WO2004016010A1 - Identity protection in a lan-universal radiotelephone system - Google Patents

Identity protection in a lan-universal radiotelephone system Download PDF

Info

Publication number
WO2004016010A1
WO2004016010A1 PCT/US2003/025129 US0325129W WO2004016010A1 WO 2004016010 A1 WO2004016010 A1 WO 2004016010A1 US 0325129 W US0325129 W US 0325129W WO 2004016010 A1 WO2004016010 A1 WO 2004016010A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless
network
wireless terminal
mobile
terminal
Prior art date
Application number
PCT/US2003/025129
Other languages
French (fr)
Other versions
WO2004016010B1 (en
Inventor
Shaily Verma
Charles Chuanming Wang
Junbiao Zhang
Guillaume Bichot
Original Assignee
Thomson Licensing S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thomson Licensing S.A. filed Critical Thomson Licensing S.A.
Priority to MXPA05001666A priority Critical patent/MXPA05001666A/en
Priority to AU2003259755A priority patent/AU2003259755A1/en
Priority to US10/524,183 priority patent/US7065358B2/en
Priority to BR0305740-2A priority patent/BR0305740A/en
Priority to EP03785189A priority patent/EP1530883B1/en
Priority to JP2004528038A priority patent/JP4280235B2/en
Publication of WO2004016010A1 publication Critical patent/WO2004016010A1/en
Publication of WO2004016010B1 publication Critical patent/WO2004016010B1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/75Temporary identity

Definitions

  • This invention relates to a technique for protecting the identity of the user of a mobile wireless terminal upon a transition from one wireless network to another.
  • wireless LANs offer users access to a private data network, such as a Corporate Intranet, or a public data network such as the Internet. Few if any publicly accessible wireless LAN's offer any type of telephone service, let alone, wireless telephony service. Presently, users seeking wireless telephony service typically subscribe to one of many providers of such service.
  • GPRS General Packet Radio Service
  • UMTS Universal Mobile Telecommunications System
  • 3GPP 3rd Generation Partnership Project
  • the UMTS standard proposes transmission rates as high as 2 Mbps.
  • the relatively low cost to implement and operate a wireless LAN, as well as the available high bandwidth makes the wireless LAN a preferred access mechanism, even as compared to a UMTS network.
  • mobile wireless terminal users will often seek to transition to a wireless LAN when such service is available. When wireless LAN service becomes no longer available, the user will transition back to the wireless telephony network.
  • a user seeking access to a wireless telephony network receives a temporary identity, known as a Packet Temporary Mobile Subscriber Identity (P-TMSI).
  • P-TMSI Packet Temporary Mobile Subscriber Identity
  • VLR Visited Location Register attached to Serving GPRS Support Node
  • SGSN in the wireless telephony network maintains a copy of the user's P-TMSI.
  • the SGSN maps the P-TMSI to a permanent identity, known as the International Mobile Subscriber Identity (IMSI).
  • IMSI International Mobile Subscriber Identity
  • the wireless telephony network will assign the user a different P-TMSI if a long interval has elapsed since a previous identification.
  • a method for identifying the user of a mobile wireless terminal upon transitioning from a first wireless network to a second wireless network commences upon receipt in the second network of a request for identification from the user upon a transition to that network.
  • the identification request includes a temporary identifier previously supplied by the mobile wireless terminal to identify itself in the first wireless network. From the identification request, an identification is made of a node in the first network last accessed by the mobile wireless terminal. Upon identifying the last- accessed node, the identification request received in the second network is forwarded to the last-accessed node in the first network, which in turn, verifies the user's permanent identity from the temporary identifier.
  • Such verification information is then returned to the second network, which in response, grants access to the user upon successful user verification.
  • the user By sending a temporary identity to identify itself in the second network, the user avoids the need to send its permanent identity during the network transition, which could be intercepted resulting in a breach of security.
  • FIGURE 1 illustrates a block schematic diagram of a wireless telephony network interworked with a wireless LAN for providing communication service to a mobile wireless terminal.
  • FIGURE 1 depicts an illustrative embodiment of a wireless telephony network 12 interworked with a wireless Local Area Network (LAN) 14 to provide -communications service to a mobile wireless terminal 16 in accordance with the present principles.
  • the mobile wireless terminal 16 will attach itself to the wireless telephony network 12 to obtain voice and/or data services.
  • the user of mobile wireless terminal 16 often will transition from the wireless telephony network 12 to the wireless LAN 14 upon entering the coverage area of the later. A reverse transition occurs when the user leaves the wireless LAN for the wireless telephony network.
  • the wireless telephony network 12 has the architecture proposed in the "Universal Mobile Telecommunications System (UMTS) " standard for advanced packet radio service. Accordingly, the wireless telephony network 12 includes at least one Serving GPRS Support Node (SGSN) 18 for authenticating the mobile wireless terminal 16. The SGSN 18 also serves to process packet data for exchange with the mobile wireless terminal 16 while the terminal communicates with the wireless telephony network 12 through a wireless telephony radio network 20.
  • FIG. 1 depicts one wireless telephony radio network 20, the wireless telephony network 12 could include multiple radio networks, each managed by a separate SGSN.
  • a Home Location Register (HLR) 22 in the wireless telephony network 12 stores records of current wireless telephony service subscribers and contains packet domain subscription information as well as location information of which SGSN 18 serves a particular mobile wireless should the wireless telephony network contains more than one SGSN.
  • HLR Home Location Register
  • the wireless telephony network 12 also includes a wireless LAN (WLAN) interworking access server 24 for managing the interface between the wireless LAN 14 and the wireless telephony network.
  • the WLAN interworking access server 24 performs a function similar to the SGSN 18.
  • the WLAN interworking server 24 authenticates the mobile wireless terminal. It may or may not process the packet data depending on whether the data connection needs to go through the wireless telephony network or not.
  • the WLAN interworking access server 24 cooperates with the SGSN 18 to perform secure identification of the mobile wireless terminal 16 upon a transition from the wireless telephony network 12 to the wireless LAN 14 using the P-TMSI provided by the wireless mobile terminal.
  • such identification provides security by obviating the need for the mobile wireless terminal 16 to send a permanent identity.
  • the mobile wireless terminal 16 Upon the very first direct access of the wireless telephony network 12, the mobile wireless terminal 16 will receive a temporary identity, usually referred to as a Packet Temporary Mobile Subscriber Identity (P-TMSI) as part of the registration process.
  • P-TMSI Packet Temporary Mobile Subscriber Identity
  • the terminal Upon each subsequent direct access of the wireless telephony network 12, the terminal will deliver its P-TMSI to the corresponding SGSN 18 through the wireless radio network 20.
  • VLR Visited Location Register
  • the SGSN 18 maps the P-TMSI to the user's permanent identity, referred to as an International Mobile Subscriber Identity (IMSI) to verify the user of the terminal.
  • IMSI International Mobile Subscriber Identity
  • the mobile wireless terminal 16 When accessing the wireless telephony network 12, the mobile wireless terminal 16 uses its temporary identity (P-TMSI) such that its real identity need not cross the radio interface after initial registration. In the case of a handoff from one SGSN to another, the new SGSN receives the P-TMSI from the mobile wireless terminal 16. If the new SGSN does not currently serve the mobile wireless terminal user 16, the new SGSN will query the "old" SGSN. By doing so, the new SGSN will retrieve the address of the "old" SGSN that had previously served the mobile wireless terminal 16 and had last mapped the temporary identity of the terminal to its permanent identity. The new SGSN will request that the old SGSN send back the IMSI associated with the temporary address (P-TMSI) previously supplied by the mobile wireless terminal 16.
  • P-TMSI temporary identity
  • the technique of the present principles makes use of the user identity information (i.e., the P-TMSI) maintained by the last-attached SGSN (e.g., SGSN 18 of FIG. 1) to verify the user's permanent identity in the wireless LAN 14.
  • the user identity information i.e., the P-TMSI
  • the last-attached SGSN e.g., SGSN 18 of FIG. 1
  • the mobile wireless terminal 16 Upon transitioning to the wireless LAN 14, the mobile wireless terminal 16 sends the same identity information it previously sent to the wireless telephony network 12. Such identity information includes the old (i.e., previously sent) P-TMSI, P- TMSI signature and Routing Area Identifier (RAI). As described, the P-TMSI constitutes a temporary user identification. The P-TMSI signature provides verification of the P-TMSI, whereas the RAI distinguishes each SGSN 18 accessible to the mobile wireless terminal 16. Each SGSN 18, as well as the WLAN interworking access server 24, has its own unique RAI. Heretofore, the
  • the WLAN interworking access server 24 has its own RAI, so the server appears simply as another SGSN. In this way, the WLAN interworking access server 24 can query an old SGSN with a P-TMSI received from the mobile wireless terminal 16 for the purpose of obtaining the
  • the wireless LAN 14 Upon receipt of the identity information (i.e., the P-TMSI, P-TMSI signature, and RAI), the wireless LAN 14 forwards such information to the WLAN interworking access server 24 in the wireless telephony network 12. From such identity information, the WLAN interworking access server 24 first determines the identity of the old SGSN 18 previously accessed by the mobile wireless terminal 16 immediately prior to transitioning to the wireless LAN 14. Typically, the WLAN interworking access server 24 identifies the old SGSN by finding its address through an association with the old Routing Area in the RAI supplied by the mobile wireless terminal 16. Typically, the WLAN interworking access server 24 knows the address of each SGSN in the wireless telephony network 12 via the HLR 22. In the event that the WLAN interworking access server 24 does not know the address of the old SGSN 18, the server can acquires the address from a Domain Naming System (DNS) server (not shown) using a logical address provided by the mobile wireless terminal 16.
  • DNS Domain Naming System
  • the WLAN interworking access server 24 After identifying the old SGSN 18, the WLAN interworking access server 24 then sends the P-TMSI, P-TMSI signature and RAI to the old SGSN 18 to request the user's IMSI. 4. In response to the request from the WLAN interworking access server 24, the old SGSN 18 maps the P-TMSI to the IMSI. In this way, the old SGSN provides an identification response that includes both the IMSI and appropriate authentication vectors to identify the mobile wireless terminal 16. If unable to identify the mobile wireless terminal 16, the old SGSN 18 provides an appropriate error message.
  • the wireless LAN 14 After establishing the user's identity from the mapping performed by the old SGSN 18, the wireless LAN 14 will verify that the user of the mobile wireless terminal 16 constitutes a valid user and is entitled to use the Wireless LAN.
  • the WLAN interworking access server 24 serves as "old" SGSN. Upon request, it sends an identification response to a new SGSN in the wireless telephony network to which the user terminal is being attached.
  • the identification and verification technique of the present principles affords the advantage of providing secure user identification while minimizing repeated access of the HLR 20 by the WLAN interworking access server 24. Instead of broadcasting a permanent wireless LAN identifier easily intercepted by others, the identification technique of the present principles makes use of the secure identification process of the wireless telephony network 12. Thus, the identity of the user of the mobile wireless terminal 16 remains protected upon a transition from the wireless telephony network 12 to the wireless LAN 14.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A mobile wireless terminal (16), upon transitioning from a wireless telephony network (12) to a wireless Local Area Network (LAN) (14), seeks identification by sending the same identity information used for identification in the wireless telephony network. Upon receipt of the identity information, a wireless LAN Access Server (24) in the wireless telephony network identifies a Serving General Packet Radio Service Serving Node (SGSN) (18) that had last served the wireless terminal in the wireless telephony network prior to transition. The wireless LAN Access Server forwards the identity information to the SGSN, which, in turn, provides an identification response for validating the terminal.

Description

USER IDENTITY PROTECTION IN A WIRELESS LAN-UNIVERSAL MOBILE TELEPHONE SYSTEM INTERWORKING ARRANGEMENT
CROSS REFERENCE TO RELATED APPLICATION
This application claims priority under 35 U.S.C. 119(e) to U.S. Provisional Patent Application Serial No 60/403,159, filed August 13, 2002, the teachings of which are incorporated herein.
TECHNICAL FIELD
This invention relates to a technique for protecting the identity of the user of a mobile wireless terminal upon a transition from one wireless network to another.
BACKGROUND ART
Advances in the field of wireless LAN technology has led to the availability of relatively inexpensive wireless LAN equipment, which, in turn, has resulted in the emergence of publicly accessible wireless LANs {e.g., "hot spots") at rest stops, cafes, libraries and similar public facilities. Presently, wireless LANs offer users access to a private data network, such as a Corporate Intranet, or a public data network such as the Internet. Few if any publicly accessible wireless LAN's offer any type of telephone service, let alone, wireless telephony service. Presently, users seeking wireless telephony service typically subscribe to one of many providers of such service. Today's wireless telephony service providers not only offer voice calling but also offer General Packet Radio Service (GPRS) to enable the exchange data packets via a mobile wireless terminal. While GPRS exists in many areas, data transmission rates typically do not exceed 56 Kbps and the costs to wireless network service providers to support this service remain high, making GPRS expensive.
To provide enhanced data communications, efforts are underway to establish new standards for wireless telephony. One such effort is the proposed "Universal Mobile Telecommunications System (UMTS) " standard specified by the 3rd Generation Partnership Project (3GPP) for advanced packet radio service in wireless telephony networks. The UMTS standard proposes transmission rates as high as 2 Mbps. However, the relatively low cost to implement and operate a wireless LAN, as well as the available high bandwidth (usually in excess of 10 Megabits/second) makes the wireless LAN a preferred access mechanism, even as compared to a UMTS network. Given the advantage of lower cost and higher bandwidth, mobile wireless terminal users will often seek to transition to a wireless LAN when such service is available. When wireless LAN service becomes no longer available, the user will transition back to the wireless telephony network.
Access to the wireless telephony network and the wireless LAN both require user identification and verification. From the perspective of the network operator, revenue generation depends on reliable user identification and verification. Absent correct user identification and validation, the network operator will likely be unable to bill for such services. From the user's perspective, identification and verification should occur in a manner that safeguards against identity fraud. Thus, user identification should not occur in a manner that would allow others to make improper use of such information.
Presently, a user seeking access to a wireless telephony network receives a temporary identity, known as a Packet Temporary Mobile Subscriber Identity (P-TMSI). Typically, a Visited Location Register (VLR) attached to Serving GPRS Support Node
(SGSN) in the wireless telephony network maintains a copy of the user's P-TMSI. The SGSN maps the P-TMSI to a permanent identity, known as the International Mobile Subscriber Identity (IMSI). To avoid compromising the user's identity, the wireless telephony network will assign the user a different P-TMSI if a long interval has elapsed since a previous identification.
Current wireless LANs lack secure user identification and verification mechanisms. A potential security risk currently exists for users seeking to transition to a wireless LAN from a wireless telephony network.
Thus, there is a need for a technique for protecting the identity of a user when transitioning from one wireless network to another. BRIEF SUMMARY OF THE INVENTION
Briefly, in accordance with a preferred embodiment of the present principles, there is provided a method for identifying the user of a mobile wireless terminal upon transitioning from a first wireless network to a second wireless network. The method commences upon receipt in the second network of a request for identification from the user upon a transition to that network. The identification request includes a temporary identifier previously supplied by the mobile wireless terminal to identify itself in the first wireless network. From the identification request, an identification is made of a node in the first network last accessed by the mobile wireless terminal. Upon identifying the last- accessed node, the identification request received in the second network is forwarded to the last-accessed node in the first network, which in turn, verifies the user's permanent identity from the temporary identifier. Such verification information is then returned to the second network, which in response, grants access to the user upon successful user verification. By sending a temporary identity to identify itself in the second network, the user avoids the need to send its permanent identity during the network transition, which could be intercepted resulting in a breach of security.
BRIEF DESCRIPTION OF THE DRAWING
FIGURE 1 illustrates a block schematic diagram of a wireless telephony network interworked with a wireless LAN for providing communication service to a mobile wireless terminal.
DETAILED DESCRIPTION
FIGURE 1 depicts an illustrative embodiment of a wireless telephony network 12 interworked with a wireless Local Area Network (LAN) 14 to provide -communications service to a mobile wireless terminal 16 in accordance with the present principles. In practice, the mobile wireless terminal 16 will attach itself to the wireless telephony network 12 to obtain voice and/or data services. However, for higher speed, lower cost data access, the user of mobile wireless terminal 16 often will transition from the wireless telephony network 12 to the wireless LAN 14 upon entering the coverage area of the later. A reverse transition occurs when the user leaves the wireless LAN for the wireless telephony network. In the illustrated embodiment, the wireless telephony network 12 has the architecture proposed in the "Universal Mobile Telecommunications System (UMTS) " standard for advanced packet radio service. Accordingly, the wireless telephony network 12 includes at least one Serving GPRS Support Node (SGSN) 18 for authenticating the mobile wireless terminal 16. The SGSN 18 also serves to process packet data for exchange with the mobile wireless terminal 16 while the terminal communicates with the wireless telephony network 12 through a wireless telephony radio network 20. Although FIG. 1 depicts one wireless telephony radio network 20, the wireless telephony network 12 could include multiple radio networks, each managed by a separate SGSN. A Home Location Register (HLR) 22 in the wireless telephony network 12 stores records of current wireless telephony service subscribers and contains packet domain subscription information as well as location information of which SGSN 18 serves a particular mobile wireless should the wireless telephony network contains more than one SGSN.
The wireless telephony network 12 also includes a wireless LAN (WLAN) interworking access server 24 for managing the interface between the wireless LAN 14 and the wireless telephony network. The WLAN interworking access server 24 performs a function similar to the SGSN 18. Thus, the WLAN interworking server 24 authenticates the mobile wireless terminal. It may or may not process the packet data depending on whether the data connection needs to go through the wireless telephony network or not. In accordance with the present principles, the WLAN interworking access server 24 cooperates with the SGSN 18 to perform secure identification of the mobile wireless terminal 16 upon a transition from the wireless telephony network 12 to the wireless LAN 14 using the P-TMSI provided by the wireless mobile terminal. As described in greater detail below, such identification provides security by obviating the need for the mobile wireless terminal 16 to send a permanent identity. Upon the very first direct access of the wireless telephony network 12, the mobile wireless terminal 16 will receive a temporary identity, usually referred to as a Packet Temporary Mobile Subscriber Identity (P-TMSI) as part of the registration process. Upon each subsequent direct access of the wireless telephony network 12, the terminal will deliver its P-TMSI to the corresponding SGSN 18 through the wireless radio network 20. Using its Visited Location Register (VLR) 23, the SGSN 18 maps the P-TMSI to the user's permanent identity, referred to as an International Mobile Subscriber Identity (IMSI) to verify the user of the terminal.
When accessing the wireless telephony network 12, the mobile wireless terminal 16 uses its temporary identity (P-TMSI) such that its real identity need not cross the radio interface after initial registration. In the case of a handoff from one SGSN to another, the new SGSN receives the P-TMSI from the mobile wireless terminal 16. If the new SGSN does not currently serve the mobile wireless terminal user 16, the new SGSN will query the "old" SGSN. By doing so, the new SGSN will retrieve the address of the "old" SGSN that had previously served the mobile wireless terminal 16 and had last mapped the temporary identity of the terminal to its permanent identity. The new SGSN will request that the old SGSN send back the IMSI associated with the temporary address (P-TMSI) previously supplied by the mobile wireless terminal 16.
Heretofore, there did not exist a secure access arrangement that allowed the mobile wireless terminal 16 to transition from the wireless telephony network 12 to the wireless LAN 14 while maintaining the terminal's identity secure from possible interception. Typically, the user of the mobile wireless terminal 16, upon transitioning to the wireless LAN 14, needed to send its permanent identity (i.e., its IMSI) to the wireless
LAN 14, thus compromising its identity.
In accordance with the present principles, there is provided a technique for protecting the IMSI of the mobile wireless terminal 16 upon transitioning from one wireless network (the wireless telephony network 12) to the wireless LAN 14. To protect the identity of the user, the technique of the present principles makes use of the user identity information (i.e., the P-TMSI) maintained by the last-attached SGSN (e.g., SGSN 18 of FIG. 1) to verify the user's permanent identity in the wireless LAN 14. Such user identification and verification occurs as follows:
1. Upon transitioning to the wireless LAN 14, the mobile wireless terminal 16 sends the same identity information it previously sent to the wireless telephony network 12. Such identity information includes the old (i.e., previously sent) P-TMSI, P- TMSI signature and Routing Area Identifier (RAI). As described, the P-TMSI constitutes a temporary user identification. The P-TMSI signature provides verification of the P-TMSI, whereas the RAI distinguishes each SGSN 18 accessible to the mobile wireless terminal 16. Each SGSN 18, as well as the WLAN interworking access server 24, has its own unique RAI. Heretofore, the
RAI only identified SGSNs in the wireless telephony network 12. In accordance with an aspect of the present principles, the WLAN interworking access server 24 has its own RAI, so the server appears simply as another SGSN. In this way, the WLAN interworking access server 24 can query an old SGSN with a P-TMSI received from the mobile wireless terminal 16 for the purpose of obtaining the
IMSI of the terminal.
2. Upon receipt of the identity information (i.e., the P-TMSI, P-TMSI signature, and RAI), the wireless LAN 14 forwards such information to the WLAN interworking access server 24 in the wireless telephony network 12. From such identity information, the WLAN interworking access server 24 first determines the identity of the old SGSN 18 previously accessed by the mobile wireless terminal 16 immediately prior to transitioning to the wireless LAN 14. Typically, the WLAN interworking access server 24 identifies the old SGSN by finding its address through an association with the old Routing Area in the RAI supplied by the mobile wireless terminal 16. Typically, the WLAN interworking access server 24 knows the address of each SGSN in the wireless telephony network 12 via the HLR 22. In the event that the WLAN interworking access server 24 does not know the address of the old SGSN 18, the server can acquires the address from a Domain Naming System (DNS) server (not shown) using a logical address provided by the mobile wireless terminal 16.
3. After identifying the old SGSN 18, the WLAN interworking access server 24 then sends the P-TMSI, P-TMSI signature and RAI to the old SGSN 18 to request the user's IMSI. 4. In response to the request from the WLAN interworking access server 24, the old SGSN 18 maps the P-TMSI to the IMSI. In this way, the old SGSN provides an identification response that includes both the IMSI and appropriate authentication vectors to identify the mobile wireless terminal 16. If unable to identify the mobile wireless terminal 16, the old SGSN 18 provides an appropriate error message.
5. After establishing the user's identity from the mapping performed by the old SGSN 18, the wireless LAN 14 will verify that the user of the mobile wireless terminal 16 constitutes a valid user and is entitled to use the Wireless LAN.
6. . When a user moves away from the wireless LAN and transitions back to wireless telephony network, the WLAN interworking access server 24 serves as "old" SGSN. Upon request, it sends an identification response to a new SGSN in the wireless telephony network to which the user terminal is being attached.
The identification and verification technique of the present principles affords the advantage of providing secure user identification while minimizing repeated access of the HLR 20 by the WLAN interworking access server 24. Instead of broadcasting a permanent wireless LAN identifier easily intercepted by others, the identification technique of the present principles makes use of the secure identification process of the wireless telephony network 12. Thus, the identity of the user of the mobile wireless terminal 16 remains protected upon a transition from the wireless telephony network 12 to the wireless LAN 14.

Claims

1 A method for identifying a mobile wireless terminal upon a transition of the terminal from a first wireless network to a second wireless network, comprising the steps of: receiving in the second wireless network from the mobile wireless terminal a temporary identity information previously used by the mobile wireless terminal to access the first wireless network; identifying a serving node in the first wireless network that last served the mobile wireless terminal prior to transitioning to the second wireless network in accordance with the temporary identity information received from the mobile wireless terminal in the second wireless network; forwarding the temporary identity information of the mobile wireless terminal to the last- accessed serving node in the first wireless network for identification; receiving from the last-accessed serving node in the first wireless network an identification response indicating whether the mobile wireless terminal has been properly identified; and validating the mobile terminal in accordance with the identification response.
2. The method according to claim 1 wherein the step of receiving the temporary identifier information further comprising the step of receiving a Packet Temporary Mobile Subscriber Identity (P-TMSI), a P-TMSI signature and a Routing Area Identifier (RAI).
3. The method according to claim 2 wherein the step of identifying the serving node in the first wireless network further comprises the step of identifying the serving node in accordance with the RAI received from the mobile wireless terminal.
4. The method according to claim 3 further comprising the steps of: receiving a logical address information from the mobile wireless terminal; and accessing a Domain Naming System (DNS) server to identify the serving node in accordance with the logical address.
5. The method according to claim 1 further comprising the step of providing an error message when the serving node cannot identify the mobile wireless terminal from the temporary identity information.
6. A method for identifying a mobile wireless terminal upon a transition of the terminal from a wireless telephony network to a wireless Local Area Network (LAN), comprising the steps of: receiving in the wireless LAN from the mobile wireless terminal identity information previously used by the mobile wireless terminal to access the wireless telephony network; identifying a serving node in the wireless telephony network that last served the mobile wireless terminal prior to transitioning to the wireless LAN in accordance with the identity information received from the mobile wireless terminal in the wireless LAN; forwarding the identity information of the mobile wireless terminal to the last-accessed serving node in the wireless telephony network for identification; receiving from the last-accessed serving node in the wireless telephony network an identification response indicating whether the mobile wireless terminal has been properly identified; and validating the mobile terminal in accordance with the identification response.
7. The method according to claim 1 wherein the step of receiving the temporary identifier information further comprises the step of receiving a Packet Temporary Mobile Subscriber Identity (P-TMSI), a P-TMSI signature and a Routing Area Identifier (RAI).
8. The method according to claim 7 wherein the step of identifying the serving node in the first wireless network further comprises the step of identifying the serving node in accordance with the RAI received from the mobile wireless terminal.
9. The method according to claim 8 further comprises the steps of: receiving a logical address information from the mobile wireless terminal; and accessing a Domain Naming System (DNS) server to identify the serving node in accordance with the logical address.
10. The method according to claim 7 further comprising the step of providing an error message when the serving node cannot identify the mobile wireless terminal from the temporary identity information.
11. A wireless telephony network for identifying a mobile wireless terminal upon a transition of the terminal from the wireless telephony network to a wireless Local Area Network (LAN), comprising: a serving node for identifying the mobile wireless terminal upon access to the wireless telephony network; and an access server for receiving from the wireless LAN temporary identity information from the mobile wireless terminal previously used by the terminal to access the wireless telephony network and for identifying the serving node in the first wireless network that last served the mobile wireless terminal prior to transitioning to the second wireless network by forwarding the identity information of the mobile wireless terminal to the serving node for identification and from the identification response, the access server indicating whether the mobile wireless terminal has been properly identified and forwarding such response to the wireless LAN.
12. The network according to claim 11 wherein the identity information further comprises a Packet Temporary Mobile Subscriber Identity (P-TMSI), a P-TMSI signature and a Routing Area Identifier (RAI) received from the mobile wireless terminal.
13. The network according to claim 11 wherein the access server has its own RAI distinct from an RAI assigned to the serving node.
PCT/US2003/025129 2002-08-13 2003-08-11 Identity protection in a lan-universal radiotelephone system WO2004016010A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
MXPA05001666A MXPA05001666A (en) 2002-08-13 2003-08-11 Identity protection in a lan-universal radiotelephone system.
AU2003259755A AU2003259755A1 (en) 2002-08-13 2003-08-11 Identity protection in a lan-universal radiotelephone system
US10/524,183 US7065358B2 (en) 2002-08-13 2003-08-11 Identity protection in a LAN-universal radiotelephone system
BR0305740-2A BR0305740A (en) 2002-08-13 2003-08-11 Interoperable Array User Identity Protection for Universal Wireless LAN Mobile Phone System
EP03785189A EP1530883B1 (en) 2002-08-13 2003-08-11 Identity protection in a lan-universal radiotelephone system
JP2004528038A JP4280235B2 (en) 2002-08-13 2003-08-11 Mobile radio terminal identification method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US40315902P 2002-08-13 2002-08-13
US60/403,159 2002-08-13

Publications (2)

Publication Number Publication Date
WO2004016010A1 true WO2004016010A1 (en) 2004-02-19
WO2004016010B1 WO2004016010B1 (en) 2004-04-08

Family

ID=31715952

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/025129 WO2004016010A1 (en) 2002-08-13 2003-08-11 Identity protection in a lan-universal radiotelephone system

Country Status (9)

Country Link
US (1) US7065358B2 (en)
EP (1) EP1530883B1 (en)
JP (1) JP4280235B2 (en)
KR (1) KR20050051639A (en)
CN (1) CN100366028C (en)
AU (1) AU2003259755A1 (en)
BR (1) BR0305740A (en)
MX (1) MXPA05001666A (en)
WO (1) WO2004016010A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005109818A1 (en) * 2004-05-06 2005-11-17 Telefonaktiebolaget L M Ericsson (Publ) Method of and system for storage of i-wlan temporary identities
WO2007028028A1 (en) * 2005-09-01 2007-03-08 Qualcomm Incorporated Hard handoff from a wireless local area network to a cellular telephone network
US7706796B2 (en) 2005-09-01 2010-04-27 Qualcomm Incorporated User terminal-initiated hard handoff from a wireless local area network to a cellular network
US8295836B2 (en) 2007-05-08 2012-10-23 Ntt Docomo, Inc. Mobile switching center, radio base station, and mobile communication method

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1372201A (en) * 2002-04-03 2002-10-02 张平 Novel network safety method
US7991843B2 (en) * 2003-10-29 2011-08-02 Nokia Corporation System, method and computer program product for managing user identities
US7206301B2 (en) * 2003-12-03 2007-04-17 Institute For Information Industry System and method for data communication handoff across heterogenous wireless networks
EP1938545B1 (en) * 2005-09-27 2009-08-05 Telefonaktiebolaget LM Ericsson (publ) A network architecture and a method relating to access of user stations
US8041335B2 (en) * 2008-04-18 2011-10-18 Kineto Wireless, Inc. Method and apparatus for routing of emergency services for unauthorized user equipment in a home Node B system
US8477941B1 (en) * 2008-07-10 2013-07-02 Sprint Communications Company L.P. Maintaining secure communication while transitioning networks
KR101712865B1 (en) * 2010-09-09 2017-03-08 삼성전자주식회사 Communication supporting method and apparatus using non-access stratum protocol in mobile telecommunication system
US10560842B2 (en) 2015-01-28 2020-02-11 Verint Systems Ltd. System and method for combined network-side and off-air monitoring of wireless networks
IL245299B (en) 2016-04-25 2021-05-31 Verint Systems Ltd System and method for decrypting communication exchanged on a wireless local area network
IL254438B (en) 2017-09-07 2021-12-01 Verint Systems Ltd System and method for decrypting communication over a umts network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104929A (en) * 1997-06-20 2000-08-15 Telefonaktiebolaget Lm Ericsson Data packet radio service with enhanced mobility management
US6275706B1 (en) * 1998-11-09 2001-08-14 Telefonaktiebolaget L M Ericsson Mobile telecommunications network and method for implementing and identifying hierarchical overlapping radio coverage areas
US6308267B1 (en) * 1999-05-14 2001-10-23 Siemens Aktiengesellschaft Arrangement and method for mobile communications having an IP link

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NO319527B1 (en) * 1997-01-15 2005-08-22 Ericsson Telefon Ab L M Method for obtaining a unique identification at a mobile station
WO1998059505A1 (en) * 1997-06-20 1998-12-30 Telefonaktiebolaget Lm Ericsson (Publ) Data packet radio service with enhanced mobility management
US6463055B1 (en) * 1998-06-01 2002-10-08 Telefonaktiebolaget L M Ericsson (Publ) Integrated radio telecommunications network and method of interworking an ANSI-41 network and the general packet radio service (GPRS)
AU2001261239A1 (en) * 2000-05-05 2001-11-20 Nokia Internet Communications Inc. Method and apparatus for translating network address identifiers related to mobile stations
WO2001091382A1 (en) * 2000-05-22 2001-11-29 Nokia Corporation System and method for providing a connection in a communication network
JP2005523613A (en) * 2002-04-17 2005-08-04 トムソン ライセンシング ソシエテ アノニム WLAN as a public mobile network for interconnection of wireless local area networks (WLANs) / universal mobile communication systems
US6937605B2 (en) * 2002-05-21 2005-08-30 Nokia Corporation Wireless gateway, and associated method, for a packet radio communication system
JP2005529540A (en) * 2002-06-06 2005-09-29 トムソン ライセンシング ソシエテ アノニム Wireless LAN as a logical serving GPRS support node (SGSN) for interconnection between wireless LAN and mobile communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104929A (en) * 1997-06-20 2000-08-15 Telefonaktiebolaget Lm Ericsson Data packet radio service with enhanced mobility management
US6275706B1 (en) * 1998-11-09 2001-08-14 Telefonaktiebolaget L M Ericsson Mobile telecommunications network and method for implementing and identifying hierarchical overlapping radio coverage areas
US6308267B1 (en) * 1999-05-14 2001-10-23 Siemens Aktiengesellschaft Arrangement and method for mobile communications having an IP link

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1530883A4 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005109818A1 (en) * 2004-05-06 2005-11-17 Telefonaktiebolaget L M Ericsson (Publ) Method of and system for storage of i-wlan temporary identities
AU2005241625B2 (en) * 2004-05-06 2009-08-06 Telefonaktiebolaget L M Ericsson (Publ) Method of and system for storage of I-WLAN temporary identities
US7836305B2 (en) 2004-05-06 2010-11-16 Telefonaktiebolaget L M Ericsson (Publ) Method of and system for storage of I-WLAN temporary identities
KR101143082B1 (en) 2004-05-06 2012-05-08 텔레폰악티에볼라겟엘엠에릭슨(펍) Method of and system for storage of i-wlan temporary indentities
WO2007028028A1 (en) * 2005-09-01 2007-03-08 Qualcomm Incorporated Hard handoff from a wireless local area network to a cellular telephone network
JP2009507429A (en) * 2005-09-01 2009-02-19 クゥアルコム・インコーポレイテッド Hard handoff from wireless local area network to cellular telephone network
US7706796B2 (en) 2005-09-01 2010-04-27 Qualcomm Incorporated User terminal-initiated hard handoff from a wireless local area network to a cellular network
US8798627B2 (en) 2005-09-01 2014-08-05 Qualcomm Incorporated Apparatus and method of handoff between wireless networks
US8295836B2 (en) 2007-05-08 2012-10-23 Ntt Docomo, Inc. Mobile switching center, radio base station, and mobile communication method

Also Published As

Publication number Publication date
KR20050051639A (en) 2005-06-01
JP2005536121A (en) 2005-11-24
EP1530883A4 (en) 2010-12-01
US20050202815A1 (en) 2005-09-15
AU2003259755A1 (en) 2004-02-25
EP1530883A1 (en) 2005-05-18
EP1530883B1 (en) 2012-02-01
US7065358B2 (en) 2006-06-20
WO2004016010B1 (en) 2004-04-08
CN1692659A (en) 2005-11-02
MXPA05001666A (en) 2005-04-19
BR0305740A (en) 2004-09-28
CN100366028C (en) 2008-01-30
JP4280235B2 (en) 2009-06-17

Similar Documents

Publication Publication Date Title
CA2530891C (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
FI105966B (en) Authentication in a telecommunications network
CA2495343C (en) Method and system for gsm billing during wlan roaming
US6603761B1 (en) Using internet and internet protocols to bypass PSTN, GSM map, and ANSI-41 networks for wireless telephone call delivery
KR100450950B1 (en) Authentication method of a mobile terminal for private/public packet data service and private network system thereof
US20090129371A1 (en) Method and system to enable mobile roaming over ip networks and local number portability
US20040162998A1 (en) Service authentication in a communication system
US20040153555A1 (en) Method and apparatus enabling reauthentication in a cellular communication system
US8891498B2 (en) Method for wireless network re-selection in a plurality of networks environment
US7065358B2 (en) Identity protection in a LAN-universal radiotelephone system
US20050059398A1 (en) Telecommunication method and system
EP2227918B1 (en) Method and node to control access to a telecommunications network core
US7215943B2 (en) Mobile terminal identity protection through home location register modification
EP1023801A2 (en) Data access in a telephone system
US20020042820A1 (en) Method of establishing access from a terminal to a server
GB2450575A (en) Controlling the use of access points in a telecommunications network
Sandrasegaran et al. Digital Identity in Current Networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

B Later publication of amended claims

Effective date: 20040123

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2003818690X

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 464/DELNP/2005

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 2004528038

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 10524183

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: PA/a/2005/001666

Country of ref document: MX

Ref document number: 2003785189

Country of ref document: EP

Ref document number: 1020057002395

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 2003785189

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020057002395

Country of ref document: KR