, if so, logging on to the wireless network.

Due to the above-mentioned problems, users would be discouraged from offloading the data-related traffic to a wireless network from a financial point of view and a logistical point of view.

Furthermore, from a practical point of view, the user would be required to switch between the wireless networks and their cellular network on multiple occasions as they move about a city space. This would be highly impractical and would be burdensome for the user to carry out.

A simpler method of connecting to these existing wireless networks is sought. In particular, a method to allow a user, or more specifically a user's device, to automatically connect to a near-by wireless network for data-related traffic usage is sought.

Recent innovations have mooted the possibility of using subscriber identity module-based (SIM-based) information to allow a user device to automatically connect to a wireless network and perform authentication, authorisation and accounting procedures.

One such example is discussed in European Patent Number EP 1 624 639 B1 (SERVICE FACTORY AB). EP 1 624 639 B1 describes SIM-based authentication to allow a user device to access a wireless network.

EP 1 624 639 B1 requires that a bespoke server be installed in each of the cellular networks for each wireless network which is to be accessed using the SIM-based information relating to that cellular network.

Therefore, if the system were to be set up to allow two cellular network operators to offload some of the data traffic on their cellular networks to any of four different wireless networks, bespoke servers would have to be installed in each of the cellular network operators' networks. In essence, the SIM-based authentication method described in EP 1 624 639 B1 only allows for a 1:M relationship between a cellular network operator and a wireless network operator respectively. Moreover, the server in EP 1 624 639 B1 must be whitelisted with the wireless network to allow the server to be accessed initially by the wireless network.

The authentication and authorisation method described in EP 1 624 639 B1 requires that usernames and passwords be forward-authenticated and back-authenticated between the wireless network and the cellular network. This forward-authentication and back-authentication is time-consuming. Every time the user device connects to the wireless network, the SIM is queried for the relevant SIM-based information to allow the logon to the wireless network to occur. If a user device moves in and out of a wireless network several times per day, the SIM could be queried several times each day. Each SIM only has a preset number of times which it can be queried before it must be replaced. Therefore, the method and system described in EP 1 624 639 B1 is disadvantageous as it can cause the service life of the SIM to be shortened.

A further problem which exists with the method in the closest prior art, EP 1 624 639 B1, is that real-time accounting is not possible and therefore the method and system are, practically speaking, only applicable to 'bill pay' type cellular network users. The method and system cannot be applied to 'pre-paid' type cellular network users as the amount of credit left in the pre-paid account of the cellular network user cannot be updated and followed in real-time to ensure that the pre-paid user does not continue to have access to the wireless network after their account has reached zero credit.

It is a goal of the present invention to provide an apparatus/method that overcomes at least one of the above mentioned problems.

Summary of the Invention

The present invention is directed to an authorisation method which allows a user device comprising a subscriber identity module to access any one of a plurality of wireless networks, which each comprise a wireless network access server, using subscriber identity module based information which relates to any one of a plurality of cellular networks, which each comprise a home location register and are connected to a roaming gateway; wherein, an authorisation system comprising an authorisation server is remotely located from but communicatively connected to a plurality of the wireless networks and a plurality of the cellular networks; the method comprising the steps of the user device engaging one of the plurality of wireless networks; the authorisation server receiving the subscriber identity module based information from the user device via the engaged wireless network or one of the plurality of cellular networks; the authorisation server verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway; and, the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network.

The advantage of providing an authorisation system whereby subscriber identity module information is used to access any one of a plurality of wireless networks from any one of a plurality of cellular networks is that the system can accommodate an N:M relationship between the cellular networks and the wireless networks. The authorisation system does not need to be installed as part of either the wireless network or the cellular network, but rather is a standalone system which interacts with both: it appears to the wireless network as an authorisation server, and to the cellular network as a roamed-to cellular network.

In a preferred embodiment, the user device connects to the authorisation server over one of the plurality of cellular networks prior to engaging one of the plurality of wireless networks.

In a preferred embodiment, the method further comprises the step of the authorisation server transmitting a time limited key seed to the user device which allows the user device to generate access credentials to access the engaged wireless network.

In a preferred embodiment, the method further comprises the step of the user device using the time limited key seed along with a time stamp to generate the access credentials for accessing the engaged wireless network.

In a preferred embodiment, the method further comprises the step of the engaged wireless network verifying the access credentials with the authorisation server to allow the user device to access the engaged wireless network.

In a preferred embodiment, the method further comprises the step of the user device further using a substantially randomly generated value to generate the access credentials for accessing the engaged wireless network.

In a preferred embodiment, the authorisation system appears to the cellular network to be a roamed-to cellular network.

In a further embodiment, the method further comprises the step of the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network for a preset amount of time upon receipt of the subscriber identity module based information from the user device via the engaged wireless network and prior to verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway. Moreover, no whitelisting, or walled garden approach, is required.

In a further embodiment, the step of the user device engaging one of the plurality of wireless networks comprises the steps of the user device receiving a Unified Access Method landing page from the wireless network access server; the user device analysing the Unified Access Method landing page; and, the user device sending subscriber identity module based information to the authorisation server as logon information in accordance with the Unified Access Method protocol.

This is preferable as the user does not have to implement the switch between the cellular network and the wireless network themselves. It is implemented in an automated fashion by the user device itself.

In a further embodiment, the method further comprises the steps of a heartbeat server, which forms part of the authorisation system, periodically communicating with the user device by one or more of: the heartbeat server periodically sending a message to the user device indicating the data capacity remaining on a user's account which is associated with the subscriber identity module based information; and/or, the user device periodically sending a message to the heartbeat server indicating the data usage by the user device on the engaged wireless network. This allows the authorisation system to keep an up-to-date record of the data usage by the user device and disconnect the user device from the wireless network should the data usage level reach a predetermined threshold, such as a zero credit level.

The present invention is further directed towards an authorisation system which allows a user device to access any one of a plurality of wireless networks using subscriber identity module based information which relates to any one of a plurality of cellular networks; wherein, the wireless networks each comprise a wireless network access server; the cellular networks each comprise a home location register and are connected to a roaming gateway; and, the user device comprises a subscriber identity module, a cellular network transceiver and a wireless network transceiver; whereby, the authorisation system comprises an authorisation server which is remotely located from but communicatively connected to a plurality of the wireless networks and a plurality of the cellular networks; the user device engaging one of the plurality of wireless networks using the wireless network transceiver; the authorisation server receiving the subscriber identity module based information from the user device via the engaged wireless network or one of the plurality of cellular networks; the authorisation server verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway; and, the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network.

In a further embodiment, the authorisation server instructs the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network for a preset amount of time upon receipt of the subscriber identity module based information from the user device via the engaged wireless network and prior to verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway.

In a further embodiment, the user device initially connects to the wireless network and receives a Unified Access Method landing page from the wireless network access server; the Unified Access Method landing page is analysed and subscriber identity module based information is sent to the authorisation server as logon information in accordance with the Unified Access Method protocol.

In a further embodiment, the authorisation system further comprises a heartbeat server which periodically communicates with the user device by: the heartbeat server periodically sending a message to the user device indicating the data capacity remaining on a user's account which is associated with the subscriber identity module based information; and/or, the user device periodically sending a message to the heartbeat server indicating the data usage by the user device on the engaged wireless network.

In a further embodiment, the authorisation server instructs the wireless network access server in the engaged wireless network to no longer allow the user device to access the engaged wireless network if messages between the heartbeat server and the user device cease to be periodically sent.

In a further embodiment, the authorisation server instructs the wireless network access server in the engaged wireless network to no longer allow the user device to access the engaged wireless network should the data capacity remaining on the user's account reach a predetermined threshold limit.

In a further embodiment, the authorisation system further comprises an authorisation database for storing records of active sessions between user devices and wireless networks.

In a further embodiment, the authorisation server instructs the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network by sending time limited keys to the user device which allow the user device to access the engaged wireless network for a limited amount of time.

Detailed Description of Embodiments

The invention will be more clearly understood from the following description of some embodiments thereof, given by way of example only with reference to the accompanying drawings, in which: Figure 1 is a diagrammatic view of an authorisation system in accordance with the present invention; Figure 2 is a signalling flow diagram showing a logon, usage and logoff procedure for the authorisation system of Figure 1; Figure 3 is a diagrammatic view of an authorisation system in accordance with a further embodiment of the present invention; Figure 4 is a signalling flow diagram showing a logon procedure for the authorisation system of Figure 3; Figure 5 is a signalling flow diagram showing a SIM-based information verification procedure for the authorisation system of Figure 3; Figure 6 is a signalling flow diagram showing a change of authorisation procedure for the authorisation system of Figure 3; and, Figure 7 is a signalling flow diagram showing a logon procedure for an authorisation system in accordance with a further embodiment of the authorisation system of Figure 3.

With reference to Figure 1, there is provided authorisation system generally indicated by reference numeral 100. The authorisation system 100 comprises an authorisation server 102, an authorisation database 104 and a heartbeat server 106.

A plurality of wireless networks 108A, 108B and a plurality of cellular networks 110A, 110B are connected to the authorisation system 100.

Each of the wireless networks 108A, 108B comprises a wireless network access server 112 connected to a plurality of access points 114. The wireless network access server 112 controls and authorises access to the wireless network 108A, 108B. The wireless networks 108A, 108B are connected to the authorisation server 102 of the authorisation system 100 via connection links 118. The wireless networks 108A, 108B may be connected to the authorisation server 102 via a proxy server 116. In a preferred embodiment, the remote authentication dial in user service (RADIUS) protocol is used by the wireless networks 108A, 108B.

Each of the cellular networks 110A, 110B comprises a home location register 120. It will be generally understood that the home location register 120 retains and stores details regarding subscribed users for that associated cellular network 110A, 110B.

The home location register 120 is connected to the authorisation system 100 via a roaming gateway 122. The roaming gateway 122 is connected to the home location register 120 of each cellular network 110A, 110B via a communication link 126, and the roaming gateway 122 is connected to the authorisation system 100 via a communication link 124.

A user device 128 comprises a subscriber identity module (not shown) and means, such as an antenna, for communicating with a wireless network 108A, 108B, a cellular network 110A, 110B and the authorisation system 100 directly via a separate initial connection channel 132. The user device 128 is preferably a smart phone. Bespoke software may be downloaded and installed on the user device 128 to allow subscriber identity module based (SIM-based) information to be used to access a wireless network 108A, 108B.

In use, the user device 128 recognises that it is in range of a wireless network 108A, 108B, and contacts the authorisation system 100 via one of the plurality of cellular networks 110A, 110B via a channel 132. The user device 128 pre-authenticates itself with the authorisation system 100 using a challenge-response authentication process, which is preferably an EAP-SIM authentication process. Upon successful completion of this authentication process, the authorisation server 102 in the authorisation system and the user device 128 agree upon an access certificate which is preferably in the form of a time limited key seed (TLK seed) which is shared between the authorisation server 102 and the user device 128. The TLK seed (not shown) may be used to generate access credentials to allow the user device 128 to access one of the plurality of wireless networks 108A, 108B. Alternatively, in a further embodiment, the access certificate may comprise pre-arranged access credentials which can be used to access the wireless networks 108A, 108B without the need to perform any processing in the user device 128 to generate access credentials. The access credentials will typically comprise a username and password. In one embodiment, the username that is generated will be in the form of UID@suura.com where UID stands for a User Identification Number assigned to each user device 128 by the authorisation system 100. A corresponding password may be formed by hashing an SRES value from the EAP-SIM process with a time stamp value, ΔT, which may be the time elapsed since the successful EAP-SIM procedure, or since an agreed point in time.

Each TLK seed is unique to the authorisation server 102 and user device 128, and will remain valid for a predefined period of time. For example, the TLK seed may remain valid for a period of twenty-four hours. Upon invalidation of the TLK seed, the user device 128 must re-contact the authorisation system 100 and perform a further authentication process in order to generate and receive a new TLK seed.

In a preferred embodiment, the access credentials generated from the TLK seed are also generated using a time stamp value which is shared between the user device 128 and the authorisation server 102. For example, the time stamp value may be a mutually agreed time at which the user device 128 initially contacted the authorisation server 102. Moreover, a pseudo-randomly generated value, which is essentially a substantially randomly generated value, may also be used as an input parameter to generate the access credentials. The use of the substantially randomly generated value and the time stamp value reduces the risk of man-in-the-middle attacks. In a preferred embodiment, the user device 128 initially connects to the authorisation system 100 via a secure connection link, such as a 3G HTTPS connection.

When the user device 128 is in range of a wireless network 108A, 108B, the user device 128 engages with the wireless network 108A, 108B and uses the access credentials generated from the TLK seed to access the engaged wireless network. The access credentials are forwarded by the wireless network 108A, 108B, and in particular by the wireless network access server 112, to the authorisation system 100.

The authorisation server 102 in the authorisation system 100 verifies that the access credentials presented by the user device 128 to the wireless network 108A, 108B are legitimate. Typically, the access credentials are presented to the wireless network 108A, 108B via a landing page which is automatically generated upon the user device 128 engaging with the wireless network 108A, 108B.

Referring to Figure 2, the logon procedure, usage procedure and logoff procedure for the present invention will be described.

Figure 2 shows the user device 128 initially contacting the authorisation system via a cellular network channel to perform a pre-authorisation procedure. It will be appreciated that this initial contact may be made over a different channel, such as a wireless network channel or any Local Area Network (LAN) channel. The initial contact is shown by reference numeral 140. The authorisation system 100 performs a challenge-response authentication procedure with the relevant cellular network 110A. In a preferred embodiment, this challenge-response authentication procedure is carried out using the known EAP-SIM authentication procedure. The signalling process of this authentication procedure is carried out between the cellular network 110A and the authorisation system 100 via a roaming gateway 122. The signals may preferably be generated in accordance with the RADIUS protocol and the signals are shown in Figure 2 as reference numerals 142, 144, 146 and 148. Thereafter, randomly generated values are sent 150 to the user device 128 and response signals 152 are generated by the user device using the SIM module (not shown). Upon corroboration of the response 154, the user device 128, or more particularly the SIM module in the user device 128, is adjudged to have been verified and an EAP success signal 156 is sent to the authorisation system 100.

Finally, an authentication result in the form of a TLK seed and/or a time stamp value and/or a substantially randomly generated value is sent from the authorisation system 100 to the user device 128.

The user device 128 uses the TLK seed, and possibly the time stamp value and/or substantially randomly generated value to generate the required access credentials to access the wireless network 108A. The access procedure 160 takes place using the access credentials generated from the TLK seed.

The TLK seed will expire after a preset amount of time. The user device 128 discovers the expiry of the TLK seed by attempting to access a wireless network 108A, 108B, which fails. The access attempt fails because a fast re-authorisation in accordance with EAP-SIM protocols returns a failure due to a fast re-authorisation identification (fast re-auth ID) stored on the authorisation server 102 having expired. In this case, the user device 128 must connect to the authorisation server 102 via one of the plurality of cellular networks 110A, 110B, perform a full authorisation and receive a new TLK seed.
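The following is an added illustration, not code from the patent, of how a device could derive access credentials from a TLK seed plus a time stamp and a random value, and how the authorisation server could verify them and force a full re-authorisation once the seed has expired. The patent does not specify the derivation function, so the HMAC-SHA256 construction, the lifetime and clock-skew constants and the IMSI are all assumptions; "suura.com" is the NAI named in the description.

```python
"""Time-limited-key (TLK) credential derivation and verification (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NAI = "suura.com"        # network access identifier named in the description
TLK_LIFETIME = 3600      # assumed seed lifetime in seconds
MAX_CLOCK_SKEW = 300     # assumed tolerance between device and server clocks


@dataclass
class TlkRecord:
    """What the authorisation database keeps per IMSI after a full EAP-SIM run."""
    seed: bytes
    issued_at: int
    used_nonces: set = field(default_factory=set)   # replay protection


def derive_credentials(imsi, seed, timestamp, nonce):
    """Device side: username = IMSI@NAI, password = ts:nonce:HMAC(seed, ...)."""
    username = f"{imsi}@{NAI}"
    message = f"{username}|{timestamp}|{nonce}".encode()
    tag = hmac.new(seed, message, hashlib.sha256).hexdigest()
    return username, f"{timestamp}:{nonce}:{tag}"


class AuthorisationServer:
    """Verifies credentials forwarded by the wireless network access server."""

    def __init__(self):
        self._records = {}   # imsi -> TlkRecord

    def issue_tlk(self, imsi, now):
        """Called only after a successful full EAP-SIM verification (simulated here)."""
        seed = secrets.token_bytes(32)
        self._records[imsi] = TlkRecord(seed, now)
        return seed

    def verify(self, username, password, now):
        """Returns 'accept' or a reason code; 'expired' means a full re-auth is needed."""
        try:
            imsi, nai = username.split("@", 1)
            ts_str, nonce, tag = password.split(":", 2)
            timestamp = int(ts_str)
        except ValueError:
            return "malformed"
        record = self._records.get(imsi)
        if nai != NAI or record is None:
            return "unknown"
        if now - record.issued_at > TLK_LIFETIME:
            # Fast re-authorisation fails; the device must go back over cellular.
            del self._records[imsi]
            return "expired"
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return "stale"
        if nonce in record.used_nonces:
            return "replay"
        message = f"{username}|{timestamp}|{nonce}".encode()
        expected = hmac.new(record.seed, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad_credentials"
        record.used_nonces.add(nonce)
        return "accept"
```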

A heartbeat channel 176 is established between the heartbeat server 106 in the authorisation system 100 and the user device 128. This heartbeat channel 176 will be described in greater detail hereinbelow with respect to the second embodiment of the present invention.

The user device 128 performs a logoff procedure 178 with the wireless network 108A.

Referring to Figure 3, wherein like parts previously described have been assigned the same reference numerals, there is provided the second embodiment of an authorisation system in accordance with the present invention, whereby the authorisation system is generally indicated by reference numeral 100. The authorisation system 100 comprises an authorisation server 102, an authorisation database 104 and a heartbeat server 106.

A plurality of wireless networks 108A, 108B and a plurality of cellular networks 110A, 110B are connected to the authorisation system 100.

Each of the wireless networks 108A, 108B comprises a wireless network access server (NAS) 112 connected to a plurality of access points (AP) 114. The wireless network access server 112 controls and authorises access to the network. The wireless networks 108A, 108B are connected to the authorisation server 102 of the authorisation system 100 via connection links 118. The wireless networks 108A, 108B may be connected to the authorisation server 102 via a proxy server 116. In a preferred embodiment, the Remote Authentication Dial In User Service (RADIUS) protocol is used by the wireless networks 108A, 108B.

Each of the cellular networks 110A, 110B comprises a home location register 120. It will be generally understood that the home location register (HLR) 120 keeps details regarding the subscribed users for that cellular network 110A, 110B. The home location register 120 is connected to the authorisation system 100 via a roaming gateway 122. The roaming gateway 122 is connected to the home location register of each cellular network 110A, 110B via a communication link 126, and the roaming gateway 122 is connected to the authorisation system 100 via a communication link 124.

A user device 128 comprises a subscriber identity module (not shown) and means, such as an antenna, for communicating with a wireless network 108A, 108B and a cellular network 110A, 110B. The user device 128 is preferably a smart phone.

Bespoke software may be downloaded and installed on the user device 128 to allow subscriber identity module based (SIM-based) information to be used to access a wireless network 108A, 108B.

The heartbeat server 106 of the authorisation system 100 may connect with the user device 128 via a heartbeat channel 130.

In use, the bespoke software on the user device 128 detects the presence of a wireless network 108A through one of the access points 114. The user device 128 engages the wireless network 108A. The user device 128 sends SIM-based information to the authorisation system 100.

The authorisation server 102 of the authorisation system 100 receives the SIM-based information from the user device 128. The authorisation server 102 instructs the wireless network access server 112 to allow the user device 128 to access the wireless network 108A. At the same time, the authorisation server 102 places a record of the active session in an active session record in the authorisation database 104.

The user device 128 opens a communications channel, known as the heartbeat channel 130, with the heartbeat server 106. The heartbeat server 106 sends periodic messages to the user device 128 indicating the capacity of data usage remaining for the user device 128. The user device 128 also sends periodic messages, in response to the heartbeat server's messages, containing information regarding the amount of data that has been used by the user device 128 during the current active session. In this manner, the authorisation system 100 can monitor the continued presence of the user device 128 on the wireless network 108A by periodically sending a message to the user device 128 and expecting a response from the user device 128. The heartbeat channel 130 may preferably be implemented through the wireless network 108A.

Once the heartbeat channel 130 has been established between the user device 128 and the heartbeat server 106, the authorisation server 102 forwards the SIM-based information to the home location register 120 of the cellular network 110A via the roaming gateway 122. The home location register 120 verifies that the SIM-based information is correct. Preferably, the Extensible Authentication Protocol Method for Subscriber Identity Module (EAP-SIM) is used.

Returning to the operation of the heartbeat channel 130, if the user device 128 does not respond to the heartbeat server 106, the authorisation system 100 may send a Change of Authorisation (CoA) message to the wireless network access server 112 to discontinue allowing the user device 128 to access the wireless network 108A.

Similarly, if the data usage by the user device 128 reaches a predetermined threshold, a CoA message may be sent by the authorisation system 100 to the wireless network 108A.

It will be understood that a plurality of authorisation systems 100 may be employed, with each authorisation system 100 comprising a plurality of authorisation servers 102, authorisation databases 104 and/or heartbeat servers 106.

In a preferred embodiment, the authorisation server 102 is a plug-in module for a standard RADIUS server. Alternatively, the authorisation server 102 may be a stand-alone server.

Referring to Figure 4, wherein like parts previously described have been assigned the same reference numerals, there is provided a signalling diagram showing the initial logon procedure.

The user device 128 sends an initial hypertext transfer protocol (HTTP) request 200 to the wireless network access server 112 of the wireless network (not shown). The wireless network access server 112 responds by sending a landing page message 202 in accordance with the Unified Access Method (UAM) protocol. The user device 128 parses the UAM landing page for the required information, which is typically a username and password. The user device 128 accesses its subscriber identity module and retrieves SIM-based information, such as the International Mobile Subscriber Identity (IMSI) number, and uses this information along with a particular network access identifier (NAI) such as "@suura.com" which is generated by bespoke client software installed on the user device 128, along with a randomly generated session key. The IMSI and NAI may be used to form the username, with the randomly generated session key forming the password. This username and password is then sent as message 204 from the user device 128 to the wireless network access server 112.

The SIM-based information, in the form of a username and password, is forwarded by the wireless network access server 112 as message 206 to the authorisation server 102 in the authorisation system 100. The authorisation server 102 immediately sends back an access approved message 208 to the wireless network access server 112 instructing the wireless network access server 112 to allow the user device 128 to access the wireless network (not shown).

With reference to Figures 5 and 6, wherein like parts previously described have been assigned the same reference numerals, the establishment of the heartbeat channel (not shown) is described. The user device 128 forwards the SIM-based information, preferably the IMSI, to the authorisation server (not shown) as previously described with reference to Figure 2. The authorisation server, in turn, forwards the SIM-based information to the heartbeat server 106 of the authorisation system (not shown) as message 300. The heartbeat server 106 sends the SIM-based information onward by message 302 to the roaming gateway 122. It will be understood that the roaming gateway 122 is connected to a plurality of cellular networks (not shown), each of which comprises a home location register which may be used for an EAP-SIM verification process. The roaming gateway 122 acts as a portal to the correct cellular network, which is selected in accordance with the SIM-based information that has been received.

The roaming gateway 122 sends a message 304 to the heartbeat server 106 requesting that the EAP-SIM verification process be started. A response message 306 is sent from the heartbeat server 106 to the roaming gateway 122. The roaming gateway 122 then, after contacting the home location register (not shown) of the relevant cellular network (not shown), sends an EAP-SIM challenge message 308 to the heartbeat server 106, which forwards this onward to the user device 128 as message 310. The challenge message 308 contains a random number (RAND). The user device 128 generates a response to this challenge message 308 by inputting the RAND to the SIM and receiving a response SRES. The SRES is formed into a response message 312 and sent to the heartbeat server 106, which forwards this message onward to the roaming gateway 122 as message 314.

The roaming gateway 122 sends an EAP success message 316 to the heartbeat server 106, which forwards this onward to the user device 128 as message 318.

The heartbeat channel between the user device 128 and the heartbeat server 106 is then opened, and periodic messages 320 are sent from the user device 128 to the heartbeat server 106 detailing the amount of data used by the user device 128 on the wireless network 108A, and analogously periodic messages 322 from the heartbeat server 106 to the user device 128 detailing the data capacity remaining for the user device 128. These messages are continually sent between the user device 128 and the heartbeat server 106 during the active session of the user device 128 accessing the wireless network.

At the end of a session, a session_end message 400 is sent from the heartbeat server 106 to the authorisation server 102 and the session is removed from the active session record in the authorisation database 104. The authorisation server 102 also sends a Change of Authorisation (CoA) message 402 to the wireless network access server 112, which in turn sends an access termination message 404 to the user device 128.

The session may end due to the user device 128 reaching its predetermined data capacity threshold, the user device 128 failing to respond on the heartbeat channel, or the user device 128 actively requesting an end of the session by sending a HTTP request to the logoff URL specified in the landing page of the wireless network.
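An added example, not the patent's code, modelling the heartbeat server and active session record described above: each session tracks the device's cumulative usage reports (message 320) and the time of its last reply, and the server answers with the remaining capacity (message 322), or sends a CoA disconnect towards the NAS when the data cap is reached, the device stops answering, or the device logs off. The heartbeat interval, missed-heartbeat limit, NAS identifier and IMSIs are constructed values.

```python
"""Heartbeat-driven session control with Change-of-Authorisation (added example)."""
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 30   # assumed seconds between server heartbeats
MISSED_LIMIT = 3          # assumed number of unanswered heartbeats tolerated


@dataclass
class Session:
    imsi: str
    nas_id: str            # wireless network access server that admitted the device
    data_cap_bytes: int    # predetermined data capacity threshold
    last_reply: int        # time of the last message received from the device
    used_bytes: int = 0


class HeartbeatServer:
    def __init__(self):
        self.active = {}     # imsi -> Session (the "active session record")
        self.coa_log = []    # CoA messages sent to the NAS, in order

    def open_session(self, imsi, nas_id, data_cap_bytes, now):
        self.active[imsi] = Session(imsi, nas_id, data_cap_bytes, now)

    def _end_session(self, imsi, reason):
        """session_end: drop the record and emit the CoA the NAS acts on."""
        session = self.active.pop(imsi)
        coa = {"type": "CoA-Disconnect", "nas": session.nas_id,
               "user": imsi, "reason": reason}
        self.coa_log.append(coa)
        return coa

    def on_device_report(self, imsi, used_bytes, now):
        """Handle message 320; return message 322 (remaining capacity) or a CoA."""
        session = self.active.get(imsi)
        if session is None:
            return {"type": "error", "reason": "no_active_session"}
        session.last_reply = now
        # Reports are cumulative for the session; never let a late, lower
        # report roll the counter back.
        session.used_bytes = max(session.used_bytes, used_bytes)
        if session.used_bytes >= session.data_cap_bytes:
            return self._end_session(imsi, "data_cap_reached")
        return {"type": "capacity",
                "remaining_bytes": session.data_cap_bytes - session.used_bytes}

    def tick(self, now):
        """Server heartbeat round: disconnect devices that have gone quiet."""
        ended = []
        for imsi in list(self.active):
            silent_for = now - self.active[imsi].last_reply
            if silent_for > HEARTBEAT_INTERVAL * MISSED_LIMIT:
                ended.append(self._end_session(imsi, "heartbeat_timeout"))
        return ended

    def logoff(self, imsi):
        """Device requested the logoff URL given on the landing page."""
        if imsi in self.active:
            return self._end_session(imsi, "user_logoff")
        return None
```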

Referring to Figure 7, wherein like parts previously described have been assigned the same reference numerals, there is an alternate embodiment of the present invention whereby a residential wireless network comprising an access point, or wireless router, may be set up to allow data-related traffic to be offloaded from a cellular network onto the residential wireless network. In essence, the wireless network provided by a commercial enterprise as described hereinbefore in relation to Figures 3 to 6 is replaced by a residential wireless network.

In use, the user device 128 may access a wireless network of a residential property only if the owner of the residential wireless network has set up the residential wireless network accordingly. In order to set up the residential wireless network, bespoke sharing software must be downloaded from an Internet Service Provider (ISP) 504 onto a user's computer 500 as indicated by flow line 506. The user registers their wireless network with the authorisation server 102 of the authorisation system (not shown). The registration message 508 comprises information regarding the wireless network name and associated passwords. For example, the Service Set Identifier (SSID) and/or WiFi Protected Access (WPA/WPA2) codes may be sent to the authorisation server 102 and stored in the authorisation database (not shown).

Once the residential wireless network has been set up, the user device 128, which comprises its own bespoke software, detects the presence of a residential wireless network and queries 510 the authorisation server 102 via the cellular network as to whether the protected residential wireless network is set up for sharing. The SSID may be used to identify the residential wireless network to the authorisation server 102. In addition to querying the authorisation server 102, the user device 128 also transmits the SSID and the IMSI to the authorisation server 102.

If the residential wireless network is set up to allow access to user devices through the authorisation system (not shown), then the authorisation system conducts an EAP-SIM verification procedure 512 as described hereinbefore.

Upon successful completion of the EAP-SIM verification procedure, the authorisation server 102 transmits the wireless network name and associated passwords, for example the SSID and WPA or WPA2, in the form of an authentication message 514 to allow the user device 128 to access the residential wireless network 502.

The user device 128 offloads the data-related traffic to the residential wireless network 502 as shown by flow line 516.

Throughout the preceding specification, the term "user device" shall be understood to encompass any type of device capable of communicating with a wireless network and a cellular network using the appropriate hardware. In particular, the user device is preferably a smart phone or other such handheld portable unit comprising one or more antennas capable of transmitting and receiving signals with a cellular network and

Throughout the preceding specification, the term "cellular network" shall be understood to encompass any type of mobile phone network capable of transmitting data.

Preferably the cellular network, otherwise known as a mobile telephony network, is a third generation (3G) network. It will be generally understood that the cellular network comprises a number of cells, each having a base station in the cell which provides network coverage across the range of the cell. The cellular network refers to the entire network comprising a plurality of such cells.

Throughout the preceding specification, the term "authorisation server" shall be understood to encompass any type of server which authorises access to a service. In a preferred embodiment, the authorisation server is an Authentication, Accounting, and Authorisation server (AAA server) which is well-known in the art.

Throughout the preceding specification, the term "wireless network" shall be understood to encompass any type of wireless local area network (WLAN) including WiFi networks and WiMAX networks and/or wireless metropolitan area network (WMAN). It will be generally understood that these types of wireless networks comprise a plurality of access points linked to a wireless network access server which controls access to the wireless network.

Throughout the preceding specification, the term "engaging" when described with reference to accessing one of the wireless networks should be understood to encompass any activity by a device in initially attempting to gain access to that wireless network.

The terms "comprise" and "include", and any variations thereof required for grammatical reasons, are to be considered as interchangeable and accorded the widest possible interpretation.

The invention is not limited to the embodiments hereinbefore described which may be varied in both construction and detail in accordance with the scope of the appended claims.

Claims (12)

  1. An authorisation method which allows a user device comprising a subscriber identity module to access any one of a plurality of wireless networks, which each comprise a wireless network access server, using subscriber identity module based information which relates to any one of a plurality of cellular networks, which each comprise a home location register and are connected to a roaming gateway; wherein, an authorisation system comprising an authorisation server is remotely located from but communicatively connected to a plurality of the wireless networks and a plurality of the cellular networks; the method comprising the steps of: a) the user device engaging one of the plurality of wireless networks; b) the authorisation server receiving the subscriber identity module based information from the user device via the engaged wireless network or one of the plurality of cellular networks; c) the authorisation server verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway; and, d) the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network.
  2. An authorisation method as claimed in claim 1, wherein, the method further comprises the step of: e) the authorisation server transmitting a time limited key seed to the user device which allows the user device to generate access credentials to access the engaged wireless network.
  3. An authorisation method as claimed in claim 2, wherein, the method further comprises the step of: f) the user device using the time limited key seed along with a time stamp to generate the access credentials to access the engaged
  4. An authorisation method as claimed in claim 3, wherein, the method further comprises the step of: g) the engaged wireless network verifying the access credentials with the authorisation server to allow the user device to access the engaged
  5. An authorisation method as claimed in claims 3 or 4, wherein, the method further comprises the step of: h) the user device further using a substantially randomly generated value to generate the access credentials to access the engaged wireless network.
  6. An authorisation method as claimed in claim 1, wherein, the method further comprises the step of: i) the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network for a preset amount of time upon receipt of the subscriber identity module based information from the user device via the engaged wireless network and prior to verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway.
  7. An authorisation method as claimed in claims 1 or 6, wherein, the step of the user device engaging one of the plurality of wireless networks comprises the steps of: j) the user device receiving a Unified Access Method landing page from the wireless network access server; k) the user device analysing the Unified Access Method landing page; and, l) the user device sending subscriber identity module based information to the authorisation server as logon information in accordance with the Unified Access Method protocol.
  8. An authorisation method as claimed in any of claims 1, 6 or 7, the method further comprising the steps of: m) a heartbeat server, which forms part of the authorisation system, periodically communicating with the user device by one or more of: a. the heartbeat server periodically sending a message to the user device indicating the data capacity remaining on a user's account which is associated with the subscriber identity module based information; and/or, b. the user device periodically sending a message to the heartbeat server indicating the data usage by the user device on the engaged wireless network.
  9. An authorisation system which allows a user device to access any one of a plurality of wireless networks using subscriber identity module based information which relates to any one of a plurality of cellular networks; wherein, the wireless networks each comprise a wireless network access server; the cellular networks each comprise a home location register and are connected to a roaming gateway; and, the user device comprises a subscriber identity module, a cellular network transceiver and a wireless network transceiver; whereby, the authorisation system comprises an authorisation server which is remotely located from but communicatively connected to a plurality of the wireless networks and a plurality of the cellular networks; the user device engaging one of the plurality of wireless networks using the the authorisation server receiving the subscriber identity module based information from the user device via the engaged wireless network or one of the plurality of cellular networks; the authorisation server verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway; and, the authorisation server instructing the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network.
  10. An authorisation system as claimed in claim 9, wherein, the authorisation server instructs the wireless network access server in the engaged wireless network to allow the user device to access the engaged wireless network for a preset amount of time upon receipt of the subscriber identity module based information from the user device via the engaged wireless network and prior to verifying the received subscriber identity module based information with the home location register of one of the plurality of cellular networks via the roaming gateway.
  11. An authorisation system as claimed in claims 9 or 10, wherein, the user device initially connects to the wireless network and receives a Unified Access Method landing page from the wireless network access server; the Unified Access Method landing page is analysed and subscriber identity module based information is sent to the authorisation server as logon information in accordance with the Unified Access Method protocol.
  12. An authorisation system as claimed in any of claims 9 to 11, wherein, the authorisation system further comprises a heartbeat server which periodically communicates with the user device by: the heartbeat server periodically sending a message to the user device indicating the data capacity remaining on a user's account which is associated with the subscriber identity module based information; and/or, the user device periodically sending a message to the heartbeat server indicating the data usage by the user device on the engaged wireless network.
GB1019148.4A 2010-11-12 2010-11-12 Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network Withdrawn GB2485388A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1019148.4A GB2485388A (en) 2010-11-12 2010-11-12 Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network

Publications (2)

Publication Number Publication Date
GB201019148D0 GB201019148D0 (en) 2010-12-29
GB2485388A true GB2485388A (en) 2012-05-16

Family

ID=43431355

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1019148.4A Withdrawn GB2485388A (en) 2010-11-12 2010-11-12 Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network

Country Status (1)

Country Link
GB (1) GB2485388A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004097590A2 (en) * 2003-04-29 2004-11-11 Azaire Networks Inc. Method and system for providing sim-based roaming over existing wlan public access infrastructure
GB2417856A (en) * 2004-03-20 2006-03-08 Alcyone Holding S A Wireless LAN Cellular Gateways
WO2007097673A1 (en) * 2006-02-21 2007-08-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for providing access for a limited set of mobile stations to a restricted local access point
EP1624639B1 (en) * 2004-08-02 2009-04-08 Service Factory AB Sim-based authentication

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014084760A1 (en) * 2012-11-27 2014-06-05 Telefonaktiebolaget Lm Ericsson (Publ) System for handling access by wireless devices in wi-fi network
CN104854893A (en) * 2012-11-27 2015-08-19 瑞典爱立信有限公司 System for handling access by wireless devices in wi-fi network
EP2926583A4 (en) * 2012-11-27 2016-05-11 Ericsson Telefon Ab L M System for handling access by wireless devices in wi-fi network
EP2894890A1 (en) * 2014-01-09 2015-07-15 Koninklijke KPN N.V. Conditional access to a wireless network
WO2016173621A1 (en) * 2015-04-28 2016-11-03 Telecom Italia S.P.A. Method and system for authenticating users in public wireless networks
US10390215B2 (en) 2015-04-28 2019-08-20 Telecom Italia S.P.A. Method and system for authenticating users in public wireless networks
WO2017167695A1 (en) * 2016-03-31 2017-10-05 British Telecommunications Public Limited Company Roaming management
US20190098556A1 (en) * 2016-03-31 2019-03-28 British Telecommunications Public Limited Company Roaming management
US10462729B2 (en) 2016-03-31 2019-10-29 British Telecommunications Public Limited Company Roaming management

Also Published As

Publication number Publication date
GB201019148D0 (en) 2010-12-29

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)