WO2003053024A1 - Communicating data securely within a mobile communications network - Google Patents

Communicating data securely within a mobile communications network

Publication number
WO2003053024A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
wireless device
information
database server
server
Application number
PCT/IB2002/005402
Other languages
French (fr)
Inventor
Dipankar Ray
Charles M. Feltner
John Curtin
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to AU2002366420A
Publication of WO2003053024A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Definitions

  • the present invention relates in general to the field of wireless data communications, and in particular, by way of example but not limitation, to storing and communicating data securely between a wireless device and a database server using wireless communication links.
  • GPRS General Packet Radio Service
  • WCDMA Wideband Code Division Multiple Access
  • a wireless device has conventionally been used as a wireless modem for enabling a computing device to remotely log on to a corporate Local Area Network (LAN) to access proprietary business information.
  • Computer users have also used a wireless device to remotely dial into any server or computer to remotely access and control any information that may be stored in that server.
  • a user would therefore dial in using a wireless modem and log in using an appropriate user id and associated password to the server to retrieve and access any necessary information.
  • the serving mobile telecommunications network merely becomes a medium or transportation channel to connect the user to the home server or network.
  • MSN Passport is such a service allowing users to store and retrieve personal information within the MSN server.
  • the MSN server is placed out on the world-wide web (WWW) and an authorized user having access to the Internet may freely access and retrieve any information that may be stored within this public server.
  • WAP wireless application protocol
  • a mobile user is also able to retrieve her proprietary or personal information from the MSN Passport portal over a wireless communication network.
  • a wireless communications system becomes a crucial factor in determining the quality of the system and the integrity of the data that are being stored in those servers.
  • all information communicated between a wireless device and a particular server may be encrypted and protected, the wireless device itself can be misplaced or stolen to allow unauthorized access.
  • an interception or debugging of a communication link can also allow further unauthorized access to such information.
  • a third party vendor such as MSN Passport, can also inadvertently provide unauthorized access to the information stored in its own database server.
  • most users do not wish to trust or rely on a third party vendor to protect and maintain their proprietary information.
  • the existing wireless communications network does not provide any additional security measures or mechanism for securely communicating data with a wireless device.
  • a method and apparatus to more securely store and communicate data between a wireless device and a data server using a mobile communications network.
  • the present invention provides a method and apparatus for securely storing and communicating data within a wireless communications network.
  • the present invention is directed to storing particular information securely within a publicly available database server by encrypting the data using a particular data access key.
  • a separate authentication center associated with a serving mobile communications network maintains such data access key for that particular information and determines whether a particular wireless device has authority to access such information.
  • a wireless device or user registers with a mobile communications network by authenticating itself with the mobile authentication center.
  • a session key (first key) is generated by the authentication center and provided to the wireless device.
  • the wireless device uses this session key to identify itself whenever it wishes to access particular information stored within the centralized database server.
  • the wireless device therefore sends a request signal to the database server using its assigned session key and further identifying a particular database record to be accessed.
  • the database server in response to said request, sends an authentication request to the mobile authentication center using the received session key.
  • the mobile authentication center verifies the authenticity of the provided session key and further determines whether the identified wireless device has appropriate authority to access said particular information.
  • In response to an affirmative determination, the mobile authentication center provides the wireless device with a group key (second key). The mobile authentication center further instructs the database server to provide the wireless device with the requested information. The database server, in response to said response, provides the wireless device with the information associated with the identified database record. The wireless device decrypts the received information using the group key provided by the authentication center. As a result, the encryption key and the encrypted data are securely provided to the wireless device using two different signaling paths.
  • said second key is generated from said session key (first key) and said data access key.
  • said mobile authentication center assigns a valid time period for said generated session key for said wireless device.
  • said mobile authentication center generates a database key (third key) and provides it to the database server for further encrypting the requested information to be transmitted to the wireless device.
  • the database server requests and obtains authorization from said authentication server for allowing the wireless device to store and update information associated with a particular database record within said database server.
  • FIGURE 1 is a block diagram of a public land mobile network communicating with a database server and a computer network;
  • FIGURE 2 is a block diagram of an authentication center associated within a mobile network communicating with a database server in accordance with the teachings of the present invention.
  • FIGURE 3 is a block diagram of a wireless device registering and performing authentication with the mobile authentication center
  • FIGURE 4 is a block diagram of a wireless device requesting and gaining access to securely stored data within the database server;
  • FIGURE 5 is a signal sequence diagram illustrating the signals transmitted to request and to gain access to securely stored data within the database server;
  • FIGURE 6 is a block diagram illustrating the data structure for storing a data access key for particular data record within the authentication center
  • FIGURE 7 is a block diagram illustrating the data structure for storing a particular user with an associated authentication center within the database server.
  • FIGURE 8 is a block diagram of a wireless device storing data securely within the database server.
  • FIG. 1 is a block diagram of a public land mobile network (PLMN) 10 communicating with a database server 20 and a computer network 30.
  • PLMN public land mobile network
  • a mobile station or wireless device 40 establishes a circuit switch connection or wireless application protocol (WAP) connection with a particular portal 50.
  • a serving base station transceiver (BTS) 60 providing radio service for a service area establishes two way radio channel connections 70 with a wireless device 40 located therein.
  • a call connection is then forwarded over to an associated base station controller (BSC) 80, which is in turn, connected over to a mobile switching center (MSC) 90.
  • BSC base station controller
  • MSC mobile switching center
  • the wireless device 40 is able to surf the web 30 and be connected to a specific local area network (LAN) and associated computer servers and databases.
  • LAN local area network
  • the wireless device 40 establishes a voice connection with a particular computer network by dialing a specific modem number associated thereto. Accordingly, the wireless device 40 remotely dials into a particular computer server 100 by establishing a circuit connection through a serving public switched telephone network (PSTN) 110. Using a pair of modems, the wireless device is then able to retrieve and have access to the data stored within the computer network 100.
  • PSTN public switched telephone network
  • the serving mobile network 10 does not provide any additional or separate security measures to wireless devices and users.
  • FIG. 2 showing a block diagram illustrating a wireless device 40 communicating with a serving mobile network 10 and accessing data stored securely within a database server 160.
  • An Authentication, Authorization and Accounting (AAA) center 120 also referred hereinafter as the authentication center, is associated with a serving mobile network 10 in accordance with the teachings of the present invention.
  • the AAA center 120 is also communicably coupled to the database server 160.
  • the database server 160 also may be coupled to an access server 150 for acting as a gateway for receiving and transmitting signals.
  • the access server may also be capable of communicating with a serving MSC 90 or any other telecommunications node via an interworking function (IWF) 170.
  • IWF interworking function
  • the access server 150 and the database server 160 are shown as two separate entities or nodes within a wireless/wireline Internet 140 environment.
  • the two functions can be co-located or performed by a single node or platform.
  • a mobile switching center (MSC) and associated communications entities illustrated in Fig. 2 herein are representative of but one particular embodiment.
  • Other communications nodes performing similar functions, such as a Gateway GPRS Support Node (GGSN) for providing packet switching capability within a GSM system or a Packet Data Support Node (PSDN) for providing similar capability within a CDMA system, may be used with no change in the principles being discussed.
  • GGSN Gateway GPRS Support Node
  • PSDN Packet Data Support Node
  • the database server 160 also referred to as the DB content server, stores particular data encrypted using a user specified key (data access key).
  • the data access key itself is unknown to the database server and stored separately within the authentication center 120.
  • any access to the database server and its contents is useless without also having access to the relevant data access key stored separately in the authentication center associated with that user's home mobile network.
  • Figure 3 illustrating a wireless device 40 registering and performing authentication with its authentication center 120 in accordance with the teachings of the present invention.
  • the wireless device 40 such as a mobile terminal or wireless Personal Directory Assistant (PDA) performs a registration and authentication process with a serving mobile network 10 by transmitting a request signal 200 to an associated authentication center 120.
  • a request signal may further include subscriber or user identification data as well as an associated password.
  • the step of transmitting such a request signal 200 could be performed in a number of different ways, using for example, Short Message System (SMS) or other unstructured data messages, WAP signals, or other types of data packet communications.
  • SMS Short Message System
  • the authentication center (AAA) 120 determines whether the requesting wireless device or associated user is allowed to have access to a database server by referencing an internal database record 210.
  • In response to an affirmative determination, the authentication center (AAA) generates a session key for that particular wireless device using a random key generator (KEY G) 220. The generated session key (first key) is then provided back to the wireless device via a reply signal 240. The authentication center 120 may further assign a time period during which the assigned session key may be maintained and used by the wireless device.
  • the wireless device or the authentication center may be assigned with a new session key or be deleted from the database record 210.
  • the assigned time period may be renewed or extended each time the wireless device performs an authorized transaction. Accordingly, the assigned time period may expire only when the wireless device has been inactive during the assigned time period.
  • a secured session key is stored on both the wireless device and the authentication center for the duration of the session.
  • the step of registering and authenticating a subscriber or user is performed within a serving mobile communications network.
  • the database server 160 and associated access server 150 located within a wireless or wireline Internet are not communicated with during the above described registration and authentication process.
  • the step of registering and assigning a secured session key is performed within the wireless device's secured mobile network. Accordingly, even though the data may be stored in a public portal or server, the authentication process and the step of assigning an encryption key (session key) is performed and controlled separately within the serving mobile network.
  • FIG. 4 is a block diagram illustrating a wireless device requesting and retrieving secured information stored within a public database server.
  • after having received the session key from the authentication center 120, the wireless device 40 transmits an access request signal 300 towards an access server 150 associated with a particular database server 160.
  • the transmitted access request signal 300 includes the session key previously assigned by the authentication center 120 and any other separate user ID and password required by the database server 160.
  • a direct signal link 300 is shown between the wireless device 40 and the access server 150 in Fig. 4. However, it is to be understood that all such signals may have to be transported over a serving mobile communications network 10 and transmitted over to the wireless/wireline Internet 140 as further described in Figs. 1 and 2.
  • the access server 150, acting as a signal gateway for the database server 160, may verify the user identification data and any associated password provided by the wireless device 40 and determine that this particular wireless device or user has access to this particular database server.
  • a database (DB) request signal 310 along with the session key is then forwarded over to the identified database server 160.
  • the database server 160 then forwards an authentication request 330 along with the received session key to the authentication center 120.
  • the purpose of this request is to determine whether this particular wireless device or user has authority to access this particular database record.
  • the authentication center then references its database record 210 and determines whether this particular wireless device or user has the authority to access the identified database record.
  • a company may post all of its internal and proprietary information on the database server 160. However, its employees may have different access and authority levels on a need-to-know basis and, accordingly, be assigned different access levels to different data records.
  • the authentication center 120 verifies the validity of the session key and determines whether the wireless device or user associated with this particular session key is allowed to have access to that requested information.
  • the authentication center then generates a group key from the data access key used to encrypt the requested data stored within the database server 160 and the previously assigned session key.
  • the authentication center 120 then transmits a signal 370 to provide the requesting wireless device with the generated group key.
  • the authentication center 120 further transmits an acknowledgement signal 320 to the database server 160 authorizing the requested data access.
  • the database server 160 then retrieves and provides the access server 150 with the requested data via a database reply signal 340.
  • the access server 150 thereafter forwards the received signal to the requesting wireless device 40.
  • the data itself remains encrypted throughout the transmission to the wireless device 40. Accordingly, the database server 160 merely retrieves the encrypted data stored within its server upon receiving the authorization from the authentication server 120 and forwards the encrypted data to the requesting wireless device 40.
  • Using the previously received session key and the recently received group key, the wireless device 40 then generates or retrieves the data access key therefrom. Using the generated data access key, the wireless device 40 is able to decrypt the received data and is granted access to the requested information.
  • the key generator 220 randomly generates a database key using the data access key assigned to that particular data and the session key previously assigned to the requesting wireless device.
  • the group key is then randomly generated from the assigned session key, the database access key, and the above generated database key.
  • the group key is transmitted to the wireless device 40 as fully described above and the database key is similarly provided back to the database server in its acknowledgement signal 320.
  • Using the received database key, the database server further encrypts the already encrypted data stored therein.
  • the encrypted data are then provided to the requesting wireless device 40.
  • the wireless device 40 is then able to decrypt the received data with a temporary key generated from the previously assigned session key and group key.
  • the data access key need not be provided to the wireless device and additional security measures are provided therefrom. Even using the same session key, in the event the wireless device attempts to access the same data within the database server, a different group key and database key will be generated by the authentication center 120. Accordingly, since the session key is never provided to the wireless device, an authorized disclosure of the group key will not allow the wireless device to have additional access to the stored data.
  • FIGURE 5 is a signal sequence diagram illustrating the signals transmitted to request and to gain access to securely stored data within the database server.
  • the wireless device 40 registers and performs authentication with an associated authentication center 120 via transmitting an authentication request signal 200 thereto.
  • the authentication request signal 200 may include a user id number and associated password.
  • the authentication center 120 validates and authenticates the subscriber and generates a session key.
  • the generated session key along with a valid time period 240 are then communicated back to the wireless device 40.
  • an appropriate hash function algorithm may also be provided to the requesting wireless device 40. Alternatively, such a hash function algorithm may already be included in the wireless device 40.
  • the wireless device 40 may utilize the received hash function to decrypt and/or encrypt certain data using the received session key along with any other required keys.
  • the wireless device 40 transmits a data access request signal 300 to the access server 150 serving the particular database server 160.
  • the transmitted data access request signal 300 includes the session key assigned from the authentication center 120 and data id specifying a particular database record. It may further contain appropriate user id data along with password data required by the access server 150.
  • the access server 150 forwards the received database request 310 to the database server 160.
  • the database server 160 transmits a separate authentication request 320 querying the authentication center 120 to verify whether this particular user assigned with the received session key is allowed to access the identified database record.
  • a group key 370 is transmitted directly from the authentication center 120 to the wireless device 40.
  • An appropriate response signal 330 is also provided to the querying database server 160.
  • a database key may also be generated and provided back to the database server 160.
  • the database server further encrypts the stored data and provides the encrypted data to the access server 150 via a database reply signal 340.
  • the reply signal carrying the requested data 350 is then similarly provided back to the wireless device 40.
  • the wireless device decrypts the received encrypted data and is granted access thereto 400.
  • FIGURE 6 is a block diagram illustrating the data structure for storing a data access key for a particular data record within the authentication center.
  • a master database access table 400 is maintained within the authentication center.
  • a particular user group 410 having the authority to access a particular database record or id 420 is correlated within the master database table.
  • a data access key 430 used to encrypt the actual data stored within the database server is further correlated and stored within the master database table.
  • each record 415 within the master database table 400 specifies which user group 410 is allowed to have access to which particular data record 420 stored within an associated database server encrypted using an associated access key 430.
  • the authentication center may also include a user group table 480 wherein one or more users are correlated with or assigned to a particular user group. As illustrated, a particular user group 440 is assigned with User ID 450, User ID1 452 and User ID2 454, etc. As a result, in response to a request from a database server to determine whether a particular user has authority to access a particular database record, the authentication center determines with which group ID, for example, this particular user is associated by referencing the user group table 480. By referencing the master database table, the authentication center is then able to determine whether this particular user belonging to a particular group has authority to access this identified database record. Additionally, the authentication center may also include a session key table.
  • the assigned session key is stored and correlated with that user id in the session key table 490.
  • the authentication center subsequently uses this session key table 490 to verify whether a particular user attempting to access a database server identifying itself with a particular session is indeed the right user assigned with that session key value.
  • FIGURE 7 is a block diagram illustrating the data structure for identifying a particular authentication center associated with a particular user or wireless device within the database server. Since different users or wireless devices may be associated with different mobile communication networks and authentication centers, an authentication center table 500 is maintained within the database server for associating a particular user 510 with a particular authentication center 520. By referencing this authentication center table 500 in response to receiving a data access request from a particular user, the database server determines with which authentication center it needs to communicate in order to receive the appropriate authorization. As another embodiment of the teachings of the present invention, session keys may further be correlated with a particular authentication server. As an illustration, the authentication center table 530 alternatively stores one or more session keys 540 by correlating them with a particular authentication center 550. In response to receiving a data request signal with a particular session key from a wireless device, the database server may reference the authentication center table 530 to determine with which authentication center it needs to communicate.
  • Fig. 8 illustrating a block diagram of a wireless device storing data securely within the database server in accordance with the teachings of the present invention.
  • the mobile station 40 transmits a data store request signal 600 to the access server 150 associated with a particular database content server 160.
  • the transmitted data store request signal 600 includes the session key that was previously assigned by the authentication center during user registration.
  • the data store or update request 610 is then communicated from the access server 150 to the database server 160.
  • the database server 160 verifies that the user has storage permission for the requested data by sending the received session key, the access rights for the requested data and a transaction identifier to the authentication center 120.
  • the authentication center 120 validates the session key and the user access privileges regarding that particular data record. Upon successful verification, the authentication center determines the associated data access key for that particular data record and creates a database key using the determined data access key and the assigned session key. A group key is further generated based on the session key, the data access key, and the database key. The generated group key is then transmitted to the requesting mobile station 40 via a separate signaling link 630. Similarly, the generated database key is transmitted back to the database server 160 via a reply signal 640. Accordingly, the mobile station receives the group key as an indication of approval on its request 600 to update and store data within the database server 160. The authentication center 120 may further transmit the received transaction identifier within the group key signal 630.
  • Using the received group key along with the previously assigned session key, the mobile station 40 encrypts the data to be stored in the database server 160. The encrypted data is then transmitted to the access server via a signaling link 650. The secured data received from the mobile station 40 is then forwarded over from the access server 150 to the database server 160 via a signal 660. The database server then applies the received database key to the received data stream from the mobile station 40 and stores the results.
  • the result of applying the database key to the secured data received from the mobile station 40 is data stored and encrypted using the data access key.
  • the data access key itself is never disclosed or generated at the database server.
  • data is securely transmitted from the mobile station 40 to the database server 160 and securely stored using an encryption key that is only known to the authentication center 120.

Abstract

Data is securely stored encrypted within a database server or portal within a public network. A wireless device first registers with an authentication center maintained separately from the database server to obtain a session key. The obtained session key is then used by the wireless device to request particular data from the database server. The database server, in response to said request, queries the authentication center to verify the authenticity of the wireless device. The authentication center verifies the received session key with the identified wireless device and provides the wireless device with a second group key. The authentication center further instructs the database server to comply with the data request and provide the wireless device with the encrypted data. The wireless device thereafter uses the received group key to decrypt the received data from the database server and is allowed access to the secured data.

Description

COMMUNICATING DATA SECURELY WITHIN A MOBILE COMMUNICATIONS NETWORK
BACKGROUND OF THE INVENTION
Technical Field of the Invention
The present invention relates in general to the field of wireless data communications, and in particular, by way of example but not limitation, to storing and communicating data securely between a wireless device and a database server using wireless communication links.
Description of Related Art
With the advent of wireless communications and improvements made in the relevant technologies, more and more subscribers are relying on wireless devices to not only make voice call connections but also to access the Internet and to communicate other types of data. As an illustration, with the introduction of packet-switched wireless networks, mobile users are able to establish separate data communications links for exchanging data packets within a serving mobile telecommunications network. The General Packet Radio Service (GPRS) networks deployed as a 2.5 generation (G) wireless solution can, for example, provide communication speed between 50 Kbit/s to 144 Kbit/s. A higher 3G wireless solution, such as Wideband Call Division Multiple Access (WCDMA), also promises to deliver throughput between 384 Kbit/s to 2 Mbit/s. As a result, mobile subscribers are able to surf the web and communicate video or other multi-media messages using high-speed data access on their wireless devices.
With such an increase in data communication throughput in a wireless communication environment, more and more companies and information holders are also allowing their proprietary and confidential information to be accessible via wireless devices. In this regard, a wireless device has conventionally been used as a wireless modem for enabling a computing device to remotely log on to a corporate Local Area Network (LAN) to access proprietary business information. Computer users have also used a wireless device to remotely dial into any server or computer to remotely access and control any information that may be stored in that server. A user would therefore dial in using a wireless modem and log in using an appropriate user id and associated password to the server to retrieve and access any necessary information. In that regard, the serving mobile telecommunications network merely becomes a medium or transportation channel to connect the user to the home server or network.
However, in order to speed up the access time and to ensure that the data can be made available within a mobile service area, computer users have also placed their desired information out on a third party domain or server. As an example, MSN Passport is such a service allowing users to store and retrieve personal information within the MSN server. The MSN server is placed out on the world-wide web (WWW) and an authorized user having access to the Internet may freely access and retrieve any information that may be stored within this public server. Using a wireless application protocol (WAP), a mobile user is also able to retrieve her proprietary or personal information from the MSN Passport portal over a wireless communication network. There are also a number of other web-portals and services enabling users to create, store and retrieve information within a particular server via the Internet.
In a similar manner, more and more companies are posting their proprietary and business information on a public server or portal and allowing its employees to gain access to the desired information via wireless connection. Accordingly, regardless of a user's current location, the user may log on to the Internet and access her proprietary and/or personal information without having to dial in or log in remotely to her computer server.
However, the security of a wireless communications system becomes a crucial factor in determining the quality of the system and the integrity of the data that are being stored in those servers. Although all information communicated between a wireless device and a particular server may be encrypted and protected, the wireless device itself can be misplaced or stolen to allow unauthorized access. Furthermore, an interception or debugging of a communication link can also allow further unauthorized access to such information. A third party vendor, such as MSN Passport, can also inadvertently provide unauthorized access to the information stored in its own database server. Lastly, most users do not wish to trust or rely on a third party vendor to protect and maintain their proprietary information. In this regard, other than providing a transparent communication link to a particular portal, the existing wireless communications network does not provide any additional security measures or mechanism for securely communicating data with a wireless device. There is accordingly a need for a method and apparatus to more securely store and communicate data between a wireless device and a data server using a mobile communications network.
SUMMARY OF THE INVENTION
The present invention provides a method and apparatus for securely storing and communicating data within a wireless communications network. The present invention is directed to storing particular information securely within a publicly available database server by encrypting the data using a particular data access key. A separate authentication center associated with a serving mobile communications network maintains such data access key for that particular information and determines whether a particular wireless device has authority to access such information.
In certain embodiment(s), a wireless device or user registers with a mobile communications network by authenticating itself with the mobile authentication center. In response to an affirmative registration, a session key (first key) is generated by the authentication center and provided to the wireless device. The wireless device then uses this session key to identify itself whenever it wishes to access particular information stored within the centralized database server. In order to access said information, the wireless device therefore sends a request signal to the database server using its assigned session key and further identifying a particular database record to be accessed. The database server, in response to said request, sends an authentication request to the mobile authentication center using the received session key. The mobile authentication center verifies the authenticity of the provided session key and further determines whether the identified wireless device has appropriate authority to access said particular information. In response to an affirmative determination, the mobile authentication center provides the wireless device with a group key (second key). The mobile authentication center further instructs the database server to provide the wireless device with the requested information. The database server, in response to said response, provides the wireless device with the information associated with the identified database record. The wireless device decrypts the received information using the group key provided by the authentication center. As a result, the encryption key and the encrypted data are securely provided to the wireless device via using two different signaling paths.
In one embodiment, said second key is generated from said session key (first key) and said data access key.
In another embodiment, said mobile authentication center assigns a valid time period for said generated session key for said wireless device.
In yet another embodiment, said mobile authentication center generates a database key (third key) and provides it to the database server for further encrypting the requested information to be transmitted to the wireless device.
In yet another embodiment, the database server requests and obtains authorization from said authentication server for allowing the wireless device to store and update information associated with a particular database record within said database server.
BRIEF DESCRIPTION OF THE DRAWINGS
A more complete understanding of the method and apparatus of the present invention may be had by reference to the following detailed description when taken in conjunction with the accompanying drawings wherein:
FIGURE 1 is a block diagram of a public land mobile network communicating with a database server and a computer network;
FIGURE 2 is a block diagram of an authentication center associated within a mobile network communicating with a database server in accordance with the teachings of the present invention.
FIGURE 3 is a block diagram of a wireless device registering and performing authentication with the mobile authentication center;
FIGURE 4 is a block diagram of a wireless device requesting and gaining access to securely stored data within the database server;
FIGURE 5 is a signal sequence diagram illustrating the signals transmitted to request and to gain access to securely stored data within the database server;
FIGURE 6 is a block diagram illustrating the data structure for storing a data access key for particular data record within the authentication center;
FIGURE 7 is a block diagram illustrating the data structure for storing a particular user with an associated authentication center within the database server; and
FIGURE 8 is a block diagram of a wireless device storing data securely within the database server.
DETAILED DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a public land mobile network (PLMN) 10 communicating with a database server 20 and a computer network 30.
In a conventional manner, a mobile station or wireless device 40 establishes a circuit switch connection or wireless application protocol (WAP) connection with a particular portal 50. Accordingly, a serving base station transceiver (BTS) 60 providing radio service for a service area establishes two way radio channel connections 70 with a wireless device 40 located therein. A call connection is then forwarded over to an associated base station controller (BSC) 80, which is in turn, connected over to a mobile switching center (MSC) 90. The MSC then switches this call connection over to a designated portal 50. Through this portal, such as Phone.com, the wireless device 40 is able to surf the web 30 and be connected to a specific local area network (LAN) and associated computer servers and databases.
Alternatively, the wireless device 40 establishes a voice connection with a particular computer network by dialing a specific modem number associated thereto. Accordingly, the wireless device 40 remotely dials into a particular computer server 100 by establishing a circuit connection through a serving public switched telephone network (PSTN) 110. Using a pair of modems, the wireless device is then able to retrieve and have access to the data stored within the computer network 100.
However, in a conventional manner as described above, other than existing security measures provided by the computer networks 30, the serving mobile network 10 does not provide any additional or separate security measures to wireless devices and users.
Reference is now made to Figure 2 showing a block diagram illustrating a wireless device 40 communicating with a serving mobile network 10 and accessing data stored securely within a database server 160. An Authentication, Authorization and Accounting (AAA) center 120, also referred hereinafter as the authentication center, is associated with a serving mobile network 10 in accordance with the teachings of the present invention. The AAA center 120 is also communicably coupled to the database server 160. The database server 160 also may be coupled to an access server 150 for acting as a gateway for receiving and transmitting signals. The access server may also be capable of communicating with a serving MSC 90 or any other telecommunications node via an interworking function (IWF) 170. For exemplary reasons, the access server 150 and the database server 160 are shown as two separate entities or nodes within a wireless/wireline Internet 140 environment. However, the two functions can be co-located or performed by a single node or platform. Furthermore, a mobile switching center (MSC) and associated communications entities illustrated in Fig. 2 herein are a representative of but one particular embodiment. Other communications nodes performing similar functions, such as Gateway GPRS Support Node (GGSN) for providing packet switching capability within a GSM system or Packet Data Support Node (PSDN) for providing similar capability within a CDMA system may be used with no change in the principles being discussed.
In accordance with the teachings of the present invention, the database server 160, also referred to as the DB content server, stores particular data encrypted using a user specified key (data access key). The data access key itself is unknown to the database server and stored separately within the authentication center 120. As a result, any access to the database server and its contents is useless without also having access to the relevant data access key stored separately in the authentication center associated with that user's home mobile network.
Reference is now made to Figure 3 illustrating a wireless device 40 registering and performing authentication with its authentication center 120 in accordance with the teachings of the present invention. The wireless device 40, such as a mobile terminal or wireless Personal Directory Assistant (PDA), performs a registration and authentication process with a serving mobile network 10 by transmitting a request signal 200 to an associated authentication center 120. Such a request signal may further include subscriber or user identification data as well as an associated password. The step of transmitting such a request signal 200 could be performed in a number of different ways, using for example, Short Message System (SMS) or other unstructured data messages, WAP signals, or other types of data packet communications. The authentication center (AAA) 120 then determines whether the requesting wireless device or associated user is allowed to have access to a database server by referencing an internal database record 210. In response to an affirmative determination, the authentication center (AAA) generates a session key for that particular wireless device using a random key generator (KEY G) 220. The generated session key (first key) is then provided back to the wireless device via a reply signal 240. The authentication center 120 may further assign a time period with which the assigned session key may be maintained and used by the wireless device. Upon expiration of the assigned time period, the wireless device or the authentication center may be assigned with a new session key or be deleted from the database record 210. As a further embodiment, the assigned time period may be renewed or extended each time the wireless device performs an authorized transaction. Accordingly, the assigned time period may expire only when the wireless device has been inactive during the assigned time period.
As a result, a secured session key is stored on both the wireless device and the authentication center for the duration of the session. As described above, the step of registering and authenticating a subscriber or user is performed within a serving mobile communications network. The database server 160 and associated access server 150 located within a wireless or wireline Internet are not communicated with during the above described registration and authentication process. Furthermore, the step of registering and assigning a secured session key is performed within the wireless device's secured mobile network. Accordingly, even though the data may be stored in a public portal or server, the authentication process and the step of assigning an encryption key (session key) is performed and controlled separately within the serving mobile network. Since the data stored securely within the database server 160 are already encrypted using a data access key only known to the authentication center 120, the session key provided to the wireless device itself does not provide any unauthorized access to the data stored within the database server 160.
Figure 4 is a block diagram illustrating a wireless device requesting and retrieving secured information stored within a public database server. In accordance with the teachings of the present invention, after having received the session key from the authentication center 120, the wireless device 40 transmits an access request signal 300 towards an access server 150 associated with a particular database server 160. The transmitted access request signal 300 includes the session key previously assigned by the authentication center 120 and any other separate user ID and password required by the database server 160. For illustrative purposes, a direct signal link 300 is shown between the wireless device 40 and the access server 150 in Fig. 4. However, it is to be understood that all such signals may have to be transported over a serving mobile communications network 10 and transmitted over to the wireless/wireline internet 140 as further described in Figs. 1 and 2.
The access server 150, acting as a signal gateway for the database server 160, may verify the user identification data and any associated password provided by the wireless device 40 and determines that this particular wireless device or user has access to this particular database server. A database (DB) request signal 310 along with the session key is then forwarded over to the identified database server 160. In accordance with the teachings of the present invention, the database server 160 then forwards an authentication request 330 along with the received session key to the authentication center 120. The purpose of this request is to determine whether this particular wireless device or user has authority to access this particular database record. In response to such a request, the authentication center then references its database record 210 and determines whether this particular wireless device or user has the authority to access the identified database record. As an illustration, a company may post all of its internal and proprietary information on the database server 160. However, its employees may have different access and authority levels based on their need-to-know basis and, accordingly, assigned with different access levels to different data records.
As a result, the authentication center 120 verifies the validity of the session key and determines whether the wireless device or user associated with this particular session key is allowed to have access to that requested information. The authentication center then generates a group key from the data access key used to encrypt the requested data stored within the database server 160 and the previously assigned session key. The authentication center 120 then transmits a signal 370 to provide the requesting wireless device with the generated group key. The authentication center 120 further transmits an acknowledgement signal 320 to the database server 160 authorizing the requested data access.
The database server 160 then retrieves and provides the access server 150 with the requested data via a database reply signal 340. The access server 150 thereafter forwards the received signal to the requesting wireless device 40. In accordance with the teachings of the present invention, the data itself remains encrypted throughout the transmission to the wireless device 40. Accordingly, the database server 160 merely retrieves the encrypted data stored within its server upon receiving the authorization from the authentication server 120 and forwards the encrypted data to the requesting wireless device 40. Using the previously received session key and recently received group key, the wireless device 40 then generates or retrieves the data access key therefrom. Using the generated data access key, the wireless device 40 is able to decrypt the received data and is granted access to the requested information.
As another embodiment of the present invention, after the authentication center determines that the wireless device 40 has access to that particular database record, the key generator 220 randomly generates a database key using the data access key assigned to that particular data and the session key previously assigned to the requesting wireless device. The group key is then randomly generated from the assigned session key, the database access key, and the above generated database key. The group key is transmitted to the wireless device 40 as fully described above and the database key is similarly provided back to the database server in its acknowledgement signal 320. Using the received database key, the database server further encrypts the already encrypted data stored therein. The encrypted data are then provided to the requesting wireless device 40. The wireless device 40 is then able to decrypt the received data with a temporary key generated from the previously assigned session key and group key. By further encrypting the stored data using the database key, the data access key need not be provided to the wireless device and additional security measures are provided therefrom. Even using the same session key, in the event the wireless device attempts to access the same data within the database server, a different group key and database key will be generated by the authentication center 120. Accordingly, since the session key is never provided to the wireless device, an authorized disclosure of the group key will not allow the wireless device to have additional access to the stored data.
FIGURE 5 is a signal sequence diagram illustrating the signals transmitted to request and to gain access to securely stored data within the database server. In accordance with the teachings of the present invention, the wireless device 40 registers and performs authentication with an associated authentication center 120 via transmitting an authentication request signal 200 thereto. The authentication request signal 200, for example, may include a user id number and associated password. The authentication center 120 validates and authenticates the subscriber and generates a session key. The generated session key along with a valid time period 240 are then communicated back to the wireless device 40. Additionally, an appropriate hash function algorithm may also be provided to the requesting wireless device 40. Alternatively, such a hash function algorithm may already be included in the wireless device 40. As an illustration, the wireless device 40 may utilize the received hash function to decrypt and/or encrypt certain data using the received session key along with any other required keys.
In response to a need to access particular data within a database server 160, the wireless device 40 transmits a data access request signal 300 to the access server 150 serving the particular database server 160. The transmitted data access request signal 300 includes the session key assigned from the authentication center 120 and data id specifying a particular database record. It may further contain appropriate user id data along with password data required by the access server 150. After verifying the relevant user id, the access server 150 forwards the received database request 310 to the database server 160. In accordance with the teachings of the present invention, the database server 160 then transmits a separate authentication request 320 querying the authentication center 120 to verify whether this particular user assigned with the received session key is allowed to access the identified database record. In response to a determination that this user has authority to access that particular data, a group key 370 is transmitted directly from the authentication center 120 to the wireless device 40. An appropriate response signal 330 is also provided to the querying database server 160. As fully described above, a database key may also be generated and provided back to the database server 160.
Using the provided database key, the database server further encrypts the stored data and provides the encrypted data to the access server 150 via a database reply signal 340. The reply signal carrying the requested data 350 is then similarly provided back to the wireless device 40. Using the group key received via a separate signal path 370 from the authentication center 120, the wireless device decrypts the received encrypted data and is granted access thereto 400.
FIGURE 6 is a block diagram illustrating the data structure for storing a data access key for a particular data record within the authentication center. In accordance with the teachings of the present invention, a master database access table 400 is maintained within the authentication center. As an illustration, a particular user group 410 having the authority to access a particular database record or id 420 is correlated within the master database table. A data access key 430 used to encrypt the actual data stored within the database server is further correlated and stored within the master database table. Accordingly, each record 415 within the master database table 400 specifies which user group 410 is allowed to have access to which particular data record 420 stored within an associated database server encrypted using an associated access key 430.
The authentication center may also include a user group table 480 wherein one or more users are correlated with or assigned to a particular user group. As illustrated, a particular user group 440 is assigned with User ID 450, User ID1 452 and User ID2 454, etc. As a result, in response to a request from a database server to determine whether a particular user has authority to access a particular database record, the authentication center determines with which group ID, for example, this particular user is associated by referencing the user group table 480. By referencing the master database table, the authentication center is then able to determine whether this particular user belonging to a particular group has authority to access this identified database record. Additionally, the authentication center may also include a session key table. After generating and assigning a particular session key 470 for a newly registering wireless device or user 460, the assigned session key is stored and correlated with that user id in the session key table 490. The authentication center subsequently uses this session key table 490 to verify whether a particular user attempting to access a database server identifying itself with a particular session is indeed the right user assigned with that session key value.
FIGURE 7 is a block diagram illustrating the data structure for identifying a particular authentication center associated with a particular user or wireless device within the database server. Since different users or wireless devices may be associated with different mobile communication networks and authentication centers, an authentication center table 500 is maintained within the database server for associating a particular user 510 with a particular authentication center 520. By referencing this authentication center table 500 in response to receiving a data access request from a particular user, the database server determines with which authentication center it needs to communicate in order to receive the appropriate authorization. As another embodiment of the teachings of the present invention, session keys may further be correlated with a particular authentication server. As an illustration, the authentication center table 530 alternatively stores one or more session keys 540 by correlating them with a particular authentication center 550. In response to receiving a data request signal with a particular session key from a wireless device, the database server may reference the authentication center table 530 to determine with which authentication center it needs to communicate.
Reference is now made to Fig. 8 illustrating a block diagram of a wireless device storing data securely within the database server in accordance with the teachings of the present invention. In order for the mobile station 40 to store and update the database server 160 with certain data, it transmits a data store request signal 600 to the access server 150 associated with a particular database content server 160. The transmitted data store request signal 600 includes the session key that was previously assigned by the authentication center during user registration. The data store or update request 610 is then communicated from the access server 150 to the database server 160. The database server 160, in turn, verifies that the user has storage permission for the requested data by sending the received session key, the access rights for the requested data and a transaction identifier to the authentication center 120. When the authentication request signal 620 is received, the authentication center 120 validates the session key and the user access privileges regarding that particular data record. Upon successful verification, the authentication center determines the associated data access key for that particular data record and creates a database key using the determined data access key and the assigned session key. A group key is further generated based on the session key, the data access key, and the database key. The generated group key is then transmitted to the requesting mobile station 40 via separate signaling link 630. Similarly, the generated database key is transmitted back to the database server 160 via a reply signal 640. Accordingly, the mobile station receives the group key as an indication of approval on its request 600 to update and store data within the database server 160. The authentication center 120 may further transmit the received transaction identifier within the group key signal 630.
Using the received group key along with the previously assigned session key, the mobile station 40 encrypts the data to be stored in the database server 160. The encrypted data is then transmitted to the access server via a signaling link 650. The secured data received from the mobile station 40 is then forwarded over from the access server 150 to the database server 160 via a signal 660. The database server then applies the received database key to the received data stream from the mobile station 40 and stores the results.
Accordingly, the result of applying the database key to the secured data received from the mobile station 40 is data stored and encrypted using the data access key. However, the data access key itself is never disclosed or generated at the database server. As a result, data is securely transmitted from the mobile station 40 to the database server 160 and securely stored using an encryption key that is only known to the authentication center 120.
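The key relationships in the store flow of Fig. 8, and the matching retrieval direction recited in the claims, can be modelled as follows. This is an added illustration, not code from the patent: the patent does not specify a cipher or how the keys are combined, so the XOR pads, the HMAC-SHA256 derivation, the fixed record length and every name below are assumptions. XOR is chosen only because it makes the cancellation visible; reusing a fixed per-record pad as done here would not be safe in a real design.

```python
import hashlib
import hmac
import os

RECORD_LEN = 32  # fixed record size, an assumption of this toy model


def pad(key: bytes, label: bytes) -> bytes:
    """Derive RECORD_LEN pad bytes from a key (HMAC-SHA256, counter mode)."""
    out, ctr = b"", 0
    while len(out) < RECORD_LEN:
        out += hmac.new(key, label + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:RECORD_LEN]


def xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    assert len({len(p) for p in parts}) == 1, "inputs must have equal length"
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


class AuthCenter:
    """Only this party ever holds the data access keys."""

    def __init__(self):
        self.sessions = {}  # session key -> user
        self.records = {}   # record id -> (data access key, authorized users)

    def register(self, user: str) -> bytes:
        session_key = os.urandom(16)
        self.sessions[session_key] = user
        return session_key

    def add_record(self, record_id: bytes, users: set) -> None:
        self.records[record_id] = (os.urandom(16), set(users))

    def authorize(self, session_key: bytes, record_id: bytes, txn_id: bytes):
        """Validate session key and access rights; return (group key, database key)."""
        user = self.sessions.get(session_key)
        dak, allowed = self.records[record_id]
        if user is None or user not in allowed:
            return None
        # Database key: derived from the data access key and the session key.
        dbk = hmac.new(dak, b"dbk" + session_key + txn_id, hashlib.sha256).digest()
        # Group key: depends on session key, data access key and database key.
        group = xor(pad(dak, record_id), pad(session_key, txn_id), pad(dbk, txn_id))
        return group, dbk


def mobile_apply(data: bytes, group_key: bytes, session_key: bytes, txn_id: bytes) -> bytes:
    """Mobile station: apply group key and session key (same call encrypts or decrypts)."""
    return xor(data, group_key, pad(session_key, txn_id))


def db_apply(data: bytes, database_key: bytes, txn_id: bytes) -> bytes:
    """Database server: apply the database key; it never sees the data access key."""
    return xor(data, pad(database_key, txn_id))


def demo():
    auc = AuthCenter()
    sk = auc.register("alice")
    auc.add_record(b"rec-1", {"alice"})
    message = b"constructed sample".ljust(RECORD_LEN, b"\0")  # constructed input

    # Store: mobile encrypts, database server applies the database key and stores.
    gk, dbk = auc.authorize(sk, b"rec-1", b"txn-1")
    in_transit = mobile_apply(message, gk, sk, b"txn-1")
    stored = db_apply(in_transit, dbk, b"txn-1")

    # Retrieve: server further encrypts the stored record, mobile decrypts it.
    gk2, dbk2 = auc.authorize(sk, b"rec-1", b"txn-2")
    sent = db_apply(stored, dbk2, b"txn-2")
    recovered = mobile_apply(sent, gk2, sk, b"txn-2")
    return auc, message, in_transit, stored, recovered


if __name__ == "__main__":
    _, msg, _, stored, recovered = demo()
    print("stored differs from plaintext:", stored != msg)
    print("round trip ok:", recovered == msg)
```

In this model the stored record equals the plaintext combined with the data access key's pad alone, even though the database server only ever handled the database key.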
Although a preferred embodiment of the method and apparatus of the present invention has been illustrated in the accompanying Drawings and described in the foregoing Detailed Description, it will be understood that the invention is not limited to the embodiment disclosed, but is capable of numerous rearrangements, modifications and substitutions without departing from the spirit of the invention as set forth and defined by the following claims. Thus, although the description of this invention is made in the context of a public land mobile network (PLMN) utilizing a GSM network, it should be realized that the teachings of the present invention apply as well to any wireless communications network and associated computer and database networks.

Claims

WHAT IS CLAIMED IS:
1. A method of communicating data securely within a wireless communications network, comprising the steps of: receiving a first authentication request from a mobile station; providing a first key to said mobile station in response to said authentication; receiving a second authentication request from a database server, said second authentication request further including said first key provided by said mobile station and a particular database record to which said mobile station is requesting access; determining whether said mobile station has authority to access said particular database record; and in response to said affirmative determination, instructing said database server to provide information associated with said requested database record to said mobile station wherein said information is encrypted; and providing said mobile station with a second key enabling said mobile station to decrypt said information received from said database server using said second key.
2. The method of Claim 1 wherein said step of providing said first key to said mobile station further comprises the step of providing a time out period for said first key to said mobile station.
3. The method of Claim 1 wherein said information stored in said database server is encrypted using a data access key and said second key is generated from said data access key and said first key.
4. The method of Claim 1 wherein said step of instructing said database server to provide information to said mobile station further comprises the step of providing said database server with a third key wherein said third key is used by said database server to further encrypt said information.
5. The method of Claim 4 wherein said information stored in said database server is encrypted using a data access key and wherein said third key is generated from said data access key and said first key and said second key is generated from said data access key, said first key and said third key.
6. The method of Claim 1 further comprising the steps of: receiving a third authentication request from said database server requesting authorization to update said particular database record by said mobile station; determining whether said mobile station has authority to update said database record; and in response to an affirmative determination, instructing said database server to allow said mobile station to update information associated with said database record; and providing said mobile station with said second key enabling said mobile station to encrypt any information to be transmitted over to the database server to be updated at said database record.
7. The method of Claim 1 wherein said information stored in said database record is encrypted using a data access key and said second key provided to said mobile station is generated from said data access key and said first key.
8. The method of storing and communicating data securely within a mobile telecommunications network wherein said mobile telecommunications network provides wireless service to a wireless device and further includes a mobile authentication server, comprising the steps of: storing particular information within a database server wherein said data is stored encrypted using a first encryption key; receiving a request from said wireless device to access said information within said database server; in response to said request, transmitting an authentication request from said database server to said mobile authentication server; receiving authentication approval from said authentication server regarding said wireless device for said requested information; and providing said requested information to said wireless device without decrypting said information.
9. The method of Claim 8 wherein said step of receiving said authentication approval from said authentication server further comprises the steps of: receiving a second encryption key from said authentication server; encrypting said stored information using said second encryption key; and providing said encrypted information to said wireless device.
10. The method of Claim 8 wherein said step of receiving said request from said wireless device to access said information further comprises the step of receiving a session key generated by said authentication server from said wireless device.
11. The method of Claim 10 wherein said step of transmitting said request to said authentication server further comprises the step of including said session key within said request.
12. The method of Claim 8 further comprising the steps of: receiving a second request from said wireless device to store particular information within said database server; transmitting a second authentication request to said authentication server; receiving second authentication approval from said authentication server instructing said database server to allow said wireless device to update said database server with said requested information; receiving said particular information from said wireless device wherein said information being encrypted using a particular encryption key; and storing said encrypted information within said database server.
13. An authentication server for communicating data securely within a wireless communications network providing wireless service to a wireless device and communicatable within a database server associated within a data communications network, comprising: a session key generator for generating a particular session key to be used by said wireless device in response to said wireless device registering with said authentication server; a database record for correlating a particular database record with a particular first encryption key; wherein said database record further correlating identities of authorized users with said particular database record; an encryption key generator for generating a second encryption key to be provided to said wireless device for decrypting certain information associated with said database record stored within said database server.
14. The authentication server of Claim 13 further comprising a clock module for assigning a time period for said session key generated for said wireless device for said assigned time period.
15. The authentication server of Claim 13 wherein said encryption key generator generates said second encryption key from said session key and said first encryption key.
16. The authentication server of Claim 13 further comprises an interface module for receiving an authentication request from said database server wherein said authentication request further includes said session key associated with said wireless device and particular database record to which said mobile device requested access.
17. The authentication server of Claim 16 further comprising a second encryption key generator for generating a third encryption key to be provided to said database server in response to said authentication request wherein said third encryption key used by said database server for further encrypting said information stored within said database server associated with said requested database record.
18. The authentication server of Claim 17 wherein said encryption key generator generates said second encryption key from said session key, said first encryption key and said third encryption key.
19. A database server for storing and communicating data securely with a wireless device associated within a mobile communications network, said mobile communications network including a mobile authentication server, comprising: means for storing particular information within said database server wherein said data is stored encrypted using a first encryption key; means for receiving a request from said wireless device to access said stored information within said database server; means for transmitting an authentication request to said mobile authentication server in response to said request; means for receiving authentication approval from said authentication server regarding said wireless device for said requested information; and means for providing said requested information to said wireless device without decrypting said information.
20. The database server of claim 19 wherein said means for receiving said authentication approval from said authentication server further comprises: means for receiving a second encryption key from said authentication server; means for encrypting said stored information using said second encryption key; and means for providing said encrypted information to said wireless device.
21. The database server of Claim 19 wherein said request from said wireless device to access said information further comprises a session key generated by said authentication server from said wireless device.
22. The database server of Claim 21 wherein said request to said authentication server further comprises said session key received from said wireless device.
PCT/IB2002/005402 2001-12-18 2002-12-16 Communicating data securely within a mobile communications network WO2003053024A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002366420A AU2002366420A1 (en) 2001-12-18 2002-12-16 Communicating data securely within a mobile communications network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/025,586 2001-12-18
US10/025,586 US20030112977A1 (en) 2001-12-18 2001-12-18 Communicating data securely within a mobile communications network

Publications (1)

Publication Number Publication Date
WO2003053024A1 true WO2003053024A1 (en) 2003-06-26

Family

ID=21826916

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2002/005402 WO2003053024A1 (en) 2001-12-18 2002-12-16 Communicating data securely within a mobile communications network

Country Status (3)

Country Link
US (1) US20030112977A1 (en)
AU (1) AU2002366420A1 (en)
WO (1) WO2003053024A1 (en)

Also Published As

Publication number Publication date
AU2002366420A1 (en) 2003-06-30
US20030112977A1 (en) 2003-06-19

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP