SE519072C2 - Method of access control in mobile communications - Google Patents

Method of access control in mobile communications

Info

Publication number
SE519072C2
Authority
SE
Sweden
Prior art keywords
policy
mobile
communication system
password
service provider
Prior art date
Application number
SE0200061A
Other languages
Swedish (sv)
Other versions
SE0200061L (en)
SE0200061D0 (en)
Inventor
Jonas Eriksson
Rolf Kaawe
Original Assignee
Telia Ab
Application filed by Telia Ab
Priority to SE0200061A
Publication of SE0200061D0
Priority to AU2002359203A
Priority to EP02793724A
Priority to PCT/SE2002/002424
Publication of SE0200061L
Publication of SE519072C2
Priority to NO20042773A


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present invention relates to a method in a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access from a mobile terminal to a service at a service provider requires a password. The method includes the steps of: - electronically sending a password policy from a service provider, or from a certificate authority appointed by it, to a mobile unit; - electronically receiving said policy in the mobile unit, and handling and configuring the password associated with said service provider according to the rules specified in that policy. The method also includes that the mobile unit, or a dedicated gateway, authenticates and authorizes the sender of the policy in order to prevent illegitimate use of the ability to change a policy.

Description

... before distribution of these units.

Both mobile operators and banks are interested in, and are working to develop, solutions in which a user can be authenticated (verified to hold the identity claimed) and can create non-repudiable digital signatures with his or her mobile unit. Typically the mobile unit is a mobile phone with one or more so-called smart cards. The mobile unit (or, as a rule, a smart card in the mobile unit) in turn contains one or more private keys, which become useful for authentication and non-repudiation only once a CA (Certificate Authority) has issued a certificate attesting that a specific user holds these private keys.

Use of the private keys is almost always protected by a password, which users are often able to change or choose themselves. In many cases the CA has views on which rules should govern the passwords a user is allowed to choose. The CA then has what may be called a password policy.

The password policy may, for example, contain rules on length, permitted characters and update interval. Such a policy could previously be applied only where it was already clear, when the card was issued, which CA would issue certificates bound to the keys on the card. In the mobile case the smart card will often be distributed to the user before anyone knows which CA will issue certificates bound to the key pairs on the card, so the method of loading the CA's password policy onto the card before it is distributed to the user is not applicable.

SUMMARY OF THE INVENTION

The object of the invention is to provide a method for electronically distributing a password policy over a mobile communication system to a mobile unit so that said policy can immediately be applied in the mobile unit or in an add-on unit. The invention thus comprises a method in a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access from a mobile terminal to a service at a service provider requires a password. The method comprises the steps of: - electronically sending a password policy from a service provider, or from a certificate authority designated by it, to a mobile unit; - electronically receiving said policy in the mobile unit, and handling and configuring passwords associated with said service provider according to the rules specified in the policy sent by the service provider or its designated certificate authority.

The method also includes that the mobile unit, or a dedicated gateway, authenticates and authorizes the sender of the policy in order to prevent illegitimate use of the ability to change a policy.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is described in more detail below with reference to the accompanying drawings, in which: Figure 1 shows an administration path for PIN policy according to one embodiment of the invention, Figure 2 shows an administration path for PIN policy according to another embodiment of the invention, and Figure 3 shows a flow chart of a method according to the invention.

Figures 4A and 4B schematically show the placement of the authentication and authorization units according to two embodiments of the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

One embodiment of the invention concerns a method for distributing a password policy, in the form of a PIN policy for cryptographic keys in mobile units, "over-the-air", i.e. via the communication system in which the unit is intended to operate.

The keys are typically stored in a "tamper-resistant" device/smart card in the mobile unit, but this is not necessary. The cryptographic keys are typically the private keys of asymmetric key pairs. The cryptographic keys, or the unit in which they are generated, have been distributed to the user before it is known which party will issue certificates binding the user to a particular key pair.

When a CA is to issue a certificate, the user is bound to a private key in the usual way via an "over-the-air proof-of-possession" procedure. Before, after or during this procedure the CA distributes its PIN policy via the cellular mobile communication system to the mobile unit holding the private key. An application in the mobile unit ensures that the PIN policy takes effect and forces the user to choose a PIN code that complies with the policy in order to use the certified key.

Figure 1 illustrates the flow:
1. CA 101 has decided to distribute its PIN policy to a particular mobile unit.
2. CA 101 addresses the PIN policy to a particular mobile unit and a particular private key in the mobile unit 115 and sends it to a gateway 105 provided for the purpose. This gateway 105 authenticates CA 101 and decides whether CA 101 is entitled to distribute a PIN policy to the mobile unit 115 (authorization). The gateway 105 is preferably located at the operator of the mobile communication system.
3. Gateway 105 forwards the PIN policy over the mobile communication network 110.
4. The mobile unit 115 receives the PIN policy, verifies that it comes from the mobile operator's gateway 105, and activates the policy for the key in question. If the user already has a PIN code that does not satisfy the policy, he is prompted to choose a new PIN code according to the policy.
5. Alternatively, the next time the user changes the PIN code it must satisfy the requirements of the PIN policy.

Step 1 is preferably preceded by a request from the client/user to the CA for issuance of a client certificate.

In the general case a password policy preferably contains rules on:
- number of characters (min, max)
- forbidden characters
- forbidden character combinations
- the interval at which the password must be changed (e.g. the number of times a password may be used).

The policy may of course be general for all users, but it may also be personalized, e.g. contain checks that a particular user does not use his personal identity number as PIN, etc.

In one embodiment a PIN policy consists of a data structure that is interpreted by an application provided for the purpose in the mobile unit. In another embodiment a PIN policy is realized as an executable application that is sent to the mobile unit; since this gives the sender code execution in the mobile unit, the authentication and authorization of the sender required by the method carry all the more weight in that case. In the first case several PIN policies could conceivably be active at the same time, but some mechanism for resolving conflicting policies is then required.

The mobile unit 115 preferably contains one or more integrated or removable smart cards or some other form of tamper-resistant device. The invention is of course also applicable where the private key is not stored in a tamper-resistant device but in some other way in the mobile unit.

In one embodiment the dedicated gateway mentioned in step 2 is absent (compare Figure 2). Instead CA 201 sends its policy via a general traffic gateway of the mobile communication network (the GGSN for GPRS/UMTS) 210, which has no mechanisms for authenticating and authorizing CA 201. In this embodiment the mechanisms for authentication and authorization are instead implemented in the mobile unit 215.

Figure 3 shows the method steps corresponding to the distribution paths in Figure 1 and Figure 2. The CA creates 310 a policy specification, addresses 320 a mobile unit and addresses 330 a private key within said mobile unit. The specification is then sent 340 over the mobile network, possibly via a dedicated gateway as mentioned above. The specification is received 350 and the sender is authenticated 360 and, where applicable, authorized 370. Depending on the number of intermediate units between the CA and the mobile unit that require their own authentication and authorization, the steps send 340, receive 350, authenticate 360 and authorize 370 are repeated 375. Finally the policy is stored and activated in the mobile station.
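The gateway path of Figure 1 and the step sequence of Figure 3, as an added worked example that is not part of the patent: a Python model in which the CA authenticates its message, the operator gateway authenticates and authorizes the CA for the addressed unit and key, and the handset accepts only what the gateway has re-authenticated and addressed to it. The patent leaves the transport mechanism out of scope, so the shared HMAC keys, the CA and device identifiers, the authorization table and the per-key sequence number (added here as a guard against replaying an older, weaker policy) are all assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed demo material. Assumption: shared HMAC keys stand in for whatever
# secure transport the operator actually deploys; all identifiers are made up.
CA_KEYS = {"CA-A": b"demo-key-ca-a", "CA-B": b"demo-key-ca-b"}   # held by the gateway
GATEWAY_KEY = b"demo-key-operator-gateway"                         # held by gateway and handset
DEVICE = "msisdn:+46700000000"                                     # constructed device address

# Authorization table at the operator gateway: which CA may push a PIN policy
# to which (device, private key) pair. Constructed example data.
AUTHZ = {("CA-A", DEVICE, "key-1")}


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def ca_send(ca_id, device, key_id, seq, policy):
    """Steps 310-340: the CA builds the specification, addresses device and key,
    and sends it with its own authenticator."""
    body = json.dumps({"ca": ca_id, "device": device, "key": key_id,
                       "seq": seq, "policy": policy}, sort_keys=True).encode()
    return {"body": body, "mac": _mac(CA_KEYS[ca_id], body)}


def gateway_forward(msg):
    """Steps 350-370 at the gateway: authenticate the CA (MAC check), authorize it
    for the addressed device and key, then re-authenticate towards the handset.
    Returns None when the message is dropped."""
    req = json.loads(msg["body"])
    ca_key = CA_KEYS.get(req["ca"])
    if ca_key is None or not hmac.compare_digest(msg["mac"], _mac(ca_key, msg["body"])):
        return None                                   # authentication failed
    if (req["ca"], req["device"], req["key"]) not in AUTHZ:
        return None                                   # CA not entitled for this device/key
    return {"body": msg["body"], "gw_mac": _mac(GATEWAY_KEY, msg["body"])}


class Handset:
    """Steps 350-375 repeated in the mobile unit: check the gateway authenticator,
    the addressing and a per-key sequence number, then store and activate (step 4)."""

    def __init__(self, device):
        self.device = device
        self.policies = {}      # key id -> active policy
        self.last_seq = {}      # key id -> highest accepted seq (replay/downgrade guard)

    def receive(self, msg):
        if msg is None:
            return "rejected: dropped by gateway"
        if not hmac.compare_digest(msg["gw_mac"], _mac(GATEWAY_KEY, msg["body"])):
            return "rejected: not from operator gateway"
        req = json.loads(msg["body"])
        if req["device"] != self.device:
            return "rejected: addressed to another device"
        if req["seq"] <= self.last_seq.get(req["key"], 0):
            return "rejected: replayed or stale policy"
        self.policies[req["key"]] = req["policy"]
        self.last_seq[req["key"]] = req["seq"]
        return "activated"


def demo():
    """Happy path plus four rejections; returns the outcome of each."""
    h = Handset(DEVICE)
    good = ca_send("CA-A", DEVICE, "key-1", 1, {"min_len": 6})
    out = {"fresh": h.receive(gateway_forward(good))}
    # Same authenticated message delivered twice: the seq guard refuses it.
    out["replay"] = h.receive(gateway_forward(good))
    # CA-B authenticates fine but is not authorized for this device/key.
    out["unauthorized_ca"] = h.receive(gateway_forward(
        ca_send("CA-B", DEVICE, "key-1", 2, {"min_len": 4})))
    # Policy weakened in transit: the CA's MAC no longer matches.
    tampered = dict(good, body=good["body"].replace(b'"min_len": 6', b'"min_len": 1'))
    out["tampered"] = gateway_forward(tampered)
    # Delivered straight to the handset, bypassing the operator gateway.
    direct = {"body": good["body"], "gw_mac": _mac(b"attacker", good["body"])}
    out["bypass_gateway"] = h.receive(direct)
    out["active"] = h.policies.get("key-1")
    return out


if __name__ == "__main__":
    print(demo())
```

The Figure 2 variant moves the CA check out of the gateway into the handset: there `Handset.receive` would verify the CA's MAC and consult the authorization table itself, while the GGSN just forwards. Either way the point of the sequence number is that a valid, authenticated but older policy must not displace a newer, stricter one.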

In alternative embodiments, parties other than the CA may of course download a PIN policy. In particular, in one embodiment the operator of the mobile communication service is able to download its PIN policy to the mobile units in its network.

PIN policies for purposes other than unlocking/using private keys may of course also be distributed to the mobile unit according to the invention, e.g. PIN codes and passwords for:
- use of symmetric keys
- read/write rights to data files
- GSM
- application execution, etc.

Where several CAs (call them A and B) certify the same key, the following methods are embodiments of the invention:
- Both A and B can download their policy to the mobile unit. Both the policy from CA A and the policy from CA B are applied each time the PIN is changed. This requires a mechanism in the mobile unit for resolving conflicting requirements.

- Both A and B send their policy to the operator of the mobile communication network. The operator creates a "summary" of these rules and decides which policy is finally sent to the mobile unit.

- Both A and B can download their policy to the mobile unit. Separate PINs are used for the same key depending on which of his certificates the user wishes to invoke. The policy from CA A applies when the user invokes his certificate from CA A, and the policy from CA B applies when the user invokes his certificate from CA B.
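The policy rules listed above (length, forbidden characters, forbidden combinations, change interval, personalized checks) and the first two multi-CA variants (both policies applied in the unit, or an operator-side "summary"), as an added worked example that is not part of the patent: a Python policy of the data-structure kind, a checker that reports every violation, and a strictest-wins merge that detects when two issuers' policies cannot both be satisfied. The field names, the regex form of the combination rules and the sample policies from CA-A and CA-B are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class PinPolicy:
    """One issuer's PIN policy as a plain data structure (the first embodiment).
    Field names are this example's choice, not the patent's."""
    issuer: str
    min_len: int = 4
    max_len: int = 12
    forbidden_chars: FrozenSet[str] = frozenset()
    forbidden_patterns: Tuple[str, ...] = ()           # regexes over the PIN
    max_age_days: Optional[int] = None                 # change interval; None = none
    personal_blocklist: FrozenSet[str] = frozenset()   # per-user strings, e.g. personal number


def check_pin(pin, policy, last_changed=None, today=None):
    """Return the list of violations for a proposed PIN; empty means compliant.
    last_changed/today are ISO dates ('2002-01-10') driving the change-interval rule."""
    problems = []
    if not policy.min_len <= len(pin) <= policy.max_len:
        problems.append(f"length must be {policy.min_len}-{policy.max_len}")
    bad = "".join(sorted(set(pin) & policy.forbidden_chars))
    if bad:
        problems.append(f"forbidden characters: {bad}")
    for pat in policy.forbidden_patterns:
        if re.search(pat, pin):
            problems.append(f"forbidden combination: {pat}")
    # Personalized rule: the PIN must not be a fragment of a blocked personal string.
    if any(pin in blocked for blocked in policy.personal_blocklist):
        problems.append("PIN is taken from a blocked personal number")
    if policy.max_age_days is not None and last_changed is not None:
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(last_changed)).days
        if age > policy.max_age_days:
            problems.append(f"PIN is {age} days old, limit is {policy.max_age_days}")
    return problems


def merge_strictest(a, b):
    """Operator-side 'summary' of two issuers' policies: every rule takes the
    stricter value. Returns None when no PIN could satisfy both, which is the
    conflict the mobile unit or operator must resolve some other way."""
    min_len, max_len = max(a.min_len, b.min_len), min(a.max_len, b.max_len)
    if min_len > max_len:
        return None
    ages = [p.max_age_days for p in (a, b) if p.max_age_days is not None]
    return PinPolicy(
        issuer=f"{a.issuer}+{b.issuer}",
        min_len=min_len,
        max_len=max_len,
        forbidden_chars=a.forbidden_chars | b.forbidden_chars,
        forbidden_patterns=a.forbidden_patterns + b.forbidden_patterns,
        max_age_days=min(ages) if ages else None,
        personal_blocklist=a.personal_blocklist | b.personal_blocklist,
    )


# Constructed sample policies from two CAs certifying the same key.
POLICY_A = PinPolicy("CA-A", min_len=4, max_len=8,
                     forbidden_patterns=(r"(.)\1{2,}",),      # no char three times in a row
                     max_age_days=365)
POLICY_B = PinPolicy("CA-B", min_len=6, max_len=12,
                     forbidden_chars=frozenset("0"),
                     max_age_days=90,
                     personal_blocklist=frozenset({"197001011234"}))  # constructed number

if __name__ == "__main__":
    merged = merge_strictest(POLICY_A, POLICY_B)
    for candidate in ("258147", "2581", "011234", "111222"):
        print(candidate, check_pin(candidate, merged))
```

The third variant (a separate PIN per certificate) needs no merge: the unit keeps one `PinPolicy` per (key, issuer) pair and selects by the certificate being invoked. A merge that returns `None` is exactly the case the text says requires a resolution mechanism; an operator "summary" must then reject one policy or go back to the issuers rather than send the unit a rule set no PIN can meet.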

Figures 4A and 4B show how the units for authentication and authorization are arranged in preferred embodiments. Fig. 4A shows an authentication unit 402 and an authorization unit 404 arranged in the gateway 105. Fig. 4B shows an authentication unit 402 and an authorization unit 404 arranged in a mobile unit 115.

In most cases a secure transport mechanism is of course required to transfer a PIN policy from the CA, or other issuer of the policy, to the mobile unit. There are many ways to realize this, but it falls outside the scope of the invention.

The scope of protection of the invention is limited only by the following claims.

Claims (14)

1. A method in a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access via a specific mobile terminal to a specific service at a specific service provider requires a password, characterized in that said method comprises the steps of:
- electronically sending a password policy from a service provider, or from a certificate authority designated by it, to a mobile unit;
- electronically receiving said policy in a mobile unit, and handling and configuring passwords associated with said service provider according to the rules specified in the policy sent by the service provider or its designated certificate authority.

2. A method according to claim 1, characterized by the following steps:
- creating a password policy specification at a service provider or a certificate authority (CA) designated by it,
- producing the address of a mobile unit,
- producing the address of a private key in said mobile unit,
- sending the specification,
- receiving the specification,
- authenticating the CA,
- authorizing the CA,
- storing a policy corresponding to the specification, and
- activating said policy.

3. A method according to claim 1, characterized in that it comprises the following steps:
- creating a password policy specification at a CA,
- producing the address of a mobile unit,
- producing the address of a private key within said mobile unit,
- distributing the policy specification to a gateway for policy download,
- authenticating the CA in said gateway,
- authorizing the CA in said gateway,
- distributing the specification from the gateway to the mobile unit over a mobile communication network,
- receiving the specification,
- verifying that the specification comes from an approved gateway,
- storing a policy corresponding to the specification, and
- activating said policy.

4. A method according to claim 3, characterized in that it further comprises the step of:
- forcing the user to change the password immediately to one that satisfies the new policy.

5. A method according to claim 3, characterized in that it further comprises the step of:
- deferring application of the policy until the next time the user changes the password.

6. A method according to any of claims 1-5, characterized in that said password is a PIN code.

7. A mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access via a specific mobile terminal to a specific service at a specific service provider requires a password, characterized in that said system comprises means for sending a policy specification for passwords from a service provider to a mobile unit.

8. A mobile communication system according to claim 7, characterized in that said system comprises means for receiving a policy specification for passwords in a mobile unit.

9. A mobile communication system according to claim 8, characterized in that means for authenticating a policy sender are arranged in said system.

10. A mobile communication system according to claim 8, characterized in that means for authorizing a policy sender are arranged in said system.

11. A mobile communication system according to claim 7, characterized in that a gateway comprising means for authenticating and authorizing a policy sender is arranged to connect a CA to the mobile communication system and to authorize and authenticate said CA.

12. A mobile communication system according to claim 9 or 10, characterized in that means for authorizing a policy sender are arranged in a mobile unit.

13. A mobile communication system according to any of claims 7-12, characterized in that said policy specification is in the form of a data structure.

14. A mobile communication system according to any of claims 7-12, characterized in that said policy specification is in the form of an executable application.

Priority Applications (5)

Application Number Priority Date Filing Date Title
SE0200061A SE519072C2 (en) 2002-01-10 2002-01-10 Method of access control in mobile communications
AU2002359203A AU2002359203A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
EP02793724A EP1466438A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
PCT/SE2002/002424 WO2003058880A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
NO20042773A NO20042773L (en) 2002-01-10 2004-07-01 Procedure for controlling access rights in mobile communications

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE0200061A SE519072C2 (en) 2002-01-10 2002-01-10 Method of access control in mobile communications

Publications (3)

Publication Number Publication Date
SE0200061D0 SE0200061D0 (en) 2002-01-10
SE0200061L SE0200061L (en) 2003-01-07
SE519072C2 true SE519072C2 (en) 2003-01-07

Family

ID=20286626

Family Applications (1)

Application Number Title Priority Date Filing Date
SE0200061A SE519072C2 (en) 2002-01-10 2002-01-10 Method of access control in mobile communications

Country Status (5)

Country Link
EP (1) EP1466438A1 (en)
AU (1) AU2002359203A1 (en)
NO (1) NO20042773L (en)
SE (1) SE519072C2 (en)
WO (1) WO2003058880A1 (en)

Families Citing this family (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2107756A1 (en) 2008-03-31 2009-10-07 British Telecommunications Public Limited Company Policy resolution
US9137739B2 (en) 2009-01-28 2015-09-15 Headwater Partners I Llc Network based service policy implementation with network neutrality and user privacy
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0354771B1 (en) * 1988-08-11 1995-05-31 International Business Machines Corporation Personal identification number processing using control vectors
US4924514A (en) * 1988-08-26 1990-05-08 International Business Machines Corporation Personal identification number processing using control vectors
US5944824A (en) * 1997-04-30 1999-08-31 Mci Communications Corporation System and method for single sign-on to a plurality of network elements
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
DK174672B1 (en) * 1999-11-09 2003-08-25 Orange As Electronic identification code delivery system

Also Published As

Publication number Publication date
SE0200061L (en) 2003-01-07
AU2002359203A1 (en) 2003-07-24
NO20042773L (en) 2004-09-10
SE0200061D0 (en) 2002-01-10
EP1466438A1 (en) 2004-10-13
WO2003058880A1 (en) 2003-07-17

Similar Documents

Publication Publication Date Title
SE519072C2 (en) Method of access control in mobile communications
US7487357B2 (en) Virtual smart card system and method
CN101421970B (en) Avoiding server storage of client state
US6075860A (en) Apparatus and method for authentication and encryption of a remote terminal over a wireless link
EP1486025B1 (en) System and method for providing key management protocol with client verification of authorization
US6718470B1 (en) System and method for granting security privilege in a communication system
US7362869B2 (en) Method of distributing a public key
KR100990320B1 (en) Method and system for providing client privacy when requesting content from a public server
US8001615B2 (en) Method for managing the security of applications with a security module
CN101129014B (en) System and method for multi-session establishment
US20040148429A1 (en) Method and system for remote activation and management of personal security devices
US20050120248A1 (en) Internet protocol telephony security architecture
CN101014958A (en) System and method for managing user authentication and service authorization to achieve single-sign-on to access multiple network interfaces
CA2475216A1 (en) Method and system for providing third party authentification of authorization
US20110213959A1 (en) Methods, apparatuses, system and related computer program product for privacy-enhanced identity management
WO2013007525A1 (en) Method and system to share or storage personal data without loss of privacy
RU2007138849A (en) NETWORK COMMERCIAL TRANSACTIONS
WO2006112761A1 (en) Method and system for electronic reauthentication of a communication party
EP1075748B1 (en) Method, arrangement and apparatus for authentication
CN112565294B (en) Identity authentication method based on block chain electronic signature
JP4607602B2 (en) How to provide access
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
EP0645688A1 (en) Method for the identification of users of telematics servers
HUE029848T2 (en) Method and equipment for establishing secure connection on a communication network
EP3685563A1 (en) Method for configuring user authentication on a terminal device by means of a mobile terminal device and for logging a user onto a terminal device

Legal Events

Date Code Title Description
NUG Patent has lapsed