MXPA06001088A - System and method for controlling access to a network using redirection - Google Patents

System and method for controlling access to a network using redirection

Info

Publication number
MXPA06001088A
Authority
MX
Mexico
Prior art keywords
authentication
client
network
access
request
Prior art date
Application number
MXPA/A/2006/001088A
Other languages
Spanish (es)
Inventor
Zhang Junbiao
Original Assignee
Thomson Licensing Sa
Zhang Junbiao
Application filed by Thomson Licensing Sa, Zhang Junbiao

Abstract

A mechanism to improve the security and access control over a network, such as a wireless local area network ("WLAN"), that takes advantage of web browser interactions without requiring an explicit separate communication session between a hot spot network and a service provider network. The method comprises receiving a request to access the WLAN from a mobile terminal (MT)/client disposed within a coverage area of the WLAN. The access point (AP) of the network associates a session ID and randomized number with an identifier associated with the MT and stores data mapping the session ID to the identifier of the MT and randomized number. The local server transmits an authentication request in the form of a web page, which includes the session ID and randomized number, to the MT. The AP receives from the MT a digitally signed authentication message, a parameter list containing user credential information, session ID, and randomized number concerning the MT, the authentication message being digitally signed using the session ID and randomized number together with the parameter list. The AP correlates the session ID and parameter list received from the MT and, using the stored mapping data, generates a local digital signature for comparison with the received digitally signed authentication message for controlling access of the MT to the WLAN.

Description

CONTROL OF ACCESS TO A NETWORK WITH THE USE OF REDIRECTION
FIELD OF THE INVENTION
The invention provides an apparatus and method for improving security and access control over a network, such as a wireless local area network ("WLAN"), through redirection of a web browser.
BACKGROUND OF THE INVENTION
The context of the present invention is the family of wireless local area networks (WLANs) that employ the IEEE 802.1x architecture, having an access point (AP) that provides access for mobile devices (also called "clients" or "client devices") and to other networks, such as a wired local area network and global networks such as the Internet. Advancements in WLAN technology have made wireless communication publicly accessible in restaurants, cafes, libraries and similar public facilities. Public WLANs currently offer users of a mobile communications device (client) access to a private data network, such as a corporate intranet, or to a public data network such as the Internet, as well as device-to-device communication and wireless TV transmission. The relatively low cost of implementing and operating a public WLAN, as well as the high available bandwidth (usually greater than 10 Megabits/second), make the public WLAN an ideal access mechanism through which users of wireless mobile communications devices can exchange packets with an external entity.
When a mobile user roams into a hot spot network, it may be necessary for the hot spot network and the service provider network to carry out a roaming protocol to authenticate the user and grant the user access. More particularly, when a user attempts to access a service within the coverage area of the public WLAN, the WLAN first authenticates and authorizes the user before granting access to the network. After authentication, the public WLAN opens a secure data channel to the mobile communications device to protect the privacy of data passing between the WLAN and the device. Currently, many WLAN equipment manufacturers have adopted the IEEE 802.1x protocol for deployed equipment. Therefore, the predominant authentication mechanism for WLANs uses this standard.
Unfortunately, the IEEE 802.1x standard was designed with private LAN access as its usage model. Therefore, the IEEE 802.1x standard does not offer certain features that would improve security in a public WLAN environment. Figure 1 illustrates the relationships between the three entities typically involved in authentication in a public WLAN environment: a user terminal or mobile terminal/mobile communications device/client device (MT) 140, a WLAN 124 having at least one access point (AP), and an authentication server (AS) 150, which may be associated with a particular service provider or a virtual operator. The trust relationships are as follows: the MT has an account with the AS, and therefore they share a trust relationship 142; the WLAN operator and the operator that owns the AS (hereinafter referred to as the "virtual operator") have a business relationship, and therefore the AP or WLAN and the AS have a trust relationship 126. The purpose of the authentication process is to establish a trust relationship between the MT and the AP by taking advantage of the two existing trust relationships.
In a web browser based authentication method, the MT authenticates directly with the AS, using the web browser over HTTPS (Hypertext Transfer Protocol over Secure Sockets), and ensures that the AP (and anyone on the path between the MT and the AS) cannot transfer or steal the user's confidential information. While the channel is secure, the AP cannot determine the result of the authentication unless it is explicitly notified by the AS. However, the only information that the AS has about the MT is the Internet Protocol (IP) address at the other end of the HTTPS session.
When firewalls, Network Address Translation (NAT) servers or web proxies are placed electronically between the AS and the MT, which is normally the case with the virtual operator configuration, it is difficult or almost impossible for the AS to initiate a session to notify the AP of the authentication result and to identify the MT.
Most WLAN hot spot wireless providers use a web browser based solution for user authentication and access control, which is convenient for the user and does not require downloading software onto the user's device. In such a solution, the user is authenticated securely through HTTPS by a server which, in turn, notifies the wireless AP to grant access to the user. Such an authentication server AS may be owned by the WLAN operator or by a third party provider, such as independent service providers (ISPs), prepaid card providers or cellular operators, commonly known as virtual operators.
In the prior art, authentication was achieved through communication between the user and the authentication server over a secure channel. As such, the AP does not transfer communication between the user and the authentication server. Accordingly, a separate communication, referred to as authorization information, must be established between the AP and the authentication server AS so that the AP is notified of the authorization information.
Access control in the AP is based on the address of the mobile communications device/client device, where the address can be a physical (PHY) address, a MAC address or an IP address; therefore, the authentication server AS can use the IP address of the mobile terminal MT (the source address of the HTTPS tunnel) as the identifier when it returns the authentication result to the AP. This approach succeeds when there is no firewall or NAT between the AP and the authentication server AS, as illustrated by the firewall FW and the local server LS.
In general, and when virtual operators are present (for example, when roaming is involved), the authentication server is located outside the domain of the wireless access network and thus outside the firewall FW, and the HTTPS connection used for authentication often actually passes through a web proxy, as shown in Figure 2. The source address that the authentication server AS receives will then be the address of the web proxy, which cannot be used to identify the mobile terminal MT user device and therefore cannot be used by the AP to ensure a secure connection.
The document PU030050, by Junbiao Zhang, Saurabh Mathur and Kumar Ramaswamy, "TECHNIQUE FOR SECURE WIRELESS LAN ACCESS", US Patent Application Serial No. 10/424,442, filed on 28 April 2003, describes a general technique for a web browser based solution for secure access to a WLAN at a hot spot.
The document PU030071, by Junbiao Zhang, "AN IDENTITY MAPPING MECHANISM IN WLAN ACCESS CONTROL WITH PUBLIC AUTHENTICATION SERVERS", U.S. Patent Application No. 60/453,329, addresses the same subject as this invention, and uses a separate secure communication session between the hot spot network and the service provider's network that is initiated by the hot spot network. In this way, two separate secure sessions need to be maintained.
What is required is a mechanism to improve security and access control over a network, such as a wireless local area network ("WLAN"), that takes advantage of web browser interactions without requiring a separate communication session between a hot spot network and a service provider network.
BRIEF DESCRIPTION OF THE INVENTION
A method is provided for controlling access to a network that includes a mobile terminal, an access point for transmitting network communications to and from the mobile terminal, and an authentication server for carrying out an authentication process in response to a request from the mobile terminal. The method comprises, at the access point, receiving a request for access to the network from the mobile terminal, associating unique data with an identifier of the mobile terminal and storing a mapping of the association. The unique data is transmitted to the mobile terminal to be used when authenticating the mobile terminal through the authentication server. At the authentication server, the mobile terminal is authenticated with the use of the unique data and, after authentication, an acquisition code, which includes a digitally signed authentication message and the authentication parameters corresponding to the unique data, is redirected to the mobile terminal using a redirection header. The access point receives the redirected, retrieved, digitally signed URL and the authentication parameters from the mobile terminal and correlates the authentication parameters with the stored mapping data to determine access to the network.
According to another aspect, a system for controlling access to a network comprises a mobile terminal, an access point coupled with a local server to transmit network communications to and from the client, and an authentication server to carry out an authentication process in response to the client's request. The local server, in response to a redirected request for access to the network from the client, associates the unique data with an identifier of the mobile terminal, stores a mapping of the association, and transmits the unique data to the client to be used when authenticating the client through the authentication server.
The authentication server, after authenticating the client with the use of the unique data, operates to provide a redirection header for client access, which includes a digitally signed authentication message and authentication parameters corresponding to the unique data. The AP receives the redirected, retrieved, digitally signed URL and the authentication parameters from the client and correlates the authentication parameters with the stored mapping data to determine access to the network based on the results of the correlation.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be better understood from the following detailed description, when read in connection with the accompanying drawings. The different characteristics of the drawings are not specified in detail. On the contrary, the different characteristics can be expanded or reduced arbitrarily for purposes of clarity. The drawings include the following Figures.
Figure 1 is a block diagram of a communication system for practicing the method of the present principles for authenticating a mobile wireless communication device.
Figure 2 is a block diagram of the communication system in which the authentication server is behind the firewall.
Figure 3 is a message exchange diagram illustrating the operation of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
In the Figures to be described, the associated circuits, blocks and arrows represent functions of the method according to the present invention, which can be implemented as electrical circuits and associated cables or buses that transport electrical signals. Alternatively, one or more associated arrows may represent communication (e.g., data flow) between software routines, in particular when the present method or apparatus of the present invention is implemented as a digital process.
According to Figure 2, one or more mobile terminals, represented by the MT 140, communicate through a WLAN access point AP and associated computers 120 (for example, local servers) in order to obtain access to the network and the associated peripheral devices, such as a database coupled with the network. There is at least one access point. The AP and the local server can be co-located, and/or a single unit can carry out the functions of both the AP and the local server. The MT communicates with an authentication server 150 to secure access and authentication in the network. It should be understood that the principles embodied in the present invention, although described with respect to a wireless network such as a WLAN, may find application in any access network, whether wired or wireless.
As also illustrated in Figure 2, the IEEE 802.1x architecture encompasses several components and services that interact to provide transparent station mobility to the higher layers of a network stack. The IEEE 802.1x network defines AP stations, such as the access points 130, and one or more mobile terminals 140 as the components that connect to the wireless medium and contain the functionality of the IEEE 802.1x protocols, namely MAC (medium access control) and the corresponding PHY (physical layer) (not shown), and a connection 127 to the wireless medium.
Typically, IEEE 802.1x functions are implemented in the hardware and software of a wireless modem or a network access or interface card. This invention proposes a method for implementing an identification means in the communication stream, such that an access point 130 is compatible with the IEEE 802.1x WLAN MAC layers for downstream traffic (i.e., from the authentication server to the mobile terminal, such as a laptop) and can participate in the authentication of one or more mobile wireless devices/client devices 140 to a local server 120 and a virtual operator, which includes an authentication server 150.
Referring now to Figure 3, a method in accordance with the present invention for improving the security of a mobile terminal 140 in a WLAN 124 is shown. It is generally achieved by redirecting 210 a browser request 205 to a local server 120 by means of a message 220. The method of the present invention includes embedding a session ID 215 and a random number in the user's input request for the mobile terminal, within the HTTP request 205, authenticating the mobile terminal, and including digital signature information together with the session ID and the random number within the redirect request to retrieve data from the WLAN, whereby the AP matches the digital signature information received from the MT against the digital signature generated locally from the stored mapping data, to determine access to the WLAN. More particularly, the method of the present invention processes an access request from a mobile terminal 140 via the access point 130 of the WLAN 124 (the web request 205 from the mobile terminal 140) by embedding in a web address, such as a universal resource locator (URL), the session ID 125 and the random number associated with an identifier of the mobile terminal.
The client/MT address is obtained from the AP (138), and the local server then generates unique data 215, which may include the session ID and the random number. The unique data is sent to the AP by the local server when a mapping is made between the unique data and the MT/client identifier. The identifier of the MT/client is the client/MT address and can be a physical (PHY) address, the MAC address or the IP address of the MT/client. The mapping is stored in the AP.
The local server then generates a web page 235 and sends the generated web page to the MT/client. The page includes embedded information and a request for the MT/client to select an AS. The embedded information can include the unique data. After receiving the web page, the MT/client transmits an authentication user input message 240, which includes the session ID, to the AS. The AS responds by sending an authentication entry page 245 to the MT/client, requesting authentication information from the MT/client. The MT/client responds to the authentication entry request by providing its credentials 250 to the AS. Once the AS authenticates the MT/client, an authentication message 255, including a redirection header, is sent to the MT/client. The authentication message may also include an embedded digital signature, authentication parameters and at least a portion of the unique data. The MT/client responds to the authentication message by retrieving the redirected URL 265 and sending it, including the embedded digital signature, the authentication parameters and the session ID, to the AP. The AP creates a local digital signature 270 using the embedded information from the retrieved, redirected URL and the stored mapping, and then compares the locally generated digital signature with the digital signature generated by the AS. When the two digital signatures match, access to the network is granted. When the two digital signatures do not match, access to the network is denied.
In accordance with an aspect of the invention, with reference to Figure 3 (together with the system of Figures 1 and 2), a method according to the present invention is shown for improving the security of a mobile terminal 140 in a WLAN environment 124 (for example, a public hot spot), which redirects the browser request 205 from the mobile user to the local web server 120 of the WLAN 124. The local server 120 receives the redirected browser request 220, obtains an identifier "a", such as the MAC address 138 associated with the mobile terminal 140, and generates a unique session ID (SID) 215 together with a random number "r". It should be noted that the term random number as used herein includes any random number, pseudo-random number or any number generated in a way that provides at least a minimum degree of randomness. Various mechanisms are known for generating such numbers, the details of which are omitted for brevity. The WLAN 124 maintains a mapping between the session ID 215, the MAC address 138 "a" and the random number "r" of the mobile terminal 140, and stores a mapping M associating the session ID 215, the address 138 "a" and the random number "r" in memory (for example, a lookup table, cache, RAM, flat files, etc.). The address acts as an identifier for the client and can be a physical (PHY) address, a MAC address or an IP address.
In one configuration, the local server 120 generates a web page 235, which asks the user of the mobile terminal 140 to select a virtual operator, and embeds the session ID 215 and the random number "r" within the web page 235 for transmission. This can be achieved, for example, by embedding the session ID and the random number "r" in the URL associated with the login button that initiates the HTTPS session with the authentication server 150. After the web page 235 is sent to the MT, the user makes the appropriate selection of the authentication server, and the authentication request 240 is sent, with the user input that includes the session ID (SID) 215 and the random number "r" embedded in the request, through HTTPS to the selected authentication server 150. More particularly, the mobile terminal responds by following the URL associated with a login button to initiate the HTTPS session with the authentication server 150, whereby the MT sends an authentication request 240, having the session ID 215 embedded in the request, via HTTPS to the authentication server 150.
In response, the authentication server 150 processes the request and sends the MT an authentication input page 245 that requests the authentication information. The user then enters certain authentication parameters or credentials 250 (e.g., the username and password) and submits them to the authentication server 150 via HTTPS. The authentication server then receives the authentication credentials 250 from the MT and authenticates the user based on the received information and the trust relationship with the MT. The authentication server generates an acquisition code 255 that includes the associated information (e.g., authentication information) important for MT access. This information is provided as a list of parameters "p" for the access network or the WLAN.
The parameter list "p", together with the random number "r" and the session ID 215, are put together (for example, concatenated, juxtaposed or combined in another way) and digitally signed by the AS. Such a digital signature can be made, for example, by using the private key of the server or a shared or consolidated key between the authentication server and the WLAN. The resulting digital signature from the AS is designated as "g". The AS in turn returns a redirection header 260 to the MT to redirect the user's browser to a URL at the WLAN AP. The parameter list "p", the session ID SID and the digital signature "g" are embedded in the URL from the AS and sent to the MT. In one configuration, the redirection header can be a real HTTP header. In another configuration, the redirection header can be an "http-equiv" directive in the returned HTML page.
In response to the HTTP redirection, the web browser of the MT tries to retrieve the redirected URL 265, with the MT sending the parameter list "p", the SID 215 and the digital signature "g" to the WLAN 124. In response to the information (redirected URL) 265 received from the MT, the WLAN uses the SID to retrieve the random number "r" and the identifier "a" from the stored mapping data. More particularly, the local server 120 receives the SID sent in the redirected URL request from the MT and uses the SID together with the stored mapping data M, which also contains the SID, to determine the corresponding random number "r" and the address or identifier "a" of the mobile communications device. The WLAN then puts together the parameter list "p" received from the MT, the random number "r" recovered from the stored mapping data and the SID, following the same method that was used by the AS when generating the digital signature "g", in order to generate its own local digital signature (270). The WLAN then compares the received digital signature "g" with the locally generated digital signature.
The parameter list "p" will be accepted and access to the WLAN will be allowed only when the received digital signature "g" and the locally generated digital signature are determined to be the same (275). Several steps, such as changing the traffic filtering rules, can then be taken with respect to the identifier "a" (the address) of the MT. The access control mechanism described above allows authentication and access to the network for a mobile terminal without the need to maintain two (or more) separate secure communication sessions.
It should be understood that the form of this invention as shown is only a preferred embodiment. For example, although the embodiments described relate to a WLAN access system, the aforementioned system and method can be applied in any access network, whether wired or wireless. In addition, it should be understood that the present invention can reside in the program storage medium that restricts the operation of the associated processors, and in the method steps that are taken by the cooperative operation of the processors on the messages within the communications network. These processes can exist in a variety of forms having elements that are more or less active or passive. For example, they can exist as software programs composed of program instructions in source code, object code, executable code or other formats. Any of the above may be incorporated into a computer readable medium, which includes storage devices and signals, in compressed or uncompressed form. Exemplary computer-readable storage devices include a computer system's RAM (random access memory), ROM (read-only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), flash memory and optical or magnetic discs or tapes.
Exemplary computer-readable signals, whether modulated with the use of a carrier or not, are signals that a compliance system running the computer program can be configured to provide access, including signals downloaded from the Internet or from other networks. Examples of the above include the distribution of a program on a CD ROM or through an Internet download. The same applies to computer networks in general. In the form of processes and devices implemented with digital processors, the associated programming means and the computer program code are loaded and executed by a processor, or can be referenced by a processor that is programmed in another way, to restrict the operations of the processor and / or other peripheral elements that cooperate with the processor. Due to such programming, the processor or computer becomes an apparatus that practices the method of the invention as well as the modalities thereof. When implemented in a general-purpose processor, segments of the computer program code configure the processor to create specific logic circuits. Such variations of the medium carried by the program and in the different configurations by means of which switching, control and computing elements can be coupled are within the scope of the present invention. Changes can be made in the functions and arrangements of parts, equivalent means of those illustrated and described here can be substituted and certain features can be used independently without departing from the spirit and scope of the invention as defined in the appended claims.
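The exchange of Figure 3 described above, written out in Python as an added example that is not part of the patent text: the AP stores the mapping M, the AS signs "p", "r" and the SID, and the AP recomputes the signature from the redirected URL. Assumptions not specified by the patent: the shared-key option implemented with HMAC-SHA256, length-prefixed joining of the three fields, the query parameter names `p`, `sid` and `g`, the host `ap.wlan.example`, and deletion of the mapping entry after a successful match.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. Assumption: the AS and the WLAN share a symmetric key
# (the text also allows the AS private key; that variant is not shown here).
SHARED_KEY = b"constructed-demo-key"
AP_URL = "http://ap.wlan.example/authdone"   # hypothetical AP endpoint


def sign(key, p, r, sid):
    """Signature over p, r and SID. Each field is length-prefixed so two
    different (p, r, SID) triples can never yield the same signed bytes."""
    msg = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in (p, r, sid)
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def as_redirect_url(key, ap_url, sid, r, p):
    """AS side (255/260): once the credentials check out, sign (p, r, SID)
    and build the URL the browser is redirected to. Only p, SID and g are
    placed in the URL; r is not, the AP recovers it from its mapping."""
    g = sign(key, p, r, sid)
    return ap_url + "?" + urlencode({"p": p, "sid": sid, "g": g})


class AccessPoint:
    """AP and local server combined (the text allows them to be co-located)."""

    def __init__(self, key):
        self._key = key
        self._mapping = {}     # M: SID -> (identifier a, random number r)
        self.allowed = set()   # identifiers whose traffic filter is open

    def start_session(self, a):
        """Step 215: generate SID and r for client identifier a, store M."""
        sid = secrets.token_urlsafe(16)
        r = secrets.token_urlsafe(16)
        self._mapping[sid] = (a, r)
        return sid, r

    def handle_redirect(self, url):
        """Steps 265-275: look up (a, r) by SID, recompute the signature
        locally and compare it with the received g."""
        query = parse_qs(urlsplit(url).query)
        try:
            p, sid, g = query["p"][0], query["sid"][0], query["g"][0]
        except KeyError:
            return False                      # a required field is missing
        entry = self._mapping.get(sid)
        if entry is None:
            return False                      # unknown or already used SID
        a, r = entry
        local = sign(self._key, p, r, sid)
        # Constant-time comparison of received and locally generated values.
        if not hmac.compare_digest(local.encode(), g.encode()):
            return False
        del self._mapping[sid]                # assumption: one use per SID
        self.allowed.add(a)                   # e.g. change filtering rules
        return True


def run_demo():
    ap = AccessPoint(SHARED_KEY)
    mac = "02:00:00:aa:bb:cc"                 # constructed identifier "a"
    sid, r = ap.start_session(mac)
    p = "user=alice;plan=day-pass"            # constructed parameter list "p"
    url = as_redirect_url(SHARED_KEY, AP_URL, sid, r, p)
    forged = as_redirect_url(b"not-the-shared-key", AP_URL, sid, r, p)
    tampered = url.replace("plan%3Dday-pass", "plan%3Dmonth-pass")
    return {
        "tampered_p": ap.handle_redirect(tampered),
        "wrong_key": ap.handle_redirect(forged),
        "valid": ap.handle_redirect(url),
        "replay": ap.handle_redirect(url),
        "allowed": sorted(ap.allowed),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because "r" never leaves the AP in the redirected URL, a client that alters "p" or presents a signature made without the key cannot produce a matching value, and the access decision is applied to the stored identifier "a" rather than to anything the client sends.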

Claims (25)

1. A method to control access to a network, the method is characterized in that it comprises: receiving, by the access point (AP) of the network, a request for access to the network, the request is transmitted by a client; redirect, by the AP, the request for access to a local server; associate the unique data with a customer identifier and store a copy of the association in the AP; generate a network page by the local server, which requests that the client select an authentication server (AS) and that includes the unique data and sends the generated network page to the client; transmit the authentication request to the selected authentication server; receive a response to the authentication request from the selected authentication server.
2. The method according to claim 1, characterized in that the network is a wireless local area network (WLAN).
3. The method according to claim 1, characterized in that it further comprises: sending the client identifier from the local server; and generate the unique data for the client by the local server.
4. The method according to claim 1, characterized in that it further comprises: retrieving, by the client, a re-addressed URL that has incorporated data that includes a first digital signature, authentication parameters and unique data, and sending the re-addressed URL to the AP; creating, by the AP, a second digital signature with the use of the authentication parameters, the unique data and the identifier; comparing, by the AP, the first digital signature with the second digital signature; determining, by the AP, whether there is a match between the first digital signature and the second digital signature; and performing, by the AP, one of granting access to the network and denying access to the network based on the match determination.
5. The method according to claim 1, characterized in that the unique data includes a session ID and a random number.
6. The method according to claim 1, characterized in that the identifier is a customer address.
7. The method according to claim 1, characterized in that the step of authenticating also comprises: processing by the AS, the authentication request, wherein the authentication request includes a session ID incorporated in the authentication request; respond to the authentication request when sending the client by the AS, an authentication entry page, the authentication entry page includes a request for the authentication information; and receiving, by the AS, the client authentication credentials, wherein the response to the authentication request sent to the client includes a re-address header and an acquisition code and the associated information important for accessing the network by the client.
8. The method according to claim 7, characterized in that the sending step also comprises, generating by the AS, the acquisition code and the associated information includes a first digital signature and authentication parameters.
9. The method according to claim 5, characterized in that the random number is one of a random number and a pseudo-random number.
10. The method according to claim 1, characterized in that the identifier is one of a physical address (PHY) of the client, a MAC address of the client and an IP address of the client.
11. The method according to claim 1, characterized in that the AP and the local server are co-located.
12. The method according to claim 4, characterized in that the first and second digital signatures are generated with the use of an AS private key and a shared key between the AS and the local server.
13. The method according to claim 4, characterized in that the second digital signature is generated locally by the AP.
14. A system for controlling access to a network, characterized in that it comprises: a client; an access point (AP) coupled with the local server (LS) to transmit network communications to and from the client; and an authentication server for carrying out an authentication process in response to a request from the client; wherein: the AP, in response to a re-directed request for access to the network from the client, associates the unique data with a customer identifier and stores a copy of the association; the LS transmits the unique data to the client; the authentication server, after authenticating the client with the use of the unique data, operates to provide a re-address header for client access, which includes a digitally signed authentication message and authentication parameters corresponding to the unique data; and the AP receives the re-directed, retrieved, digitally signed URL and the authentication parameters from the client, and the AP also correlates the authentication parameters with the copied association data to determine access to the network based on the results of the correlation.
15. The system according to claim 14, characterized in that the network is a wireless local area network (WLAN) comprising an access point and a local server.
16. The system according to claim 14, characterized in that the local server generates a network page that requests the client to select an authentication server, and incorporates the unique data in the network page for transmission to the client.
17. The system according to claim 14, characterized in that the client identifier is one of a physical address, a MAC address and an IP address, and wherein the unique data comprises a session ID and a random number.
18. The system according to claim 17, characterized in that the session ID and the random number are generated by a local server.
19. The system according to claim 17, characterized in that the authentication server receives the user's credential information from the client and provides a digitally signed authentication message, which includes authentication parameters that use the unique data, through HTTPS to the client through the re-address header.
20. The system according to claim 19, characterized in that the AP, in response to receiving the digitally signed authentication message redirected from the client, which includes the authentication parameters and at least a portion of the client's unique data, generates a local digital signature with the use of the received portion of unique data and copies the stored data together with the authentication parameters, and compares the local digital signature with the digitally signed authentication message to determine access to the network by the client.
21. The system according to claim 14, characterized in that the re-address header also comprises a means for re-directing a client browser to a URL in the network, and embedding in the URL the digitally signed authentication message, the authentication parameters and a portion of the unique data.
22. The system according to claim 15, characterized in that the AP and the LS are co-located.
23. The method according to claim 1, characterized in that it further comprises: in the authentication server, authenticating the client with the use of the unique data, and sending the response to the client with the use of the re-address header, including a digitally signed authentication message and the authentication parameters corresponding to the unique data; and the access point receives from the client, in accordance with the re-address header, the digitally signed authentication message and the authentication parameters and correlates the authentication parameters with the copied association data to determine access to the network.
24. The method according to claim 1, characterized in that the unique data comprises a session ID and a random number and also comprises: receiving, by the AP, a request re-directed from the client and including the digitally signed authentication message, a list of authentication parameters, and the session ID, the digitally signed authentication message being generated with the use of a random number, the session ID and the list of authentication parameters, by the selected authentication server associated with the client; and correlating the digitally signed authentication message received with the re-address request for access with the use of the stored copied data to control the client's access to the network.
25. The method according to claim 24, characterized in that the AP and the LS are co-located.
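The AP-side check described in claims 20 and 24, as an added example that is not part of the patent text: the AP looks up the stored session ID mapping, recomputes a local signature over the random number, session ID and parameter list, and compares it with the one relayed by the client. Assumptions: HMAC-SHA256 under the shared AS/local-server key stands in for the signature scheme, which the claims do not specify; the AP and LS are co-located; all names, keys and sample values are constructed.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"  # assumption: key shared by AS and local server

def sign(key: bytes, session_id: str, nonce: str, params: dict) -> str:
    """MAC over session ID, random number and the sorted parameter list."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    fields = [session_id, nonce] + [f"{k}={v}" for k, v in sorted(params.items())]
    for field in fields:
        data = field.encode()
        # Length prefix keeps bytes from sliding between adjacent fields.
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

class AccessPoint:
    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session ID -> (client identifier, random number)

    def start_session(self, client_id: str):
        """First redirected request: bind fresh unique data to the client identifier."""
        session_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self._sessions[session_id] = (client_id, nonce)
        return session_id, nonce

    def admit(self, client_id: str, session_id: str, params: dict, signature: str) -> bool:
        """Redirect back from the AS: correlate, recompute locally, compare."""
        entry = self._sessions.get(session_id)
        if entry is None or entry[0] != client_id:
            return False  # unknown session, or presented by a different identifier
        del self._sessions[session_id]  # single use, so a replayed URL is rejected
        local = sign(self._key, session_id, entry[1], params)
        return hmac.compare_digest(local.encode(), signature.encode())

def demo() -> dict:
    ap = AccessPoint(SHARED_KEY)
    client = "02:00:00:00:00:01"  # constructed MAC address used as the identifier
    params = {"user": "alice", "lifetime": "3600"}  # constructed parameter list
    sid, nonce = ap.start_session(client)
    sig = sign(SHARED_KEY, sid, nonce, params)  # what the AS would return
    first = ap.admit(client, sid, params, sig)
    replay = ap.admit(client, sid, params, sig)
    sid, nonce = ap.start_session(client)
    sig = sign(SHARED_KEY, sid, nonce, params)
    tampered = ap.admit(client, sid, dict(params, lifetime="86400"), sig)
    return {"first": first, "replay": replay, "tampered": tampered}

if __name__ == "__main__":
    print(demo())
```

Because the random number never has to travel back to the AP, a client that alters the parameter list or reuses an old redirect URL cannot produce a matching signature without the shared key.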
MXPA/A/2006/001088A 2003-07-29 2006-01-27 System and method for controlling access to a network using redirection MXPA06001088A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US60/490,687 2003-07-29

Publications (1)

Publication Number Publication Date
MXPA06001088A (en) 2006-10-17
