GB2517814A - Mobile device authentication - Google Patents


Info

Publication number
GB2517814A
Authority
GB
United Kingdom
Prior art keywords
subscriber
authentication
network
server
information
Legal status
Granted
Application number
GB1406169.1A
Other versions
GB201406169D0 (en)
GB2517814B (en)
Inventor
Willem Rudy Van Zoelen
Martin Zuurbier
Current and original assignee
Elephant Talk Europ Holding Bv
Application events
Application filed by Elephant Talk Europ Holding Bv
Priority to GB1406169.1A (granted as GB2517814B)
Publication of GB201406169D0
Priority to PCT/EP2014/078707 (published as WO2015149891A1)
Publication of GB2517814A
Priority to HK15104807.8A (published as HK1204418A1)
Application granted
Publication of GB2517814B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 8/00 Network data management > H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks > H04W 8/08 Mobility data transfer
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 92/00 Interfaces specially adapted for wireless communication networks > H04W 92/02 Inter-networking arrangements
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security > H04W 12/69 Identity-dependent > H04W 12/72 Subscriber identity

Abstract

Authentication information for a mobile device connected to a first mobile communication network operated by a first network operator is obtained by receiving a request for subscriber server information and determining whether the request is for information to authenticate the mobile device. If it is, it is determined whether this can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server not controlled by the first network operator. The authentication information is retrieved from the first or second subscriber server via an authentication proxy server according to the result of the determination. If the request is for information other than authentication information, this is retrieved from the first subscriber server. An embodiment describes the migration of mobile device users to a new network without requiring the user to change a SIM card. It may also apply to a Mobile Virtual Network Operator (MVNO).

Description

MOBILE DEVICE AUTHENTICATION
[0001] This invention relates to a method of authenticating a mobile device connected to a mobile communication network. In particular, the present invention relates to obtaining authentication information necessary to authenticate a mobile device connected to a mobile communication network. Certain embodiments of the present invention relate to a method of authenticating a mobile device that makes it easier to migrate subscribers between mobile communication network operators.
BACKGROUND
[0002] A customer who is a subscriber to a mobile communication network is provided with a unique subscriber identifier. For a 3rd Generation Partnership Project (3GPP) compliant network and mobile device, the subscriber identifier is usually stored within a Subscriber Identity Module (SIM) which is connected to a mobile device. Alternatively, the subscriber identifier can be stored within the mobile device itself in hardware or software.
The use of a subscriber identifier results from the need to authenticate a mobile device each time it connects to a mobile communication network and tries to access network services. The subscriber identifier may also serve to allow the mobile device to identify the correct mobile communication network. For a given network, the first part of the subscriber identifier for each subscriber may be the same and may be broadcast by network base stations. A Mobile Network Operator (MNO) needs to hold details of its subscribers (customers) in order to provide services such as voice calls, SMS and data traffic, and to route incoming network traffic to those subscribers. The details of the subscribers held by MNOs also enable the subscribers to be billed for those services.
[0003] An MNO controls the subscribers (customers) to its mobile communication network, and specifically controls access to a mobile communication network operated by the MNO and the services available to the subscribers. A Mobile Virtual Network Operator (MVNO) is a mobile communication service provider that does not operate an independent mobile communication network. Instead, an MVNO enters into an agreement with an MNO to allow access for the MVNO's subscribers to the mobile communication network operated by the MNO. There are two types of MVNO. A "light" MVNO is typically fully hosted by a mobile communication network operated by an MNO. A light MVNO does not own or run any of its own network equipment, except perhaps for a billing system. In particular, all subscriber information and authentication information is held by a subscriber server and / or an authentication server operated by the host MNO. A "full" MVNO typically operates its own core network for carrying data traffic for its subscribers, the MVNO core network incorporating its own subscriber server and / or authentication server.
A core network operated by a full MVNO network connects to the core network of a host MNO to allow access to the radio network of the host MNO.
[0004] Currently, in order to migrate a customer from being a subscriber to first network operator (an MNO or an MVNO) to being a subscriber to a second network operator (an MNO or an MVNO) it is necessary to issue a new subscriber identifier to the subscriber.
The new subscriber identifier is associated with the second network operator. Typically, this new subscriber identifier is provided to the customer in the form of a replacement SIM.
The customer must then physically swap the SIMs within their mobile device in a process known as a SIM swap. Commonly the customer wishes to retain the same mobile telephone number, and the association of the telephone number with a new subscriber identifier is known as porting. For the purposes of the present patent specification, it is assumed that there is no difference between migrating subscribers between MNOs or MVNOs in circumstances in which a new subscriber identifier must currently be issued. As an exception to this need to issue new subscriber identifiers, if two MNOs merge then one MNO may convert to being an MVNO hosted by the other MNO. The surviving MNO may then broadcast network identifiers associated with both previous MNOs such that subscribers to the converted MNO may connect to the surviving MNO.
[0005] When an individual customer wishes to become a subscriber to a new MNO or MVNO the overhead of issuing a new subscriber identifier may be tolerable. However, in the event of an MNO or MVNO acquiring or merging with another network operator the overhead of issuing a very large number of new subscriber identifiers to implement the subscriber migration may be prohibitive (particularly the physical distribution of new SIM cards). Additionally, as current network migration techniques require the cooperation of customers, this can cause additional expense or delay due to responding to customer queries.
[0006] Accordingly, it is an aim of certain embodiments of the invention to reduce the financial and administrative overhead associated with migrating one or more subscribers between mobile communication network operators.
BRIEF SUMMARY OF THE DISCLOSURE
[0007] According to a first aspect of the present invention there is provided a method of obtaining authentication information for a mobile device connected to a first mobile communication network operated by a first network operator, the method comprising: receiving a request for subscriber server information; and determining whether the request is for authentication information to authenticate the mobile device; wherein if the request is for authentication information, the method further comprises: determining whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is not controlled by the first network operator; and retrieving the authentication information from the first or second subscriber server according to the result of the determination; and wherein if the request is for at least a first type of information other than authentication information, the method further comprises retrieving the information from the first subscriber server.
[0008] Advantageously, by allowing a network device to identify and then obtain authentication information from more than one subscriber server operated by different network operators, certain embodiments of the present invention make it easier to migrate subscribers between mobile communication network operators (MNOs and MVNOs).
[0009] Each subscriber server may either incorporate an authentication server or is associated with an authentication server for retrieving authentication information.
[0010] The request for information may include a subscriber identifier associated with the mobile device, and wherein if the request is for authentication information the subscriber identifier is used to determine whether the authentication information can be obtained from the first subscriber server or the second subscriber server.
[0011] The second subscriber server may be located outside of the first mobile communication network.
[0012] The authentication information may comprise a random number and a first authentication token calculated by the determined one of the first and second subscriber servers using the random number and a secret key known to the mobile device and the determined one of the first and second subscriber servers or an associated authentication server.
[0013] According to a second aspect of the present invention there is provided a method of authenticating a mobile device connected to a first mobile communication network, the method comprising: obtaining authentication information for the mobile device according to the method described above; sending the random number to the mobile device; receiving a second authentication token from the mobile device calculated by the mobile device using the random number and the secret key; determining whether the first authentication token matches the second authentication token; and authenticating the mobile device if it is determined that the authentication tokens match.
[0014] According to a third aspect of the present invention there is provided a method of migrating a subscriber from a second network operator to the first network operator, the method comprising: accessing a second subscriber record for the subscriber within the second subscriber server controlled by the second network operator; and copying at least a portion of the second subscriber record including a subscriber identifier to a first subscriber record within the first subscriber server.
[0015] The method may further comprise: identifying that the mobile device has connected to the first mobile communication network; and authenticating the mobile device according to the method described above; wherein authentication information to authenticate the mobile device can be obtained from the second subscriber server.
[0016] The method may further comprise: receiving a subscriber identifier for the subscriber to be migrated; using the subscriber identifier to access the second subscriber record; and indicating in the first subscriber record that authentication information can be obtained from the second subscriber server.
[0017] The method may further comprise synchronising data between the first subscriber record and the second subscriber record.
[0018] According to a fourth aspect of the present invention there is provided a network device within a first mobile communication network operated by a first network operator, wherein the network device is arranged to: receive a request for subscriber server information; and determining whether the request is for authentication information to authenticate a mobile device connected to the first mobile communication network; wherein if the request is for authentication information, the network device is further arranged to: determine whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is not controlled by the first network operator; and retrieve the authentication information from the first or second subscriber server according to the result of the determination; and wherein the network device is further arranged to retrieve the information from the first subscriber server if the request is for at least a first type of information other than authentication information.
[0019] The network device may be arranged to implement the above methods.
[0020] The network device may comprise an authentication proxy within the mobile communication network, the authentication proxy being arranged to receive requests for subscriber server information from another component within the mobile communication network and to retrieve the authentication information from either the first or the second authentication server.
[0021] According to a fifth aspect of the present invention there is provided a mobile communication network comprising: a network device as described above; and a first subscriber server; wherein the mobile communication network is arranged to implement the above described method.
[0022] According to a sixth aspect of the present invention there is provided a mobile communication network comprising: a network device as described above; wherein the network device comprises the first authentication server; and wherein the mobile communication network is arranged to implement the above described method.
[0023] Another aspect of the invention provides a computer program comprising instructions arranged, when executed, to implement a method in accordance with any one of the above-described aspects. A further aspect provides machine-readable storage storing such a program.
BRIEF DESCRIPTION OF THE DRAWINGS
[0024] Embodiments of the invention are further described hereinafter with reference to the accompanying drawings, in which: Figure 1 illustrates interconnections between components of a mobile communication network involved in authenticating a mobile device connected to the network; Figure 2 illustrates a method of authenticating the connection of a mobile device to a mobile communication network; Figure 3 illustrates interconnections between components of a mobile communication network involved in authenticating a mobile device connected to the network in accordance with an embodiment of the present invention; Figure 4 illustrates a method of authenticating the connection of a mobile device to a mobile communication network in accordance with an embodiment of the present invention; and Figure 5 is a flowchart illustrating a method of migrating subscribers between network operators.
DETAILED DESCRIPTION
[0025] The need to issue a new subscriber identifier when migrating a subscriber from one network operator to another (where either may comprise an MNO or an MVNO) arises due to the way in which security is implemented in mobile communication networks.
Specifically, there is a need to authenticate a mobile device (and hence a subscriber) connected to a network before the mobile device is allowed to access network services.
[0026] A conventional process of authenticating a mobile device to a network operator (which may be an MNO or an MVNO) will now be described. Embodiments of the present invention described below relate specifically to mobile communication networks conforming to standards defined by 3GPP. These include a 2nd Generation (2G) Global System for Mobile Communications (GSM) network, a 3rd Generation (3G) Universal Mobile Telecommunication Service (UMTS) network and a 4th Generation (4G) Long Term Evolution (LTE) network. In such networks there are two major elements involved in implementing security: the SIM within the mobile device and an authentication server (or, as described below, a subscriber server which implements the functions of an authentication server). However, it will be appreciated that the present invention is not restricted to any particular mobile communication standard and is applicable to any mobile communication network where there is a need to authenticate a mobile device connected to the network.
[0027] Referring to Figure 1, this illustrates the interconnections between components of a mobile communication network involved in authenticating a mobile device connected to the network in accordance with the prior art. Authentication information is received from both a mobile device 100 and an authentication server 110. Specifically, the mobile device connects across a radio interface to a base station 104. The base station 104 is connected to a core network 108 which includes a switching server 106 and a subscriber server 110. It will be appreciated that the core network 108 will include other components, including components between the components shown in Figure 1.
[0028] In order to authenticate the mobile device to the network, the mobile device 100 exchanges authentication information with the subscriber server 110 using authentication information stored within a SIM 102 coupled to the mobile device 100. As noted above, the SIM 102 stores the subscriber identifier. The SIM 102 also stores a secret key which is shared with the subscriber server 110, as will now be described in the context of a 2G GSM network. As discussed above, in other embodiments of the invention the subscriber identifier and the shared secret may be directly stored in the mobile device.
[0029] In a GSM network the mobile device 100 is termed the mobile equipment, and when coupled to a SIM the combination is termed the User Equipment (UE). The base station 104 comprises a combination of a Base Transceiver Station (BTS), with which the UE communicates across the radio interface, and a Base Station Controller (BSC). The role of a switching server 106 is performed by a Mobile Switching Centre (MSC). The MSC is responsible for routing voice calls and SMS between the BSC and the remainder of the core network. The subscriber server 110 comprises a Home Location Register (HLR). The HLR is a database containing details of subscribers who are authorised to use the network. The HLR normally implements the functions of an authentication server known as an Authentication Centre (AuC). Alternatively, the AuC may be collocated with or otherwise associated with the HLR. For the purposes of the present specification, the HLR may be considered to be a subscriber server to which requests for information may be made, and where those requests relate to authentication information, the subscriber server (HLR) either processes those requests itself using an integrated authentication server (AuC) function or using an associated or collocated authentication server (AuC).
Where the HLR and the AuC are collocated to form a HSS, the HSS may be considered to be a subscriber server incorporating an authentication server. Furthermore, where the following description refers to an authentication server or AuC performing functions, it may be considered that those functions are performed either by a subscriber server or are delegated to the authentication server by the subscriber server.
[0030] The AuC is responsible for providing authentication information used to authenticate each UE (more precisely, each SIM) that has connected to the GSM core network and is attempting to access network services. Authentication may be required when the UE is first turned on or when the UE moves into the GSM network area. After successful authentication the HLR manages access to the network services for that UE.
The AuC also generates an encryption key which is used to encrypt all wireless communications between the UE and the BTS. The authentication process is designed to ensure that the encryption key never needs to be communicated across the radio interface. The encryption key can be generated independently at the UE (using the shared secret key stored in the SIM) and at the AuC (and then sent to the BSC).
[0031] When the AuC receives a request to authenticate a UE via the MSC, this includes the subscriber identifier stored within the SIM card. The subscriber identifier is known as the International Mobile Subscriber Identity (IMSI). The IMSI is used by the AuC to locate the shared secret between the AuC and the SIM called the Ki and to identify the appropriate algorithm or algorithms to use in the authentication process. The GSM standard defines two standard algorithms for authentication and generation of an encryption key, known as A3 and A8, though proprietary algorithms may be used. The Ki may be stored within the AuC or the HLR, and is also stored in the SIM. The Ki is combined with the IMSI to produce a challenge/response for authentication.
[0032] The authentication process begins with identifying the correct shared secret Ki and the algorithms to be used, upon receipt of an authentication request via the MSC. The next step is for the AuC to generate a random number (RAND).
[0033] The RAND and the Ki are processed within the AuC using the A3 algorithm to generate a signed response (SRES) and using the A8 algorithm to generate an encryption key (Kc). The SRES may be referred to as an authentication token. RAND, SRES and Kc collectively form a triplet that is returned to the MSC. The AuC plays no further role in the authentication process. The MSC sends only the RAND to the UE to continue the authentication process.
[0034] The UE (or the SIM) uses the RAND received from the MSC, and the locally stored shared secret Ki, to generate local copies of the signed response SRES and the encryption key Kc. The SRES generated at the UE is sent to the MSC, and if it matches the SRES received from the AuC then the UE is authenticated and is allowed to continue the process of attaching to the GSM core network and to access GSM services. The MSC sends the encryption key Kc to the BSC for use in encrypting communications across the radio interface with the UE after successful authentication.
[0035] For a UMTS network, and with reference to Figure 1, the mobile device 100 in combination with the SIM 102 continues to form a UE. However, the base station 104 comprises a Node B, which generally corresponds to the BTS of GSM, and a Radio Network Controller (RNC) which generally corresponds to the BSC. The functions of the switching server 106 and the authentication server 110 continue to be performed by an MSC and an AuC (usually collocated with a HLR or combined with the HLR to form a HSS) respectively. As for the GSM network described above, the HSS may be considered to be a subscriber server incorporating or associated with an authentication server.
[0036] For an LTE network, and with continued reference to Figure 1, the mobile device in combination with the SIM 102 continues to comprise the UE. However, the base station 104 now comprises an enhanced Node B (eNB) which implements the functions performed in UMTS by the Node B and the RNC. For the purposes of UE authentication the switching server comprises a Mobility Management Entity (MME) which communicates across the remainder of the core network with a HSS (as before, the HSS comprising a subscriber server incorporating or associated with an authentication server).
[0037] Referring now to Figure 2, this illustrates a known authentication method for a GSM network, showing the exchange of information between a mobile device 100 (UE), a switching server 106 (MSC) and a subscriber server 110 (AuC). In Figure 2, and also Figure 4 discussed below, the names ascribed to particular messages passed between network components should be understood to be generic and do not imply any particular messaging format. At step 200 the mobile device 100 connects to the network, and specifically the mobile device connects to the switching server. At step 200 the mobile device 100 also sends its IMSI to the switching server 106.
[0038] At step 202 the switching server 106 sends a request for authentication information to the subscriber server 110. Specifically, the request for authentication information may be sent to the HLR. At step 204 the subscriber server 110 returns authentication information to the switching server 106. Specifically, the subscriber server returns the triplet comprising RAND, SRES and Kc.
[0039] At step 206 the switching server 106 sends authentication information to the mobile device 100. Specifically, the switching server 106 sends RAND to the mobile device 100. At step 208 the mobile device 100 returns a locally generated SRES to the switching server 106. If the SRES generated by the subscriber server 110 and the SRES generated by the mobile device 100 match, then the mobile device is authenticated to the network.
[0040] It will be well understood by the skilled person that the authentication process differs for UMTS and LTE compared to GSM (and indeed differs further for other communication network standards). However, the present invention is applicable to any type of network where authentication of a mobile device to the network is required, and this is based upon a shared secret between the mobile device (including within the SIM) and a subscriber server within the network. The present invention is not limited to any particular network hardware configuration, and, for instance, the functions described above for the authentication server may be implemented by any other component within the network, or a group of components acting together.
[0041] With reference to Figure 3 this shows a modified network for performing mobile device authentication in accordance with an embodiment of the present invention.
Components of the network common to Figure 1 are given the same reference numbers and will not be fully described again.
[0042] In accordance with an embodiment of the present invention, the mobile communication network further comprises an additional component: an authentication proxy 300. When the switching server 106 sends a request for authentication information this is routed through the authentication proxy 300. Each time a request for information is received by the authentication proxy 300, the authentication proxy 300 determines whether it is a request for authentication information. If it is determined that the request is a request for authentication information then the authentication proxy determines an appropriate subscriber server for handling the request. By inspection of the IMSI contained within the request for authentication information the authentication proxy 300 determines whether to send the request to a first subscriber server 302 associated with the network (operated by the same MNO or MVNO and within the core network 108 of that MNO or MVNO) or whether to send the request to a second subscriber server 304 operated by a separate MNO or MVNO. The first subscriber server 302 is used for subscribers who subscribe to the network, and who have not migrated from a previous network. For this type of subscriber it is necessary to send a SIM to the subscriber in order for there to be a shared secret between the mobile device and the first authentication server 302, and the authentication process is identical to that described above in connection with Figure 2 except for the request for authentication information and the returned authentication information being passed through the authentication proxy 300.
However, for a subscriber who has migrated from another MNO or MVNO, the request for authentication information is routed to a second subscriber server 304, which comprises a subscriber server operated by the MNO or MVNO with which they were previously a subscriber. In this way, there is no need to send a new SIM including a new shared secret to the subscriber. Additionally, there is no need to transfer shared secrets between subscriber servers (which would be undesirable due to the risk of unauthorised access to the shared secrets). If the authentication proxy 300 determines that the request is for any other type of information then the request is sent to the first authentication server 302 regardless of the identity of the mobile device 100 as other types of information may be more safely transmitted between subscriber servers upon migration of a subscriber between MNOs or MVNOs.
[0043] It will be appreciated that the second subscriber server 304, operated by the subscriber's previous MNO or MVNO, may be situated in an entirely separate network. The second subscriber server 304 may exist outside of any mobile communication network, and may be accessed through a separate data network, for instance the Internet.
[0044] The use of an authentication proxy 300 as shown in Figure 3, which is able to route requests for authentication information either to a first authentication server 302 operated by the current MNO or MVNO or to an authentication server operated by another MNO or MVNO, enables a method of migrating subscribers from one MNO or MVNO to another in accordance with an embodiment of the present invention.
[0045] Referring now to Figure 4, this illustrates an authentication method for a GSM network in accordance with an embodiment of the present invention, showing the exchange of information between a mobile device 100 (UE), a switching server 106 (MSC), an authentication proxy 300, a first subscriber server (AuC) 302 and a second subscriber server (AuC) 304. At step 400 the mobile device 100 connects to the network, and specifically the mobile device connects to the switching server. At step 400 the mobile device 100 also sends its IMSI to the switching server 106.
[0046] At step 402 the switching server 106 sends a request for information to the authentication proxy. At step 403 the authentication proxy 300 determines whether the request is a request for authentication information. If the request is for any other type of information then the request is processed by the first subscriber server 302 (not shown in Figure 4. If the request is for authentication information then at step 404 the authentication proxy determines whether the mobile device 100 is associated with an original subscriber to the network, in which case at step 406 the request for authentication information is forwarded to the first subscriber server 302. If, at step 404 the authentication proxy determines that the mobile device is associated with a subscriber who has migrated from a different MNO/MVNO then at step 408 the request for authentication information is forwarded to the second subscriber server 304 controlled by the subscribers previous MNO/MVNO. Arrows 406 and 408 are shown dashed to indicate that they are alternatives.
At step 410 or 412 the first or second subscriber server 302, 304 respectively returns authentication information to the authentication proxy 300. Arrows 410 and 412 are shown dashed to indicate that they are alternatives. The authentication proxy 300 forwards the authentication information to the switching server 106 at step 414. Specifically, the first or second subscriber server 302, 304 returns the triplet comprising RAND, SRES and Kc.
[0047] At step 416 the switching server 106 sends authentication information to the mobile device 100. Specifically, the switching server 106 sends RAND to the mobile device 100. At step 418 the mobile device 100 returns a locally generated SRES to the switching server 106. If the SRES generated by the subscriber server and the SRES generated by the mobile device 100 match, then the authentication process is complete.
[0048] It will be well understood by the skilled person that the authentication process differs for UMTS and LTE compared to GSM (and indeed differs further for other communication network standards). However, the present invention is applicable to any type of network where authentication of a mobile device to the network is required, and is based upon a shared secret between the mobile device (including within the SIM) and a subscriber server (either storing the shared secret itself and implementing the functions of an authentication server, or communicating with an associated authentication server). The present invention is not limited to any particular network hardware configuration, and, for instance, the functions described above for the authentication server may be implemented by any other component within the network, or a group of components acting together.
[0049] According to an embodiment of the present invention mobile communication network subscribers may be migrated from one MNO/MVNO network (the "donor" network) to another network (the "recipient" network). As noted above, in order to supply services to a subscriber, an MNO/MVNO stores details of the subscriber within a HLR (in the case of GSM networks) or a HSS (in the case of UMTS or LTE networks), or some other form of subscriber database for other types of network. In the following description of the migration process, reference is made only to HLRs (a donor HLR for the original network and a recipient HLR for the new network). Embodiments of the present invention comprise information being transferred from the donor HLR to the recipient HLR. In combination with the process of transferring requests for authentication information to a subscriber server associated with the original network, as described above, this avoids the need to perform a SIM swap and so the mobile device continues to use the SIM associated with the original network. This significantly reduces mobile network interruption for MNOs and MVNOs as well as subscribers.
[0050] According to an embodiment of the invention subscriber information is migrated by electronically moving or copying all aspects of the subscriber information from one HLR to another, such that it is available to the subscriber's new network, while continuing to route requests for authentication to the original authentication server of the original MNO or MVNO. The migration process is illustrated in the flow chart of Figure 5.
[0051] At step 500 donor HLR "core" data is extracted. Core data includes subscriber and network settings, but potentially excludes, for instance, previous billing information and network specific services. At step 502 the donor HLR core data is imported into the recipient HLR. Quality assurance checks are performed on the new HLR data to ensure that all necessary data for providing network services is included. At step 504, optionally, additional donor HLR data (for instance, customer relationship management data and accounting/billing data, for instance including prepaid subscriber data) may then be imported into the recipient HLR. At step 506 data is synchronised between the donor HLR and the recipient HLR (in the event that requests for authentication information in the donor network are routed to the donor authentication server via the donor HLR). At step 508 the subscriber is switched to operating on the new network, save for continuing to perform authentication using authentication information received from the donor authentication server.
[0052] The present invention allows multiple mobile subscribers to be migrated (even "invisibly" to the subscribers themselves) to another MNO/MVNO network, whilst the underlying authentication process continues to be performed by the original MNO/MVNO's authentication server.
[0053] Embodiments of the present invention described above include an authentication proxy. However, it will be appreciated that this is not essential to the invention. Indeed the function of determining which subscriber server to route a request for authentication information to may be performed by an existing component within the network, for instance the switching server or the subscriber server present within the subscriber's new network. Indeed the present invention is limited only to a network configuration in which authentication information must be sent to or received from an authentication server.
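The routing decision of steps 402-408, the triplet exchange of steps 414-418 and the HLR migration of steps 500-508, worked through as an added example that is not part of the patent. HMAC-SHA256 stands in for the SIM's A3/A8 algorithms (an assumption; the patent does not specify them), the CORE_FIELDS set and all IMSIs, keys and records are constructed sample data, and an `auth_server` flag in the recipient HLR record represents the indication of claim 9.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Fields treated as donor-HLR "core" data (constructed set; the patent only says
# core data covers subscriber and network settings and may exclude billing data).
CORE_FIELDS = ("imsi", "msisdn", "service_profile")

def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 algorithm: 32-bit SRES from Ki and RAND (assumption)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit ciphering key Kc from Ki and RAND (assumption)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

@dataclass
class SubscriberServer:
    """One operator's HLR plus AuC. Ki stays with the AuC that issued the SIM."""
    name: str
    records: dict = field(default_factory=dict)  # IMSI -> HLR record
    keys: dict = field(default_factory=dict)     # IMSI -> Ki (never exported)

    def triplet(self, imsi: str) -> dict:
        """Fresh GSM triplet (RAND, SRES, Kc) for a SIM whose Ki this AuC holds."""
        ki, rand = self.keys[imsi], os.urandom(16)
        return {"RAND": rand, "SRES": a3_sres(ki, rand), "Kc": a8_kc(ki, rand)}

def migrate(donor: SubscriberServer, recipient: SubscriberServer, imsi: str) -> dict:
    """Steps 500-508: copy core HLR data to the recipient, leave Ki at the donor,
    and flag the recipient record so authentication is still routed to the donor."""
    core = {k: v for k, v in donor.records[imsi].items() if k in CORE_FIELDS}
    missing = [k for k in CORE_FIELDS if k not in core]      # step 502 QA check
    if missing:
        raise ValueError(f"incomplete core data for {imsi}: {missing}")
    core["auth_server"] = donor.name    # claim 9: where auth info is obtainable
    recipient.records[imsi] = core
    return core

class AuthenticationProxy:
    """Sits between the MSC and the subscriber servers (steps 402-414)."""
    def __init__(self, first: SubscriberServer, others: list):
        self.first = first                         # current operator's server
        self.others = {s.name: s for s in others}  # previous operators' servers

    def handle(self, request: dict):
        record = self.first.records[request["imsi"]]
        if request["type"] != "authentication":
            return record                          # step 403: non-auth -> first server
        donor = record.get("auth_server")          # step 404: migrated subscriber?
        server = self.others[donor] if donor else self.first
        return server.triplet(request["imsi"])    # step 406 or 408

@dataclass
class MobileDevice:
    imsi: str
    ki: bytes  # held inside the SIM

    def respond(self, rand: bytes) -> bytes:
        return a3_sres(self.ki, rand)  # step 418: locally generated SRES

def authenticate(proxy: AuthenticationProxy, ue: MobileDevice) -> bool:
    """MSC side of steps 414-418: challenge the UE with RAND and compare SRES."""
    triplet = proxy.handle({"type": "authentication", "imsi": ue.imsi})
    return hmac.compare_digest(ue.respond(triplet["RAND"]), triplet["SRES"])

def build_scenario():
    """Constructed sample data: one native subscriber, one migrated from 'donor'."""
    donor, recipient = SubscriberServer("donor"), SubscriberServer("recipient")
    donor.records["001010000000001"] = {"imsi": "001010000000001", "msisdn": "+10000000001", "service_profile": "basic", "billing": "prepaid-ref-1"}
    donor.keys["001010000000001"] = b"\x11" * 16
    recipient.records["001010000000002"] = {"imsi": "001010000000002", "msisdn": "+10000000002", "service_profile": "basic"}
    recipient.keys["001010000000002"] = b"\x22" * 16
    migrate(donor, recipient, "001010000000001")
    return donor, recipient, AuthenticationProxy(recipient, [donor])

if __name__ == "__main__":
    donor, recipient, proxy = build_scenario()
    print("migrated UE:", authenticate(proxy, MobileDevice("001010000000001", b"\x11" * 16)))
    print("native UE:  ", authenticate(proxy, MobileDevice("001010000000002", b"\x22" * 16)))
    print("wrong SIM:  ", authenticate(proxy, MobileDevice("001010000000001", b"\x99" * 16)))
    print("Ki copied to recipient?", "001010000000001" in recipient.keys)
```

The migrated subscriber authenticates against the donor AuC without its Ki ever being copied, while a profile request for the same IMSI is answered from the recipient HLR.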
[0054] It will be appreciated that embodiments of the present invention can be realized in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage, for example a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory, for example RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium, for example a CD, DVD, magnetic disk or magnetic tape or the like. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs comprising instructions that, when executed, implement embodiments of the present invention.
[0055] Accordingly, embodiments provide a program comprising code for implementing apparatus or a method as claimed in any one of the claims of this specification and a machine-readable storage storing such a program. Still further, such programs may be conveyed electronically via any medium, for example a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
[0056] Throughout the description and claims of this specification, the words "comprise" and "contain" and variations of them mean "including but not limited to", and they are not intended to (and do not) exclude other components, integers or steps. Throughout the description and claims of this specification, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise.
[0057] Features, integers or characteristics described in conjunction with a particular aspect, embodiment or example of the invention are to be understood to be applicable to any other aspect, embodiment or example described herein unless incompatible therewith.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive. The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed. It will also be appreciated that, throughout the description and claims of this specification, language in the general form of "X for Y" (where Y is some action, activity or step and X is some means for carrying out that action, activity or step) encompasses means X adapted or arranged specifically, but not exclusively, to do Y.
[0058] The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.

Claims (15)

CLAIMS:
  1. A method of obtaining authentication information for a mobile device connected to a first mobile communication network operated by a first network operator, the method comprising: receiving a request for subscriber server information; and determining whether the request is for authentication information to authenticate the mobile device; wherein if the request is for authentication information, the method further comprises: determining whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is not controlled by the first network operator; and retrieving the authentication information from the first or second subscriber server according to the result of the determination; and wherein if the request is for at least a first type of information other than authentication information, the method further comprises retrieving the information from the first subscriber server.
  2. A method according to claim 1, wherein each subscriber server either incorporates an authentication server or is associated with an authentication server for retrieving authentication information.
  3. A method according to claim 1 or claim 2, wherein the request for information includes a subscriber identifier associated with the mobile device, and wherein if the request is for authentication information the subscriber identifier is used to determine whether the authentication information can be obtained from the first subscriber server or the second subscriber.
  4. A method according to any one of the preceding claims, wherein the second subscriber server is located outside of the first mobile communication network.
  5. A method according to any one of the preceding claims, wherein the authentication information comprises a random number and a first authentication token calculated by the determined one of the first and second subscriber servers using the random number and a secret key known to the mobile device and the determined one of the first and second subscriber servers or an associated authentication server.
  6. A method of authenticating a mobile device connected to a first mobile communication network, the method comprising: obtaining authentication information for the mobile device according to the method of claim 5; sending the random number to the mobile device; receiving a second authentication token from the mobile device calculated by the mobile device using the random number and the secret key; determining whether the first authentication token matches the second authentication token; and authenticating the mobile device if it is determined that the authentication tokens match.
  7. A method of migrating a subscriber from a second network operator to the first network operator, the method comprising: accessing a second subscriber record for the subscriber within the second subscriber server controlled by the second network operator; and copying at least a portion of the second subscriber record including a subscriber identifier to a first subscriber record within the first subscriber server.
  8. A method according to claim 7, further comprising: identifying that the mobile device has connected to the first mobile communication network; and authenticating the mobile device according to the method of claim 6; wherein authentication information to authenticate the mobile device can be obtained from the second subscriber.
  9. A method according to claim 7 or 8, further comprising: receiving a subscriber identifier for the subscriber to be migrated; using the subscriber identifier to access the second subscriber record; and indicating in the first subscriber record that authentication information can be obtained from the second subscriber server.
  10. A method according to claim 9, further comprising synchronising data between the first subscriber record and the second subscriber record.
  11. A network device within a first mobile communication network operated by a first network operator, wherein the network device is arranged to: receive a request for subscriber server information; and determine whether the request is for authentication information to authenticate a mobile device connected to the first mobile communication network; wherein if the request is for authentication information, the network device is further arranged to: determine whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is not controlled by the first network operator; and retrieve the authentication information from the first or second subscriber server according to the result of the determination; and wherein the network device is further arranged to retrieve the information from the first subscriber server if the request is for at least a first type of information other than authentication information.
  12. A network device according to claim 11, wherein the network device is arranged to implement the method of any one of claims 2 to 5.
  13. A network device according to claim 11 or claim 12, wherein the network device comprises an authentication proxy within the mobile communication network, the authentication proxy being arranged to receive requests for server information from another component within the mobile communication network and to retrieve the authentication from either the first or the second authentication server.
  14. A mobile communication network comprising: a network device according to claim 13; and a first subscriber server; wherein the mobile communication network is arranged to implement the method of any one of claims 6 to 9.
  15. A mobile communication network comprising: a network device according to claim 11 or claim 12; wherein the network device comprises the first authentication server; and wherein the mobile communication network is arranged to implement the method of any one of claims 6 to 9.

Amended claims have been filed as follows:

CLAIMS:
  1. A method of obtaining authentication information for a mobile device connected to a first mobile communication network operated by a first network operator, the method comprising: receiving a request for subscriber server information; and determining whether the request is for authentication information to authenticate the mobile device; wherein if the request is for authentication information, the method further comprises: determining whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is controlled by a second network operator; and retrieving the authentication information from the first or second subscriber server according to the result of the determination; and wherein if the request is for at least a first type of information other than authentication information, the method further comprises retrieving the information from the first subscriber server; wherein if the mobile device is associated with a subscriber who has migrated from the second network operator to the first network operator then the authentication information can be obtained from the second subscriber server.
  2. A method according to claim 1, wherein each subscriber server either incorporates an authentication server or is associated with an authentication server for retrieving authentication information.
  3. A method according to claim 1 or claim 2, wherein the request for information includes a subscriber identifier associated with the mobile device, and wherein if the request is for authentication information the subscriber identifier is used to determine whether the authentication information can be obtained from the first subscriber server or the second subscriber.
  4. A method according to any one of the preceding claims, wherein the second subscriber server is located outside of the first mobile communication network.
  5. A method according to any one of the preceding claims, wherein the authentication information comprises a random number and a first authentication token calculated by the determined one of the first and second subscriber servers using the random number and a secret key known to the mobile device and the determined one of the first and second subscriber servers or an associated authentication server.
  6. A method of authenticating a mobile device connected to a first mobile communication network, the method comprising: obtaining authentication information for the mobile device according to the method of claim 5; sending the random number to the mobile device; receiving a second authentication token from the mobile device calculated by the mobile device using the random number and the secret key; determining whether the first authentication token matches the second authentication token; and authenticating the mobile device if it is determined that the authentication tokens match.
  7. A method according to any one of the preceding claims, further comprising: prior to receiving a request for subscriber server information, migrating the subscriber associated with the mobile device from the second network operator to the first network operator, the migration comprising: accessing a second subscriber record for the subscriber within the second subscriber server; and copying at least a portion of the second subscriber record including a subscriber identifier to a first subscriber record within the first subscriber server.
  8. A method according to claim 7, further comprising: receiving a subscriber identifier for the subscriber to be migrated; using the subscriber identifier to access the second subscriber record; and indicating in the first subscriber record that authentication information can be obtained from the second subscriber server.
  9. A method according to claim 8, further comprising synchronising data between the first subscriber record and the second subscriber record.
  10. A network device within a first mobile communication network operated by a first network operator, wherein the network device is arranged to: receive a request for subscriber server information; and determine whether the request is for authentication information to authenticate a mobile device connected to the first mobile communication network; wherein if the request is for authentication information, the network device is further arranged to: determine whether the authentication information can be obtained from a first subscriber server controlled by the first network operator or from a second subscriber server which is controlled by a second network operator; and retrieve the authentication information from the first or second subscriber server according to the result of the determination; and wherein the network device is further arranged to retrieve the information from the first subscriber server if the request is for at least a first type of information other than authentication information; wherein if the mobile device is associated with a subscriber who has migrated from the second network operator to the first network operator then the authentication information can be obtained from the second subscriber server.
  11. A network device according to claim 10, wherein the network device is arranged to implement the method of any one of claims 2 to 5.
  12. A network device according to claim 10 or claim 11, wherein the network device comprises an authentication proxy within the mobile communication network, the authentication proxy being arranged to receive requests for server information from another component within the mobile communication network and to retrieve the authentication from either the first or the second authentication server.
  13. A mobile communication network comprising: a network device according to claim 12; and a first subscriber server; wherein the mobile communication network is arranged to implement the method of any one of claims 6 to 9.
  14. A mobile communication network comprising: a network device according to claim 10 or claim 11; wherein the network device comprises the first authentication server; and wherein the mobile communication network is arranged to implement the method of any one of claims 6 to 9.
GB1406169.1A 2014-04-04 2014-04-04 Mobile device authentication Active GB2517814B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1406169.1A GB2517814B (en) 2014-04-04 2014-04-04 Mobile device authentication
PCT/EP2014/078707 WO2015149891A1 (en) 2014-04-04 2014-12-19 Mobile device authentication
HK15104807.8A HK1204418A1 (en) 2014-04-04 2015-05-20 Mobile device authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1406169.1A GB2517814B (en) 2014-04-04 2014-04-04 Mobile device authentication

Publications (3)

Publication Number Publication Date
GB201406169D0 GB201406169D0 (en) 2014-05-21
GB2517814A true GB2517814A (en) 2015-03-04
GB2517814B GB2517814B (en) 2015-09-16

Family

ID=50776886

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1406169.1A Active GB2517814B (en) 2014-04-04 2014-04-04 Mobile device authentication

Country Status (3)

Country Link
GB (1) GB2517814B (en)
HK (1) HK1204418A1 (en)
WO (1) WO2015149891A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11064345B1 (en) 2020-01-15 2021-07-13 Nokia Solutions And Networks Oy Touchless support for commercial in-service user equipment in private mobile networks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004084424A2 (en) * 2003-03-18 2004-09-30 Qualcomm Incorporated Authentication between a cdma network and a gsm network
US7359704B1 (en) * 2002-07-23 2008-04-15 At&T Mobility Ii Llc Registration of communications devices
US20100330957A1 (en) * 2009-06-30 2010-12-30 Fujitsu Limited Mobile terminal authentication method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2002217140A1 (en) * 2001-12-18 2003-06-30 Telefonaktiebolaget Lm Ericsson (Publ) Method for migrating subscriber data between different servers of a telecommunications network
JP2010088055A (en) * 2008-10-02 2010-04-15 Fujitsu Ltd Communication system, mobile unit, terminal management apparatus, and communication method

Also Published As

Publication number Publication date
HK1204418A1 (en) 2015-11-13
GB201406169D0 (en) 2014-05-21
GB2517814B (en) 2015-09-16
WO2015149891A1 (en) 2015-10-08

Legal Events

Date Code Title Description
REG Reference to a national code: Ref country code: HK; Ref legal event code: DE; Ref document number: 1204418; Country of ref document: HK
REG Reference to a national code: Ref country code: HK; Ref legal event code: GR; Ref document number: 1204418; Country of ref document: HK
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977): Free format text: REGISTERED BETWEEN 20190411 AND 20190417
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977): Free format text: REGISTERED BETWEEN 20220929 AND 20221005