JP2008182695A - Method and system for providing access to services of second network via first network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method and system for providing access from a first network such as WLAN network or various others to services provided by a second network such as GPRS or various others. <P>SOLUTION: The method for providing access to services implemented by a second network via a first network, includes the steps of: using an authentication message for signal transportation of service selection information to an authentication server means of the second network via the first network; and using the service selection information to connect to services offered over an access point indicated in the service selection information. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention extends from a first network, such as a wireless local area network (WLAN), to a service on a second network, such as a service subscribed on a General Packet Radio Service (GPRS) network or a Universal Mobile Telecommunications System (UMTS) network. The present invention relates to a method and system for providing access.

  In recent years, the wireless communication market has enjoyed tremendous growth. Wireless technology can now communicate or have the ability to communicate to virtually anywhere on the planet. Given the tremendous success of wireless telephony and messaging services, it is not surprising that wireless communication is beginning to be applied in the world of computing for personal or business use. No longer tied to wired network harnesses, people will access and share information on a global scale at almost every place they visit.

  The main motivation and advantage of using WLAN is to improve mobility. Network users can move with almost no restrictions and can access the LAN almost anywhere. In addition to improving mobility, WLAN also increases flexibility. Employees can use small computers and wireless links to arrange meetings to share and discuss future design plans and product information. Such an ad hoc network can be set up and terminated in a very short time as needed, whether around the conference table or anywhere in the world. WLAN provides the connectivity and convenience of a wired LAN without the need for expensive wiring and rewiring.

  However, even the fastest laptop computers can be less productive while traveling because of poor access to the company intranet and the Internet. Despite the Global System for Mobile communication (GSM) revolution, laptop computer users need faster access to download large files and synchronize emails faster. In the mobile information society, which is becoming a reality, data is required to be available everywhere.

  As a solution to this problem, WLAN solutions by operators have been proposed, and broadband access is provided to laptop computers and terminal devices at specific locations such as airports, conference centers, hotels, and meeting rooms. Thus, mobile network operators can provide broadband access to the Internet, corporate intranets, or other service organizations from virtually anywhere in the world. Accordingly, a public WLAN service having an original WLAN roaming function is provided.

  In packet-switched cellular networks such as GPRS and UMTS networks, user service names are specified by access point names (APN). GPRS is a packet domain common core network used for both GSM and UMTS networks.

  This common core network is designed to support several quality service levels in order to provide packet-switched services and allow efficient transmission of real-time and non-real-time traffic. Serving GPRS Support Node (SGSN) tracks the location of individual mobile terminals and performs security functions and access control. The Gateway GPRS Support Node (GGSN) can interoperate with external packet switched networks and is connected to the SGSN through an IP-based packet domain backbone network. In the backbone network, the APN actually refers to the GGSN to be used. In addition, in the GGSN, the APN identifies the external network and may also identify the services provided. Further details about the use and structure of APN are defined in 3GPP specifications TS23.003.

  APN information selected by the terminal device, user device (UE), or user of the terminal device when the user connects to the GPRS service, such as establishing a Packet Data Protocol (PDP) context specified by 3GPP specifications TS23.060, etc. Is sent from the terminal device to the network by a PDP context establishment signal. This information includes the APN name and, optionally, a user name and password if required to access the services provided by the selected APN. In GPRS networks, this information is used to select an appropriate GGSN. This information also reaches the selected GGSN, which further uses the information to establish a connection with a network node beyond the GGSN, such as a company intranet or an operator service node. If usernames and passwords are provided, they are delivered to the associated network node beyond the GGSN to allow authentication of the connection.

However, existing public WLAN systems and operator WLAN systems do not provide functions such as PDP context activation in GPRS. In particular, there is no dedicated signaling for setting up a service between a WLAN terminal device such as WLAN UE and a WLAN network or a network on the other side of the WLAN network. For this reason, GPRS-type service selection and activation through a WLAN network is impossible, which is detrimental to existing public WLANs and operator WLANs.
3GPP specification TS23.060

  Thus, one of the objects of the present invention is to provide a method and system for providing access from a WLAN network or other various first networks to services provided by GPRS or other various second networks. That is.

  This object is a method for providing access to a service realized by a second network through a first network, signaling service selection information to an authentication server means of the second network through the first network. Using an authentication message to do so, and using the service selection information to connect to a service provided over an access point indicated in the service selection information.

  Further, the above object is an authentication server device for providing an authentication mechanism, wherein service selection information for selecting a service is extracted from the received authentication message, and the access point indicated by the service selection information is passed. This is also achieved by an authentication server device (50) configured to utilize the service selection information to establish a connection to a service provided to the device.

  Furthermore, the above object is also achieved by a terminal device that provides access to a network service, the terminal device configured to place service selection information for selecting the network service in an authentication message. The

  Therefore, the service selection information and the type of service are transferred to the second network by using authentication signaling between the authentication server of the second network and the terminal device, and the service selection information is a desired value. Or used to establish a connection to a subscribed service. As a result, access to a third-party network service is possible over a first network such as a WLAN. Therefore, dynamic service selection and multiple simultaneous connections to different services are possible, and continuity of services between different networks such as a WAN or a cellular packet switching network can be obtained. As a result, network flexibility and user mobility can be improved, and service logic between different networks can be unified.

  The proposed solution is also useful from the network operator's point of view, since current service description schemes such as the APN scheme in GPRS can be used in new operator WLANs and therefore can support traditional solutions.

  The authentication message may be an Extensible Authentication Protocol (EAP) message. In particular, the authentication message can be an EAP response message.

  The service selection information can comprise at least one APN parameter. The at least one APN parameter can include the APN, user name, and password of the desired service. Furthermore, the APN parameter can be encrypted in the authentication message. Different encryption may be applied to different APN parameters. The selected APN parameter can then be transferred to the selected access point in encrypted format by the authentication server, and the selected APN parameter can only be encrypted by the access point or the selected service network. Can be released.

  Hereinafter, the present invention will be described in more detail based on preferred embodiments with reference to the accompanying drawings. A preferred embodiment will now be described based on the network architecture shown in FIGS. Here, the WLAN user is authenticated by EAP authentication in order to access the WLAN network and thereby gain access to the cellular packet switched service.

  FIG. 1 is a schematic block diagram of a network architecture comprising a WLAN 30 and a GPRS network 70. A terminal or UE 10 subscribing to a GPRS service and trying to gain access to the service first sends service selection information including at least one APN parameter and optionally a user name and password to the GPRS network 70 via the WLAN 30. Send to authentication server 50. For transmission, an authentication transmission signal such as an authentication request message is used (first step). Next, the authentication server 50 selects the WLAN gateway 60 provided in the GPRS network 70, transmits the service information to the WLAN gateway 60, and returns the response from the WLAN gateway 60 to the access server 40 and the application server 80 of the WLAN 30. Connection information for establishing a connection between them is received (second step). Application server 80 provides the requested service and is identified by at least one APN parameter. In particular, the authentication request may be further forwarded to the application server 80 or other external AAA server together with the user name and password, and the WLAN gateway 60 first receives a reply from it and sends the reply to the access server 40. Proxy.

  FIG. 2 shows a more detailed block diagram of the network architecture in a preferred embodiment in which the present invention may be implemented. In FIG. 2, the WLAN UE 10 is connected to the access point 20 of the WLAN 30 by wireless connection. It should be noted that the access point 20 has the same function as a base station in a general cellular network. The access point 20 is not portable and belongs to a part of the wired network facility. More detailed architecture and functional information regarding the WLAN network 30 can be obtained from, for example, the IEEE 802.11 specification.

  The WLAN 30 further includes a WLAN access server 40 for establishing a connection to an external network such as the GPRS network 70 or another packet switching network 90. The packet switching network 90 is, for example, the Internet, an operator or a company intranet. The GPRS network 70 includes an authentication server 50. The authentication server 50 is provided with an authentication server database 55 in which subscription information such as service profile information of each connected terminal or UE is stored. These pieces of information are stored in the database 55 after being retrieved from the permanent subscriber database 110 in the subscriber's home network 110. It should be noted that the function of the authentication server 50 can be placed in the user's home network, WLAN backbone or subsystem. When a GSP SIM card is used in the UE 10, the authentication transmission signal by the UE 10 can be an EAP SIM authentication protocol. Further, when a UMTS SIM card is used in the UE 10, authentication can be performed based on an EAP AKA (Authentication and Key Agreement) authentication protocol.

  The EAP protocol mechanism is used for GSM SIM and USIM authentication and session key distribution. Authentication is based on a challenge-response scheme, and an authentication algorithm operating on a SIM or USIM card can be given a random number (RAND) as a challenge. SIM or USIM operates an operator specific secret algorithm. This algorithm uses a private key and RAND stored in SIM or USIM as input, and generates a reply (SRES) and key as output. This key was originally intended to be used as an encryption key in the air interface. The authentication server 50 has an interface with the GSM or UMTS home network 100 of the UE 10 and operates as a gateway between the packet exchange AAA (Authentication, Authorization and Accounting) network and the GSM or UMTS authentication facility. The authentication server 50 receives an EAP identification reply containing a user identity that can be mapped to the user's international mobile phone subscriber identification number (IMSI), and then the home location register (HLR) or subscription of the user's home network 100. N triplets and triplets are obtained from the authentication center in the administrator management server (HSS) 110. The authentication server 50 extracts key material from the triple cipher based on the descrambling algorithm.

  According to a preferred embodiment, WLAN authentication signaling is used to transmit GPRS service subscription information and service selection information to the GPRS network 70 through the authentication server 50. The GPRS service information and service selection information can optionally include an APN of a desired service and a user name and password required to connect to the service via a designated APN. The authentication server 50 uses the obtained service selection information to select the WLAN gateway 60 having a function similar to the GGSN. Users can gain access to subscribed services from the WLAN gateway 60. The subscribed service can be, for example, access to a company intranet or a service of a mobile telephone operator.

FIG. 3 illustrates a signaling diagram representing EAP-SIM authentication signaling between the UE 10 and the authentication server 50 of the GPRS network 70. The first EAP request (not shown) issued from the network is an EAP Identity Request. The client or the UE 10 returns an EAP Identity Response with an anonymous attribute (pseudonym) or IMSI (step 1). Anonymous attributes are used when identity privacy support is used by UE10.
In response to the EAP Identity Response message or packet, the authentication server 50 transmits an EAP challenge request including n random numbers RAND in other parameters (step 2).
In response to this, the UE 10 issues an EAP Challenge Response including the calculated response value SRES. And in a preferred embodiment of the present invention, the EAP Challenge Response includes at least one encrypted APN parameter that specifies the desired GPRS service to access. The encrypted APN parameters optionally include the APN of the desired service and a username and password to gain access to the service (step 3).
Different APN parameters are selected to apply different encryption. For example, the APN itself is just an APN parameter required for access point selection, so this parameter need only be in a format that can be decrypted and / or readable by the access server. The username and password parameters can be transferred in encrypted format to the access point selected by the authentication server, and these parameters may only be decrypted at the access point or the selected service network. For this reason, they cannot be accessed while they are being communicated in the first network. If the authentication procedure is successful, the authentication server 50 returns an EAP Success message (step 4).

  The above signaling procedure does not require any context activation function that would be required in a conventional GPRS network without WLAN functionality, and to the service selection parameter authentication server 50. Signal transmission. In order to achieve such an enhanced authentication signaling function, the client software of UE 10 is modified or programmed to add the respective service selection information to the EAP Challenge Response message. In particular, if the user has selected to connect to a service identified by the APN, the service information and service selection information are configured in the UE 10 client software. In an individual service, the following settings can be performed. Initially, a free text entry identifying the service for the user can be set. Second, for example, an APN that is an identification mark of a domain name server (DNS) assigned a name to a public land mobile network (PLMN) and a mobile operator (Mobile Operator, MO) points to a specific service. Can be set for. Third, the client software makes a setting that indicates whether a user name and password are required (for example, setting Yes and No). The third setting may include setting whether to use a default user name and password or to newly input a user name and password.

  After receiving the EAP request message at the latest, the UE 10 gets information about the requested service selection from the user and encrypts it as specified by the used signaling protocol such as EAP-SIM. Then, the UE 10 inserts the APN parameter information into the EAP Challenge Response message and transmits it to the authentication server 50 through the WLAN 30.

  FIG. 4 shows the format of an improved EAP SIM Challenge Response message generated in SIM according to the preferred embodiment. The “Code” field is used to identify that the message is a Response message. The "identifier" field is 1 octet and is used to match the response to Response. In particular, the “identifier” field must match the “identifier” field of the message sent in the Response. The “length” field indicates the length of the EAP message or packet. In the “type” and “sub-type” fields, special values specifying the EAP SIM Challenge Response message are set. The “reserved” field is set to 0 on transmission and ignored on reception. The “AT_SRES” field indicates an attribute value, followed by another “length” field indicating the length of the subsequent SRES value and a “reserved” field. Finally, the proposed APN parameter that identifies the requested service can be added as an encrypted value, for example.

  The present invention is not limited to the described WLAN or GPRS service, but is used in any network architecture where the access network does not provide the control plane signaling required to access the packet switched service Note that it can be done. The functionality of the authentication server 50 and the gateway 60 does not necessarily have to be GPRS functionality, and may be provided in any backbone network or subsystem of the WLAN or any other network accessible by the WLAN 30. These may be provided in a stand-alone server device, or may be provided in the functions of GPRS, GGSN, and SGSN. Also, the accessed service need not be a GPRS service. Therefore, WLAN UE10 does not have GPRS functionality, but is a single-mode WLAN terminal with functionality to access external services through authentication signal transmission using a method similar to the GPRS service selection method. it can. In addition, any known authentication message can be used to send service selection information. Accordingly, the preferred embodiments can be modified within the scope of the claims.

Embodiments of the present invention described in the scope of claims of the present application are as follows.
(1) A method for providing access to a service realized by a second network through a first network, wherein (a) service selection information is sent to an authentication server means of the second network through the first network. Using an authentication message to signal; and (b) using the service selection information to connect to a service provided over an access point indicated in the service selection information.
(2) The method according to (1), wherein the first network is a wireless local area network.
(3) The method according to (1) or (2), wherein the second network is a cellular packet switching network.
(4) The method according to (3), wherein the cellular packet switching network is a GPRS network.
(5) The method according to any one of (1) to (4), wherein the authentication message is an EAP message.
(6) The method according to (5), wherein the EAP message is an EAP SIM message or an EAP AKA message.
(7) The method according to (5) or (6), wherein the authentication message is an EAP Challenge Response message.
(8) The method according to any one of (1) to (7), wherein the service selection information includes at least one APN parameter.
(9) The method according to (8), wherein the at least one APN parameter includes an APN, a user name, and a password.
(10) The method according to (7) or (8), wherein the APN parameter is encrypted in the authentication message.
(11) The method according to (9) or (10), wherein the at least one APN parameter is encrypted so as to be decryptable only in a network defined by the APN.
(12) An authentication server device for providing an authentication mechanism, wherein (a) service selection information for selecting a service is extracted from the received authentication message, and (b) access indicated in the service selection information An authentication server device configured to use the service selection information to establish a connection to a service provided over a point.
(13) The authentication server according to (12), wherein the authentication mechanism is based on an EAP protocol.
(14) The authentication server according to (13), wherein the received authentication message is an EAP Challenge Response message.
(15) The authentication server according to any one of (12) to (14), wherein the authentication server is a stand-alone WLAN authentication server.
(16) The authentication server according to any one of (12) to (14), wherein the authentication server is a GGSN.
(17) The authentication server according to any one of (12) to (16), wherein the service selection information includes at least one APN parameter.
(18) The authentication server according to (17), wherein the APN parameter is encrypted in the authentication message.
(19) The authentication server according to (17) or (18), wherein at least one APN parameter is decrypted in the authentication server.
(20) The authentication server according to any one of (17) to (19), wherein at least one of the APN parameters is transferred to the access point in an encrypted manner by the authentication server .
(21) A terminal device that provides access to a network service, the terminal device configured to place service selection information for selecting the network service in an authentication message.
(22) The device according to (21), wherein the authentication message is an EAP message.
(23) The device according to (22), wherein the EAP message is an EAP Challenge Response message.
(24) The device according to (23), wherein the EAP Challenge Response message is an EAP SIM message or an EAP AKA message.
(25) The device according to any one of (21) to (24), wherein the service selection information includes at least one APN parameter.
(26) The device according to any one of (21) to (25), wherein the service is a GPRS service.
(27) A system that provides access from a first network to a service of a second network, the system comprising: a terminal device according to any one of (21) to (26); and (14) The authentication server device according to any one of (20), wherein the terminal device is connected to the first network, and the authentication server is connected to the second network.

It is a schematic block diagram which shows the basic principle used as the foundation of this invention. 1 is a schematic block diagram of a WLAN connected to an application server through a WLAN gateway of a GPRS network. FIG. Fig. 4 illustrates EAP signaling in a preferred embodiment of the present invention. Fig. 4 shows an improved EAP Response Challenge packet format in a preferred embodiment.

Claims (29)

A method for providing access to a service realized by a second network through a first network, comprising:
(A) using an authentication message to communicate service selection information to the authentication server means of the second network through the first network;
(B) using the service selection information to connect to a service provided over the access point indicated in the service selection information;
A method comprising:   The method of claim 1, wherein the delivery of service selection information is not related to PDP context activation.   The method according to claim 1 or 2, wherein the first network is a wireless local area network.   4. A method as claimed in any preceding claim, wherein the second network is a cellular packet switched network.   The method of claim 4, wherein the cellular packet switched network is a GPRS network.   The method according to claim 1, wherein the service selection information includes at least one APN parameter.   The method of claim 6, wherein the at least one APN parameter includes an APN, a username, and a password.   The method according to claim 6 or 7, wherein the APN parameter is encrypted in the authentication message.   The method according to any one of claims 6 to 8, wherein at least one of the APN parameters is encrypted such that it can be decrypted only in a network defined by the APN. An authentication server for providing an authentication mechanism for providing access to a service realized by the second network through the first network, the server being connected to the second network;
(A) extracting service selection information for selecting a service from the authentication message received through the first network;
(B) An authentication server configured to use the service selection information to establish a connection to a service provided over the access point indicated in the service selection information.   The authentication server according to claim 10, wherein the transmission of the service selection information is not related to PDP context activation.   The authentication server according to claim 10 or 11, wherein the authentication server is a stand-alone WLAN authentication server.   The authentication server according to any one of claims 10 to 12, wherein the authentication server is a GGSN.   The authentication server according to claim 10, wherein the service selection information includes at least one APN parameter.   The authentication server according to claim 14, wherein the APN parameter is encrypted in the authentication message.   16. The authentication server according to claim 14 or 15, wherein at least one APN parameter is decrypted in the authentication server.   The authentication server according to any one of claims 14 to 16, wherein at least one of the APN parameters is transferred to the access point in an encrypted manner by the authentication server.   A terminal device for providing access to a network service, wherein the terminal device is configured to arrange service selection information for selecting the network service in an authentication message.   The apparatus of claim 18, wherein the authentication message is an EAP message.   The apparatus according to claim 19, wherein the EAP message is an EAP Challenge Response message.   The apparatus according to claim 20, wherein the EAP Challenge Response message is an EAP SIM message or an EAP AKA message.   The apparatus according to any one of claims 18 to 21, wherein the service selection information includes at least one APN parameter.   The apparatus according to any one of claims 18 to 22, wherein the service is a GPRS service.   A system for providing access from a first network to a service of a second network, the system comprising: a terminal device according to any of claims 18 to 23; and a system according to any of claims 10 to 17. The authentication server device according to claim 1, wherein the terminal device is connected to the first network, and the authentication server is connected to the second network. A method for providing an authentication mechanism comprising:
(A) extracting service selection information for selecting a service from the received authentication message;
(B) using the service selection information to establish a connection to a service provided over the access point indicated in the service selection information;
A method comprising:   A method for providing access to a network service, comprising the step of incorporating service selection information for selecting the network service in an authentication message at a terminal device.   A computer program comprising software code means configured to produce the steps according to any of claims 1, 25, 26 of the method invention when operated on a computer device.   27. A processor device configured to produce the steps of any of claims 1, 25, 26 of the method invention. In a computer-readable recording medium,
A recording medium on which data having a data structure of an authentication message and including service selection information for selecting a service is recorded.