CA2221665C - Method of mutual authentication for secure wireless service provision - Google Patents
Method of mutual authentication for secure wireless service provision Download PDFInfo
- Publication number
- CA2221665C CA2221665C CA002221665A CA2221665A CA2221665C CA 2221665 C CA2221665 C CA 2221665C CA 002221665 A CA002221665 A CA 002221665A CA 2221665 A CA2221665 A CA 2221665A CA 2221665 C CA2221665 C CA 2221665C
- Authority
- CA
- Canada
- Prior art keywords
- subscriber
- password
- network
- mobile station
- activation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/26—Network addressing or numbering for mobility support
- H04W8/265—Network addressing or numbering for mobility support for initial activation of new user
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/38—Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections
- H04M3/382—Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections using authorisation codes or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Abstract
A mutual authentication process assures that a subscriber does not provide sensitive activation information to an imposter network and a network does not provide sensitive activation information to an imposter subscriber. The mutual authentication is facilitated by a pair of passwords that are communicated between the activation center of the network and the subscriber via a secure channel.
Description
METHOD OF MUTUAL AUTHENTICATION FOR SECURE
WIRELESS SERVICE PROVISTON
The present invention is directed to a method of mutual authentication before providing services. More particularly, the present invention is directed to a method in which a subscriber is provided with password information via a secure channel prior to a service provisioning operation.
It is known in the wireless communications area to provide over-the-air activation capabilities for a mobile station. In particular, it is known for a subscriber who has obtained possession of a mobile station, either by purchase or lease, to initiate an activation process via wireless communication to an activation center. An example of a system in which over-the-air activation is performed is illustrated in FIG. 1. Mobile station 120 can communicate via wireless communications with base station 130 in the wireless network. The base station is coupled to a mobile switching center 140. The switching center controls the flow of communications to and from the base station 130.
A message center 150 is coupled to the mobile switching center 140 and incorporates an over-the-air processor module 155. A Home Location Register (HLR) 160 is coupled to both the MSC 140 and the message center 150.
An activation center 170 is coupled to the over-the-air processor module 155. Over-the-air programming of a mobile station is generally described in United States Patent No. 6,122,503 entitled A Method and Apparatus for Over-the-Air Programming of Telecommunication Services issued September 19, 2000.
The mobile stations typically have two identification numbers associated therewith. First, a Mobile Identification Number (MIN) which corresponds to the telephone number to be encoded into the station in the Activation Process. In addition, an Electronic Serial Number (ESN) is encoded into the station. The ESN
is assigned by the manufacturer of the station. Thus, when programmed the ESN and MIN operate to specifically identify a mobile station.
In its known configuration, over-the-air activation may be prone to instances of fraud. For instance, the subscriber can be defrauded by believing he is communicating via the mobile station to a legitimate network provider and as a result, might provide critical personal information such as a social security number or credit card information to a pirating party.
Alternatively, the network provider can be defrauded by a mobile station which has cloned the ESN information from an actual subscriber so that the provider gives service to the fraudulent party.
FIG. 1 illustrates that the mobile station may communicate not only with a legitimate base station 130, but its communications may be intercepted by a pirate base station 110. In such circumstances, the pirate base station may seek to emulate the network with which the subscriber wishes to communicate. By pirating the communication originating from mobile station 120, the pirate base station obtains identification information with regard to the mobile station, namely the ESN and a cryptographic authentication key. Also, to the extent that the pirate emulates an activation center, the subscriber of the mobile station 120 may be coaxed to provide personal data, such as credit card data, which the pirate can then subsequently use to their own advantage. The pirate can alternatively use the ESN, to replicate an actual subscriber station and defraud the service provider.
Thus, there is a need for providing mutual authentication between a subscriber and the activation center, namely the subscriber must be able to confirm that it is communicating with the actual activation center and the activation center must be able to confirm that it is communicating with a legitimate subscriber.
SUMMARY OF THE INVENTION
The present invention provides a method for mutually authenticating the subscriber and activation center so as to avoid pirating of critical information during an over-the-air activation process and to avoid the theft of service. In accordance with the method of the present invention, the subscriber and the activation center communicate via a secure channel so as to determine a network password and a subscriber password which are to be used during an activation process.
Subsequently, when the subscriber initiates the over-the-air activation process the activation center is to forward the network password. If the subscriber does not receive a network password or the network password received does not match that previously agreed to with the activation center, then the activation process is terminated. Subsequently, the activation center requests transmission of the subscriber password. The activation center then verifies that the appropriate subscriber password has been received for the ESN
associated with the contacting mobile station. If the received subscriber password does not match the password previously assigned, then the activation process is terminated.
The order of the exchange of passwords could be reversed, namely the subscriber could send the subscriber password first. However, this would means that the subscriber might still be vulernable to a pirating party.
In one embodiment of the present invention, the subscriber and activation center communicate via the Public Switch Telephone Network (PSTN) which is generally secure from pirates. The over-the-air activation center can either assign a subscriber password/network password pair or, alternatively the activation center may allow the subscriber to select a network or subscriber password so as to enhance the subscriber's ability to recall the activation passwords.
In another embodiment, the network password and subscriber password are assigned to the mobile station prior to transferring possession of the mobile station to the subscriber. In one advantageous embodiment the packaging for the mobile station includes information setting forth the network password and the subscriber password. The subscriber will then use this information which has been securely provided to the user, to access the full activation process for the mobile station.
Since the subscriber password and network password need only be used during the activation process, once the mobile station has been activated, then the subscriber password and network password pair become superfluous. Thus, the activation center can assign either the same network password or the same subscriber password to another subscriber.
By providing this secure communication of a network password/subscriber password pair, the present invention provides the ability to mutually authenticate the mobile station and the network at the beginning of an activation process.
SUl~iARY OF THE DRAWINGS
FIG. 1 illustrates a wireless system in block diagram form in which over-the-air activation is performed.
FIG. 2 illustrates an embodiment of the present invention in which mutual authentication information is passed between a subscriber and an activation center.
FIG. 3 describes the flow of a process for providing mutual authentication information to a subscriber.
FIG. 4 illustrates a flow of a process for mutually authenticating subscriber network in accordance wit~ the present invention.
DETAILED DESCRIPTION
So as to reduce the risk of piracy in an over-the-air activation process, the present invention provides that the subscriber must authenticate itself to the activation center, and the activation center must authenticate itself to the subscriber before proceeding with the activation process where sensitive information may be exchanged.
In accordance with one embodiment of the present invention, the subscriber, prior to the activation process, obtains information regarding a network password and a subscriber password. This authentication information is shared between the activation center and the subscriber prior to the activation process. In particular, in one embodiment illustrated in FIG. 2, where all of the elements which are the same as those in FIG. 1 bear the same reference numerals, the mobile station subscriber establishes a secure channel of communication to activation center 170 via, for example, a telephone 125 and the Public Switched Telephone Network (PSTN) 180.
As illustrated in FIG. 3, the subscriber and the activation center coordinate on the passwords to be used for mutual authentication. In accordance with step 310, a subscriber can call an activation center via the PSTN.
For instance, the subscriber may place a call to a land-line 1-800 number established by the carrier associated with the activation center. Such a land-line number could be provided to the subscriber via advertisements or in the materials or packaging provided with the mobile station. In step 320, the activation center verifies the subscriber. This can be done in a number of different ways. In one embodiment, the network or activation center first requests the name of the subscriber. This request can be provided by live operator or may be done using an IVR (Interactive Voice Response) unit. In fact, this entire procedure may be automated to reduce costs. The activation center can then use the name provided and ANI (Automatic Number Information) provided by the land-line connection to verify that the subscriber is legitimate. The network assures that the person is calling from a telephone number associated with a legitimate address that belongs to or is inhabited by the user. This may require a communication to a " white-pages directory " database service. However, the present invention is not limited to verification utilizing ANI processes. After the subscriber has been verified, then the activation center associates a network password and a subscriber password with the subscriber information in the Home Location Register (HLR) as in step 330. In one variation, the network generates two random, one-time passwords or pass phrases. The passwords are not repeated and are non-deterministic so that third parties cannot replay the information. However, they should not be too complex.
Since they are used only once, they have no value to a third party following activation of the legitimate subscriber. However, if a subscriber obtains passwords it would be advantageous to circumscribe the amount of time during which they can be used. For example, the subscriber could be given 48 hours to activate the phone from the time that the passwords are assigned. If the mobile station is not activated in that time then the passwords would expire and the subscriber would not be able to complete an activation process using those passwords. Alternatively, once the subscriber has been verified it would be possible for the subscriber to select the two passwords or there could be some combination of selection of the passwords via interaction of the activation center and the subscriber so as to enhance the subscriber's ability to remember and utilize the passwords. The subscriber would then be instructed to use these passwords in the activation process.
FIG. 4 illustrates one embodiment for a process flow for the activation process subsequent to the assignment of the passwords. In step 410, the subscriber contacts the activation center via the mobile station to begin the activation process. During the activation process the activation center sends a network password to the subscriber, step 420. To do so, the network looks up the pre-stored password for the subscriber after the subscriber has been identified by the activation center either by the mobile station ESN, or by the subscriber's name for example. The network then provides the pre-stored network password to the subscriber. The subscriber then verifies the network password, step 430. The subscriber specifically checks to see if the network password provided is in fact, the one provided via the secure channel pre-activation process described with relationship to FIG. 3. above.
If the network password does not match, then the subscriber terminates the call, step 435. Under those circumstances it is presumed that the subscriber has encountered a fraudulent network. The subscriber could then contact the carrier's customer service center to report this event. If, however, the network password is verified and the mobile station provides notice of that fact to the activation center, then the activation center can ultimately receive the subscriber password.
This could be provided by the subscriber in response to a prompt from the network. It could take the form of a voice prompt and the subscriber could enter the password via the keypad or could speak it. The activation center then verifies the subscriber password against the password previously stored in the database. If the received subscriber password does not match that stored then the network can terminate the process. If the subscriber password matches then the activation. process proceeds whereby the service provisioning process continues with the assignment of the MIN, the receipt of credit information, etc.
By employing this password pair in a secure communication between the activation center and the subscriber, it is possible to provide the mutual authentication of the subscriber in the network which is desirable to defeat piracy in the wireless context. The subscriber does not divulge sensitive information to a network imposter. The network does not activate an imposter.
In the embodiment described above, the password information, that is mutual authentication information, is provided to the subscriber via a land-line communication. However, alternative methods for providing this password pair to the subscriber are possible. For instance, it would be possible to provide the password pair to the subscriber via the packaging associated with the mobile station. Presumably, potential imposters would not have access to the packaging materials for the mobile station prior to the activation of the station. In another embodiment, this could be done via alternative data communication paths between the subscriber and the activation center, e.g., facsimile transmissions, on-line data transmissions, etc. These will provide the subscriber and the activation center with a secure channel for transmitting the mutual authentication information. Once the mutual authentication information is agreed upon and that information is properly stored at the activation center, then the mobile station and the activation center can proceed with an activation process with the assurance that the subscriber will not mistakenly provide sensitive activation information to an imposter network and the network will not provide sensitive information, e.g., MIN information (to an imposter subscriber).
WIRELESS SERVICE PROVISTON
The present invention is directed to a method of mutual authentication before providing services. More particularly, the present invention is directed to a method in which a subscriber is provided with password information via a secure channel prior to a service provisioning operation.
It is known in the wireless communications area to provide over-the-air activation capabilities for a mobile station. In particular, it is known for a subscriber who has obtained possession of a mobile station, either by purchase or lease, to initiate an activation process via wireless communication to an activation center. An example of a system in which over-the-air activation is performed is illustrated in FIG. 1. Mobile station 120 can communicate via wireless communications with base station 130 in the wireless network. The base station is coupled to a mobile switching center 140. The switching center controls the flow of communications to and from the base station 130.
A message center 150 is coupled to the mobile switching center 140 and incorporates an over-the-air processor module 155. A Home Location Register (HLR) 160 is coupled to both the MSC 140 and the message center 150.
An activation center 170 is coupled to the over-the-air processor module 155. Over-the-air programming of a mobile station is generally described in United States Patent No. 6,122,503 entitled A Method and Apparatus for Over-the-Air Programming of Telecommunication Services issued September 19, 2000.
The mobile stations typically have two identification numbers associated therewith. First, a Mobile Identification Number (MIN) which corresponds to the telephone number to be encoded into the station in the Activation Process. In addition, an Electronic Serial Number (ESN) is encoded into the station. The ESN
is assigned by the manufacturer of the station. Thus, when programmed the ESN and MIN operate to specifically identify a mobile station.
In its known configuration, over-the-air activation may be prone to instances of fraud. For instance, the subscriber can be defrauded by believing he is communicating via the mobile station to a legitimate network provider and as a result, might provide critical personal information such as a social security number or credit card information to a pirating party.
Alternatively, the network provider can be defrauded by a mobile station which has cloned the ESN information from an actual subscriber so that the provider gives service to the fraudulent party.
FIG. 1 illustrates that the mobile station may communicate not only with a legitimate base station 130, but its communications may be intercepted by a pirate base station 110. In such circumstances, the pirate base station may seek to emulate the network with which the subscriber wishes to communicate. By pirating the communication originating from mobile station 120, the pirate base station obtains identification information with regard to the mobile station, namely the ESN and a cryptographic authentication key. Also, to the extent that the pirate emulates an activation center, the subscriber of the mobile station 120 may be coaxed to provide personal data, such as credit card data, which the pirate can then subsequently use to their own advantage. The pirate can alternatively use the ESN, to replicate an actual subscriber station and defraud the service provider.
Thus, there is a need for providing mutual authentication between a subscriber and the activation center, namely the subscriber must be able to confirm that it is communicating with the actual activation center and the activation center must be able to confirm that it is communicating with a legitimate subscriber.
SUMMARY OF THE INVENTION
The present invention provides a method for mutually authenticating the subscriber and activation center so as to avoid pirating of critical information during an over-the-air activation process and to avoid the theft of service. In accordance with the method of the present invention, the subscriber and the activation center communicate via a secure channel so as to determine a network password and a subscriber password which are to be used during an activation process.
Subsequently, when the subscriber initiates the over-the-air activation process the activation center is to forward the network password. If the subscriber does not receive a network password or the network password received does not match that previously agreed to with the activation center, then the activation process is terminated. Subsequently, the activation center requests transmission of the subscriber password. The activation center then verifies that the appropriate subscriber password has been received for the ESN
associated with the contacting mobile station. If the received subscriber password does not match the password previously assigned, then the activation process is terminated.
The order of the exchange of passwords could be reversed, namely the subscriber could send the subscriber password first. However, this would means that the subscriber might still be vulernable to a pirating party.
In one embodiment of the present invention, the subscriber and activation center communicate via the Public Switch Telephone Network (PSTN) which is generally secure from pirates. The over-the-air activation center can either assign a subscriber password/network password pair or, alternatively the activation center may allow the subscriber to select a network or subscriber password so as to enhance the subscriber's ability to recall the activation passwords.
In another embodiment, the network password and subscriber password are assigned to the mobile station prior to transferring possession of the mobile station to the subscriber. In one advantageous embodiment the packaging for the mobile station includes information setting forth the network password and the subscriber password. The subscriber will then use this information which has been securely provided to the user, to access the full activation process for the mobile station.
Since the subscriber password and network password need only be used during the activation process, once the mobile station has been activated, then the subscriber password and network password pair become superfluous. Thus, the activation center can assign either the same network password or the same subscriber password to another subscriber.
By providing this secure communication of a network password/subscriber password pair, the present invention provides the ability to mutually authenticate the mobile station and the network at the beginning of an activation process.
SUl~iARY OF THE DRAWINGS
FIG. 1 illustrates a wireless system in block diagram form in which over-the-air activation is performed.
FIG. 2 illustrates an embodiment of the present invention in which mutual authentication information is passed between a subscriber and an activation center.
FIG. 3 describes the flow of a process for providing mutual authentication information to a subscriber.
FIG. 4 illustrates a flow of a process for mutually authenticating subscriber network in accordance wit~ the present invention.
DETAILED DESCRIPTION
So as to reduce the risk of piracy in an over-the-air activation process, the present invention provides that the subscriber must authenticate itself to the activation center, and the activation center must authenticate itself to the subscriber before proceeding with the activation process where sensitive information may be exchanged.
In accordance with one embodiment of the present invention, the subscriber, prior to the activation process, obtains information regarding a network password and a subscriber password. This authentication information is shared between the activation center and the subscriber prior to the activation process. In particular, in one embodiment illustrated in FIG. 2, where all of the elements which are the same as those in FIG. 1 bear the same reference numerals, the mobile station subscriber establishes a secure channel of communication to activation center 170 via, for example, a telephone 125 and the Public Switched Telephone Network (PSTN) 180.
As illustrated in FIG. 3, the subscriber and the activation center coordinate on the passwords to be used for mutual authentication. In accordance with step 310, a subscriber can call an activation center via the PSTN.
For instance, the subscriber may place a call to a land-line 1-800 number established by the carrier associated with the activation center. Such a land-line number could be provided to the subscriber via advertisements or in the materials or packaging provided with the mobile station. In step 320, the activation center verifies the subscriber. This can be done in a number of different ways. In one embodiment, the network or activation center first requests the name of the subscriber. This request can be provided by live operator or may be done using an IVR (Interactive Voice Response) unit. In fact, this entire procedure may be automated to reduce costs. The activation center can then use the name provided and ANI (Automatic Number Information) provided by the land-line connection to verify that the subscriber is legitimate. The network assures that the person is calling from a telephone number associated with a legitimate address that belongs to or is inhabited by the user. This may require a communication to a " white-pages directory " database service. However, the present invention is not limited to verification utilizing ANI processes. After the subscriber has been verified, then the activation center associates a network password and a subscriber password with the subscriber information in the Home Location Register (HLR) as in step 330. In one variation, the network generates two random, one-time passwords or pass phrases. The passwords are not repeated and are non-deterministic so that third parties cannot replay the information. However, they should not be too complex.
Since they are used only once, they have no value to a third party following activation of the legitimate subscriber. However, if a subscriber obtains passwords it would be advantageous to circumscribe the amount of time during which they can be used. For example, the subscriber could be given 48 hours to activate the phone from the time that the passwords are assigned. If the mobile station is not activated in that time then the passwords would expire and the subscriber would not be able to complete an activation process using those passwords. Alternatively, once the subscriber has been verified it would be possible for the subscriber to select the two passwords or there could be some combination of selection of the passwords via interaction of the activation center and the subscriber so as to enhance the subscriber's ability to remember and utilize the passwords. The subscriber would then be instructed to use these passwords in the activation process.
FIG. 4 illustrates one embodiment for a process flow for the activation process subsequent to the assignment of the passwords. In step 410, the subscriber contacts the activation center via the mobile station to begin the activation process. During the activation process the activation center sends a network password to the subscriber, step 420. To do so, the network looks up the pre-stored password for the subscriber after the subscriber has been identified by the activation center either by the mobile station ESN, or by the subscriber's name for example. The network then provides the pre-stored network password to the subscriber. The subscriber then verifies the network password, step 430. The subscriber specifically checks to see if the network password provided is in fact, the one provided via the secure channel pre-activation process described with relationship to FIG. 3. above.
If the network password does not match, then the subscriber terminates the call, step 435. Under those circumstances it is presumed that the subscriber has encountered a fraudulent network. The subscriber could then contact the carrier's customer service center to report this event. If, however, the network password is verified and the mobile station provides notice of that fact to the activation center, then the activation center can ultimately receive the subscriber password.
This could be provided by the subscriber in response to a prompt from the network. It could take the form of a voice prompt and the subscriber could enter the password via the keypad or could speak it. The activation center then verifies the subscriber password against the password previously stored in the database. If the received subscriber password does not match that stored then the network can terminate the process. If the subscriber password matches then the activation. process proceeds whereby the service provisioning process continues with the assignment of the MIN, the receipt of credit information, etc.
By employing this password pair in a secure communication between the activation center and the subscriber, it is possible to provide the mutual authentication of the subscriber in the network which is desirable to defeat piracy in the wireless context. The subscriber does not divulge sensitive information to a network imposter. The network does not activate an imposter.
In the embodiment described above, the password information, that is mutual authentication information, is provided to the subscriber via a land-line communication. However, alternative methods for providing this password pair to the subscriber are possible. For instance, it would be possible to provide the password pair to the subscriber via the packaging associated with the mobile station. Presumably, potential imposters would not have access to the packaging materials for the mobile station prior to the activation of the station. In another embodiment, this could be done via alternative data communication paths between the subscriber and the activation center, e.g., facsimile transmissions, on-line data transmissions, etc. These will provide the subscriber and the activation center with a secure channel for transmitting the mutual authentication information. Once the mutual authentication information is agreed upon and that information is properly stored at the activation center, then the mobile station and the activation center can proceed with an activation process with the assurance that the subscriber will not mistakenly provide sensitive activation information to an imposter network and the network will not provide sensitive information, e.g., MIN information (to an imposter subscriber).
Claims (16)
1. A method for securing mobile station provisioning comprising the steps of:
prior to a mobile station activation operation, providing to a subscriber of said mobile station a subscriber password and a network password;
subsequent to the providing of the subscriber password and the network password, receiving a request for mobile station provisioning;
upon receipt of said request requesting transmission of a subscriber password and verifying a received subscriber password;
and wherein mobile station provisioning proceeds if the subscriber password is verified.
prior to a mobile station activation operation, providing to a subscriber of said mobile station a subscriber password and a network password;
subsequent to the providing of the subscriber password and the network password, receiving a request for mobile station provisioning;
upon receipt of said request requesting transmission of a subscriber password and verifying a received subscriber password;
and wherein mobile station provisioning proceeds if the subscriber password is verified.
2. The method of claim 1 comprising the further steps of:
transmitting a network password to a subscriber; and receiving notice of verification of said network password, wherein mobile station provisioning proceeds only if notice of verification of the network password is received.
transmitting a network password to a subscriber; and receiving notice of verification of said network password, wherein mobile station provisioning proceeds only if notice of verification of the network password is received.
3. The method of claim 1 wherein said step of providing a subscriber password and network password comprises the steps of:
generating a subscriber password and a network password;
correlating the generated subscriber password and network password with a mobile station identifier;
securely transmitting the subscriber password and network password to the subscriber associated with said mobile station.
generating a subscriber password and a network password;
correlating the generated subscriber password and network password with a mobile station identifier;
securely transmitting the subscriber password and network password to the subscriber associated with said mobile station.
4. The method of claim 3 wherein said step of transmitting comprises communicating the subscriber password and network password to the subscriber via a land-line telephone.
5. The method of claim 3 wherein said step of transmitting comprises the steps of:
receiving a call via a land-line telephone from the subscriber;
verifying the subscriber; and communicating said subscriber password and said network password to said subscriber during said call after verifying the subscriber.
receiving a call via a land-line telephone from the subscriber;
verifying the subscriber; and communicating said subscriber password and said network password to said subscriber during said call after verifying the subscriber.
6. In a system for over-the-air activation of a mobile station, a method for mutual authentication of a subscriber and a network comprising the steps of:
provisioning a network password and a subscriber password to a subscriber associated with the mobile station;
at the time of activation sending said network password to the mobile station;
receiving a subscriber password from the mobile station;
verifying the received subscriber password by comparing the received subscriber password to the subscriber password provisioned to the mobile station's subscriber; and authorizing activation if said received subscriber password matches the provisioned subscriber password.
provisioning a network password and a subscriber password to a subscriber associated with the mobile station;
at the time of activation sending said network password to the mobile station;
receiving a subscriber password from the mobile station;
verifying the received subscriber password by comparing the received subscriber password to the subscriber password provisioned to the mobile station's subscriber; and authorizing activation if said received subscriber password matches the provisioned subscriber password.
7. The method of claim 6 comprising the further steps of receiving notification of verification of said network password.
8. The method of claim 6 wherein said step of provisioning includes the steps of:
receiving a secure call from the subscriber; and correlating in a database subscriber information, mobile station information, the network password and the subscriber password.
receiving a secure call from the subscriber; and correlating in a database subscriber information, mobile station information, the network password and the subscriber password.
9. The method of claim 8 wherein said secure call is via a land-line.
10. The method of claim 8 wherein one of said network password and said subscriber password is selected by the subscriber.
11. The method of claim 8 wherein the network selects said network password and said subscriber password and communicates said passwords to the subscriber during said secure call.
12. The method of claim 11 wherein said secure call is via a land-line.
13. The method of claim 6 wherein said step of provisioning comprises:
providing to said subscriber with the mobile station the network password and subscriber password;
and correlating in a database subscriber information, mobile station information, the subscriber password and the network password.
providing to said subscriber with the mobile station the network password and subscriber password;
and correlating in a database subscriber information, mobile station information, the subscriber password and the network password.
14. The method of claim 13 wherein said mobile station information includes an ESN associated with said mobile station.
15. A method for mutual authentication for mobile station provisioning comprising the steps of:
during a password generation session at a network node, establishing a secure communication with a subscriber;
generating a subscriber password and a network password; and transmitting said subscriber password and said network password to said subscriber; and during a provisioning session at a network node, receiving a first password from the mobile station;
transmitting a second password to said mobile station; and provisioning said mobile station with activation data if said first password matches said subscriber password and said second password matches said network password.
during a password generation session at a network node, establishing a secure communication with a subscriber;
generating a subscriber password and a network password; and transmitting said subscriber password and said network password to said subscriber; and during a provisioning session at a network node, receiving a first password from the mobile station;
transmitting a second password to said mobile station; and provisioning said mobile station with activation data if said first password matches said subscriber password and said second password matches said network password.
16. The method of claim 15 wherein said step of establishing a secure communication comprises receiving a call via a land-line telephone; and verifying said subscriber.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US08/777,341 US5875394A (en) | 1996-12-27 | 1996-12-27 | Method of mutual authentication for secure wireless service provision |
| US777,341 | 1996-12-27 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2221665A1 CA2221665A1 (en) | 1998-06-27 |
| CA2221665C true CA2221665C (en) | 2003-01-07 |
Family
ID=25109980
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002221665A Expired - Lifetime CA2221665C (en) | 1996-12-27 | 1997-11-20 | Method of mutual authentication for secure wireless service provision |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US5875394A (en) |
| BR (1) | BR9706409A (en) |
| CA (1) | CA2221665C (en) |
| TW (1) | TW376615B (en) |
Families Citing this family (89)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6249252B1 (en) | 1996-09-09 | 2001-06-19 | Tracbeam Llc | Wireless location using multiple location estimators |
| US7903029B2 (en) | 1996-09-09 | 2011-03-08 | Tracbeam Llc | Wireless location routing applications and architecture therefor |
| US7714778B2 (en) * | 1997-08-20 | 2010-05-11 | Tracbeam Llc | Wireless location gateway and applications therefor |
| US6236365B1 (en) * | 1996-09-09 | 2001-05-22 | Tracbeam, Llc | Location of a mobile station using a plurality of commercial wireless infrastructures |
| WO1998010307A1 (en) * | 1996-09-09 | 1998-03-12 | Dennis Jay Dupray | Location of a mobile station |
| US9134398B2 (en) | 1996-09-09 | 2015-09-15 | Tracbeam Llc | Wireless location using network centric location estimators |
| US6393270B1 (en) * | 1996-10-11 | 2002-05-21 | Bellsouth Intellectual Property Corp. | Network authentication method for over the air activation |
| US8225089B2 (en) * | 1996-12-04 | 2012-07-17 | Otomaku Properties Ltd., L.L.C. | Electronic transaction systems utilizing a PEAD and a private key |
| WO1998031164A2 (en) | 1997-01-11 | 1998-07-16 | Tandem Computers, Incorporated | Method and apparatus for configuration of authentication center operations allowed by system access type in a mobile telephone system |
| US6085083A (en) * | 1997-01-11 | 2000-07-04 | Tandem Computers, Inc. | Method and apparatus for providing fraud protection mediation in a mobile telephone system |
| US6157831A (en) * | 1997-01-11 | 2000-12-05 | Compaq Computer Corp. | Method and apparatus for implementing configurable call forwarding bins in a mobile telephone system |
| US6047071A (en) * | 1997-04-15 | 2000-04-04 | Nokia Mobile Phones | Network-initiated change of mobile phone parameters |
| EP1000481A1 (en) * | 1997-05-09 | 2000-05-17 | Connotech Experts-Conseils Inc. | Initial secret key establishment including facilities for verification of identity |
| US6097939A (en) * | 1997-07-11 | 2000-08-01 | Compaq Computer Corporation | Method and apparatus for event data maintenance per MIN/ESN pair in a mobile telephone system |
| US6636489B1 (en) | 1997-11-03 | 2003-10-21 | Bell South Wireless Data. L.P. | Wireless management system and a method for an automated over-the-air managing process for wireless communication device |
| CA2228331C (en) * | 1998-01-30 | 2002-01-15 | Ibm Canada Limited-Ibm Canada Limitee | A token-based deadline enforcement system for electronic document submission |
| US6850916B1 (en) | 1998-04-27 | 2005-02-01 | Esignx Corporation | Portable electronic charge and authorization devices and methods therefor |
| US6665530B1 (en) * | 1998-07-31 | 2003-12-16 | Qualcomm Incorporated | System and method for preventing replay attacks in wireless communication |
| US6195547B1 (en) * | 1998-09-24 | 2001-02-27 | Telefonaktiebolaget Lm Ericsson (Publ) | System and method for a previously activated mobile station to challenge network mobile station knowledge during over the air activation |
| US7599681B2 (en) * | 1998-09-30 | 2009-10-06 | At&T Intellectual Property I, L.P. | Methods and apparatus of over-the-air programming of a wireless unit |
| US6550010B1 (en) | 1998-09-30 | 2003-04-15 | Bellsouth Intellectual Property Corp. | Method and apparatus for a unit locked against use until unlocked and/or activated on a selected network |
| AU767086B2 (en) * | 1998-09-30 | 2003-10-30 | Bellsouth Intellectual Property Corporation | Method and apparatus for a unit locked against use until unlocked and/or activated on a selected network |
| US7274928B2 (en) * | 1998-10-02 | 2007-09-25 | Telespree Communications | Portable cellular phone system having automatic initialization |
| US8135413B2 (en) | 1998-11-24 | 2012-03-13 | Tracbeam Llc | Platform and applications for wireless location and other complex services |
| US20030146871A1 (en) * | 1998-11-24 | 2003-08-07 | Tracbeam Llc | Wireless location using signal direction and time difference of arrival |
| US6141544A (en) * | 1998-11-30 | 2000-10-31 | Telefonaktiebolaget Lm Ericsson | System and method for over the air activation in a wireless telecommunications network |
| US7340057B2 (en) * | 2001-07-11 | 2008-03-04 | Openwave Systems Inc. | Method and apparatus for distributing authorization to provision mobile devices on a wireless network |
| US6647260B2 (en) * | 1999-04-09 | 2003-11-11 | Openwave Systems Inc. | Method and system facilitating web based provisioning of two-way mobile communications devices |
| ES2211234T3 (en) | 1999-06-04 | 2004-07-01 | Open Tv, Inc. | FLEXIBLE INTERFACE FOR THE SECURE ENTRY OF A PERSONALIZED IDENTIFICATION CODE. |
| CA2374829A1 (en) * | 1999-06-15 | 2000-12-21 | Bellsouth Intellectual Property Corporation | Methods and apparatus for over-the-air programming of a wireless unit |
| US6529727B1 (en) * | 1999-09-07 | 2003-03-04 | Ericsson Inc. | Automatic expiration of wireless communication service subscriptions |
| WO2002000316A1 (en) | 1999-09-24 | 2002-01-03 | Goldberg Sheldon F | Geographically constrained network services |
| AU3793501A (en) * | 1999-11-22 | 2001-06-04 | Ascom Hasler Mailing Systems, Inc. | Generation and management of customer pin's |
| US7024557B1 (en) * | 1999-12-30 | 2006-04-04 | Samsung Electronics Co., Ltd. | System and method for secure provisioning of a mobile station from a provisioning server using encryption |
| JP2001223691A (en) * | 2000-02-04 | 2001-08-17 | Sony Corp | Information processing system, information processing unit and its method, program storage medium and transmitter |
| PT1264490E (en) * | 2000-02-21 | 2007-10-02 | E Plus Mobilfunk Gmbh & Co Kg | Method for establishing the authenticity of the identity of a service user and device for carrying out the method |
| US6993658B1 (en) * | 2000-03-06 | 2006-01-31 | April System Design Ab | Use of personal communication devices for user authentication |
| US7024690B1 (en) * | 2000-04-28 | 2006-04-04 | 3Com Corporation | Protected mutual authentication over an unsecured wireless communication channel |
| WO2001084768A1 (en) * | 2000-05-01 | 2001-11-08 | Authenex, Inc. | Method of authenticating user |
| US10684350B2 (en) | 2000-06-02 | 2020-06-16 | Tracbeam Llc | Services and applications for a communications network |
| US9875492B2 (en) | 2001-05-22 | 2018-01-23 | Dennis J. Dupray | Real estate transaction system |
| US10641861B2 (en) | 2000-06-02 | 2020-05-05 | Dennis J. Dupray | Services and applications for a communications network |
| GB2366938B (en) * | 2000-08-03 | 2004-09-01 | Orange Personal Comm Serv Ltd | Authentication in a mobile communications network |
| JP3669293B2 (en) * | 2000-08-04 | 2005-07-06 | ソニー株式会社 | Wireless device mutual authentication system, wireless device mutual authentication method, and wireless device |
| US7739503B2 (en) | 2000-08-04 | 2010-06-15 | Sony Corporation | Authenticating method for short-distance radio devices and a short-distance radio device |
| DE10038836A1 (en) * | 2000-08-04 | 2002-02-21 | Deutsches Krebsforsch | Method and measuring arrangement for determining the position of an axis of rotation of a body and method for aligning a patient table |
| JP2002198956A (en) * | 2000-12-27 | 2002-07-12 | Toshiba Corp | Communication equipment and its authentication method |
| US6934529B2 (en) * | 2001-02-20 | 2005-08-23 | Sevket Ilhan Bagoren | Replenishment of pre-paid wireless telephone accounts using short message service (SMS) |
| US20020116329A1 (en) * | 2001-02-20 | 2002-08-22 | Serbetcioglu Bekir Sami | Systems and methods for approval of credit/debit account transactions using a wireless device |
| US20020141586A1 (en) * | 2001-03-29 | 2002-10-03 | Aladdin Knowledge Systems Ltd. | Authentication employing the bluetooth communication protocol |
| US8082096B2 (en) | 2001-05-22 | 2011-12-20 | Tracbeam Llc | Wireless location routing applications and architecture therefor |
| JP4223698B2 (en) * | 2001-06-18 | 2009-02-12 | ソニー株式会社 | Information processing apparatus and method, information processing system, recording medium, and program |
| US7389412B2 (en) * | 2001-08-10 | 2008-06-17 | Interactive Technology Limited Of Hk | System and method for secure network roaming |
| US7127238B2 (en) * | 2001-08-31 | 2006-10-24 | Openwave Systems Inc. | Method and apparatus for using Caller ID information in a browser of a mobile communication device |
| US20040066920A1 (en) * | 2001-08-31 | 2004-04-08 | Vandermeijden Tom R. | Method and apparatus for automatically populating a contact database in a mobile communication device |
| US20040019786A1 (en) * | 2001-12-14 | 2004-01-29 | Zorn Glen W. | Lightweight extensible authentication protocol password preprocessing |
| US7197301B2 (en) * | 2002-03-04 | 2007-03-27 | Telespree Communications | Method and apparatus for secure immediate wireless access in a telecommunications network |
| US8046581B2 (en) * | 2002-03-04 | 2011-10-25 | Telespree Communications | Method and apparatus for secure immediate wireless access in a telecommunications network |
| US20030225686A1 (en) * | 2002-05-17 | 2003-12-04 | Cassandra Mollett | Systems and methods for selective validation of phone numbers |
| US20030216988A1 (en) * | 2002-05-17 | 2003-11-20 | Cassandra Mollett | Systems and methods for using phone number validation in a risk assessment |
| US20030216987A1 (en) * | 2002-05-17 | 2003-11-20 | Cassandra Mollett | Systems and methods for accessing and using phone number validation information |
| US8539580B2 (en) | 2002-06-19 | 2013-09-17 | International Business Machines Corporation | Method, system and program product for detecting intrusion of a wireless network |
| US20040073795A1 (en) * | 2002-10-10 | 2004-04-15 | Jablon David P. | Systems and methods for password-based connection |
| JP2004320162A (en) * | 2003-04-11 | 2004-11-11 | Sony Corp | Information communication system and method, information communication apparatus and method, and program |
| JP2004320161A (en) * | 2003-04-11 | 2004-11-11 | Sony Corp | Information communication system and method, information communication apparatus and method, and program |
| US20040225709A1 (en) * | 2003-05-06 | 2004-11-11 | Joseph Kubler | Automatically configuring security system |
| FI20040076A0 (en) * | 2004-01-20 | 2004-01-20 | Nokia Corp | Authentications in a communication system |
| US8923838B1 (en) * | 2004-08-19 | 2014-12-30 | Nuance Communications, Inc. | System, method and computer program product for activating a cellular phone account |
| US20060059344A1 (en) * | 2004-09-10 | 2006-03-16 | Nokia Corporation | Service authentication |
| US7415271B2 (en) * | 2004-10-08 | 2008-08-19 | General Motors Corporation | Method and system for performing failed wireless communication diagnostics |
| US7801517B2 (en) * | 2005-06-29 | 2010-09-21 | At&T Intellectual Property I, L.P. | Methods, systems, and computer program products for implementing a roaming controlled wireless network and services |
| US20070016777A1 (en) * | 2005-07-08 | 2007-01-18 | Henderson James D | Method of and system for biometric-based access to secure resources with dual authentication |
| WO2007075068A1 (en) * | 2005-09-30 | 2007-07-05 | Samsung Electronics Co., Ltd. | Method for authentication between ue and network in wireless communication system |
| SG133430A1 (en) * | 2005-12-19 | 2007-07-30 | Veritas Mobile Solutions Pte L | Method for secure transmittal of pins over telecommunications networks |
| US8392560B2 (en) * | 2006-04-28 | 2013-03-05 | Microsoft Corporation | Offering and provisioning secured wireless virtual private network services |
| US9830145B2 (en) | 2006-08-14 | 2017-11-28 | Federal Home Loan Mortgage Corporation (Freddie Mac) | Systems and methods for infrastructure and middleware provisioning |
| US8553853B2 (en) * | 2006-12-08 | 2013-10-08 | Verizon Services Corp. | Systems and methods for using the advanced intelligent network to redirect data network traffic |
| US8782414B2 (en) * | 2007-05-07 | 2014-07-15 | Microsoft Corporation | Mutually authenticated secure channel |
| US9386154B2 (en) * | 2007-12-21 | 2016-07-05 | Nuance Communications, Inc. | System, method and software program for enabling communications between customer service agents and users of communication devices |
| US20100063829A1 (en) * | 2008-09-08 | 2010-03-11 | Dupray Dennis J | Real estate transaction system |
| US8391464B1 (en) | 2010-06-24 | 2013-03-05 | Nuance Communications, Inc. | Customer service system, method, and software program product for responding to queries using natural language understanding |
| US9538493B2 (en) | 2010-08-23 | 2017-01-03 | Finetrak, Llc | Locating a mobile station and applications therefor |
| EP2710540A1 (en) | 2011-05-17 | 2014-03-26 | Accells Technologies (2009) Ltd. | System and method for performing a secure transaction |
| US8346672B1 (en) | 2012-04-10 | 2013-01-01 | Accells Technologies (2009), Ltd. | System and method for secure transaction process via mobile device |
| US9098850B2 (en) | 2011-05-17 | 2015-08-04 | Ping Identity Corporation | System and method for transaction security responsive to a signed authentication |
| AU2012303620B2 (en) | 2011-08-31 | 2017-09-14 | Ping Identity Corporation | System and method for secure transaction process via mobile device |
| JP6214781B2 (en) * | 2014-09-17 | 2017-10-18 | 健治 貞許 | Connection system and connection method |
| US9781105B2 (en) | 2015-05-04 | 2017-10-03 | Ping Identity Corporation | Fallback identity authentication techniques |
| US10819706B2 (en) * | 2018-07-09 | 2020-10-27 | Igt | System, apparatus and method for facilitating remote gaming communications in a venue |
Family Cites Families (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4901340A (en) * | 1988-09-19 | 1990-02-13 | Gte Mobilnet Incorporated | System for the extended provision of cellular mobile radiotelephone service |
| US5390245A (en) * | 1990-03-09 | 1995-02-14 | Telefonaktiebolaget L M Ericsson | Method of carrying out an authentication check between a base station and a mobile station in a mobile radio system |
| FR2662878B1 (en) * | 1990-05-30 | 1994-03-25 | Alcatel Cit | METHOD FOR ACCESSING A WIRELESS TELEPHONY SERVICE. |
| US5091942A (en) * | 1990-07-23 | 1992-02-25 | Ericsson Ge Mobile Communications Holding, Inc. | Authentication system for digital cellular communications |
| US5077790A (en) * | 1990-08-03 | 1991-12-31 | Motorola, Inc. | Secure over-the-air registration of cordless telephones |
| US5237612A (en) * | 1991-03-29 | 1993-08-17 | Ericsson Ge Mobile Communications Inc. | Cellular verification and validation system |
| US5241598A (en) * | 1991-05-22 | 1993-08-31 | Ericsson Ge Mobile Communications, Inc. | Rolling key resynchronization in cellular verification and validation system |
| US5319711A (en) * | 1992-08-19 | 1994-06-07 | Gte Laboratories Incorporated | Wireless device for verifying identification |
| US5299263A (en) * | 1993-03-04 | 1994-03-29 | Bell Communications Research, Inc. | Two-way public key authentication and key agreement for low-cost terminals |
| JP2757243B2 (en) * | 1993-03-26 | 1998-05-25 | 松下電器産業株式会社 | How to prevent unauthorized use in microcellular systems |
| US5455863A (en) * | 1993-06-29 | 1995-10-03 | Motorola, Inc. | Method and apparatus for efficient real-time authentication and encryption in a communication system |
| US5488649A (en) * | 1994-05-06 | 1996-01-30 | Motorola, Inc. | Method for validating a communication link |
| US5513245A (en) * | 1994-08-29 | 1996-04-30 | Sony Corporation | Automatic generation of private authentication key for wireless communication systems |
| US5603084C1 (en) * | 1995-03-02 | 2001-06-05 | Ericsson Inc | Method and apparatus for remotely programming a cellular radiotelephone |
| US5748742A (en) * | 1995-11-30 | 1998-05-05 | Amsc Subsidiary Corporation | Fraud detection and user validation system for mobile earth terminal communication device |
-
1996
- 1996-12-27 US US08/777,341 patent/US5875394A/en not_active Expired - Lifetime
-
1997
- 1997-11-20 CA CA002221665A patent/CA2221665C/en not_active Expired - Lifetime
- 1997-12-18 BR BR9706409A patent/BR9706409A/en not_active IP Right Cessation
- 1997-12-22 TW TW086119522A patent/TW376615B/en not_active IP Right Cessation
Also Published As
| Publication number | Publication date |
|---|---|
| CA2221665A1 (en) | 1998-06-27 |
| TW376615B (en) | 1999-12-11 |
| US5875394A (en) | 1999-02-23 |
| BR9706409A (en) | 1999-03-30 |
| MX9710347A (en) | 1998-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2221665C (en) | Method of mutual authentication for secure wireless service provision | |
| US5537474A (en) | Method and apparatus for authentication in a communication system | |
| US7904072B2 (en) | Method and apparatus for secure immediate wireless access in a telecommunications network | |
| JP4263384B2 (en) | Improved method for authentication of user subscription identification module | |
| JP4623915B2 (en) | Communication protection system and method | |
| US9332575B2 (en) | Method and apparatus for enabling connectivity in a communication network | |
| US5799084A (en) | System and method for authenticating cellular telephonic communication | |
| US7024226B2 (en) | Method for enabling PKI functions in a smart card | |
| US6225888B1 (en) | Authentication between communicating parties in a telecommunications network | |
| US20020187808A1 (en) | Method and arrangement for encrypting data transfer at an interface in mobile equipment in radio network, and mobile equipment in radio network | |
| US20030061503A1 (en) | Authentication for remote connections | |
| KR20080069210A (en) | Systems and methods for user interface access control | |
| JP2009515403A (en) | Remote activation of user accounts in telecommunications networks | |
| EP1114566A1 (en) | Method to authenticate a mobile station, a communications system and a mobile station | |
| JP4897864B2 (en) | Protection against CLI spoofing of services in mobile networks | |
| US20090061888A1 (en) | Transaction Method Between Two Servers Including a Prior Validating Step Using Two Mobile Telephones | |
| CN104735651B (en) | A kind of method, system and device of securely communicating data | |
| US7239688B1 (en) | Method, architectures and technique for authentication of telephone calls | |
| JP2001505749A (en) | Authentication between communicating parties in a telecommunications network | |
| WO2000024218A1 (en) | A method and a system for authentication | |
| KR100395161B1 (en) | Authentication Center, Authentication Method using smart card on mobile communications and method of supporting global roaming service | |
| MXPA97010347A (en) | Method for mutual authentication for safe supply of services inalambri | |
| US6208722B1 (en) | Method of accepting charges in individual connections and a telephone network and terminal | |
| WO1999007178A1 (en) | System and method for preventing replay attacks in wireless communication | |
| JPH06105366A (en) | Digtial mobile communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20171120 |
|
| MKEX | Expiry |
Effective date: 20171120 |