WO2004068785A1 - Method and device for controlling access to a communication network

Info

Publication number: WO2004068785A1
Authority: WO (WIPO, PCT)
Application number: PCT/EP2003/013459
Other languages: German (de), French (fr)
Inventors: Lachlan Brazier, Marcel Vencour
Original assignee: Siemens Aktiengesellschaft
Prior art keywords: service provider, token, access, network, communication
Priority date: 2003-01-28
Filing date: 2003-11-28
Publication date: 2004-08-12
Priority: DE10303264A (DE10303264A1), DE10303264.9
Application filed by: Siemens Aktiengesellschaft
Publication: WO2004068785A1

Classifications

All classifications fall under H Electricity / H04 Electric communication technique, in H04L Transmission of digital information (H04L12/00 Data switching networks, H04L12/02 Details, H04L63/00 Network architectures or network communication protocols for network security) and H04W Wireless communication networks (H04W8/00 Network data management; H04W12/00 Security arrangements, e.g. access security or fraud detection, authentication, protecting privacy or anonymity, key management, integrity, identity modules, secure pairing of devices, lawful interception; H04W80/00 Wireless network protocols or protocol adaptations to wireless operation).

    • H04L12/14 Metering, charging or billing arrangements specially adapted for data wireline or wireless communications
    • H04L12/1403 Architecture for metering, charging or billing
    • H04L12/141 Indication of costs
    • H04L12/1421 Indication of expected costs
    • H04L12/1453 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network
    • H04L12/146 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network using digital cash
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data
    • H04W12/06 Authentication
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Abstract

The invention relates to a method for controlling access to a communication network (IN), especially the Internet, for a communication subscriber (UA) who is registered with a home service provider (HISP) in a home network (HN) and asks for a network connection from a remote service provider (RISP) in a remote network (RN). According to said method, a token request is transmitted from the communication subscriber (UA) to the home service provider (HISP); at least one token is sent from the home service provider (HISP) to the remote access provider (RISP); and a decision is made by the remote access provider (RISP), after reception and validation of said at least one token (T), as to whether the communication subscriber (UA) is to be granted or refused access to the communication network (IN).

Description

Method and device for controlling access to a communication network

Technical field

The invention relates to a method and device for controlling access to a communication network.

A communication network provides a transmission path between geographically distant communication participants for the purpose-specific transfer or exchange of information.

The transmission path is usually made up of sections connected via network nodes. It can be a logical channel on a wired transmission link or a radio channel.

In networks in which the connected stations compete for permission to send, access to the network must be coordinated. A well-known deterministic media access method is, for example, the token passing method of the IEEE 802.5 standard, which makes the medium available exclusively to one station wishing to transmit, for the transmission of one frame at a time.

Among communication networks, the Internet has grown incomparably in number of participants, performance and geographical extent into a communication system that has brought lasting change to both the commercial and the private sector. The Internet is a self-contained, global network in which a large number of networks from different operators are linked via so-called routers, which are special node computers.

A communication participant sees the Internet as a large, self-contained global network to which providers, so-called Internet Service Providers (ISP), act as the gatekeepers. An Internet service provider maintains the necessary infrastructure, such as local, regional, national or international networks, routers, modem servers and dedicated lines. The communication participant, as the user of this infrastructure, pays the provider a fee for this service.

Internet access in the private sector can take place, for example, in such a way that a connection between the modem of the user's computer and the Internet service provider (ISP) is established when the user dials in. After this connection has been established, the Internet service provider (ISP) asks the user to enter a user ID and password. After receiving this information, the Internet service provider (ISP) compares it with the data in an internal database and then decides whether to grant the user access to the Internet or to deny it. An Internet connection established by dialling in to the Internet service provider continues until the Internet user or the ISP disconnects.

Charging can take place in different ways. A monthly basic fee, a time-dependent fee or a fixed price, a so-called "flat rate", is customary for the provision of the infrastructure.

In addition to the infrastructure offered for access to the Internet, the Internet service provider can also offer the user additional communication applications, such as so-called chat rooms, news services, etc. The literature also uses the term access service provider (ASP) for a provider that only supplies the technical infrastructure for Internet access via its access server (AS).

In the following, an Internet access service provider that offers its services in the user's home country is referred to as a home Internet service provider, abbreviated HISP, and an access service provider that offers its services abroad as a remote Internet service provider, abbreviated RISP.

Home Internet service providers (HISP) and remote Internet service providers (RISP) are usually different legal entities. The organizational form of a HISP or a RISP can be a commercial organization, e.g. a company, or a non-commercial organization, e.g. a university.

Every computer in a home or foreign network on the Internet has a so-called IP address, a numerical, logical address that is unique across the entire Internet. It is assigned to a computer statically or dynamically. As soon as a client leaves its home network, its IP address also changes in conventional IP-based networks.

Communication participants who frequently travel abroad need to use the Internet infrastructure abroad, wherever possible, without restrictions, as if they were at home. However, this use is currently subject to various restrictions.



State of the art

There are various options for accessing the Internet abroad with a mobile device such as a laptop or a Personal Digital Assistant (PDA).

Comparatively inexpensive access to the Internet can be obtained abroad via so-called Internet cafes.

An Internet cafe is public and as a rule does not allow the use of private devices. Access is therefore limited to the technical options offered. Furthermore, unprotected privacy and poor data security are perceived as disadvantages by many users.

Another option is to establish Internet access using a mobile phone. Within a radio cell, access can be used locally without restriction. Some hotels and airports also offer their guests wireless Internet access via a Wireless Local Area Network (WLAN), provided the participant's mobile device has a WLAN card. The resulting fee for the Internet connection is comparatively high.

A third possibility of using Internet access abroad is for the subscriber to register with his home access provider for Internet roaming and thereby make use of the services of a third-party access provider abroad that has a contractual relationship with the subscriber's home access provider.

The subscriber can keep his private devices as well as his user ID and password. The fee for Internet access is charged to the user by the home access provider. The disadvantage, however, is that access is not possible from every location, but is restricted to those dial-in nodes that the contractual partner offers abroad. In addition, there are usually time-dependent roaming charges. The contractual partner abroad does not always match the user's preferences, which is also considered a disadvantage.



DESCRIPTION OF THE INVENTION

The object of the present invention is to specify a method and a device for controlling access to the Internet in such a way that worldwide access is possible abroad without being restricted to specific access providers.

This object is achieved in a method by the features of patent claim 1 and in a device by the features of patent claim 11. The subclaims relate to advantageous embodiments of the invention.



  A major aspect of the invention is a token-based interaction between a home service provider, a third-party service provider, and a financial service provider.



For the purposes of the invention, a token is an electronic document by means of which a user abroad gains access to the Internet. The token represents a monetary value for an Internet service requested abroad. The document can have an XML structure, for example. Depending on the procedure, this document contains a description of the service requested by the user, a digital signature and/or a digital certificate. The digital signature uniquely identifies its issuer. In this way, a relationship of trust can be established between the parties involved, which forms the basis for the secure billing of an Internet service used abroad.

The method according to the invention provides that a communication subscriber sends a token request to the home service provider via the third-party access provider, that the home service provider sends at least one token to the third-party access provider, and that the third-party access provider, after receiving and validating this at least one token, decides whether access to the communication network is granted or denied to the communication subscriber.

The token is validated through an interaction between the home service provider, the third-party access provider and the financial service provider. The financial service provider acts as a clearing house, i.e. it performs the function of a cash desk, a billing exchange or a giro centre. The financial service provider can be a credit card company, for example.

The method according to the invention makes it possible to establish certainty about settlement in advance, i.e. before the communication subscriber abroad is granted an Internet connection. This enables global access. There is no restriction to certain Internet service providers abroad, since an existing contractual relationship between a home service provider and a third-party access provider is no longer a prerequisite; rather, the contractual relationship is established dynamically, i.e. shortly before the service is used. The consequence is that the user's access to the Internet is not restricted to certain providers.

   The gateway to the Internet is open to a communication participant anywhere where the technical requirements for Internet access with the roaming according to the invention are present. At any of these connection facilities, he can apply for access to the Internet at any time using a mobile device and any necessary adapters. Another advantage is that the user can keep his user ID and password abroad in the usual way.



  It is advantageous if the at least one token contains information about costs for the requested internet service.



This enables price information about the desired service to be sent to the communication subscriber abroad. If this information is given in his home currency, it is very easy for him to decide whether he wants the service on the terms transmitted. The third-party access provider, who physically makes its facilities available to the user abroad, sets the fee for this service, but the modality of billing remains unchanged for the user, since he receives his bill in the usual way from his home access provider. In a broader sense, the invention makes it possible to use the Internet from any Internet socket.

BRIEF DESCRIPTION OF THE DRAWING

To further explain the invention, reference is made to the drawings, in which an embodiment according to the invention is shown schematically. FIG. 1 shows, in simplified form, the Internet as an interconnection network with a communication subscriber who has requested Internet access from a third-party access provider; FIG. 2 is a schematic representation of a sequence of the access method according to the invention.



EMBODIMENT OF THE INVENTION

FIG. 1 shows the structure of the Internet IN as a computer network consisting of a large number of autonomous networks. An external network RN and a home network HN are shown as examples in the drawing. The individual networks are connected by routers. The illustration shows a communication subscriber UA who is registered with a home service provider HISP but is connected with his subscriber terminal to the external network RN of a third-party service provider RISP. The user UA requests access to the Internet IN via the network operator RISP abroad.

FIG. 2 shows the sequence of the method according to the invention step by step. The process steps of the interaction between the communication subscriber UA, the third-party service provider RISP, the home service provider HISP and a clearing house CH are shown in the drawing as arrows. For the sake of simplicity, the third-party service provider RISP and the home service provider HISP are each shown with only one server, the access server AS and the token server TS respectively. In reality, the network RN or the network HN can comprise a large number of servers. The network HN can, however, also consist of only one server, which is used exclusively for the billing of a communication service (low-cost service provider).



Initially, the communication subscriber UA in the foreign network RN is blocked from access to the Internet IN by the foreign service provider RISP, but the establishment of a connection to his home network HN is permitted. In steps 1 and 2, the communication subscriber UA sends a token request to an access server AS of the third-party service provider RISP, which forwards this message to a token server TS of the home service provider HISP. The token server TS in the home network HN of the communication subscriber UA supplements this token request with price information. This price information reflects the service requested by the communication participant UA abroad. As the service provider, the third-party service provider RISP determines the price of its goods. As a rule, it will state the price of its goods in its own currency.

The token server TS converts this price information from the third-party service provider RISP into the currency of the communication subscriber UA. It supplements the token with this converted price information and sends a signed token back to the access server AS. Upon receipt of the token signed by the home service provider HISP, the third-party service provider RISP checks the solvency of the HISP by transmitting the token to a clearing house CH (step 4). The clearing house is a server in the Internet IN that can be addressed by any access server AS. As already mentioned above, the clearing house CH can be a credit card company, for example. The digital signature uniquely identifies the issuer of the signature.

At the clearing house CH, a server, which is not shown in more detail in FIG. 2, receives the token. The clearing house server is set up so that it can validate the token.

After the token has been checked, the clearing house CH in turn supplements the token with a digital signature and sends it back to the access server AS of the third-party service provider RISP (step 5). With this digital signature, the clearing house is liable to the third-party service provider RISP for the home service provider HISP, because by its reply it confirms the token from the home service provider HISP.

Since both the third-party service provider RISP and the home service provider HISP trust the clearing house, a basis of trust for secure payment between the third-party service provider RISP and the home service provider HISP can be created: the third-party service provider RISP can trust that it will reliably receive the fee for the service requested by the communication subscriber UA in its network from the home service provider HISP. In step 6, the validated token is sent from the access server AS of the third-party service provider RISP to the communication subscriber UA. This signals to him that access to the Internet from his current location abroad can be opened at his request. The user can now decide whether he wants to proceed.

The basis for this decision is the price information for the requested service, which is preferably sent to him in his home currency. In his response to the access server AS in step 7, he communicates his decision to the third-party service provider RISP. Depending on this decision, the third-party service provider RISP opens the door to the Internet for him or not. The user will be billed at a later date by his home service provider.
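The seven-step exchange above, as an added simulation that is not code from the patent: the token server TS, the clearing house CH and the access server AS are modelled as Python classes, HMAC-SHA256 with per-party keys stands in for the digital signatures and certificates, and the user database, exchange rate, price quote and the HISP's credit line at the clearing house are constructed assumptions. The access server trusts only the clearing house's countersignature, which covers both the token body and the HISP signature, so a token altered after either signature is refused.

```python
import hashlib
import hmac
import json
import secrets


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so every party signs and verifies identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, obj) -> str:
    """HMAC-SHA256 with a per-party key stands in for the digital signature (assumption)."""
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify(key: bytes, obj, sig: str) -> bool:
    return hmac.compare_digest(sign(key, obj), sig)


class TokenServer:
    """HISP token server TS: authenticates the subscriber, prices the service, signs the token."""

    def __init__(self, key: bytes, users: dict, rates: dict, home_currency: str):
        self.key, self.users, self.rates, self.home = key, users, rates, home_currency

    def issue(self, req: dict):
        # Step 2: check the forwarded credentials against the home database.
        if self.users.get(req["user"]) != req["password"]:
            return None
        # Convert the RISP's quote into the subscriber's home currency (rates are constructed).
        price_home = round(req["price"] * self.rates[req["currency"]], 2)
        body = {"token_id": secrets.token_hex(8), "issuer": "HISP", "user": req["user"],
                "service": req["service"], "price": req["price"], "currency": req["currency"],
                "price_home": price_home, "currency_home": self.home}
        # Step 3: the HISP-signed token goes back to the access server.
        return {"body": body, "hisp_sig": sign(self.key, body)}


class ClearingHouse:
    """CH: checks the HISP signature and vouches for the HISP's solvency by countersigning."""

    def __init__(self, key: bytes, issuer_keys: dict, credit: dict):
        # Credit is tracked per issuer in that issuer's home currency (assumption).
        self.key, self.issuer_keys, self.credit = key, issuer_keys, credit

    def validate(self, token: dict):
        body = token["body"]
        issuer_key = self.issuer_keys.get(body["issuer"])
        if issuer_key is None or not verify(issuer_key, body, token["hisp_sig"]):
            return None                                  # unknown issuer or altered token
        if self.credit[body["issuer"]] < body["price_home"]:
            return None                                  # HISP cannot cover the service
        self.credit[body["issuer"]] -= body["price_home"]  # reserve the amount
        # Step 5: the countersignature covers the body and the HISP signature together.
        return {**token, "ch_sig": sign(self.key, {"body": body, "hisp_sig": token["hisp_sig"]})}


class AccessServer:
    """RISP access server AS. It trusts only the clearing house key, not the HISP."""

    def __init__(self, ch_key: bytes, ts: TokenServer, ch: ClearingHouse, price: float, currency: str):
        self.ch_key, self.ts, self.ch, self.price, self.currency = ch_key, ts, ch, price, currency
        self.open_for = set()   # subscribers whose Internet access has been opened

    def request_access(self, user: str, password: str, service: str, accept) -> str:
        """Steps 1 to 7 for one subscriber; accept(body) is the subscriber's decision."""
        # Step 1: the token request, with the RISP's price quote added, is forwarded to the TS.
        # The credential transits the RISP here; a deployment would protect it end to end to the TS.
        req = {"user": user, "password": password, "service": service,
               "price": self.price, "currency": self.currency}
        token = self.ts.issue(req)
        if token is None:
            return "denied: home provider rejected the request"
        validated = self.ch.validate(token)              # step 4
        if validated is None:
            return "denied: clearing house did not validate the token"
        signed = {"body": validated["body"], "hisp_sig": validated["hisp_sig"]}
        if not verify(self.ch_key, signed, validated["ch_sig"]):
            return "denied: clearing house signature invalid"
        # Steps 6 and 7: the subscriber sees the price in his home currency and decides.
        if not accept(validated["body"]):
            return "declined by subscriber"
        self.open_for.add(user)
        return "granted"


def build_demo(hisp_credit: float = 1000.0):
    """Wire up one HISP, one CH and one RISP with constructed keys, users and rates."""
    k_hisp, k_ch = b"hisp-secret-key", b"clearing-house-key"
    ts = TokenServer(k_hisp, {"alice": "correct horse"}, {"USD": 0.9}, "EUR")
    ch = ClearingHouse(k_ch, {"HISP": k_hisp}, {"HISP": hisp_credit})
    return AccessServer(k_ch, ts, ch, price=10.0, currency="USD"), ts, ch
```

`build_demo()` returns the wired-up access server; `risp.request_access("alice", "correct horse", "wlan-24h", lambda b: b["price_home"] <= 15.0)` walks through all seven steps and returns `"granted"`, while a wrong password, an exhausted HISP credit line, a token altered in transit or a subscriber who rejects the quoted price each leave access closed.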



The process sequence shown above is started again when the monetary value of the token has been used up or when the user changes location and may therefore have to apply for access again.



  If the user does not have his own certificate and thus does not have a valid signature, a one-time password or other identification information, for example a transaction number, can also be used instead.

Claims

1. Method for controlling access to a communication network (IN), in particular to the Internet, for a communication subscriber (UA) who is registered in a home network (HN) with a home service provider (HISP) and who requests network access from a third-party service provider (RISP) in a third-party network (RN), characterized in that the communication subscriber (UA) sends a token request to the home service provider (HISP), that the home service provider (HISP) sends at least one token to the third-party service provider (RISP), and that the third-party service provider (RISP), after receiving and validating this at least one token (T), decides whether the communication subscriber (UA) is granted or denied access to the communication network (IN).
2. The method according to claim 1, characterized in that the validation of the at least one token is carried out by an interaction between the external service provider (RISP) and a network node in the communication network (IN) which is set up as a clearing house (CH).
3. The method according to claim 1 or 2, characterized in that the at least one token contains information about the charge for a communication service that can be called up by the communication subscriber (UA) from the communication network (KN).
4. The method according to claim 3, characterized in that the information about the remuneration is transmitted to the communication participant (UA) and the decision to provide access to the communication network (IN) is made dependent on the consent of the communication participant (UA).
5. The method according to claim 4, characterized in that the information about the remuneration is given in the currency of the home service provider.
6. The method according to at least one of the preceding claims, characterized in that, when the token request is transmitted, information about the user identity and/or user authorization is transmitted.
7. The method according to at least one of claims 4 to 6, characterized in that a digital signature is used in the validation of the at least one token.
8. The method according to at least one of the preceding claims, characterized in that the charging of the communication subscriber (UA) for a service used in the third-party network (RN) is carried out by the home service provider (HISP).
9. The method according to at least one of the preceding claims, characterized in that access to the communication network, once established, is maintained by the repeated sending of further tokens.
10. The method according to at least one of the preceding claims, characterized in that any details of the desired service form part of at least one of the tokens.
11. Device for controlling access to a communication network (IN), in particular the Internet, comprising a token server (TS) which is integrated in a home network (HN) and which, on request from a communication subscriber (UA), transmits at least one token to an access server (AS) of a foreign network (RN), the access server (AS) being set up in such a way that, after validation of the at least one token, it opens or blocks access to the communication network (IN) for the communication subscriber (UA).
12. Device according to claim 11, characterized in that the token is formed by an Extensible Markup Language (XML) document.
13. Device according to claim 12, characterized in that the document contains information about a fee for a desired service.

Priority Applications (2)

Application Number Priority Date Filing Date Title
DE10303264A DE10303264A1 (en) 2003-01-28 2003-01-28 Method and device for controlling access to a communication network
DE10303264.9 2003-01-28

Publications (1)

Publication Number Publication Date
WO2004068785A1 true WO2004068785A1 (en) 2004-08-12

Family

ID=32694993

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2003/013459 WO2004068785A1 (en) 2003-01-28 2003-11-28 Method and device for controlling access to a communication network

Country Status (2)

Country Link
DE (1) DE10303264A1 (en)
WO (1) WO2004068785A1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2365679A (en) * 2000-03-14 2002-02-20 Ericsson Telefon Ab L M Cost control in a mobile telecommunications system
GB2365680B (en) * 2000-03-21 2004-01-28 Ericsson Telefon Ab L M Transmission of call detail records in a telecommunications system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000076249A1 (en) * 1999-06-08 2000-12-14 Telefonaktiebolaget Lm Ericsson (Publ) Mobile internet access

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GLASS S ET AL: "RFC 2977: Mobile IP Authentication, Authorization and Accounting Requirements", REQUEST FOR COMMENT, October 2000 (2000-10-01), XP002213102, Retrieved from the Internet <URL:http://www.ietf.org/rfc/rfc2977.txt> [retrieved on 20020911] *
YEGIN A E: "Secure Network Access Using Router Discovery and AAA", INTERNET DRAFT DRAFT-YEGIN-UNAP-SNARD-00, November 2001 (2001-11-01), pages 1- - 14, XP002274839, Retrieved from the Internet <URL:http://www.watersprings.org/pub/id/draft-yegin-unap-snard-00.txt> [retrieved on 20040324] *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1895777A1 (en) * 2006-09-01 2008-03-05 Alcatel Lucent Method of providing an IPTV service
WO2008025695A1 (en) * 2006-09-01 2008-03-06 Alcatel Lucent Method of providing an iptv service
KR101291526B1 (en) 2006-09-01 2013-08-08 알까뗄 루슨트 Method of providing an iptv service
US8689246B2 (en) 2006-09-01 2014-04-01 Alcatel Lucent Method of providing an IPTV service
US8782759B2 (en) 2008-02-11 2014-07-15 International Business Machines Corporation Identification and access control of users in a disconnected mode environment

Also Published As

Publication number Publication date
DE10303264A1 (en) 2004-08-12

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): CN US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase