WO2021224624A1 - Authentication of devices to third-party services - Google Patents


Info

Publication number
WO2021224624A1
Authority
WO
WIPO (PCT)
Prior art keywords
host device
subscribed
cellular network
secure module
database system
Prior art date
Application number
PCT/GB2021/051093
Other languages
English (en)
Inventor
Carlos Hugo Baptista MORGADO
Michael MOORFIELD
Original Assignee
Truphone Limited
Priority date: 2020-05-05 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2021-05-05
Publication date: 2021-11-11
Application filed by Truphone Limited
Publication of WO2021224624A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Definitions

  • The present invention relates to telecommunications and in particular, but not exclusively, to the authentication of a host device to a third-party service.
  • UICC Universal Integrated Circuit Card
  • eUICC embedded Universal Integrated Circuit Card
  • eSIM embedded Subscriber Identification Module
  • iUICC integrated Universal Integrated Circuit Card
  • MVNO Mobile Virtual Network Operator
  • The UICC is in the form of a small card that can be inserted into and removed from the device.
  • The eUICC is also a small card, but one that is inserted into devices in a non-removable way.
  • The iUICC consists of a system-on-chip solution in which the UICC capabilities run on the chipset.
  • The soft SIM comprises a collection of software applications and data that performs all the functionality of a SIM card but does not reside in any kind of secure data storage or use a secure processor and is, instead, stored in the memory and processor of the communications device itself (i.e. there is no SIM hardware).
  • A secure module may be a UICC, an eUICC, an iUICC or a soft SIM, all of which can be included in host devices such as IoT devices, M2M devices and consumer devices.
  • The secure module may support any cellular network access technology (e.g., 2G, 3G, 4G, 5G, Low Power).
  • Figure 1 is a schematic diagram illustrating a host device comprising a secure module according to an example.
  • Figure 2 is a flow diagram illustrating a method according to an example.
  • Figure 3 is a schematic diagram illustrating the method according to an example.
  • Figure 4 is a schematic diagram illustrating the method according to another example.
  • There is provided a method for authentication of a host device to a third-party service.
  • There is also provided a secure module suitable for use in the method for authentication of the host device to a third-party service.
  • There is also provided a host device comprising a secure module suitable for use in the method for authentication of the host device to a third-party service.
  • There is also provided a database system with at least one memory and at least one processor suitable for use in the method for authentication of the host device to a third-party service.
  • There is also provided a cellular network suitable for use in the method for authentication of the host device to a third-party service.
  • FIG. 1 illustrates a secure module 100 included in a host device 110.
  • The secure module 100 comprises computer-readable storage 120 and at least one processor 130.
  • The host device 110, which may also be referred to as a user device or a consumer device, also comprises at least one processor 140 and computer-readable storage 150.
  • The computer-readable storages 120 and 150 may be referred to as computer-readable storage mediums, or simply storage.
  • The computer-readable storages 120 and 150 may each comprise one or more physical storage mediums, or may be virtualised storage wherein the storage mediums are embodied in a plurality of physical devices but formatted as logically contiguous blocks.
  • The computer-readable storage 150 may comprise instructions which, when executed by the at least one processor 140, cause the at least one processor 140 to trigger a method for authentication of the host device to third-party services.
  • The host device 110 may be a mobile device, for example a smart telephone or tablet computer.
  • The host device 110 may be in a fixed or non-fixed position, for example an appliance in a home or industrial setting.
  • The host device 110 may further comprise other components, not shown in Figure 1 for ease of explanation, including, but not limited to, one or more communications modules, a user interface, and one or more sensors including a microphone, camera, barometer, a depth sensor, and so forth.
  • The secure module 100 is allocated to the host device 110 before the host device 110 or the secure module 100 is provided to a user.
  • The secure module 100 may then be referred to as pre-allocated. This pre-allocation of the secure module 100 to the host device 110 may occur, for example, during manufacture of either the host device 110 or the secure module 100.
  • The host device 110 may be provided with a secure module 100 which can be any of a UICC, an eUICC, a soft SIM or an iUICC.
  • A database system in the cellular network which comprises subscriber records may include identifier details of the host device, including for example the ICCID, an IMSI, an MSISDN, and an IMEI.
  • The method for authentication of host devices to third-party services will be described below in relation to Figure 2.
  • The at least one processor 140 may possess proactive capacity in the sense that it is able to interact directly with external elements and cause the secure module 100 to send proactive commands to a cellular network, including data for the purposes of identification or authentication to a cellular network.
  • The at least one processor 140 of the host device 110 is configured to trigger the execution of the method for authentication of host devices to third-party services.
  • The secure module 100 is included in a host device 110 that may be a consumer device, or a machine or object in an IoT or M2M context.
  • FIG. 2 is a flow diagram illustrating a method 200 for authentication of host devices to third-party services according to an example. It is to be appreciated, and will be apparent from the following description, that part of the method 200 may be performed by a host device 110 comprising a secure module 100 according to the example shown in Figure 1, and other parts of the method 200 may be performed by a cellular network. The method 200 will now be described with reference to the blocks 210 to 290 of the flow chart shown in Figure 2.
  • The method 200 includes a host device 110, including a pre-allocated secure module 100 which is registered with a cellular network, starting a data session.
  • The host device 110 is provisioned with an International Mobile Equipment Identity, IMEI.
  • The secure module 100 is provisioned with at least an International Mobile Subscriber Identity, IMSI, an integrated circuit card identifier, ICCID, and a Mobile Station International Subscriber Directory Number, MSISDN.
  • The method 200 includes the host device 110 being assigned an IP address by the cellular network. Assigning an IP address may be considered part of establishing the data session. Assigning an IP address to the host device 110 also includes storing data representing an association between the IP address and one or more parameters associated with the host device 110, such as the IMEI, IMSI, ICCID and MSISDN. This association is stored in a database system comprising user subscription information and network state.
  • The database system may comprise at least one subscriber record, wherein the subscriber records include identifier details of respective subscribed host devices, such as an ICCID, an IMEI, one or more IMSIs, and an MSISDN.
  • Storing the IP address in the database system may include storing the IP address in association with a respective subscriber record. This may include storing the IP address in a file containing the respective subscriber record, and/or generating metadata associating the subscriber record with the IP address.
  • The host device 110 may then query a web service of the cellular network to request that the host device 110 be notarized, as shown at a third block 230.
  • The host device 110 may be notarized in the sense that it is confirmed that the host device 110 is registered with the cellular network. Being notarized may also be referred to as being verified or validated.
  • Querying the web service may comprise the host device 110 sending a query request to a notary node in the cellular network, wherein the query request is sent over HTTP or HTTPS.
  • The notary node may also serve over other TCP/IP-based transports such as MQTT.
  • The web service is to be understood as a software service running on the notary node which is available over HTTP or HTTPS, or other TCP/IP-based transports such as MQTT.
  • The software service running on the notary node may operate in a manner which is interoperable with one or more different applications and devices on a network, using encoding technologies such as Extensible Markup Language (XML), JavaScript Object Notation Web Token (JWT), ITU-T X.509 certificates, or others.
  • The notary node, which provides notary services for notarizing the host device 110, receives the query request and queries a database system in the cellular network to obtain identifier details of the host device 110.
  • The query request is initiated from the IP address which has been attributed to the host device 110 and which is known to the notary node as part of the connection parameters.
  • The IP address is then used when querying the database system to identify at least one subscriber record comprising the identifier details associated with this IP address.
  • The identifier details include at least the ICCID, and may also include other information such as an IMEI, an IMSI, an MSISDN, or any other relevant information associated with the host device 110 which may be used to identify a subscription.
  • The method 200 comprises the cellular network identifying the host device 110 which initiated the data session to which the IP address was assigned.
  • The method 200 comprises the database system in the cellular network responding to the notary node, the response including the ICCID of the secure module 100 included in the host device 110.
  • The method 200 comprises the notary node retrieving further identifier details associated with the host device 110 from a database system in the cellular network comprising subscriber records, the further identifier details comprising any of the IMEI of the host device, an IMSI, and an MSISDN of the secure module 100.
  • The notary node then creates a result with the identifier details associated with the IP address which was attributed to the host device 110.
  • The result includes at least the ICCID of the secure module 100 and a cryptographic signature of the cellular network.
  • The result may also include identifier details such as the IMEI of the host device 110, an IMSI associated with the secure module 100, an MSISDN associated with the secure module 100, or other identifiers. If the subscriber record of the host device 110 including secure module 100 is not found in the database system, the notary node responds to the host device 110 with an HTTP error (or the equivalent error over another TCP/IP-based transport such as MQTT).
  • The method 200 then comprises, at an eighth block 280, the notary node using the identifier details retrieved from the database system and the cryptographic signature of the cellular network, and returning a token to the host device 110 for authentication to a third party.
  • The token may comprise at least the cryptographic signature of the cellular network and the ICCID of the secure module 100.
  • The token may be a JavaScript Object Notation Web Token, JWT, with at least the cellular network cryptographic signature and the ICCID of the secure module 100 included in the host device 110.
  • The JWT is stored in the memory 150 of the host device 110.
  • The JWT may depend on the identifier details.
  • The JWT is to be understood as a standard for serializing and transmitting structured data over a network connection.
  • JWT is used for creating access tokens that assert a given number of claims, typically used to pass the identity of authenticated users between an identity provider and a service provider, or any other type of claims as required, for example by business processes.
  • The method 200 is shown to include the host device 110 using the token to be authenticated to a third party.
  • The use of the token by the third party may rely on preloading of shared keys, preloading of private Certificate Authority roots of trust, Public Key Infrastructure, or other suitable methods to verify the cellular network cryptographic signature and accept the identifier details claims.
  • Figure 3 shows schematically a process of a host device 110 including a secure module 100 querying a web service of the cellular network 301 to be notarized, according to an example.
  • The host device 110 is registered with the cellular network 301 and requests a data session.
  • The data session is established, including assigning an IP address to the host device 110.
  • This IP address is stored in a database system 307 in association with a subscriber record corresponding to the host device 110.
  • The host device 110 sends a query request 303 to a notary node 302 in the cellular network 301 infrastructure.
  • The host device 110 and secure module 100 may contact other network elements such as the Serving GPRS Support Node, SGSN, as described in the relevant 3GPP standards.
  • The query request 303 is sent to the notary node 302 via a Packet Data Network Gateway, PDN-GW 308, that is located within the cellular network 301 infrastructure.
  • PDN-GW Packet Data Network Gateway
  • The PDN-GW is in communication with a radio access network, RAN, within the cellular network 301 infrastructure.
  • The query request 303 from the host device 110 is transmitted via the RAN and PDN-GW 308 to the notary node 302.
  • The notary node 302 in turn performs a query 304 to a network database system 307 comprising subscriber records to retrieve the ICCID. In some examples, other identifier details of the host device 110 (which includes the secure module 100), as described above with respect to the seventh block 270 of the method 200, are retrieved from a further network database system 309 when the notary node performs a query 310 and the database system 309 returns a response 311.
  • The notary node also sends a query to Charging Function elements in the cellular network 301; this will be described further with respect to Figure 4.
  • The cellular network 301 identifies the host device 110 by identifying a subscriber record stored in the database system 307 which is associated with the IP address assigned to the host device.
  • The database system 307 in the cellular network 301 returns a response 305 to the notary node 302. If the host device 110 is a subscribed host device, the response 305 to the query 304 from the notary node 302 includes at least the ICCID associated with the host device 110.
  • After performing the notarization of the host device 110, the notary node 302 responds to the query request from the host device 110, for example via the PDN-GW 308.
  • The response 306 to the host device 110 includes a token for authentication of the host device to a third party.
  • If the query request 303 from the host device 110 to the notary node 302, as described in relation to block 230 of method 200, is initiated by a host device which does not have an active IP connection to the notary node 302 provided via a GSM data session authenticated using the secure module 100, the notary node 302 replies with an unauthorized error instead of a valid JWT.
  • The method 200 may be triggered upon a host device 110, including a secure module 100, sending a query request for access to a third-party service; in some examples this is initiated upon host device boot-up.
  • Third-party services may include, for example, cloud computing services provided by suppliers which are external to the cellular network 301.
  • The method 200 may also be triggered by user action in a host device 110 including a pre-allocated secure module 100, the host device 110 being already booted and registered with a cellular network 301.
  • There is also provided a database system 307 comprising at least one memory and at least one processor.
  • The at least one memory comprises at least one subscriber record, and computer-readable instructions to perform at least part of the method 200 for authentication of devices to third-party services.
  • The database system is configured to: receive a query request 304 from the notary node 302, the query request 304 including an IP address assigned to a host device; identify a subscriber record associated with the IP address, the subscriber record comprising at least an ICCID of a secure module included in the host device; and respond to the notary node 302, the response to the notary node 302 comprising at least the ICCID of the secure module 100 included in the host device 110.
  • There is also provided a non-transitory computer-readable storage medium comprising computer-readable instructions which, when executed by at least one processor, cause the at least one processor to: receive a query request from the notary node 302, the query request including an IP address assigned to a host device; identify a subscriber record associated with the IP address, the subscriber record comprising at least an ICCID of a secure module included in the host device; and respond to the notary node 302, the response to the notary node 302 including at least the ICCID of the secure module 100 included in the host device 110.
  • There is also provided a cellular network comprising: a notary node 302 providing functions of receiving query requests from a host device 110 to be notarized, and responding to said query requests from the host device 110, wherein the query response includes a token for authenticating the host device to a third party; and a database system 307 providing functions of receiving query requests from the notary node 302, and responding to the notary node 302, the response to the notary node 302 comprising at least the ICCID of the secure module 100 included in the host device 110.
  • There is also provided a non-transitory computer-readable storage medium comprising computer-readable instructions which, when executed by at least one processor, cause the at least one processor to: receive a query request to obtain the identifier details of a secure module 100 included in a host device 110; and respond to the query request, the query response including the identifier details of the secure module 100 included in the host device 110.
  • The notary node 302 sends the query request to the database system 307 and also queries Charging Function elements 400 in the cellular network 301, via the PDN-GW 308.
  • The Charging Function elements 400 may include a Remote Authentication Dial In User Service server, RADIUS 401, within the cellular network infrastructure 301.
  • The RADIUS is a node which provides several functions, including: receiving user connection requests; providing user authentication; and providing configuration information for the subscriber to enable delivery of the requested ICCID.
  • The RADIUS 401 may communicate with a multi-layer cloud-based portal 402 within the cellular network infrastructure.
  • The portal 402 is a platform providing functions of provisioning and management of host devices connected to the cellular network.
  • Upon receiving the query request from the PDN-GW, the RADIUS 401 authenticates the host device 110 and sends the configuration information to the portal 402, to enable identification of the ICCID associated with the host device 110.
  • The portal 402 transmits the configuration information to the database system 307, and this information may be used to identify at least the ICCID of the secure module 100 associated with the host device 110. In this way it becomes possible for a user to subscribe to third-party services over the internet and be provided a token within the network to access the given third-party service. This is because the RADIUS is able to authenticate a host device to enable access to the third-party services on demand.
  • The RADIUS may be able to access information relating to updates of a subscription of the host device.
  • The RADIUS may access information, or be provided with data, indicating that the host device is to be enabled to access a third-party service which was previously not accessible to the host device.
  • The RADIUS may then authenticate the host device and provide configuration information via the portal to the database system to enable the ICCID to be provided to the notary node.
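The notary flow of method 200 (IP assignment in block 220, the IP-keyed subscriber lookup, the signed JWT returned in block 280, and the third-party verification in block 290, together with the unauthorized-error case for a request that arrives with no authenticated data session) is modelled below in Python. This is an added example, not code from the patent or from Truphone: the subscriber database is an in-memory dictionary with constructed ICCID/IMEI/IMSI/MSISDN values, the notary node and third party are plain functions, and the signature is HS256 over a shared key, which is one of the verification options the page lists (preloaded shared keys); the patent does not fix the algorithm, the issuer name, or the token lifetime, so those are assumptions made here. The security property the example makes visible is that the device sends no identifiers at all: the only binding between request and subscription is the source IP the network itself assigned, looked up server-side.

```python
"""Notary-node flow from the patent (blocks 220 to 290) as a constructed model.

All identifiers, keys and IP addresses below are constructed placeholders,
not values from the patent or from any operator.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed subscriber records keyed by ICCID; each carries the identifier
# details the page names (IMEI, IMSI, MSISDN). Placeholder values.
SUBSCRIBERS: Dict[str, Dict[str, str]] = {
    "8944000000000000001": {
        "imei": "350000000000001",
        "imsi": "234300000000001",
        "msisdn": "+447700900001",
    },
}

# IP -> ICCID association written when the data session is established (block 220).
IP_TO_ICCID: Dict[str, str] = {}

# Shared key preloaded at the third party (assumed HS256; constructed value).
NETWORK_KEY = b"constructed-network-signing-key"


def assign_ip(ip: str, iccid: str) -> None:
    """Block 220: record which subscriber record the session IP belongs to."""
    if iccid not in SUBSCRIBERS:
        raise KeyError("unknown ICCID")
    IP_TO_ICCID[ip] = iccid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def notarize(source_ip: str, now: Optional[int] = None) -> dict:
    """Blocks 230 to 280 at the notary node.

    The only request attribute trusted is the connection's source IP, which the
    network assigned itself. Returns {"status": 200, "token": ...} for a
    subscribed device, or {"status": 401, "error": "unauthorized"} when no
    authenticated data session is bound to that IP (the page's error case).
    """
    iccid = IP_TO_ICCID.get(source_ip)
    if iccid is None:
        return {"status": 401, "error": "unauthorized"}
    record = SUBSCRIBERS[iccid]
    now = int(time.time()) if now is None else now
    claims = {
        "iss": "cellular-network-notary",  # constructed issuer name (assumption)
        "iat": now,
        "exp": now + 300,                  # short lifetime chosen here, not by the page
        "iccid": iccid,
        "imei": record["imei"],
        "imsi": record["imsi"],
        "msisdn": record["msisdn"],
    }
    return {"status": 200, "token": sign_jwt(claims, NETWORK_KEY)}


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Block 290 at the third party: check signature and expiry, return claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64 and JSON as well as bad splits
        return None
    if header.get("alg") != "HS256":
        return None  # the verifier fixes the algorithm; the token does not choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or "iccid" not in claims or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    assign_ip("10.0.0.7", "8944000000000000001")   # session established, IP bound
    print(notarize("10.0.0.7"))                       # 200 + JWT
    print(notarize("10.0.0.99"))                      # 401: no session bound to that IP
```

Two design points follow from the page rather than from this code. First, the IP lookup is only meaningful for requests that demonstrably arrived through the PDN-GW over the secure-module-authenticated data session (Figure 3); the notary endpoint therefore belongs inside the operator network, where the source address cannot be supplied by the caller. Second, because the token carries the ICCID and other subscriber identifiers in clear claims, the third party must verify the network signature before trusting any of them, and a short expiry limits replay of a token copied out of the device's memory 150.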

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Power Engineering (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Method for authenticating a subscribed host device to a third-party service. The method comprises assigning an IP address to the subscribed host device, storing the IP address in association with a subscriber record, receiving a query request for notarization of the host device, querying a database system to obtain identifier details of the subscribed host device, and providing a token for authenticating the subscribed host device to the third party. The invention also relates to a database system, a notary node and a host device according to the method.
PCT/GB2021/051093 2020-05-05 2021-05-05 Authentication of devices to third-party services WO2021224624A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB2006669.2A GB2594930A (en) 2020-05-05 2020-05-05 Authentication of devices to third party services
GB2006669.2 2020-05-05

Publications (1)

Publication Number Publication Date
WO2021224624A1 true WO2021224624A1 (fr) 2021-11-11

Family

ID=71080447

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2021/051093 WO2021224624A1 (fr) 2020-05-05 2021-05-05 Authentication of devices to third-party services

Country Status (2)

Country Link
GB (1) GB2594930A (fr)
WO (1) WO2021224624A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080127320A1 (en) * 2004-10-26 2008-05-29 Paolo De Lutiis Method and System For Transparently Authenticating a Mobile User to Access Web Services
US20150281362A1 (en) * 2014-03-31 2015-10-01 Cellco Partnership D/B/A Verizon Wireless System for mobile application notary service

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2795946B1 (fr) * 2011-12-23 2015-10-14 Telefonaktiebolaget L M Ericsson (PUBL) Methods and apparatus for determining a user identity token for identifying a user of a communication network
US11411941B2 (en) * 2019-01-04 2022-08-09 Comcast Cable Communications, Llc Establishing trust with network device

Also Published As

Publication number Publication date
GB202006669D0 (en) 2020-06-17
GB2594930A (en) 2021-11-17

Similar Documents

Publication Publication Date Title
US10285050B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
CN109314855B (zh) Method enabling migration of a subscription
EP3284274B1 (fr) Method and apparatus for managing a profile of a terminal in a wireless communication system
EP3476142B1 (fr) Methods and entities for terminating a subscription
US11012860B2 (en) Method and an apparatus for publishing assertions in a distributed database of a mobile telecommunication network and for personalising internet-of-things devices
US11838752B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
US20210144551A1 (en) Method and apparatus for discussing digital certificate by esim terminal and server
EP3114862B1 (fr) Communication system
US10862881B2 (en) Method of managing shared files and device for authenticating subscriber by using same
CN113541925B (zh) Communication system, method and device
CN109561429B (zh) An authentication method and device
WO2019161939A1 (fr) Methods, devices and computer programs for providing or controlling operator profiles in terminals
EP3783861A1 (fr) Method and terminal for downloading and managing data
CN112492592A (zh) An authorization method in a scenario with multiple NRFs
CN114175702A (zh) Dynamically switching network cards
JP6634530B2 (ja) Method for provisioning an applet with authentication information of a terminal application provided by an application server, and corresponding OTA platform
WO2021224624A1 (fr) Authentication of devices to third-party services
US20230057543A1 (en) Method and server for pushing data to mno
KR102025521B1 (ko) Method for changing the entity managing a subscriber identity module and device using same
CN115515125A (zh) Slice access control method, device and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21730641; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21730641; Country of ref document: EP; Kind code of ref document: A1)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07/07/2023))
122 Ep: pct application non-entry in european phase (Ref document number: 21730641; Country of ref document: EP; Kind code of ref document: A1)