WO2002019593A2 - End-user authentication independent of network service provider - Google Patents


Info

Publication number
WO2002019593A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
token
external application
authentication server
user
Prior art date
Application number
PCT/SE2001/001814
Other languages
French (fr)
Other versions
WO2002019593A3 (en)
Inventor
Jose-Luis Mariz-Rios
Jose-Luis Ruiz-Sanchez
Ulf Schuberth
Jürgen KNORR
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to EP01961535A priority Critical patent/EP1314278A2/en
Priority to AU2001282795A priority patent/AU2001282795A1/en
Publication of WO2002019593A2 publication Critical patent/WO2002019593A2/en
Publication of WO2002019593A3 publication Critical patent/WO2002019593A3/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • the present invention relates generally to methods and apparatus for providing end-user authentication services for network access providers and more particularly methods and apparatus that apply network security procedures to authenticate users who are requesting access to network applications.
  • a private network is typically a network in which access to host sites of the private network is limited to authorized users.
  • security procedures, including authentication procedures, should be carried out to ensure that only authorized users from authorized hosts can gain access to the private network. For example, when a user requests access to a host site of the private network from a remote location, the user must be authenticated before the user is granted access to the host site.
  • passwords are strings of characters that may be recognized by automatic means to permit a user to access protected files or other system resource.
  • Most sophisticated systems use authentication schemes based on passwords.
  • a password may be generated at a remote site that is requesting access to a host site of the private network.
  • Some systems utilize either symmetric or asymmetric cryptographic techniques to create and authenticate the password.
  • the continuous development of data networks has generated a wide range of computer services. In some cases, the services are restricted to a number of users providing service on a first-come, first-served basis. In other cases, the services are accessed on a commercial basis, i.e., the users pay to utilize the services. In the latter case, users must authenticate themselves using a service provision system of a service provider before they can gain access to the desired services. Typically, this requires the user to provide a unique username and password. The service provider verifies the username and password entered by the user against a database maintained by the service provider and grants access if the entered information matches the information in the database. In this manner, the service provider ensures that only users entitled to access the services can do so.
  • the mobile station e.g., GSM phone
  • SIM Subscriber Identity Module
  • the SIM contains subscriber information, including data that permits the mobile station to gain access to the GSM network and utilize subscriber-based function of the network (e.g., calling party identification, voice mail, etc.).
  • Weak authentication, also known as single-factor authentication, uses a single method to authenticate a user.
  • Weak authentication encompasses static passwords and one-time passwords.
  • Static passwords can be broken by software programs, including keyboard strike monitoring programs, cracking programs for guessing passwords, and network sniffing programs.
  • Static passwords can be protected from such software programs by generating a one-time password (one per session) that cannot be calculated from previous passwords, e.g., by using a pseudo-random sequence as a calculation factor.
  • the one-time password is generated from a "real" password that would never be transmitted over the network, and such a "real" password thus constitutes secret data that is shared by the user and the network.
  • Strong authentication, also known as two-factor authentication, is safer than weak authentication because it authenticates the user by two methods, typically a token and a password.
  • Systems that generate one-time passcodes from a token and a password are already available in the market, such as Security Dynamic's Secure ID, Safeword's Safeword DES Gold Card, and Digital Pathway's Defender.
  • the token may be a hardware device and the password may be a Personal Identification Number ("PIN") code needed to access the hardware device.
  • PIN Personal Identification Number
  • the token typically contains some unique identification code.
  • a passcode is generated by encrypting the user's PIN and the token's identification code. The network would then use the passcode to verify the user's identity.
  • Strong authentication can be made still safer, for example, by introducing explicit authentication, in which the network generates a random factor as input to the user's password generation operation. This is known as a "challenge-response" procedure, in which the network challenges the user to give a correct response.
  • the life of the passcode can be short, e.g., one minute, and the authentication process can be repeated periodically during the session.
  • more sophisticated keys and algorithms, based on either symmetric or asymmetric cryptography, can be used. Nevertheless, increased sophistication usually requires additional time and processing power to perform the authentication task.
  • weak and strong authentication techniques have limitations. For example, static login/password methods provide weak security, and strong authentication methods require a user to hold additional devices, i.e., token devices. Some strong authentication mechanisms require specific hardware, e.g., smart card readers. Furthermore, some strong authentication methods require specific hardware and software configurations that create administrative burdens.
  • the token can be embedded in the hardware needed to access the network, like embedding a SIM card in a GSM phone.
  • Reliable authentication can also be achieved by using two different communication channels.
  • One communication channel can be used to access a private service network and the other communication channel can be used to authenticate the user requesting access.
  • one of the communication channels can be an unsecured channel connected to a data network over an access network and the other communication channel can be a secured channel that would exchange security information between a mobile station and the data network over a Public Land Mobile Network ("PLMN").
  • PLMN Public Land Mobile Network
  • the authentication would take place over the secure channel, making it more difficult to steal authentication information.
  • the secure channel would be released and could be used by others.
  • Such an authentication scheme could be implemented using a GSM network as the secured communication path. This is discussed in commonly assigned, co-pending U.S. Patent Application No. 09/386,253, which was filed on August 31, 1999, by Jose Luis Mariz Rios and Jose Luis Ruiz Sanchez, entitled “GSM Security for Packet Data Networks", and which is incorporated in its entirety here by reference.
  • GSM Service Provider the provider of cellular communication services
  • the SIM, based on smart-card technology, is personalized and distributed to the end-user by the GSM Service Provider.
  • GSM-based identification of end-users can be re-used for applications that reside outside of the cellular system ("External Applications").
  • Example Applications A typical implementation is shown in Figure 1.
  • the end-user 100 uses a remote access device, such as a computer 102, to send an access request 104 to an External Application 106 through an Access Network 108, such as the Internet.
  • the access request 104 is forwarded to an Authentication Server 110 that identifies the end-user 100 through his/her Cellular Terminal 112 via communication over the GSM network 114.
  • Typical examples of External Applications 106 that can utilize GSM-based authentication schemes include Internet services that require safe identification of the end-user, such as Internet banking and remote access to corporate local area networks ("LANs").
  • LANs corporate local area networks
  • a simple authentication scheme is based on the generation of a Token 116 in the Authentication Server 110.
  • the Token 116, typically a number or alphanumeric string that is preferably randomly generated, is sent in plain text over the GSM network 114 to the cellular terminal 112 of the end-user 100.
  • the end-user 100 returns this Token 116 to the External Application 106 using the computer 102 connected to the External Application 106 through the access network 108. If the generated and returned Token is the same, the result of the authentication is positive.
  • the advantage with such simple authentication schemes is that they are straightforward to implement and can be operated and controlled by the provider of the External Application, with minimal involvement of the GSM Service Provider.
  • SAT SIM Application Toolkit
  • the GSM Service Provider can store tailor-made software on the SIM card ("SAT Application").
  • the Authentication Server communicates with the SAT application over the GSM network, and identifies the end-user via an interaction on the cellular terminal. The result of the authentication procedure is communicated to the External Application.
  • the GSM Service Provider issues the SIM card, and, for security purposes, may desire to retain the control of this component.
  • the GSM Service Provider is the only entity that will have access to the SIM card to insert SAT applications.
  • a SAT-based authentication mechanism requires a back-end Authentication Server, and from the perspective of the GSM Service Provider, the Authentication Server should remain under the control of the GSM Service Provider.
  • the Authentication Server will contain the same secret key of the end-user as the one stored on the SIM card, and can therefore not be under the control of an external party.
  • the provider of the External Application requires (in the majority of cases) to be in control of the authentication procedure for the External Application, and the associated end-user data base. From this perspective, it is the provider of the External Application that should control the Authentication Server.
  • a system to authenticate an end-user comprising an external application in communication with a first communication device through a first communication network.
  • An authentication server is also in communication with the external application.
  • the authentication server is adapted to receive an authentication request from the external application in response to an access attempt by the first communication device.
  • the authentication server generates a token in response to the authentication request and sends the token through the external application to the first communication device.
  • An authentication gateway is in communication with a second communication device through a second communication network.
  • the authentication gateway is adapted to receive a token from the second communication device and transmit the token to the authentication server. When the token is received from the authentication gateway, the received token is compared to the token generated by the authentication server.
  • the token is generated and verified by the authentication server, the authentication server and external application being controlled by a first common entity.
  • the token may be encrypted throughout all communication paths, and the authentication server can simultaneously support encrypted and unencrypted tokens.
  • a secret key may be stored in an authentication gateway, and the secret key may be used to decrypt the token transmitted from the first communication device to the authentication gateway, the authentication gateway and the first communication network being controlled by a second common entity.
  • the first common entity may be distinct from the second common entity, and advertisements related to the external application can be presented to the end-user via the first communication device.
  • a method for authenticating an end-user comprises the steps of requesting access to an External Application; sending an authentication request from the External Application to the Authentication Server; generating a random Generated Token in the Authentication Server; presenting the Generated Token to the end-user via the External Application; and entering the end-user's PIN and the Generated Token.
  • the method further includes calculating a cryptographic response based on the PIN, Generated Token, and Secret Key, and the calculation uses a cryptographic algorithm and the Secret Key resides within the SAT application; transmitting the response to an Authentication Gateway and an Authentication Server.
  • the method still further includes decrypting the response with the Secret Key in the Authentication Gateway and decrypting the response with the PIN in the Authentication Server, with the decrypted response resulting in a Returned Token.
  • the Returned Token is compared with the Generated Token, and access to the External Application may be granted if the Returned Token and the Generated Token are the same and if the Returned Token is received within a pre-defined time.
  • a network architecture for authenticating an end-user comprising at least one gateway connected to at least one communication network, wherein the at least one gateway provides authentication services to the at least one communication network.
  • at least one server connected to at least one external application, wherein the at least one server provides authentication services to the at least one external application.
  • At least one switch connects the at least one gateway to the at least one server, wherein any of the at least one gateways is accessible, through the at least one switch, by the at least one server.
  • a system for authenticating an end-user comprises an external application in communication with a first communication device through a first communication network.
  • An authentication server is in communication with the external application.
  • the authentication server receives an authentication request from the external application in response to an access attempt by the first communication device.
  • the authentication server generates a token in response to the authentication request and sends the token through the external application to the first communication device.
  • An authentication gateway is in communication with a second communication device through a second communication network. The authentication gateway receives a first message from the second communication device and transmits a second message to the authentication server.
  • the first message is based on the token and an end-user's PIN code
  • the second message is compared to a result of a computation based on the token generated by the authentication server and a PIN code stored in the authentication server and associated with the end-user.
  • Figure 1 is a block diagram that illustrates a method of authenticating a user known to the art
  • Figure 2 is a block diagram that illustrates a method of authenticating a user according to an exemplary embodiment of the present invention
  • Figure 3 is a block diagram that illustrates a method of implementing a service to provide user authentication to a plurality of External Applications through a plurality of GSM networks; and Figure 4 is a flow diagram of the method for authenticating an end-user.
  • a SAT-based authentication method whereby end-user authentication is based on three components: a secret PIN, a Secret Key, and a random number (Token). Control of these components is divided between two nodes: an Authentication Gateway (under the control of the GSM Service Provider), and an Authentication Server (under the control of the provider of the External Application). Preferably, communication between the Authentication Gateway and Authentication Server is encrypted.
  • An exemplary architecture is depicted in Figure 2.
  • the PIN includes a secret string of keystrokes (e.g., an alphanumeric string) that is known by the end-user.
  • the PIN can be stored and/or checked in the Authentication Gateway, in the Authentication Server, or locally on the SIM card.
  • the Secret Key is stored on the SIM-card in connection with the SAT application and, in the case of symmetric keys, in the Authentication Gateway.
  • the Token (e.g., a random numeric or alphanumeric string) is generated and checked in the Authentication Server.
  • an end-user 200 requests access (via an access request 202) to the External Application 204 and identifies himself/herself, e.g., by his/her Mobile Subscriber ISDN number ("MSISDN") or other suitably unique user name.
  • MSISDN Mobile Subscriber ISDN number
  • an access device 208 transmits an access request 202 to an External Application 204 through an access network 206.
  • the access network 206 can be a GSM network, a PSTN, or other communication network, including a LAN.
  • Access device 208 can be any suitable network terminating device, including, for example, telephones, computers, and personal digital assistants ("PDA").
  • the External Application 204 sends an authentication request 210 to the Authentication Server 212.
  • the Authentication Server 212 generates a random Token 214 and presents the Token to the end-user 200 via the External Application 204.
  • the end-user 200 reads the Token 214 from the External Application 204 and may select an "Authentication-option" from a menu on the authenticating device 216 (this option can be presented on the menu with the SAT application).
  • the SAT application advantageously prompts the end-user 200 for a PIN and then for a Token. After the end-user 200 has entered the PIN and Token, the SAT application generates a response based on the PIN, Token, and Secret Key, using a predetermined cryptographic algorithm (e.g., Triple DES).
  • a predetermined cryptographic algorithm e.g., Triple DES
  • the response may be based only on the Token and Secret Key.
  • the authenticating device 216 sends the response 218 back to the Authentication Gateway 222 via the GSM network 220.
  • the response 218 is decrypted with the Secret Key (and the PIN, if available) in the Authentication Gateway 222, which forwards the decrypted response, now a Returned Token, to the Authentication Server 212.
  • the response forwarded from the Authentication Gateway 222 to the Authentication Server 212 is decrypted by the Authentication Server 212 to produce the Returned Token.
  • the Authentication Server 212 compares the Returned Token with the Generated Token. If the correct Token is returned within a pre-defined period of time (e.g., one minute), the result of the authentication request is positive and is communicated to the External Application 204 in the form of an authentication result 224.
  • the Returned Token can be generated using non-reversible cryptographic algorithms.
  • a common cryptographic transformation such as a hash function, that uses the Generated Token and/or PIN as input can be used to calculate the Returned Token.
  • the Authentication Server 212 may also use the same hash function to calculate the expected response, again based on the Generated Token and/or PIN. The expected response would then be compared to the Returned Token.
  • the Network Initiated scenario differs from the Mobile Initiated case in the way the SAT dialogue on the authenticating device 216 is activated.
  • the SAT dialogue is initiated by the end-user, e.g., by selecting an "Authentication-option" from a menu displayed on the cellular terminal.
  • the dialogue is initiated from the Authentication Server 212, via the Authentication Gateway 222, and further to the SIM card/cellular terminal via a message sent from the Authentication Gateway 222 over the GSM Network.
  • FIG. 4 is a flowchart of the steps of a method of authenticating an end-user that is in accordance with Applicants' invention.
  • an External Application receives an access request.
  • this access request will be the result of an end-user's actively accessing the External Application, such as an internet banking website.
  • the External Application sends an authentication request to an Authentication Server in step 402.
  • the Authentication Server and the External Application may both be software tasks running on the same computer, or they may be on separate computers connected by a network.
  • the network may be a LAN or a telecommunication network.
  • in step 403, the Authentication Server generates a Token that is preferably a pseudo-random sequence, e.g., of numbers and letters.
  • the Token in step 404, is transmitted to the accessing device.
  • the end-user reads the Token from the accessing device and enters it into the authenticating device.
  • the end-user may also need to enter a PIN into the authentication device to verify his identity, but the Token could also be transmitted without user intervention by cable, infra-red, or radio-frequency methods known to the art.
  • once the Token is entered into the authenticating device, the authenticating device generates a cryptographic response based on the Token, a Secret Key resident in the authenticating device, and possibly the PIN (step 405).
  • the Secret Key is preferably embedded within the authentication device, but may also be encoded in a smart card or other access card that is held by the end-user and read by the authentication device.
  • step 406 the response is sent to an Authentication Gateway and the Authentication Server.
  • step 407 the Authentication Gateway decrypts the response based on the Secret Key.
  • the Authentication Server decrypts the Token based on the PIN or, if the PIN is not used in generating the response, the Authentication Server receives the Token from the Authentication Gateway.
  • As previously noted, one-way algorithms, such as hash functions, can also be used in place of reversible cryptographic algorithms. If the received Token matches the generated Token, access to the External Application is granted. The Authentication Server may also require that the response be received in a pre-determined period of time. If this is required and the response is received late, access to the external application may be denied.
  • the Token should be long enough so that it cannot be guessed by an intruder within the time allowed for response.
  • the length of the Token is related to the cryptographic function used to combine it with the PIN and the encryption algorithm in the SIM-Authentication Gateway communication.
  • the Token should also be short enough so that the end-user can successfully enter it into the authenticating device within the allowed response time.
  • Applicants' invention has significant benefits over the prior art.
  • the provider of the External Application is in control of the Authentication Server and the associated end-user database (MSISDNs, and optionally, the associated user names and/or PINs).
  • the provider of the External Application has the final control of the authentication procedure (comparing the Generated and Returned Token in the Authentication Server). This ensures that the provider of the External Application has full control over access to its content.
  • while the provider of the External Application retains control of the application, the Service Provider remains in control of the SIM card, SAT application, and the associated Secret Key. Via the Authentication Gateway, the GSM Service Provider gains access to a prime advertising channel. Advertisements related to accessed External Applications can be presented to the end-user via a SAT interaction on the Cellular Terminal.
  • the Token is transported in encrypted form throughout the transmission path SIM - GSM Network - Authentication Gateway - Authentication Server.
  • every authentication request results in strong two-factor authentication of the end-user: it is verified that the end-user knows the PIN, and holds the SIM card.
  • the PIN is stored and checked locally on the SIM card or in the Authentication Gateway, the end-user will only need to remember one password (PIN) for all External Applications that utilize the authentication method.
  • PIN password
  • the MSISDN is used as user name, there will not be any need to remember application-specific user-names.
  • the Authentication Server in the proposed SAT-based scheme performs the same Token-based authentication check as in simple solutions, where the Token is sent in clear text over the GSM network. This makes it possible to support both solutions in the same Authentication Server. It also enables smooth migration from the simple solution to the more advanced SAT-solution, as more and more end-users acquire SAT-enabled SIMs (and Cellular Terminals).
  • a method of service-provider independent authentication is complicated by the fact that there are currently more than 350 GSM networks in operation, a number that is constantly increasing. For a provider of an External Application, whose end-users can have subscriptions with any GSM network, relations must be maintained with a large number of GSM networks. This is needed both for simple authentication schemes (based on sending random Tokens in clear text over GSM), as well as for the more advanced SAT-based mechanism just described. The solution is to launch an operator-independent Authentication Service.
  • Figure 3 is an exemplary network architecture that could be used to provide an Authentication Service.
  • the provider of the Authentication Service supplies Authentication Servers 310a, 310b, 310c, 310d, 310e, 310f to providers of External Applications 320a, 320b, 320c, 320d, 320e, 320f, such as Internet banks, enterprises offering remote intranet/extranet access, providers of high-valued Internet content, etc.
  • These Authentication Servers 310a-310f can preferably support both the simple, clear-text Token-based authentication mechanism, as well as the more advanced SAT mechanism.
  • each Authentication Server 310a-310f can concurrently service more than one External Application 320a-320f.
  • the Authentication Service also supplies Authentication Gateways 340a, 340b, 340c, 340d, 340e to GSM Service Providers 330a-330d to handle the SAT-based authentication mechanism.
  • Authentication Gateways 340a-340e can also be made available for a network-based authentication mechanism for networks other than GSM.
  • the Authentication Service operates one or more central switches 350 to provide simplified connectivity between providers of External Applications 320a-320f and GSM Service Providers 330a-330d. While the system shown in Figure 3 employs only one switch, the system could be duplicated to accommodate multiple switches with appropriate inter-switch connectivity. A variety of inter-switch connection schemes are known to the art.
  • the Authentication Service is also responsible for monitoring the overall quality and security of the service, including the connections between the Authentication Servers 310a-310f and Authentication Gateways 340a-340e.
  • the first and second access device and network can be the same, thereby allowing an External Application to be accessed by a mobile phone.
  • the invention can be embodied in other network technologies.
  • mobile networks that use a subscriber module, analogous to a SIM, to identify an end-user can use Applicants' invention.
  • additional services, such as advertising can be provided to the GSM device during the authentication process.

Abstract

A system and method for verifying the identity of an end-user. The end-user requests to access an external application. The external application sends an authentication request to an authentication server, which generates a random token. The generated token is transmitted to the end-user. The end-user enters the generated token and a personal identification number into a cellular terminal connected to a GSM network. At least the token is encrypted using a secret key stored within the cellular terminal and transmitted through the GSM network to an authentication gateway. The token is decrypted by the authentication gateway using either the same secret key or a key matched to the secret key. The token is then transmitted to the authentication server, where the received token is compared to the generated token. The results of the comparison are transmitted to the external application.
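The following simulation is an added illustration of the two-channel scheme described in the Definitions and Abstract above; it is not code from the patent or from Ericsson. It keeps the patent's division of secrets: the Authentication Server holds the Generated Token and the end-user's PIN, the Authentication Gateway holds the Secret Key it shares with the SIM, and neither node ever sees the other's secret. Two assumptions are mine: the reversible Triple DES step is replaced by the page's own "non-reversible" alternative (the SIM derives the Returned Token as an HMAC keyed by the PIN over the Generated Token, and proves possession of the Secret Key with a second HMAC that the Gateway verifies instead of decrypting), and all MSISDNs, keys and PINs are constructed sample values. The example also adds the single-use and one-minute checks the text requires, and a helper that quantifies the Token-length trade-off from the "long enough / short enough" bullets.

```python
"""Simulation of SAT-based, two-channel token authentication (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_ALPHABET = "0123456789"   # digits only so the Token can be typed on a handset
TOKEN_LENGTH = 8
TOKEN_LIFETIME_S = 60.0         # the text's "pre-defined period of time (e.g., one minute)"


def generate_token(length=TOKEN_LENGTH, alphabet=TOKEN_ALPHABET):
    """Step 403: Generated Token from a CSPRNG, never from time() or a counter."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_probability(attempts, length=TOKEN_LENGTH, alphabet=TOKEN_ALPHABET):
    """Chance that `attempts` blind guesses inside the response window hit the Token."""
    return min(1.0, attempts / (len(alphabet) ** length))


def returned_token(pin, token):
    """Non-reversible transform of (PIN, Token). Computed on the SIM, and
    independently by the Authentication Server as the expected response
    (the hash-function variant the text allows instead of Triple DES)."""
    return hmac.new(pin.encode(), token.encode(), hashlib.sha256).hexdigest()


class SimApplication:
    """SAT application on the SIM: holds the Secret Key, is given PIN and Token."""
    def __init__(self, msisdn, secret_key):
        self.msisdn = msisdn
        self._secret_key = secret_key   # assumption: HMAC key stands in for the 3DES key

    def respond(self, pin, token):
        inner = returned_token(pin, token)
        proof = hmac.new(self._secret_key, (self.msisdn + inner).encode(),
                         hashlib.sha256).hexdigest()
        return {"msisdn": self.msisdn, "inner": inner, "proof": proof}


class AuthenticationGateway:
    """Operator-controlled node: knows Secret Keys per MSISDN, never PIN or Token."""
    def __init__(self, keys):
        self._keys = keys   # msisdn -> Secret Key bytes

    def relay(self, response):
        key = self._keys.get(response["msisdn"])
        if key is None:
            return None
        expected = hmac.new(key, (response["msisdn"] + response["inner"]).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["proof"]):
            return None   # possession of the SIM not proven: drop the response
        return {"msisdn": response["msisdn"], "returned_token": response["inner"]}


class AuthenticationServer:
    """Application-provider node: knows PINs, issues Tokens and checks responses."""
    def __init__(self, pins, lifetime=TOKEN_LIFETIME_S, clock=time.monotonic):
        self._pins = pins
        self._pending = {}   # msisdn -> (token, issued_at)
        self._lifetime = lifetime
        self._clock = clock

    def start(self, msisdn):
        token = generate_token()
        self._pending[msisdn] = (token, self._clock())
        return token   # step 404: shown to the end-user via the External Application

    def verify(self, message):
        if message is None:
            return False
        entry = self._pending.pop(message["msisdn"], None)   # single use: replay fails
        if entry is None:
            return False
        token, issued = entry
        if self._clock() - issued > self._lifetime:
            return False   # late response is denied, as the text allows
        expected = returned_token(self._pins[message["msisdn"]], token)
        return hmac.compare_digest(expected, message["returned_token"])


def run_flow(pin_entered, delay_s=0.0, sim_key=b"constructed-sim-key-0001"):
    """End-to-end run over constructed sample data; returns the authentication result."""
    now = [0.0]
    msisdn = "+46700000000"                       # constructed MSISDN
    gateway_key = b"constructed-sim-key-0001"     # Secret Key as provisioned at the operator
    sim = SimApplication(msisdn, sim_key)
    gateway = AuthenticationGateway({msisdn: gateway_key})
    server = AuthenticationServer({msisdn: "4711"}, clock=lambda: now[0])
    token = server.start(msisdn)                  # travels over the access network
    now[0] += delay_s                             # user reads and types the Token
    return server.verify(gateway.relay(sim.respond(pin_entered, token)))


if __name__ == "__main__":
    print("correct PIN:", run_flow("4711"))
    print("wrong PIN:", run_flow("0000"))
    print("late response:", run_flow("4711", delay_s=61))
    print("wrong SIM key:", run_flow("4711", sim_key=b"other-key"))
```

The split of checks mirrors the split of control in the text: a wrong Secret Key is rejected at the Gateway (the operator's factor), a wrong PIN or stale Token at the Server (the application provider's factor), and a Token that is reused after a successful check fails because the server discards it. `guess_probability(10)` for an eight-digit Token is 1e-7 per minute window, which is the kind of figure the Token-length discussion asks the designer to weigh against how much a user can type in that minute.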

Description

SERVICE PROVIDER-INDEPENDENT SAT-BASED END-USER AUTHENTICATION
BACKGROUND
The present invention relates generally to methods and apparatus for providing end-user authentication services for network access providers and more particularly methods and apparatus that apply network security procedures to authenticate users who are requesting access to network applications.
The number of users who access data networks from remote locations increases each day. In many cases, a data network provider may wish to restrict network access to a group of users (such as customers, employees, etc.) and thereby create a private network. A private network is typically a network in which access to host sites of the private network is limited to authorized users. When a private network is connected to a public network, security procedures, including authentication procedures, should be carried out to ensure that only authorized users from authorized hosts can gain access to the private network. For example, when a user requests access to a host site of the private network from a remote location, the user must be authenticated before the user is granted access to the host site.
Some conventional authentication procedures use passwords. A password is a string of characters that may be recognized by automatic means to permit a user to access protected files or other system resources. Most sophisticated systems use authentication schemes based on passwords.
A password may be generated at a remote site that is requesting access to a host site of the private network. Some systems utilize either symmetric or asymmetric cryptographic techniques to create and authenticate the password. The continuous development of data networks has generated a wide range of computer services. In some cases, the services are restricted to a number of users providing service on a first-come, first-served basis. In other cases, the services are accessed on a commercial basis, i.e., the users pay to utilize the services. In the latter case, users must authenticate themselves using a service provision system of a service provider before they can gain access to the desired services. Typically, this requires the user to provide a unique username and password. The service provider verifies the username and password entered by the user against a database maintained by the service provider and grants access if the entered information matches the information in the database. In this manner, the service provider ensures that only users entitled to access the services can do so.
Cellular communication systems control resources of a network in a similar fashion. For example, in a Global System for Mobile Communication ("GSM") network, the mobile station (e.g., GSM phone) includes a Subscriber Identity Module ("SIM"). The SIM contains subscriber information, including data that permits the mobile station to gain access to the GSM network and utilize subscriber-based functions of the network (e.g., calling party identification, voice mail, etc.).
Remote access to public or private data networks is growing tremendously, especially through dial-up connections such as public switched telephone networks ("PSTN") or the higher speed integrated services digital networks ("ISDN"). However, these dial-up connections are inherently insecure because they transmit data over open communication lines. Additionally, software for breaching security is quite advanced and more widely used than it was in the past. For example, software is available for guessing the passwords of authorized users of the network. Network diagnostic equipment can also be used to capture the user names and passwords of authorized users. Once user names and passwords become known, unauthorized users can pose as authorized users and gain access to the network. This problem can be overcome by using known authentication techniques.
Weak authentication, also known as single-factor authentication, uses a single method to authenticate a user. Weak authentication encompasses static passwords and one-time passwords. Static passwords can be broken by software programs, including keyboard strike monitoring programs, cracking programs for guessing passwords, and network sniffing programs. Static passwords can be protected from such software programs by generating a one-time password (one per session) that cannot be calculated from previous passwords, e.g., by using a pseudo-random sequence as a calculation factor. The one-time password is generated from a "real" password that would never be transmitted over the network, and such a "real" password thus constitutes secret data that is shared by the user and the network.
Strong authentication, also known as two-factor authentication, is safer than weak authentication because it authenticates the user by two methods, typically a token and a password. Systems that generate one-time passcodes from a token and a password are already available in the market, such as Security Dynamic's Secure ID, Safeword's Safeword DES Gold Card, and Digital Pathway's Defender. For example, the token may be a hardware device and the password may be a Personal Identification Number ("PIN") code needed to access the hardware device. The token typically contains some unique identification code. A passcode is generated by encrypting the user's PIN and the token's identification code. The network would then use the passcode to verify the user's identity. Strong authentication can be made still safer in several ways. First, explicit authentication can be introduced, in which the network generates a random factor as input to the user's password generation operation; this is known as a "challenge-response" procedure, in which the network challenges the user to give a correct response. Second, the life of the passcode can be short, e.g., one minute, and the authentication process can be repeated periodically during the session. Third, more sophisticated keys and algorithms, based on either symmetric or asymmetric cryptography, can be used. Nevertheless, increased sophistication usually requires additional time and processing power to perform the authentication task.
Both weak and strong authentication techniques have limitations. For example, static login/password methods provide weak security, and strong authentication methods require a user to hold additional devices, i.e., token devices. Some strong authentication mechanisms require specific hardware, e.g., smart card readers. Furthermore, some strong authentication methods require specific hardware and software configurations that create administrative burdens.
Some of these limitations and burdens can be overcome, or at least made more acceptable to the user, by combining different forms of authentication. For example, the token can be embedded in the hardware needed to access the network, like embedding a SIM card in a GSM phone.
Reliable authentication can also be achieved by using two different communication channels. One communication channel can be used to access a private service network and the other communication channel can be used to authenticate the user requesting access. In this case, one of the communication channels can be an unsecured channel connected to a data network over an access network and the other communication channel can be a secured channel that would exchange security information between a mobile station and the data network over a Public Land Mobile Network ("PLMN"). Under these circumstances, the authentication would take place over the secure channel, making it more difficult to steal authentication information. Once the authentication is completed, the secure channel would be released and could be used by others. Such an authentication scheme could be implemented using a GSM network as the secured communication path. This is discussed in commonly assigned, co-pending U.S. Patent Application No. 09/386,253, which was filed on August 31, 1999, by Jose Luis Mariz Rios and Jose Luis Ruiz Sanchez, entitled "GSM Security for Packet Data Networks", and which is incorporated in its entirety here by reference.
In GSM, the provider of cellular communication services ("GSM Service Provider") identifies the end-user by a SIM in the end-user's cellular terminal. The SIM, based on smart-card technology, is personalized and distributed to the end-user by the GSM Service Provider. The GSM-based identification of end-users can be re-used for applications that reside outside of the cellular system ("External Applications"). A typical implementation is shown in Figure 1. The end-user 100 uses a remote access device, such as a computer 102, to send an access request 104 to an External Application 106 through an Access Network 108, such as the Internet. The access request 104 is forwarded to an Authentication Server 110 that identifies the end-user 100 through his/her Cellular Terminal 112 via communication over the GSM network 114. Typical examples of External Applications 106 that can utilize GSM-based authentication schemes include Internet services that require safe identification of the end-user, such as Internet banking and remote access to corporate local area networks ("LANs").
A simple authentication scheme is based on the generation of a Token 116 in the Authentication Server 110. The Token 116, typically a number or alphanumeric string that is preferably randomly generated, is sent in plain text over the GSM network 114 to the cellular terminal 112 of the end-user 100. The end-user 100 returns this Token 116 to the External Application 106 using the computer 102 connected to the External Application 106 through the access network 108. If the generated and returned Token is the same, the result of the authentication is positive. The advantage with such simple authentication schemes is that they are straightforward to implement and can be operated and controlled by the provider of the External Application, with minimal involvement of the GSM Service Provider.
More advanced authentication solutions can be implemented using SIM Application Toolkit ("SAT") technology. With SAT, the GSM Service Provider can store tailor-made software on the SIM card ("SAT Application"). The Authentication Server communicates with the SAT application over the GSM network, and identifies the end-user via an interaction on the cellular terminal. The result of the authentication procedure is communicated to the External Application.
An issue associated with SAT-based authentication mechanisms is that the GSM Service Provider and the provider of the External Application may be separate entities. This creates concerns regarding the division of liabilities between the entities, and a question of "who should control what" in the security chain.
The GSM Service Provider issues the SIM card, and, for security purposes, may desire to retain the control of this component. Hence, the GSM Service Provider is the only entity that will have access to the SIM card to insert SAT applications. A SAT-based authentication mechanism requires a back-end Authentication Server, and from the perspective of the GSM Service Provider, the Authentication Server should remain under the control of the GSM Service Provider. For example, in a symmetric authentication solution, the Authentication Server will contain the same secret key of the end-user as the one stored on the SIM card, and can therefore not be under the control of an external party.
The provider of the External Application, on the other hand, requires (in the majority of cases) to be in control of the authentication procedure for the External Application, and the associated end-user data base. From this perspective, it is the provider of the External Application that should control the Authentication Server.
These and other drawbacks of previous systems and methods are alleviated by Applicants' invention that provides service provider-independent SAT-based authentication.
SUMMARY
In accordance with one aspect of the present invention, there is provided a system to authenticate an end-user. The system comprises an external application in communication with a first communication device through a first communication network. An authentication server is also in communication with the external application. The authentication server is adapted to receive an authentication request from the external application in response to an access attempt by the first communication device. The authentication server generates a token in response to the authentication request and sends the token through the external application to the first communication device. An authentication gateway is in communication with a second communication device through a second communication network. The authentication gateway is adapted to receive a token from the second communication device and transmit the token to the authentication server. When the token is received from the authentication gateway, the received token is compared to the token generated by the authentication server.
In accordance with another aspect of the present invention, the token is generated and verified by the authentication server, the authentication server and external application being controlled by a first common entity. The token may be encrypted throughout all communication paths, and the authentication server can simultaneously support encrypted and unencrypted tokens. A secret key may be stored in an authentication gateway, and the secret key may be used to decrypt the token transmitted from the first communication device to the authentication gateway, the authentication gateway and the first communication network being controlled by a second common entity.
In accordance with other aspects of the present invention, the first common entity may be distinct from the second common entity, and advertisements related to the external application can be presented to the end-user via the first communication device.
In accordance with yet another aspect of the present invention, a method for authenticating an end-user comprises the steps of requesting access to an External Application; sending an authentication request from the External Application to the Authentication Server; generating a random Generated Token in the Authentication Server; presenting the Generated Token to the end-user via the External Application; and entering the end-user's PIN and the Generated Token. The method further includes calculating a cryptographic response based on the PIN, Generated Token, and Secret Key, and the calculation uses a cryptographic algorithm and the Secret Key resides within the SAT application; transmitting the response to an Authentication Gateway and an Authentication Server. The method still further includes decrypting the response with the Secret Key in the Authentication Gateway and decrypting the response with the PIN in the Authentication Server, with the decrypted response resulting in a Returned Token. In addition, the Returned Token is compared with the Generated Token, and access to the External Application may be granted if the Returned Token and the Generated Token are the same and if the Returned Token is received within a pre-defined time.
In accordance with another aspect of the present invention, there is a network architecture for authenticating an end-user. The network comprises at least one gateway connected to at least one communication network, wherein the at least one gateway provides authentication services to the at least one communication network. In addition, there is at least one server connected to at least one external application, wherein the at least one server provides authentication services to the at least one external application. At least one switch connects the at least one gateway to the at least one server, wherein any of the at least one gateways is accessible, through the at least one switch, by the at least one server.
In accordance with another aspect of the present invention, there is a system for authenticating an end-user. The system comprises an external application in communication with a first communication device through a first communication network. An authentication server is in communication with the external application. The authentication server receives an authentication request from the external application in response to an access attempt by the first communication device. The authentication server generates a token in response to the authentication request and sends the token through the external application to the first communication device. An authentication gateway is in communication with a second communication device through a second communication network. The authentication gateway receives a first message from the second communication device and transmits a second message to the authentication server. The first message is based on the token and an end-user's PIN code, and the second message is compared to a result of a computation based on the token generated by the authentication server and a PIN code stored in the authentication server and associated with the end-user.
BRIEF DESCRIPTION OF THE DRAWINGS
The features, objects, and advantages of the present invention will become apparent by reading this description in conjunction with the accompanying drawings, in which:
Figure 1 is a block diagram that illustrates a method of authenticating a user known to the art;
Figure 2 is a block diagram that illustrates a method of authenticating a user according to an exemplary embodiment of the present invention;
Figure 3 is a block diagram that illustrates a method of implementing a service to provide user authentication to a plurality of External Applications through a plurality of GSM networks; and
Figure 4 is a flow diagram of the method for authenticating an end-user.
DETAILED DESCRIPTION
In the following description, the invention is described in terms of a GSM communication system, but it will be understood that Applicants' invention is not so limited. The invention can be embodied in other types of communication systems that have appropriate features. In accordance with one aspect of the present invention, there is provided a SAT-based authentication method, whereby end-user authentication is based on three components: a secret PIN, a Secret Key, and a random number (Token). Control of these components is divided between two nodes: an Authentication Gateway (under the control of the GSM Service Provider), and an Authentication Server (under the control of the provider of the External Application). Preferably, communication between the Authentication Gateway and Authentication Server is encrypted. An exemplary architecture is depicted in Figure 2.
The PIN includes a secret string of keystrokes (e.g., an alphanumeric string) that is known by the end-user. The PIN can be stored and/or checked in the Authentication Gateway, in the Authentication Server, or locally on the SIM card. The Secret Key is stored on the SIM-card in connection with the SAT application and, in the case of symmetric keys, in the Authentication Gateway. The Token (e.g., a random numeric or alphanumeric string) is generated and checked in the Authentication Server.
As can be appreciated, there are two possible authentication scenarios: Mobile Initiated and Network Initiated. In the Mobile Initiated scenario, an end-user 200 requests access (via an access request 202) to the External Application 204 and identifies himself/herself, e.g., by his/her Mobile Subscriber ISDN number ("MSISDN") or other suitably unique user name. Typically, an access device 208 transmits an access request 202 to an External Application 204 through an access network 206. As will be appreciated, the access network 206 can be a GSM network, a PSTN, or other communication network, including a LAN. Access device 208 can be any suitable network terminating device, including, for example, telephones, computers, and personal digital assistants ("PDA").
The External Application 204 sends an authentication request 210 to the Authentication Server 212. The Authentication Server 212 generates a random Token 214 and presents the Token to the end-user 200 via the External Application 204. The end-user 200 reads the Token 214 from the External Application 204 and may select an "Authentication-option" from a menu on the authenticating device 216 (this option can be presented on the menu with the SAT application). The SAT application advantageously prompts the end-user 200 for a PIN and then for a Token. After the end-user 200 has entered the PIN and Token, the SAT application generates a response based on the PIN, Token, and Secret Key, using a predetermined cryptographic algorithm (e.g., Triple DES). If the PIN is stored/checked locally on the SIM, the response may be based only on the Token and Secret Key. The authenticating device 216 sends the response 218 back to the Authentication Gateway 222 via the GSM network 220. The response 218 is decrypted with the Secret Key (and the PIN, if available) in the Authentication Gateway 222, which forwards the decrypted response, now a Returned Token, to the Authentication Server 212. (If the PIN is stored in the Authentication Server 212, then the response forwarded from the Authentication Gateway 222 to the Authentication Server 212 is decrypted by the Authentication Server 212 to produce the Returned Token.) The Authentication Server 212 compares the Returned Token with the Generated Token. If the correct Token is returned within a pre-defined period of time (e.g., one minute), the result of the authentication request is positive and is communicated to the External Application 204 in the form of an authentication result 224. As can be appreciated, the Returned Token can be generated using non-reversible cryptographic algorithms. 
For example, a common cryptographic transformation, such as a hash function, that uses the Generated Token and/or PIN as input can be used to calculate the Returned Token. The Authentication Server 212 may also use the same hash function to calculate the expected response, again based on the Generated Token and/or PIN. The expected response would then be compared to the Returned Token.
The Network Initiated scenario differs from the Mobile Initiated case in the way the SAT dialogue on the authenticating device 216 is activated. In the Mobile Initiated scenario (described above), the SAT dialogue is initiated by the end-user, e.g., by selecting an "Authentication-option" from a menu displayed on the cellular terminal. In the Network Initiated scenario, the dialogue is initiated from the Authentication Server 212, via the Authentication Gateway 222, and further to the SIM card/cellular terminal via a message sent from the Authentication Gateway 222 over the GSM Network.
Figure 4 is a flowchart of the steps of a method of authenticating an end-user that is in accordance with Applicants' invention. First, in step 401, an External Application receives an access request. Typically, this access request will be the result of an end-user's actively accessing the External Application, such as an internet banking website. In response to the access request, the External Application sends an authentication request to an Authentication Server in step 402. As can be appreciated, the Authentication Server and the External Application may both be software tasks running on the same computer, or they may be on separate computers connected by a network. The network may be a LAN or a telecommunication network.
In step 403, the Authentication Server generates a Token that is preferably a pseudo-random sequence, e.g., of numbers and letters. The Token, in step 404, is transmitted to the accessing device. Typically, the end-user reads the Token from the accessing device and enters it into the authenticating device. The end-user may also need to enter a PIN into the authenticating device to verify his/her identity, but the Token could also be transmitted without user intervention by cable, infra-red, or radio-frequency methods known to the art. Once the Token is entered into the authenticating device, the authenticating device generates a cryptographic response based on the Token, a Secret Key resident in the authenticating device, and possibly the PIN (step 405). The Secret Key is preferably embedded within the authenticating device, but may also be encoded in a smart card or other access card that is held by the end-user and read by the authenticating device.
In step 406, the response is sent to an Authentication Gateway and the Authentication Server. In step 407, the Authentication Gateway decrypts the response based on the Secret Key. The Authentication Server decrypts the Token based on the PIN or, if the PIN is not used in generating the response, the Authentication Server receives the Token from the Authentication Gateway. As previously noted, one-way algorithms, such as hash functions, can also be used in place of reversible cryptographic algorithms. If the received Token matches the generated Token, access to the External Application is granted. The Authentication Server may also require that the response be received in a pre-determined period of time. If this is required and the response is received late, access to the external application may be denied.
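The Mobile Initiated flow of steps 401 through 407, simulated end to end as an added example that is not part of the patent. It uses the one-way (hash) variant described above, with SHA-256 standing in for the unspecified hash function and an HMAC-keyed stream with an integrity tag standing in for the Triple DES named in the text; the MSISDN, PIN and 16-byte Secret Key are constructed sample values.

```python
# Added example (not the patent's code): the Figure 4 flow, steps 401-407, end to end.
# Assumes the one-way variant (Returned Token = SHA-256 over Token and PIN, recomputed
# by the Authentication Server from its stored PIN) and an HMAC-keyed XOR stream plus
# tag standing in for the Triple DES the text names on the SIM-to-gateway leg.
import hashlib
import hmac
import secrets
import string
import time

TOKEN_ALPHABET = string.digits  # numeric Tokens are the easiest to key in on a handset
TOKEN_LENGTH = 8                # 10**8 values cannot be guessed inside the response window
TOKEN_LIFETIME_S = 60.0         # the pre-defined response period named in the text


def returned_token(token, pin):
    """One-way combination of Token and PIN, computed by both SIM and server."""
    return hashlib.sha256(token.encode() + b"|" + pin.encode()).digest()


def gsm_encrypt(secret_key, plaintext):
    """Secret-Key layer for the GSM leg: nonce || (plaintext XOR keystream) || tag."""
    assert len(plaintext) <= 32, "keystream covers one SHA-256 digest"
    nonce = secrets.token_bytes(16)
    stream = hmac.new(secret_key, b"enc" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(secret_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def gsm_decrypt(secret_key, message):
    """Reverse of gsm_encrypt; rejects a message whose tag does not verify."""
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(secret_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("response failed integrity check")
    stream = hmac.new(secret_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class SatApplication:
    """SAT application on the SIM: holds the Secret Key and never reveals it."""
    def __init__(self, secret_key):
        self._secret_key = secret_key

    def respond(self, token, pin):
        # Step 405: response from PIN, Token and Secret Key.
        return gsm_encrypt(self._secret_key, returned_token(token, pin))


class AuthenticationGateway:
    """GSM Service Provider node: knows each MSISDN's Secret Key, never the Token or PIN."""
    def __init__(self, keys_by_msisdn):
        self._keys = keys_by_msisdn

    def forward(self, msisdn, response):
        # Step 407, gateway half: strip the Secret-Key layer and pass the rest on.
        return gsm_decrypt(self._keys[msisdn], response)


class AuthenticationServer:
    """External Application side: owns the Tokens and the end-user PIN database."""
    def __init__(self, pins_by_msisdn, clock=time.monotonic):
        self._pins = pins_by_msisdn
        self._clock = clock
        self._pending = {}  # msisdn -> (Generated Token, issue time)

    def generate_token(self, msisdn):
        # Step 403: random Generated Token, remembered together with its issue time.
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        self._pending[msisdn] = (token, self._clock())
        return token

    def verify(self, msisdn, returned):
        # Step 407, server half: one-shot lookup, deadline check, constant-time compare.
        entry = self._pending.pop(msisdn, None)
        if entry is None:
            return False
        token, issued_at = entry
        if self._clock() - issued_at > TOKEN_LIFETIME_S:
            return False
        return hmac.compare_digest(returned_token(token, self._pins[msisdn]), returned)


def run_flow(pin_entered, delay_s=0.0, tamper=False):
    """Drive one Mobile Initiated authentication and return the server's verdict.
    Constructed data: MSISDN +46700000000, PIN 1234, placeholder 16-byte Secret Key."""
    msisdn = "+46700000000"
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    clock = {"now": 1000.0}  # controllable clock so the deadline can be exercised
    sim = SatApplication(secret_key)
    gateway = AuthenticationGateway({msisdn: secret_key})
    server = AuthenticationServer({msisdn: "1234"}, clock=lambda: clock["now"])
    token = server.generate_token(msisdn)       # steps 401-404: Token shown to the end-user
    response = sim.respond(token, pin_entered)  # step 405: PIN and Token keyed into the SAT dialogue
    if tamper:                                  # corruption or manipulation on the GSM leg
        response = response[:20] + bytes([response[20] ^ 0x01]) + response[21:]
    clock["now"] += delay_s                     # time that passes before the response arrives
    try:
        returned = gateway.forward(msisdn, response)  # steps 406-407 at the gateway
    except ValueError:
        return False
    return server.verify(msisdn, returned)      # step 407 at the server
```

Because the gateway only strips the Secret-Key layer and the server only recomputes the hash from its own PIN record, neither node alone can complete the check, which is the division of control the text describes.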
As can be appreciated, the Token should be long enough so that it cannot be guessed by an intruder within the time allowed for response. In addition, the length of the Token is related to the cryptographic function used to combine it with the PIN and the encryption algorithm in the SIM-Authentication Gateway communication. On the other hand, the Token should also be short enough so that the end-user can successfully enter it into the authenticating device within the allowed response time. As can be appreciated, Applicants' invention has significant benefits over the prior art. For example, the provider of the External Application is in control of the Authentication Server and the associated end-user database (MSISDNs, and optionally, the associated user names and/or PINs). In addition, the provider of the External Application has the final control of the authentication procedure (comparing the Generated and Returned Token in the Authentication Server). This ensures that the provider of the External Application has full control over access to its content.
While the provider of the External Application retains control of the application, the Service Provider remains in control of the SIM card, SAT application, and the associated Secret Key. Via the Authentication Gateway, the GSM Service Provider gains access to a prime advertising channel. Advertisements related to accessed External Applications can be presented to the end-user via a SAT interaction on the Cellular Terminal.
The Token is transported in encrypted form throughout the transmission path SIM - GSM Network - Authentication Gateway - Authentication Server. In addition, every authentication request results in strong two-factor authentication of the end-user: it is verified that the end-user knows the PIN, and holds the SIM card. In case the PIN is stored and checked locally on the SIM card or in the Authentication Gateway, the end-user will only need to remember one password (PIN) for all External Applications that utilize the authentication method. Also, in case the MSISDN is used as user name, there will not be any need to remember application-specific user-names.
The Authentication Server in the proposed SAT-based scheme performs the same Token-based authentication check as in simple solutions, where the Token is sent in clear text over the GSM network. This makes it possible to support both solutions in the same Authentication Server. It also enables smooth migration from the simple solution to the more advanced SAT-solution, as more and more end-users acquire SAT-enabled SIMs (and Cellular Terminals).
A method of service-provider independent authentication is complicated by the fact that there are currently more than 350 GSM networks in operation, a number that is constantly increasing. For a provider of an External Application, whose end-users can have subscriptions with any GSM network, relations must be maintained with a large number of GSM networks. This is needed both for simple authentication schemes (based on sending random Tokens in clear text over GSM), as well as for the more advanced SAT-based mechanism just described. The solution is to launch an operator-independent Authentication Service.
Figure 3 is an exemplary network architecture that could be used to provide an Authentication Service. The provider of the Authentication Service supplies Authentication Servers 310a, 310b, 310c, 310d, 310e, 310f to providers of External Applications 320a, 320b, 320c, 320d, 320e, 320f, such as Internet banks, enterprises offering remote intranet/extranet access, providers of high-valued Internet content, etc. These Authentication Servers 310a-310f can preferably support both the simple, clear-text Token-based authentication mechanism, as well as the more advanced SAT mechanism. In addition, each Authentication Server 310a-310f can concurrently service more than one External Application 320a-320f. Preferably, it is the responsibility of the provider of the External Application 320a-320f to register end-users in a database, indicate which GSM Service Provider 330a, 330b, 330c, 330d each subscribes to, and which authentication mechanism each uses.
The Authentication Service also supplies Authentication Gateways 340a, 340b, 340c, 340d, 340e to GSM Service Providers 330a-330d to handle the SAT-based authentication mechanism. As can be appreciated, Authentication Gateways 340a-340e can also be made available for a network-based authentication mechanism for networks other than GSM.
In addition, the Authentication Service operates one or more central switches 350 to provide simplified connectivity between providers of External Applications 320a-320f and GSM Service Providers 330a-330d. While the system shown in Figure 3 employs only one switch, the system could be duplicated to accommodate multiple switches with appropriate inter-switch connectivity. A variety of inter-switch connection schemes are known to the art. The Authentication Service is also responsible for monitoring the overall quality and security of the service, including the connections between the Authentication Servers 310a-310f and Authentication Gateways 340a-340e.
Various embodiments of the invention have been described, and those skilled in the art will likely make additional embodiments of this invention. For example, the first and second access device and network can be the same, thereby allowing an External Application to be accessed by a mobile phone. In addition, the invention can be embodied in other network technologies. For example, mobile networks that use a subscriber module, analogous to a SIM, to identify an end-user can use Applicants' invention. In addition, additional services, such as advertising, can be provided to the GSM device during the authentication process. These and other alternate embodiments are intended to fall within the scope of the claims which follow.

Claims

WE CLAIM:
1. A system for authenticating an end-user, comprising: an external application in communication with a first communication device through a first communication network; an authentication server in communication with the external application, the authentication server being adapted to receive an authentication request from the external application in response to an access attempt by the first communication device, and the authentication server generating a token in response to the authentication request and sending the token through the external application to the first communication device; and an authentication gateway in communication with a second communication device through a second communication network, the authentication gateway being adapted to receive a token from the second communication device and to transmit the token to the authentication server, wherein the token received from the authentication gateway is compared to the token generated by the authentication server.
2. The system of claim 1, wherein the authentication server and external application are controlled by a first common entity.
3. The system of claim 1, wherein the authentication server and the external application are controlled by different entities.
4. The system of claim 1, wherein the token is encrypted throughout all communication paths.
5. The system of claim 4, wherein the authentication server can simultaneously support encrypted and unencrypted tokens.
6. The system of claim 5, wherein a secret key is stored in an authentication gateway, the secret key is used to decrypt the token transmitted from the first communication device to the authentication gateway, and the authentication gateway and the first communication network are controlled by a second common entity.
7. The system of claim 6, wherein the first common entity is distinct from the second common entity.
8. The system of claim 7, wherein advertisements related to the external application are presentable to the end-user via the second communication device.
9. The system of claim 7, wherein the second communication network is a GSM network.
10. A method for authenticating an end-user, comprising the steps of: sending an authentication request from an external application to an authentication server; generating a token in the authentication server; presenting the generated token to a first communication device via the external application; generating a cryptographic response based on at least the generated token and a secret key residing within a second communication device; transmitting the cryptographic response from the second communication device to an authentication gateway and the authentication server; decrypting the cryptographic response in the authentication gateway and the authentication server to provide a returned token; comparing the returned token with the generated token; and granting access to the external application if the returned token corresponds to the generated token.
11. The method of claim 10, wherein the returned token must be received by the authentication server within a pre-determined time period.
12. A network architecture for authenticating an end-user, comprising: at least one gateway connected to at least one communication network, wherein the at least one gateway provides authentication services to the at least one communication network; at least one server connected to at least one external application, wherein the at least one server provides authentication services to the at least one external application; and at least one switch connecting the at least one gateway to the at least one server, wherein any of the at least one gateways is accessible, through the at least one switch, by the at least one server.
13. The network architecture of claim 12, wherein each of the at least one gateways is controlled by a unique entity.
14. A system for authenticating an end-user, comprising: an external application in communication with a first communication device through a first communication network; an authentication server in communication with the external application, the authentication server receiving an authentication request from the external application in response to an access attempt by the first communication device, and the authentication server generating a token in response to the authentication request and sending the token through the external application to the first communication device; and an authentication gateway in communication with a second communication device through a second communication network, the authentication gateway receiving a first message from the second communication device and transmitting a second message to the authentication server; wherein the first message is based on the token and an end-user's PIN code, and the second message is compared to a result of a computation based on the token generated by the authentication server and a PIN code stored in the authentication server and associated with the end-user.
15. The system of claim 14, wherein the first message is based on the token, the end-user's PIN code, and a secret key.
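The two-channel flow of claims 10, 11, 14 and 15, worked through as an added Python example that is not part of the patent: the authentication server issues a short-lived token that the external application shows on the first device, the user types that token and a PIN into the second device, whose SIM key encrypts the response for the operator gateway (claim 6), the gateway recovers the returned token and forwards it, and the server compares it against the token it generated and against a PIN-based value computed with the PIN it has on file. HMAC-SHA256 for the PIN-based value, the toy keystream cipher, the 6-digit token, the 120-second window, and the subscriber number, PIN and SIM key are all assumptions of this example; the claims fix none of them.

```python
import hashlib
import hmac
import secrets

TOKEN_DIGITS = 6          # length of the code the user reads off the first device
TOKEN_TTL_SECONDS = 120   # claim 11: the returned token must arrive within this window

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (an assumption; the claims fix no cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC under the SIM secret key; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampered message)."""
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def pin_proof(token: str, pin: str) -> str:
    """Claim 14: a value computed from the token and the end-user's PIN (HMAC is an assumption)."""
    return hmac.new(pin.encode(), token.encode(), hashlib.sha256).hexdigest()

class AuthServer:
    """Issues a token at the external application's request; checks what the gateway returns."""
    def __init__(self, clock, pins: dict):
        self._clock = clock      # callable returning seconds; injectable so the window is testable
        self._pins = pins        # msisdn -> PIN registered at enrolment
        self._pending = {}       # msisdn -> (token, issue time); one outstanding token per user

    def issue_token(self, msisdn: str) -> str:
        token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
        self._pending[msisdn] = (token, self._clock())
        return token             # the external application shows this on the first device

    def verify(self, msisdn: str, returned_token: str, returned_proof: str) -> bool:
        entry = self._pending.pop(msisdn, None)   # single use: a replayed message finds nothing
        if entry is None:
            return False
        token, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return False
        expected = pin_proof(token, self._pins.get(msisdn, ""))
        return (hmac.compare_digest(token, returned_token)
                and hmac.compare_digest(expected, returned_proof))

class SecondDevice:
    """The end-user's phone; its SIM holds a secret key shared only with the gateway."""
    def __init__(self, msisdn: str, sim_key: bytes):
        self.msisdn, self._sim_key = msisdn, sim_key

    def respond(self, token_typed: str, pin_typed: str) -> dict:
        # Claim 15: the first message depends on the token, the PIN and the SIM secret key.
        plaintext = f"{token_typed}:{pin_proof(token_typed, pin_typed)}".encode()
        nonce, ct, tag = encrypt(self._sim_key, plaintext)
        return {"msisdn": self.msisdn, "nonce": nonce, "ct": ct, "tag": tag}

class AuthGateway:
    """Operator-side gateway (claim 6): holds the SIM keys and recovers the returned token."""
    def __init__(self, server: AuthServer, sim_keys: dict):
        self._server, self._keys = server, sim_keys

    def handle(self, msg: dict) -> bool:
        key = self._keys.get(msg["msisdn"])
        plaintext = decrypt(key, msg["nonce"], msg["ct"], msg["tag"]) if key else None
        if plaintext is None:
            return False                          # unknown subscriber, wrong key or tampering
        token, proof = plaintext.decode().split(":", 1)
        return self._server.verify(msg["msisdn"], token, proof)

def build_parties(sim_key: bytes, clock):
    """Constructed enrolment for one subscriber (+46700000001 and PIN 4711 are sample values)."""
    server = AuthServer(clock, {"+46700000001": "4711"})
    gateway = AuthGateway(server, {"+46700000001": sim_key})
    return server, gateway, SecondDevice("+46700000001", sim_key)

def run_flow(pin_typed: str = "4711", tamper_token: bool = False, delay: float = 0.0) -> bool:
    """One complete exchange on constructed sample data; returns the access decision."""
    clock = {"now": 1_000_000.0}                  # fake clock so the time window can be tested
    server, gateway, phone = build_parties(secrets.token_bytes(32), lambda: clock["now"])
    token = server.issue_token("+46700000001")    # relayed by the external application
    if tamper_token:
        token = "000000" if token != "000000" else "111111"
    clock["now"] += delay
    return gateway.handle(phone.respond(token, pin_typed))
```

Because the token is popped on first use, a captured second-channel message cannot be replayed, and a wrong PIN, a wrong SIM key, a tampered token and a late response each fail at the party that is in a position to detect them.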
PCT/SE2001/001814 2000-08-30 2001-08-24 End-user authentication independent of network service provider WO2002019593A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP01961535A EP1314278A2 (en) 2000-08-30 2001-08-24 End-user authentication independent of network service provider
AU2001282795A AU2001282795A1 (en) 2000-08-30 2001-08-24 End-user authentication independent of network service provider

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US65136400A 2000-08-30 2000-08-30
US09/651,364 2000-08-30

Publications (2)

Publication Number Publication Date
WO2002019593A2 true WO2002019593A2 (en) 2002-03-07
WO2002019593A3 WO2002019593A3 (en) 2002-09-06

Family

ID=24612590

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2001/001814 WO2002019593A2 (en) 2000-08-30 2001-08-24 End-user authentication independent of network service provider

Country Status (3)

Country Link
EP (1) EP1314278A2 (en)
AU (1) AU2001282795A1 (en)
WO (1) WO2002019593A2 (en)


Also Published As

Publication number Publication date
WO2002019593A3 (en) 2002-09-06
AU2001282795A1 (en) 2002-03-13
EP1314278A2 (en) 2003-05-28

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2001961535

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2001961535

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 2001961535

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP