WO2005069567A1 - Mobile radio communication system, mobile radio terminal device, virtual private network relay device and connection authentication server - Google Patents
- Publication number: WO2005069567A1 (PCT/JP2005/000193)
- Authority: WO (WIPO (PCT))
- Prior art keywords: terminal device, wireless terminal, public, wireless lan, private network
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Definitions
- Mobile radio communication system, mobile radio terminal device, virtual private network relay device, and connection authentication server
- The present invention relates to a mobile VPN connection environment in which a private network is accessed from a public network such as a public wireless LAN system.
- The present invention also relates to a mobile radio communication system for establishing a communication path in such an environment, and to a mobile radio terminal device, a virtual private network relay device, and a connection authentication server for that system.
- For connecting to a private network via a public network, IPsec, standardized by the IETF, is used to establish a secure communication channel; in IPv6, support for IPsec is mandatory. Consider applying IPsec to a mobile environment in which a mobile wireless terminal device can move freely between a public network and a private network, and connects from the public network to the private network. In this case, the mobile wireless terminal device is assigned an IP address usable in the destination public network by DHCP (Dynamic Host Configuration Protocol) or the like every time it moves. That is, the IP address changes depending on the location of the mobile wireless terminal device.
- PIC (Pre-IKE Credential Provisioning Protocol) is also used with IPsec. In PIC, a secure communication path is established between the mobile wireless terminal device and the authentication server using ISAKMP (Internet Security Association and Key Management Protocol), and authentication is performed by exchanging the required authentication information over that path. If this authentication succeeds, the authentication server issues to the mobile radio terminal authentication information called credentials (for example, a pre-shared secret key or a public key certificate) to be used in subsequent IPsec authentication.
- Non-Patent Document 1 "PIC, A Pre-IKE Credential Provisioning Protocol"
- When a mobile wireless terminal device in a public network such as a public wireless LAN system connects to a private network such as an in-house network, it is conceivable for the mobile wireless terminal device to use IPsec to secure the communication path with the private network, that is, to establish an IPsec tunnel.
- However, the IP address of the mobile radio terminal device changes every time it moves, so IPsec key exchange in main mode, which identifies the peer by its IP address, is difficult. The tunnel must therefore be established by key exchange in aggressive mode, in which the IPsec user ID flows through the network unencrypted, and security is lowered.
- PIC has been proposed as a protocol for dynamically distributing the pre-shared secret key used for IPsec authentication.
- However, to use PIC, a PIC protocol function must be added to existing equipment.
- In addition, with PIC an ISAKMP communication path is first established between the mobile wireless terminal and the connection authentication server, and ISAKMP communication is then performed again between the mobile wireless terminal and the security gateway.
- Because a mobile radio terminal device thus establishes an ISAKMP-based communication path twice in order to establish one tunnel, the procedure is redundant and the time required to establish an IPsec tunnel becomes longer.
- A mobile radio communication system according to the present invention includes a public network, a private network, and a public wireless LAN system, and comprises:
- a virtual private network relay device, installed in the public wireless LAN system, that establishes an IPsec tunnel via the public network with a network relay device installed in the private network, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- According to the present invention, it is possible to prevent a decrease in security, to require no special operations by users or administrators, and to reduce the time required for establishing an IPsec tunnel in a mobile VPN connection environment.
- FIG. 1 is a diagram showing a configuration of a mobile radio communication system according to an embodiment of the present invention.
- FIG. 2 is a block diagram showing a configuration of a mobile wireless terminal device according to one embodiment of the present invention.
- FIG. 3 is a block diagram showing a configuration of a virtual private network relay device according to one embodiment of the present invention.
- FIG. 4 is a block diagram showing a configuration of a connection authentication server according to one embodiment of the present invention.
- FIG. 5 is a block diagram illustrating a configuration of a wireless access point according to an embodiment of the present invention.
- FIG. 6 is a block diagram illustrating a configuration of a home agent according to an embodiment of the present invention.
- FIG. 7 is a sequence diagram illustrating a mobile radio communication system according to one embodiment of the present invention.
- FIG. 8 is a diagram for explaining an EAPOL message format used in the mobile radio communication system according to one embodiment of the present invention.
- FIG. 9 is a diagram for explaining an addr message format used in the mobile radio communication system according to one embodiment of the present invention.
- A mobile radio communication system 100 includes a public network 101, a private network 102, a public wireless LAN system 103, a network relay device 104, a virtual private network relay device 105, and a home agent 106.
- The public wireless LAN system 103 includes a public wireless LAN 107, a connection authentication server 108, a wireless LAN access point 109, and a plurality of mobile wireless terminal devices 110 (only one is shown).
- The virtual private network relay device 105 statically establishes an IPsec tunnel via the public network 101 with the network relay device 104 installed in the private network 102, and thereby realizes secure communication between the virtual private network relay device 105 and the private network 102.
- The virtual private network relay device 105 also establishes an IPsec tunnel with a mobile wireless terminal device 110 present in the public wireless LAN system 103, and relays the connection of the mobile wireless terminal device 110 from the public wireless LAN system 103 to the private network 102.
- The IPsec tunnel between the virtual private network relay device 105 and the mobile wireless terminal device 110 is established dynamically each time the mobile wireless terminal device 110 connects to the public wireless LAN system 103, or each time the mobile wireless terminal device 110 makes a connection request to the private network 102.
- The connection authentication server 108 authenticates the connection of the mobile wireless terminal device 110 to the public wireless LAN 107.
- The wireless LAN access point 109 relays the connection authentication procedure performed between the mobile wireless terminal device 110 and the connection authentication server 108.
- The mobile radio terminal apparatus 110 includes an authentication processing section 201, an address notification section 202, an address acquisition section 203, an IPsec shared key acquisition section 204, an IPsec key exchange section 205, a MIP shared key acquisition section 206, and a MIP registration section 207.
- The mobile wireless terminal device 110 also includes a device (not shown) for performing mobile wireless communication.
- the virtual private network relay device 105 includes an address acquisition unit 301, an IPsec shared key acquisition unit 302, and an IPsec key exchange unit 303.
- the connection authentication server 108 includes an authentication processing unit 401, an address notification unit 402, an address acquisition unit 403, an IPsec shared key distribution unit 404, and a MIP shared key distribution unit 405.
- the wireless LAN access point 109 includes an authentication relay unit 501.
- the home agent 106 includes a MIP shared key acquisition unit 601 and a MIP processing unit 602.
- The procedure by which a mobile wireless terminal device 110 present in the public wireless LAN system 103 connects to the private network 102 will be described as an example.
- In order to connect to the public wireless LAN system 103, the authentication processing unit 201 of the mobile wireless terminal device 110 transmits a connection request to the authentication processing unit 401 of the connection authentication server 108 via the authentication relay unit 501 of the wireless LAN access point 109.
- Between the mobile wireless terminal device 110 and the wireless LAN access point 109, the Extensible Authentication Protocol (EAP) is applied, carried in the IEEE-standardized EAP over LAN (EAPOL) encapsulation; between the wireless LAN access point 109 and the connection authentication server 108, RADIUS (Remote Authentication Dial In User Service) is applied. The wireless LAN access point 109 has a bridge function for relaying between the two protocols.
- the authentication processing unit 401 of the connection authentication server 108 first authenticates the connection request transmitted from the authentication processing unit 201 of the mobile wireless terminal device 110. This authentication is performed by various authentication methods such as EAP-MD5, EAP-TLS, EAP-LEAP or PEAP. Here, for the sake of simplicity, the procedure when EAP-TLS is applied will be described. In the EAP-TLS, mutual authentication is performed by exchanging an electronic certificate between the mobile radio terminal apparatus 110 and the connection authentication server 108.
- The mobile radio terminal device 110 and the connection authentication server 108 exchange random numbers and perform an arithmetic process using a pseudo random function or the like, so that both hold a common master secret.
- The mobile wireless terminal device 110 and the connection authentication server 108 generate a PMK (Pairwise Master Key) from the master secret.
- The mobile wireless terminal device 110 and the connection authentication server 108 also use the master secret to encrypt the communication path between the connection authentication server 108 and the mobile wireless terminal device 110.
- Since the authentication relay unit 501 of the wireless LAN access point 109 relays this communication path, confidential communication between the mobile wireless terminal device 110 and the connection authentication server 108 becomes possible. That is, a secure communication path is established from the authentication processing unit 201 of the mobile wireless terminal device 110, through the authentication relay unit 501 of the wireless LAN access point 109, to the authentication processing unit 401 of the connection authentication server 108. Hereafter, unless otherwise specified, communication between the mobile wireless terminal device 110, the wireless LAN access point 109, and the connection authentication server 108 is performed over this secure communication path.
- The connection authentication server 108 transmits the PMK to the wireless LAN access point 109 over the encrypted secure communication path.
- The mobile wireless terminal device 110 and the wireless LAN access point 109 generate a WEP key from the shared PMK and encrypt the wireless communication channel in the public wireless LAN system 103 with that WEP key (step ST1 in FIG. 7).
- Next, the IP addresses of the mobile wireless terminal device 110 and the virtual private network relay device 105 are exchanged, as follows.
- The address notification unit 402 of the connection authentication server 108 transmits the IP address of the virtual private network relay device 105 to the address acquisition unit 203 of the mobile wireless terminal device 110 via the authentication relay unit 501 of the wireless LAN access point 109 (step ST2 in FIG. 7).
- The connection authentication server 108 holds the IP address of the virtual private network relay device 105 in advance.
- On receiving the IP address of the virtual private network relay device 105, the address acquisition unit 203 of the mobile wireless terminal device 110 sends a signal to the address notification unit 202.
- On receiving that signal, the address notification unit 202 transmits the IP address assigned to the mobile wireless terminal device 110 to the address acquisition unit 403 of the connection authentication server 108 via the authentication relay unit 501 of the wireless LAN access point 109 (step ST3 in FIG. 7).
- In order for the connection authentication server 108 and the mobile radio terminal device 110 to transmit and receive IP addresses, the EAP protocol and the EAPOL protocol are extended.
- EAP-IPADDR is newly defined as a message type of the EAP protocol.
- The authentication processing unit 401 of the connection authentication server 108 transmits the IP address to the authentication relay unit 501 of the wireless LAN access point 109 as an attribute value of the vendor specific field of the RADIUS protocol.
- An EAPOL-IPADDR packet type of the EAPOL protocol (FIG. 8) is newly defined, and an addr format (FIG. 9) for notifying the IP address as an attribute value is added.
- Reception of this EAPOL-IPADDR message indicates reception of the IP address of the virtual private network relay device 105 in the case of the mobile wireless terminal device 110, and reception of the IP address of the mobile wireless terminal device 110 in the case of the wireless LAN access point 109.
- address notifying section 402 of connection authentication server 108 transmits the IP address of mobile radio terminal apparatus 110 to address acquiring section 301 of virtual private network relay apparatus 105 (step ST4 in FIG. 7).
- The mobile radio terminal apparatus 110 and the virtual private network relay apparatus 105 can thus acquire each other's IP address. The IPsec key exchange unit 205 of the mobile wireless terminal device 110 and the IPsec key exchange unit 303 of the virtual private network relay device 105 can then start key exchange in IPsec main mode using the obtained IP addresses.
- The connection authentication server 108 uses the communication path encrypted with the master secret shared between the mobile wireless terminal device 110 and the connection authentication server 108 to distribute, to the mobile wireless terminal device 110 and the virtual private network relay device 105, the IPsec pre-shared secret key used when establishing the IPsec tunnel between the mobile wireless terminal device 110 and the virtual private network relay device 105.
- The authentication processing unit 401 of the connection authentication server 108 transmits the IPsec pre-shared secret key to the authentication relay unit 501 of the wireless LAN access point 109.
- On receiving the IPsec pre-shared secret key, the authentication relay section 501 of the wireless LAN access point 109 forwards it unchanged to the authentication processing section 201 of the mobile radio terminal apparatus 110 (step ST4 in FIG. 7).
- In order to transmit the IPsec pre-shared secret key from the authentication processing unit 401 of the connection authentication server 108 to the authentication processing unit 201 of the mobile wireless terminal device 110, the EAP protocol and the EAPOL protocol are extended.
- EAP-IPSECKEY is newly defined as a message type of the EAP protocol, and the IPsec pre-shared secret key is transmitted as an attribute value of the vendor specific field of the RADIUS protocol.
- The key distribution message of the EAPOL protocol is used to transmit the IPsec pre-shared secret key from the authentication relay unit 501 of the wireless LAN access point 109 to the authentication processing unit 201 of the mobile wireless terminal device 110.
- The descriptor type of the key description format is set to IPsec, and the IPsec pre-shared secret key is carried in the key field.
- The IPsec shared key distribution section 404 of the connection authentication server 108 transmits the same IPsec pre-shared secret key as the one transmitted to the mobile radio terminal 110 to the IPsec shared key acquisition section 302 of the virtual private network relay apparatus 105.
- The communication path from the connection authentication server 108 to the virtual private network relay device 105 is a statically established IPsec tunnel, so it is a secure communication path over which the IPsec pre-shared secret key cannot be eavesdropped. The IPsec pre-shared secret key held by the connection authentication server 108 may be generated dynamically by the connection authentication server 108 itself or received from another key generation server.
- As a result, the mobile wireless terminal apparatus 110 and the virtual private network relay apparatus 105 share the same IPsec pre-shared secret key.
- The IPsec key exchange unit 205 of the mobile wireless terminal device 110 and the IPsec key exchange unit 303 of the virtual private network relay device 105 start key exchange in IPsec main mode using the shared IPsec pre-shared secret key.
- The IPsec key exchange unit 303 of the virtual private network relay device 105 compares the IPsec pre-shared secret key, the IP address, and the user ID described in the authentication request from the IPsec key exchange unit 205 of the mobile wireless terminal device 110 with the IPsec pre-shared secret key, IP address, and user ID held by the virtual private network relay device 105; if they match, authentication of the mobile wireless terminal device 110 succeeds and the IPsec tunnel is established.
- The connection authentication server 108 also uses the communication path encrypted with the master secret shared between the mobile wireless terminal device 110 and the connection authentication server 108 to transmit to the mobile radio terminal 110 the MIP pre-shared secret key used for registering with the home agent 106.
- The authentication processing unit 401 of the connection authentication server 108 transmits the MIP pre-shared secret key to the authentication relay unit 501 of the wireless LAN access point 109.
- On receiving this MIP pre-shared secret key, the authentication relay unit 501 of the wireless LAN access point 109 transmits it to the authentication processing unit 201 of the mobile wireless terminal device 110.
- So that the authentication processing unit 401 of the connection authentication server 108 can transmit the MIP pre-shared secret key to the authentication processing unit 201 of the mobile wireless terminal device 110, the EAP protocol and the EAPOL protocol are extended.
- EAP-MIPKEY is newly defined as a message type of the EAP protocol.
- The authentication processing unit 401 of the connection authentication server 108 transmits the MIP pre-shared secret key to the authentication relay unit 501 of the wireless LAN access point 109 as an attribute value of the vendor specific field of the RADIUS protocol.
- A key distribution message of the EAPOL protocol is used by the authentication relay unit 501 of the wireless LAN access point 109 to transmit the MIP pre-shared secret key to the authentication processing unit 201 of the mobile wireless terminal device 110.
- The descriptor type of the key description format is set to MIP, and the MIP pre-shared secret key is carried in the key field.
- The MIP shared key distribution section 405 of the connection authentication server 108 transmits the same MIP pre-shared secret key as the one transmitted to the mobile radio terminal apparatus 110, together with the IP address of the mobile radio terminal apparatus 110, to the MIP shared key acquisition unit 601 of the home agent 106 (step ST5 in FIG. 7).
- The communication path from the connection authentication server 108 to the home agent 106 is a statically established IPsec tunnel, so it is a secure communication path over which the MIP pre-shared secret key cannot be eavesdropped.
- The MIP pre-shared secret key held by the connection authentication server 108 may be generated dynamically by the connection authentication server 108 itself or received from another key generation server or the like.
- As a result, the mobile radio terminal apparatus 110 and the home agent 106 share the same MIP pre-shared secret key.
- The MIP registration unit 207 of the mobile wireless terminal device 110 performs a Mobile IP registration (Binding Update) with the MIP processing unit 602 of the home agent 106 using the MIP pre-shared secret key.
- The MIP processing unit 602 of the home agent 106 checks the authentication field of the Mobile IP registration message from the MIP registration unit 207 of the mobile radio terminal 110. If the MIP pre-shared secret key and the SPI described there match the MIP pre-shared secret key and the SPI held by the home agent 106, the Mobile IP registration of the mobile radio terminal device 110 is authenticated and permitted. Since an IPsec tunnel has already been established between the mobile radio terminal apparatus 110 and the virtual private network relay apparatus 105, the communication path between the mobile radio terminal apparatus 110 and the home agent 106 is secure.
- In this way, the IPsec pre-shared secret key and the MIP pre-shared secret key can be updated dynamically each time the mobile radio terminal apparatus 110 accesses the public wireless LAN system 103. Therefore, according to this embodiment of the present invention, it is possible to prevent security from deteriorating, to require no special work by the user or the administrator, and to shorten the time required for establishing the IPsec tunnel in a mobile VPN connection environment.
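The address exchange and IPsec pre-shared key distribution of steps ST2 to ST4 above, as an added simulation that is not part of the patent: the server hands the relay's address to the terminal, learns the terminal's address, issues a fresh pre-shared key to both sides over the EAP-authenticated path, and the relay then authenticates the terminal in main mode by selecting the key by source address and checking key, address and user ID together. The message layout, the HMAC-based stand-in for the encrypted EAP-TLS path, the key sizes and the IP addresses are assumptions; the block also shows a stale key from an earlier connection and an address forged in transit being rejected.

```python
# Simulation of steps ST2 to ST4: address exchange and IPsec pre-shared key
# distribution over the EAP-authenticated path. Constructed example: message
# layout, HMAC stand-in for the encrypted path, key sizes and addresses are assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EAP_IPADDR = "EAP-IPADDR"  # EAP message types named in the description
EAP_IPSECKEY = "EAP-IPSECKEY"

def seal(master_secret: bytes, msg_type: str, payload: bytes) -> dict:
    """Stand-in for the path encrypted under the EAP-TLS master secret:
    bind the payload to its message type and protect it with HMAC-SHA256."""
    tag = hmac.new(master_secret, msg_type.encode() + b"|" + payload, hashlib.sha256).digest()
    return {"type": msg_type, "payload": payload, "tag": tag}

def open_sealed(master_secret: bytes, msg: dict) -> bytes:
    """Reject anything altered in transit, e.g. at the relaying access point."""
    expected = hmac.new(master_secret, msg["type"].encode() + b"|" + msg["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("message failed authentication on the EAP-TLS path")
    return msg["payload"]

@dataclass
class VpnRelay:
    """Virtual private network relay device 105: one PSK per terminal IP."""
    ip: str
    psk_by_peer: dict = field(default_factory=dict)  # terminal IP -> (user ID, PSK)

    def receive_from_auth_server(self, terminal_ip: str, user_id: str, psk: bytes) -> None:
        # Arrives over the statically established tunnel from server 108 (step ST4).
        self.psk_by_peer[terminal_ip] = (user_id, psk)

    def main_mode_auth(self, peer_ip: str, user_id: str, proof: bytes) -> bool:
        """Main mode: the PSK is selected by peer address before any identity is
        seen, then PSK, address and user ID must all match, as described above."""
        entry = self.psk_by_peer.get(peer_ip)
        if entry is None:
            return False  # no key was distributed for this address
        stored_user, psk = entry
        expected = hmac.new(psk, peer_ip.encode() + user_id.encode(), hashlib.sha256).digest()
        return stored_user == user_id and hmac.compare_digest(expected, proof)

@dataclass
class Terminal:  # mobile wireless terminal device 110
    ip: str
    user_id: str
    master_secret: bytes
    relay_ip: str = ""
    ipsec_psk: bytes = b""

    def handle(self, msg: dict):
        body = open_sealed(self.master_secret, msg)
        if msg["type"] == EAP_IPADDR:
            self.relay_ip = body.decode()  # step ST2: learn the relay's address
            return seal(self.master_secret, EAP_IPADDR, self.ip.encode())  # step ST3 reply
        if msg["type"] == EAP_IPSECKEY:
            self.ipsec_psk = body  # step ST4: PSK for this connection only
        return None

    def ike_proof(self) -> bytes:
        """Stand-in for the main-mode authentication payload derived from the PSK."""
        return hmac.new(self.ipsec_psk, self.ip.encode() + self.user_id.encode(), hashlib.sha256).digest()

class AuthServer:  # connection authentication server 108
    def __init__(self, relay: VpnRelay):
        self.relay = relay

    def provision(self, term: Terminal, master_secret: bytes) -> bytes:
        reply = term.handle(seal(master_secret, EAP_IPADDR, self.relay.ip.encode()))
        terminal_ip = open_sealed(master_secret, reply).decode()
        psk = secrets.token_bytes(32)  # generated per connection, so it changes every time
        term.handle(seal(master_secret, EAP_IPSECKEY, psk))  # via the access point relay
        self.relay.receive_from_auth_server(terminal_ip, term.user_id, psk)
        return psk

def run_scenario() -> dict:
    relay = VpnRelay(ip="203.0.113.5")  # constructed documentation addresses
    server = AuthServer(relay)
    ms = secrets.token_bytes(48)  # EAP-TLS master secret (constructed)
    term = Terminal(ip="198.51.100.7", user_id="user@example.com", master_secret=ms)
    psk1 = server.provision(term, ms)
    first_ok = relay.main_mode_auth(term.ip, term.user_id, term.ike_proof())
    wrong_user = relay.main_mode_auth(term.ip, "other@example.com", term.ike_proof())
    unknown_ip = relay.main_mode_auth("192.0.2.9", term.user_id, term.ike_proof())
    stale_proof = term.ike_proof()
    psk2 = server.provision(term, ms)  # terminal reconnects: the PSK is replaced
    stale_ok = relay.main_mode_auth(term.ip, term.user_id, stale_proof)
    forged = seal(ms, EAP_IPADDR, b"203.0.113.5")
    forged["payload"] = b"192.0.2.66"  # altered in transit: the tag no longer matches
    try:
        term.handle(forged)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"first_ok": first_ok, "wrong_user": wrong_user, "unknown_ip": unknown_ip,
            "rekeyed": psk1 != psk2, "stale_ok": stale_ok, "tampered_rejected": tampered_rejected,
            "relay_ip_learned": term.relay_ip == relay.ip}
```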
- A mobile radio communication system according to one aspect of the present invention includes a public network, a private network, and a public wireless LAN system, and comprises:
- a virtual private network relay device that establishes an IPsec tunnel via the public network with a network relay device installed in the private network, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server that is installed in the public wireless LAN system and authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and
- a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- According to this configuration, the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device. Since the mobile wireless terminal device and the virtual private network relay device can therefore start key exchange in IPsec main mode using those IP addresses, a decrease in security is prevented and no special work by the user or administrator is required. Further, because the mobile wireless terminal device and the connection authentication server transmit the IP addresses over the secure communication path established by the connection authentication procedure, no new secure communication path has to be established for distributing the IP addresses, and the time required for establishing an IPsec tunnel in a mobile VPN connection environment can be reduced.
- A mobile wireless terminal device according to another aspect of the present invention is a mobile wireless terminal device in a mobile wireless communication system that includes a public network, a private network, and a public wireless LAN system, and that comprises:
- a virtual private network relay device that establishes an IPsec tunnel via the public network with a network relay device installed in the private network, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system to authenticate the connection of the mobile wireless terminal device to the public wireless LAN system; and
- a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server; the mobile wireless terminal device comprising:
- an authentication processing unit that performs a connection authentication process with the connection authentication server for connecting to the public wireless LAN system; an address acquisition unit that obtains the IP address of the virtual private network relay device from the connection authentication server when connection to the public wireless LAN system is permitted;
- an address notification unit that notifies the connection authentication server of the IP address of the mobile wireless terminal device; and
- an IPsec key exchange unit that performs an IPsec key exchange with the virtual private network relay device using the IP address of the virtual private network relay device.
- According to this configuration, the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device. Since the mobile wireless terminal device and the virtual private network relay device can therefore start key exchange in IPsec main mode using those IP addresses, a decrease in security is prevented and no special work by the user or administrator is required. Further, because the IP addresses are transmitted over the secure communication path established by the connection authentication procedure between the mobile wireless terminal device and the connection authentication server, no secure communication path has to be re-established for distributing the IP addresses, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- A mobile wireless terminal device according to another aspect of the present invention is a mobile wireless terminal device in a mobile wireless communication system that includes a public network, a private network, and a public wireless LAN system, and that comprises:
- a virtual private network relay device that establishes an IPsec tunnel via the public network with a network relay device installed in the private network, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server that is installed in the public wireless LAN system and authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and
- a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server; the mobile wireless terminal device comprising: an authentication processing unit that performs a connection authentication process with the connection authentication server for connecting to the public wireless LAN system;
- an IPsec shared key acquisition unit that acquires from the connection authentication server, when connection to the public wireless LAN system is permitted, the IPsec pre-shared secret key used for IPsec key exchange with the virtual private network relay device; and an IPsec key exchange unit that performs IPsec key exchange with the virtual private network relay device using that IPsec pre-shared secret key.
- According to this configuration, the mobile wireless terminal device and the virtual private network relay device can acquire the same IPsec pre-shared secret key, and the IPsec pre-shared secret key can be updated each time the mobile wireless terminal device connects to the public wireless LAN system, so a decrease in security is prevented and no special work by the user or administrator is required. Further, because the IPsec pre-shared secret key is transmitted over the secure communication path established by the connection authentication procedure between the mobile wireless terminal device and the connection authentication server, no secure communication path has to be re-established for distributing the IPsec pre-shared secret key, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a mobile wireless terminal device in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a home agent that controls the movement of the mobile wireless terminal device; a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the mobile wireless terminal device comprises: an authentication processing unit that performs the connection authentication process to the public wireless LAN system with respect to the connection authentication server; a MIP shared key acquisition unit that, when connection to the public wireless LAN system is permitted, acquires from the connection authentication server a pre-shared secret key used for mobile IP registration between the mobile wireless terminal device and the home agent; and a MIP registration unit that performs mobile IP registration with the home agent using the pre-shared secret key.
- the mobile wireless terminal device and the home agent can acquire the same MIP pre-shared secret key, and the MIP pre-shared secret key can be updated each time the mobile wireless terminal device connects to the public wireless LAN system, so security can be prevented from lowering and no special work by the user or administrator is required. Also, because the MIP pre-shared secret key is transmitted over the secure communication path established by the connection authentication procedure between the mobile wireless terminal device and the connection authentication server, a separate secure communication path for distributing the MIP pre-shared secret key does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a mobile wireless terminal device in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a home agent that controls the movement of the mobile wireless terminal device; a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the mobile wireless terminal device comprises: an authentication processing unit that performs the connection authentication process to the public wireless LAN system with respect to the connection authentication server; an address acquisition unit that, when connection to the public wireless LAN system is permitted, acquires the IP address of the virtual private network relay device from the connection authentication server; an address notifying unit that notifies the connection authentication server of the IP address of the mobile wireless terminal device; an IPsec shared key acquisition unit that acquires from the connection authentication server an IPsec pre-shared secret key used for IPsec key exchange performed between the mobile wireless terminal device and the virtual private network relay device; and a MIP shared key acquisition unit that acquires from the connection authentication server a MIP pre-shared secret key used for mobile IP registration between the mobile wireless terminal device and the home agent.
- the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device, so key exchange in the IPsec main mode can be started using these IP addresses. The mobile wireless terminal device and the virtual private network relay device can also acquire the same IPsec pre-shared secret key, which can therefore be updated each time the mobile wireless terminal device connects to the public wireless LAN system. Further, according to this configuration, the mobile wireless terminal device and the home agent can acquire the same MIP pre-shared secret key, which can likewise be updated each time the mobile wireless terminal device connects to the public wireless LAN system. As a result, security can be prevented from deteriorating, and no special work by the user or administrator is required.
- the IP address, the IPsec pre-shared secret key, and the MIP pre-shared secret key are transmitted between the mobile wireless terminal device and the connection authentication server over the secure communication path established by the connection authentication procedure, so a separate secure communication path for distributing them does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a virtual private network relay device in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the virtual private network relay device comprises: an address acquisition unit that receives the IP address of the mobile wireless terminal device from the connection authentication server; and an IPsec key exchange unit that performs IPsec key exchange with the mobile wireless terminal device using the IP address of the mobile wireless terminal device.
- the virtual private network relay device can obtain the IP address of the mobile wireless terminal device, so key exchange in the IPsec main mode can be started using that IP address. Therefore, security can be prevented from deteriorating, no special operation by the user or administrator is required, and the time required for establishing the IPsec tunnel in the mobile VPN connection environment can be shortened.
- a virtual private network relay device in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the virtual private network relay device comprises: an IPsec shared key acquisition unit that receives from the connection authentication server a pre-shared secret key used for IPsec key exchange with the mobile wireless terminal device; and an IPsec key exchange unit that performs IPsec key exchange with the mobile wireless terminal device using the pre-shared secret key.
- the mobile wireless terminal device and the virtual private network relay device can acquire the same IPsec pre-shared secret key, and the IPsec pre-shared secret key can be updated each time the mobile wireless terminal device connects to the public wireless LAN system, so security can be prevented from lowering, no special work is required of users or administrators, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a virtual private network relay device in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the virtual private network relay device comprises: an address acquisition unit that receives the IP address of the mobile wireless terminal device from the connection authentication server; an IPsec shared key acquisition unit that receives from the connection authentication server a pre-shared secret key used for IPsec key exchange with the mobile wireless terminal device; and an IPsec key exchange unit that performs IPsec key exchange with the mobile wireless terminal device using the IP address and the pre-shared secret key.
- the virtual private network relay device can acquire the IP address of the mobile wireless terminal device, so key exchange in the IPsec main mode can be started using the IP address. Further, according to this configuration, the mobile wireless terminal device and the virtual private network relay device can acquire the same IPsec pre-shared secret key, and the IPsec pre-shared secret key can be updated each time the mobile wireless terminal device connects to the public wireless LAN system. As a result, security can be prevented from deteriorating, no special work by the user or administrator is required, and the time required for establishing the IPsec tunnel in the mobile VPN connection environment can be shortened.
- a connection authentication server in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device, establishes an IPsec tunnel with the mobile wireless terminal device, and relays the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the connection authentication server comprises: an authentication processing unit that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and an address notification unit that notifies the mobile wireless terminal device of the IP address of the virtual private network relay device and notifies the virtual private network relay device of the IP address of the mobile wireless terminal device.
- the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device. Therefore, since the mobile wireless terminal device and the virtual private network relay device can start key exchange in the IPsec main mode using their respective IP addresses, security can be prevented from lowering, and no special work by the user or administrator is required. Further, according to this configuration, the mobile wireless terminal device and the connection authentication server transmit the IP addresses over the secure communication path established by the connection authentication procedure, so a separate secure communication path for distributing the IP addresses does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a connection authentication server in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the connection authentication server comprises: an authentication processing unit that performs connection authentication of the mobile wireless terminal device to the public wireless LAN system; and an IPsec shared key distribution unit that, when permitting connection of the mobile wireless terminal device to the public wireless LAN system, distributes a pre-shared secret key used for IPsec key exchange performed between the mobile wireless terminal device and the virtual private network relay device to the mobile wireless terminal device and the virtual private network relay device.
- the mobile wireless terminal device and the virtual private network relay device can obtain the same IPsec pre-shared secret key, and the IPsec pre-shared secret key can be updated each time the mobile wireless terminal device connects to the public wireless LAN system, so security can be prevented from deteriorating and no special work by the user or administrator is required. Further, according to this configuration, the IPsec pre-shared secret key is transmitted between the mobile wireless terminal device and the connection authentication server over the secure communication path established by the connection authentication procedure, so a separate secure communication path for distributing the key does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a connection authentication server in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a home agent that controls the movement of the mobile wireless terminal device; a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the connection authentication server comprises: an authentication processing unit that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a MIP shared key distribution unit that, when permitting connection of the mobile wireless terminal device to the public wireless LAN system, distributes a pre-shared secret key used for mobile IP registration between the mobile wireless terminal device and the home agent to the mobile wireless terminal device and the home agent.
- the mobile wireless terminal device and the home agent can obtain the same MIP pre-shared secret key, and the MIP pre-shared secret key can be updated every time the mobile wireless terminal device connects to the public wireless LAN system, so security can be prevented from lowering and no special work by the user or administrator is required. Further, according to this configuration, the MIP pre-shared secret key is distributed over the secure communication path established by the connection authentication procedure between the mobile wireless terminal device and the connection authentication server, so a separate secure communication path for distributing it does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a connection authentication server in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a home agent that controls the movement of the mobile wireless terminal device; a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the connection authentication server comprises: an authentication processing unit that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; an address acquisition unit that, when permitting connection of the mobile wireless terminal device to the public wireless LAN system, receives the IP address of the mobile wireless terminal device from the mobile wireless terminal device; an address notifying unit that notifies the mobile wireless terminal device of the IP address of the virtual private network relay device and notifies the virtual private network relay device of the IP address of the mobile wireless terminal device; an IPsec shared key distribution unit that distributes an IPsec pre-shared secret key used for IPsec key exchange between the mobile wireless terminal device and the virtual private network relay device to the mobile wireless terminal device and the virtual private network relay device; and a MIP shared key distribution unit that distributes a MIP pre-shared secret key used for the mobile IP registration performed between the mobile wireless terminal device and the home agent to the mobile wireless terminal device and the home agent.
- the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device, so the mobile wireless terminal device and the virtual private network relay device can start tunnel establishment in the IPsec main mode using their respective IP addresses. Further, according to this configuration, the mobile wireless terminal device and the virtual private network relay device can obtain the same IPsec pre-shared secret key, which can be updated each time the mobile wireless terminal device connects to the public wireless LAN system, and the mobile wireless terminal device and the home agent can acquire the same MIP pre-shared secret key, which can likewise be updated each time the mobile wireless terminal device connects to the public wireless LAN system. This makes it possible to prevent security from lowering and requires no special work by the user or administrator.
- the IP address, the IPsec pre-shared secret key, and the MIP pre-shared secret key are transmitted over the secure communication path established by the connection authentication procedure between the mobile wireless terminal device and the connection authentication server, so a separate secure communication path for distributing them does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
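As an added illustration that is not part of the patent, the Python model below walks through the procedure summarised above: the connection authentication server authenticates the terminal over the public wireless LAN and, over the path that authentication has just secured, hands a fresh IPsec pre-shared key to the terminal and the VPN relay device, a fresh MIP pre-shared key to the terminal and the home agent, and the peers' IP addresses, after which the relay selects the PSK by the terminal's address for the main-mode exchange. Class names, the subscriber database, passwords and IP addresses are constructed; IKE main mode and Mobile IP registration are reduced to their PSK-authentication core, with HMAC-SHA256 standing in for algorithms the page does not name.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()  # stand-in prf; the page names no algorithm


@dataclass
class VpnRelayDevice:
    ip: str
    peers: dict = field(default_factory=dict)  # terminal IP -> IPsec PSK pushed by the auth server

    def accept_credentials(self, terminal_ip: str, ipsec_psk: bytes) -> None:
        self.peers[terminal_ip] = ipsec_psk

    def main_mode_respond(self, terminal_ip: str, ni: bytes):
        # IKE main mode reduced to its PSK core: the PSK is looked up by the initiator's IP
        # address (which is why the relay must learn it first); SKEYID = prf(PSK, Ni | Nr).
        psk = self.peers.get(terminal_ip)
        if psk is None:
            return None  # no PSK for this address: exchange refused
        nr = secrets.token_bytes(16)
        return nr, prf(psk, ni + nr)


@dataclass
class HomeAgent:
    mip_psks: dict = field(default_factory=dict)  # terminal IP -> MIP PSK pushed by the auth server

    def accept_credentials(self, terminal_ip: str, mip_psk: bytes) -> None:
        self.mip_psks[terminal_ip] = mip_psk

    def verify_registration(self, terminal_ip: str, request: bytes, auth: bytes) -> bool:
        psk = self.mip_psks.get(terminal_ip)
        return psk is not None and hmac.compare_digest(prf(psk, request), auth)


@dataclass
class MobileTerminal:
    ip: str
    ipsec_psk: bytes = b""
    mip_psk: bytes = b""
    relay_ip: str = ""

    def accept_credentials(self, ipsec_psk: bytes, mip_psk: bytes, relay_ip: str) -> None:
        self.ipsec_psk, self.mip_psk, self.relay_ip = ipsec_psk, mip_psk, relay_ip

    def main_mode_initiate(self, relay: VpnRelayDevice):
        # Real IKE proves SKEYID knowledge via HASH_I/HASH_R; here both derivations are compared.
        ni = secrets.token_bytes(16)
        reply = relay.main_mode_respond(self.ip, ni)
        if reply is None:
            return None
        nr, relay_skeyid = reply
        return hmac.compare_digest(prf(self.ipsec_psk, ni + nr), relay_skeyid)

    def mip_register(self, ha: HomeAgent, care_of: str) -> bool:
        # Mobile IP registration request carrying a Mobile-Home authenticator keyed by the MIP PSK
        request = f"RRQ home={self.ip} care-of={care_of}".encode()
        return ha.verify_registration(self.ip, request, prf(self.mip_psk, request))


@dataclass
class ConnectionAuthServer:
    relay: VpnRelayDevice
    home_agent: HomeAgent
    users: dict = field(default_factory=dict)  # constructed subscriber DB: user -> (salt, hash)

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate_and_provision(self, term: MobileTerminal, user: str, password: str) -> bool:
        # Public-WLAN connection authentication. Only on success, over the channel that the
        # authentication has just secured, are a fresh IPsec PSK (to terminal and relay), a
        # fresh MIP PSK (to terminal and home agent) and the peers' IP addresses distributed.
        salt, stored = self.users.get(user, (b"", b""))
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            return False
        ipsec_psk, mip_psk = secrets.token_bytes(32), secrets.token_bytes(32)
        term.accept_credentials(ipsec_psk, mip_psk, self.relay.ip)
        self.relay.accept_credentials(term.ip, ipsec_psk)
        self.home_agent.accept_credentials(term.ip, mip_psk)
        return True


def demo() -> dict:
    relay, ha = VpnRelayDevice(ip="203.0.113.10"), HomeAgent()  # RFC 5737 documentation addresses
    server = ConnectionAuthServer(relay, ha)
    server.enroll("alice", "correct horse battery")
    term = MobileTerminal(ip="192.0.2.25")
    out = {"rejected": server.authenticate_and_provision(term, "alice", "wrong")}
    out["tunnel_before_auth"] = term.main_mode_initiate(relay)  # relay holds no PSK for this address
    out["auth1"] = server.authenticate_and_provision(term, "alice", "correct horse battery")
    psk1 = term.ipsec_psk
    out["tunnel1"] = term.main_mode_initiate(relay)
    out["mip1"] = term.mip_register(ha, care_of=term.ip)
    # second connection to the public WLAN: both keys are rotated, the previous PSK no longer works
    out["auth2"] = server.authenticate_and_provision(term, "alice", "correct horse battery")
    out["psk_rotated"] = psk1 != term.ipsec_psk
    out["tunnel2"] = term.main_mode_initiate(relay)
    stale = MobileTerminal(ip=term.ip, ipsec_psk=psk1)  # a peer still holding the previous PSK
    out["stale_tunnel"] = stale.main_mode_initiate(relay)
    return out
```

Running `demo()` shows that a failed authentication provisions nothing, that a second connection rotates both keys, and that a peer which kept the previous key can no longer complete the exchange.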
- a wireless LAN access point in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a home agent that controls the movement of the mobile wireless terminal device; a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the wireless LAN access point comprises an authentication relay unit that, using the secure communication path established in the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server, transmits the IP address, the IPsec pre-shared secret key, and the MIP pre-shared secret key sent by the connection authentication server to the mobile wireless terminal device, and transmits the IP address sent by the mobile wireless terminal device to the connection authentication server.
- the mobile wireless terminal device can obtain the IP address of the virtual private network relay device, and the virtual private network relay device can obtain the IP address of the mobile wireless terminal device, so the mobile wireless terminal device and the virtual private network relay device can start key exchange in the IPsec main mode using their respective IP addresses. Further, according to this configuration, the mobile wireless terminal device and the virtual private network relay device can obtain the same IPsec pre-shared secret key, which can be updated each time the mobile wireless terminal device connects to the public wireless LAN system. As a result, security can be prevented from lowering, and no special work by the user or administrator is required.
- the IP address, the IPsec pre-shared secret key, and the MIP pre-shared secret key are transmitted between the mobile wireless terminal device and the connection authentication server over the secure communication path established by the connection authentication procedure, so a separate secure communication path for distributing them does not have to be established, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- a home agent in a mobile wireless communication system that includes a public network, a private network, a public wireless LAN system, and a network relay device installed in the private network via the public network;
- a virtual private network relay device that establishes an IPsec tunnel with the network relay device and establishes an IPsec tunnel with the mobile wireless terminal device to relay the connection of the mobile wireless terminal device from the public wireless LAN system to the private network;
- a connection authentication server installed in the public wireless LAN system that authenticates the connection of the mobile wireless terminal device to the public wireless LAN system; and a wireless LAN access point that relays the public wireless LAN connection authentication procedure performed between the mobile wireless terminal device and the connection authentication server.
- the home agent comprises: a MIP shared key acquisition unit that receives from the connection authentication server a pre-shared secret key used for the mobile IP registration of the mobile wireless terminal device; and a MIP processing unit that processes the mobile IP registration from the mobile wireless terminal device using the pre-shared secret key.
- the home agent can acquire the MIP pre-shared secret key, and the MIP pre-shared secret key can be updated every time the mobile wireless terminal device connects to the public wireless LAN system, so security degradation can be prevented, no special work by users or administrators is required, and the time required to establish an IPsec tunnel in a mobile VPN connection environment can be reduced.
- the present invention is suitable as a mobile radio communication system that provides a mobile VPN environment in which a mobile radio terminal device accesses a private network via a public network from a public wireless LAN system.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20050703432 EP1694013A1 (en) | 2004-01-15 | 2005-01-11 | Mobile radio communication system, mobile radio terminal device, virtual private network relay device, and connection authentication server |
US10/586,343 US7941843B2 (en) | 2004-01-15 | 2005-01-11 | Mobile wireless communication system, mobile wireless terminal apparatus, virtual private network relay apparatus and connection authentication server |
CN2005800020038A CN1910877B (zh) | 2004-01-15 | 2005-01-11 | Mobile wireless terminal device, virtual private network relay device, wireless LAN access point, connection authentication server, home agent |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004008507A JP3955025B2 (ja) | 2004-01-15 | 2004-01-15 | Mobile radio terminal device, virtual private network relay device, and connection authentication server |
JP2004-008507 | 2004-01-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005069567A1 true WO2005069567A1 (ja) | 2005-07-28 |
Family
ID=34792230
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/000193 WO2005069567A1 (ja) | 2004-01-15 | 2005-01-11 | Mobile radio communication system, mobile radio terminal device, virtual private network relay device, and connection authentication server |
Country Status (5)
Country | Link |
---|---|
US (1) | US7941843B2 (ja) |
EP (1) | EP1694013A1 (ja) |
JP (1) | JP3955025B2 (ja) |
CN (1) | CN1910877B (ja) |
WO (1) | WO2005069567A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009515448A (ja) * | 2005-11-04 | 2009-04-09 | シーメンス アクチエンゲゼルシヤフト | モビリティキーを提供する方法とサーバ |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060230279A1 (en) * | 2005-03-30 | 2006-10-12 | Morris Robert P | Methods, systems, and computer program products for establishing trusted access to a communication network |
US8621577B2 (en) * | 2005-08-19 | 2013-12-31 | Samsung Electronics Co., Ltd. | Method for performing multiple pre-shared key based authentication at once and system for executing the method |
JP4754964B2 (ja) * | 2005-12-28 | 2011-08-24 | 富士通株式会社 | 無線網制御装置及び無線網制御システム |
US8406220B2 (en) * | 2005-12-30 | 2013-03-26 | Honeywell International Inc. | Method and system for integration of wireless devices with a distributed control system |
US7734050B2 (en) * | 2006-03-27 | 2010-06-08 | Nissan Technical Center North America, Inc. | Digital certificate pool |
US7742603B2 (en) * | 2006-03-27 | 2010-06-22 | Nissan Technical Center North America, Inc. | Security for anonymous vehicular broadcast messages |
JP4763560B2 (ja) | 2006-09-14 | 2011-08-31 | 富士通株式会社 | 接続支援装置 |
US8032753B2 (en) * | 2006-11-23 | 2011-10-04 | Electronics And Telecommunications Research Institute | Server and system for transmitting certificate stored in fixed terminal to mobile terminal and method using the same |
JP5003505B2 (ja) * | 2007-04-10 | 2012-08-15 | ソニー株式会社 | 接続認証システム、端末装置、接続認証サーバ、接続認証方法、及びプログラム |
US20120254615A1 (en) * | 2011-03-31 | 2012-10-04 | Motorola Solutions, Inc. | Using a dynamically-generated symmetric key to establish internet protocol security for communications between a mobile subscriber and a supporting wireless communications network |
US10277630B2 (en) * | 2011-06-03 | 2019-04-30 | The Boeing Company | MobileNet |
US9021578B1 (en) * | 2011-09-13 | 2015-04-28 | Symantec Corporation | Systems and methods for securing internet access on restricted mobile platforms |
DE102011119680A1 (de) * | 2011-11-29 | 2013-05-29 | Abb Ag | VolP-Telefonie-Unterputz-Elektro-Installationsgerät |
KR101640209B1 (ko) * | 2012-01-20 | 2016-07-18 | 한국전자통신연구원 | 휴대 모바일 가상사설망 서비스 지원장치 및 그 방법 |
WO2013187709A1 (en) * | 2012-06-13 | 2013-12-19 | Samsung Electronics Co., Ltd. | Method and system for securing control packets and data packets in a mobile broadband network environment |
US20150163704A1 (en) * | 2013-12-11 | 2015-06-11 | Qualcomm Incorporated | Handover from cellular to wlan in integrated network |
AU2014361864B2 (en) * | 2013-12-13 | 2019-04-18 | M87, Inc. | Methods and systems of secure connections for joining hybrid cellular and non-cellular networks |
US9525664B2 (en) * | 2014-02-28 | 2016-12-20 | Symantec Corporation | Systems and methods for providing secure access to local network devices |
US10015720B2 (en) * | 2014-03-14 | 2018-07-03 | GoTenna, Inc. | System and method for digital communication between computing devices |
US9621547B2 (en) | 2014-12-22 | 2017-04-11 | Mcafee, Inc. | Trust establishment between a trusted execution environment and peripheral devices |
US9763088B2 (en) * | 2014-12-31 | 2017-09-12 | Ruckus Wireless, Inc. | Mesh network with personal pre-shared keys |
WO2016159954A1 (en) | 2015-03-30 | 2016-10-06 | Ruckus Wireless, Inc. | Zero-touch onboarding in a mesh network |
US10051000B2 (en) * | 2015-07-28 | 2018-08-14 | Citrix Systems, Inc. | Efficient use of IPsec tunnels in multi-path environment |
CN105306437B (zh) * | 2015-09-17 | 2019-04-12 | 成都索贝数码科技股份有限公司 | 一种网络安全加密及校验方法 |
US10791093B2 (en) * | 2016-04-29 | 2020-09-29 | Avago Technologies International Sales Pte. Limited | Home network traffic isolation |
US20180198786A1 (en) * | 2017-01-11 | 2018-07-12 | Pulse Secure, Llc | Associating layer 2 and layer 3 sessions for access control |
US10992670B1 (en) * | 2018-11-12 | 2021-04-27 | Amazon Technologies, Inc. | Authenticating identities for establishing secure network tunnels |
CN112751674B (zh) * | 2020-12-30 | 2023-05-02 | 上海优咔网络科技有限公司 | 虚拟专用网络接入认证方法、系统、设备及可读存储介质 |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001177514A (ja) * | 1999-12-17 | 2001-06-29 | Ntt Docomo Inc | 通信方法および通信装置 |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2364477B (en) * | 2000-01-18 | 2003-11-05 | Ericsson Telefon Ab L M | Virtual private networks |
JP4201466B2 (ja) * | 2000-07-26 | 2008-12-24 | 富士通株式会社 | VPN system in a mobile IP network and VPN setup method |
KR100416541B1 (ko) * | 2000-11-30 | 2004-02-05 | 삼성전자주식회사 | Home network access method using a home gateway and a home portal server, and apparatus therefor |
US6915437B2 (en) * | 2000-12-20 | 2005-07-05 | Microsoft Corporation | System and method for improved network security |
US20020136226A1 (en) * | 2001-03-26 | 2002-09-26 | Bluesocket, Inc. | Methods and systems for enabling seamless roaming of mobile devices among wireless networks |
KR100450973B1 (ko) * | 2001-11-07 | 2004-10-02 | 삼성전자주식회사 | Method for authentication between a mobile terminal and a home agent in a wireless communication system |
CN1268093C (zh) * | 2002-03-08 | 2006-08-02 | 华为技术有限公司 | Method for distributing encryption keys in a wireless local area network |
US6839338B1 (en) * | 2002-03-20 | 2005-01-04 | Utstarcom Incorporated | Method to provide dynamic internet protocol security policy service |
ES2236471T3 (es) * | 2002-06-04 | 2005-07-16 | Alcatel | A method, a network access server, an authentication-authorization-accounting server and a computer program product for proxying user authentication-authorization-accounting messages via a network access server. |
US7287269B2 (en) * | 2002-07-29 | 2007-10-23 | International Business Machines Corporation | System and method for authenticating and configuring computing devices |
US7685317B2 (en) * | 2002-09-30 | 2010-03-23 | Intel Corporation | Layering mobile and virtual private networks using dynamic IP address management |
US7441043B1 (en) * | 2002-12-31 | 2008-10-21 | At&T Corp. | System and method to support networking functions for mobile hosts that access multiple networks |
US7478427B2 (en) * | 2003-05-05 | 2009-01-13 | Alcatel-Lucent Usa Inc. | Method and apparatus for providing adaptive VPN to enable different security levels in virtual private networks (VPNs) |
US20060185013A1 (en) * | 2003-06-18 | 2006-08-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Method, system and apparatus to support hierarchical mobile ip services |
US7574603B2 (en) * | 2003-11-14 | 2009-08-11 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US7546357B2 (en) * | 2004-01-07 | 2009-06-09 | Microsoft Corporation | Configuring network settings using portable storage media |
EP1712058A1 (en) * | 2004-02-06 | 2006-10-18 | Telecom Italia S.p.A. | Method and system for the secure and transparent provision of mobile ip services in an aaa environment |
- 2004
  - 2004-01-15 JP JP2004008507A patent/JP3955025B2/ja not_active Expired - Fee Related
- 2005
  - 2005-01-11 CN CN2005800020038A patent/CN1910877B/zh not_active Expired - Fee Related
  - 2005-01-11 EP EP20050703432 patent/EP1694013A1/en not_active Withdrawn
  - 2005-01-11 US US10/586,343 patent/US7941843B2/en not_active Expired - Fee Related
  - 2005-01-11 WO PCT/JP2005/000193 patent/WO2005069567A1/ja not_active Application Discontinuation
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001177514A (ja) * | 1999-12-17 | 2001-06-29 | Ntt Docomo Inc | Communication method and communication device |
Non-Patent Citations (1)
Title |
---|
FEDER P.M. ET AL.: "A seamless mobile VPN data solution for UMTS and WLAN users", 3G MOBILE COMMUNICATION TECHNOLOGIES, 4TH INTERNATIONAL CONFERENCE, 27 June 2003 (2003-06-27), pages 210 - 216, XP002987977 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009515448A (ja) * | 2005-11-04 | 2009-04-09 | シーメンス アクチエンゲゼルシヤフト | Method and server for providing a mobility key |
JP4806028B2 (ja) * | 2005-11-04 | 2011-11-02 | シーメンス アクチエンゲゼルシヤフト | Method and server for providing a mobility key |
Also Published As
Publication number | Publication date |
---|---|
CN1910877B (zh) | 2011-01-05 |
CN1910877A (zh) | 2007-02-07 |
EP1694013A1 (en) | 2006-08-23 |
US7941843B2 (en) | 2011-05-10 |
JP3955025B2 (ja) | 2007-08-08 |
US20080232382A1 (en) | 2008-09-25 |
JP2005204086A (ja) | 2005-07-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2005069567A1 (ja) | | Mobile radio communication system, mobile radio terminal device, virtual private network relay device and connection authentication server |
US10142842B2 (en) | | Securing communications of a wireless access point and a mobile device |
CA2414216C (en) | | A secure IP access protocol framework and supporting network architecture |
Arbaugh et al. | | Your 802.11 wireless network has no clothes |
US7213263B2 (en) | | System and method for secure network mobility |
KR100759489B1 (ko) | | Method and apparatus for securing an IP security tunnel using a public key infrastructure in a mobile communication network |
JP4575679B2 (ja) | | Wireless network handoff cryptographic key |
US8335490B2 (en) | | Roaming Wi-Fi access in fixed network architectures |
EP1495621B1 (en) | | Security transmission protocol for a mobility IP network |
US7028186B1 (en) | | Key management methods for wireless LANs |
EP2506491B1 (en) | | Encryption information transmission terminal |
WO2006098116A1 (ja) | | Authentication scheme in a wireless communication system, wireless terminal device and wireless base station provided therewith, wireless communication system using them, and program |
CA2414044C (en) | | A secure IP access protocol framework and supporting network architecture |
JPWO2008146395A1 (ja) | | Network relay device, communication terminal and encrypted communication method |
US20080137863A1 (en) | | Method and system for using a key management facility to negotiate a security association via an internet key exchange on behalf of another device |
JP2010539839A (ja) | | Security method in a server-based mobile internet protocol system |
JP2004312257A (ja) | | Base station, relay device and communication system |
JP4584776B2 (ja) | | Gateway device and program |
Eronen et al. | | An Extension for EAP-Only Authentication in IKEv2 |
US20230308868A1 (en) | | Method, devices and system for performing key management |
WO2006080079A1 (ja) | | Wireless network system and user authentication method therefor |
Eronen et al. | | RFC 5998: An Extension for EAP-Only Authentication in IKEv2 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 200580002003.8 Country of ref document: CN |
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2005703432 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 10586343 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Ref document number: DE |
| WWP | Wipo information: published in national office | Ref document number: 2005703432 Country of ref document: EP |