CA2532083C - Transparent access authentication in 2g and 2.5g mobile access networks - Google Patents
Transparent access authentication in 2g and 2.5g mobile access networks Download PDFInfo
- Publication number
- CA2532083C CA2532083C CA2532083A CA2532083A CA2532083C CA 2532083 C CA2532083 C CA 2532083C CA 2532083 A CA2532083 A CA 2532083A CA 2532083 A CA2532083 A CA 2532083A CA 2532083 C CA2532083 C CA 2532083C
- Authority
- CA
- Canada
- Prior art keywords
- network
- address
- server
- imsi
- match
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 claims abstract description 17
- 238000011156 evaluation Methods 0.000 claims description 3
- 230000007246 mechanism Effects 0.000 description 10
- 230000011664 signaling Effects 0.000 description 4
- 230000005012 migration Effects 0.000 description 3
- 238000013508 migration Methods 0.000 description 3
- 230000002596 correlated effect Effects 0.000 description 2
- 230000001419 dependent effect Effects 0.000 description 2
- 238000000508 aqueous-phase reforming Methods 0.000 description 1
- 238000012508 change request Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 208000014674 injury Diseases 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000000344 soap Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/1016—IP multimedia subsystem [IMS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1033—Signalling gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1073—Registration or de-registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/72—Subscriber identity
Abstract
The present invention relates to a method for application layer authentication of subscribers connected to the authenticating network domain by a 2G or 2.5G GPRS core network or a 3G UMTS network, characterised by using data which are assembled by the network layer during establishment of a PDP context in GPRS networks. The invention comprises System of units in a mobile telecommunication network, including at least a first authentication unit which is connected via a data line to a second unit which assembles data according to the described method.
Description
1 .' 1 x / 26 6 12:59 +31-T-34@-3973 CA 02532083 2006-01-12 FAG, 13/60 7O4u2OD5 MI o 10 PA EP040$574 '~'03O1 ACT 2-7C ~nsp xe~nt 1Gc~ss u k~entxcat ,an j) 2d 2 F 5Q obL Le ;4cc9sE N~twor s The preserLt irw xxtior relates tC method axed system fcr transparent access authentication in 2E and 25G vcbi1~
Zccess Networks. This nc1udes communication nctwoz3cs of tae GSM-, GPRS- ancT 'J 4TS ~ staxidard well, known to ski11 ed pex vr~a .
In stx~.dardisation of Uni~rersa1 Mobile Telecommunication System (T.TS ReL S) comp -ehex,sive means ~.re .foreseen to pexfo'rn authentication on the application 1yer with no need to :,n.terwar~t with the u d r:Ly1r rac :o and tray port networks The m cJ a scna as ~ based on the a~sumptiori that spec1 f is envirox rent is pr par d to depIoyrteni o p Mud. t media Sip s item (JMS) eerv Lces . It ino1udes the use of IMS SIM (ISIM) application, which ix to ri zequires Re1.99tJICC's .n the connected end d~vice tc a,idie the authentication end key agreement (AK) zn cage of dep1oytent of CMS aid IMS baEect s rvicee ~n a n two~k exivixonrneAt which ig characterised by the use o SIB
cad, the stanc1ardi ed auto itioation mechanj: rn wii1 not he appU+cablc .
TIC Tec1nic1 specjfcatiaa c? T5 33x203 'cces Security :or 1P-based Serv Lacs" , Ra1ea e , , June 2 a 03 , XP-OD2264O8, d,SC1o eS method or trar.spare t acce~e ~uhenticatioEL of ub crLbt x conr~ eted to an autbentioat rz network domain by a GPRS core network or an tJITS ewox1c, tile method u,ng data, which are asaerib,ed by a network Zay~r duriii aetabiis rAeut v a PD1 context in APRs networ}s , AMENDED SHEET
10/10 2006 TUE 12:55 [TX/RX NO 5038] EJO13 iO/13!2006 12:58 +31-7p-,340_3973 02532083 2006-01-12' ~7~O4-2OD5 EP0408574 27/Ut1 az MI 00;t0 FAX
TO 1 'CT
It ya the cb j ect o1 the nvsntio~, to p ovidt rn ihod nd ~y$tem :vr tra~iBgarent ~.CCess auehei tioation wb.i h ~ 1ow t tv rua uth~xitication tranparently to the exd dovice, without requiring prvpr etary exte~,sioxas and, furmt,on~ or netwox']c or c:, iexit ide This object is achiev c1 by prcr iding a method end system as de$2r bad :Lrl the rindepei dent a1aims AMENDED SHEET
10/10 2006 TUE 12:55 [TX/RX NO 5038] Ej014 Other features which are considered to be characteristic for the invention are set forth in the dependent claims.
The present invention describes a. method for application 5. layer authentication of. subscribers, connected to the authenticating network domain by a 2G or 2.5G General Packet Radio Service (GPRS) core network or a 3G UMTS network. The authentication will be based on data which is assembled by the network layer during establishment of a PDP context in GPRS networks. This information is secured by standard SIM
card application. As the same mechanisms are used for, authentication in 3G networks, the further described mechanism is also applicable there. No standard would be touched in any way while using a 2G or 2.5G-access network, because no authentication on application layer is foreseen in the standard. For UMTS Rel.5 standards and following, the standard foresees specific methods. The use of the further described method. would be, possible,: although. the standardised .authentication mechhan-ism needs to be switched off. Switching off the standardised authentication mechanism could be interpreted as standard sensitive, but subsequent use of the further described mechanism would be standard compliant' again.
Further, a migration path to UMTS Rel.5 standardised.
authentication and the concept for parallel us.e of both mechanisms is described.
The invention will now be described in further detail with reference.to the drawings.
Figure 1 depicts the general architecture of the system for carrying out the invention;
Zccess Networks. This nc1udes communication nctwoz3cs of tae GSM-, GPRS- ancT 'J 4TS ~ staxidard well, known to ski11 ed pex vr~a .
In stx~.dardisation of Uni~rersa1 Mobile Telecommunication System (T.TS ReL S) comp -ehex,sive means ~.re .foreseen to pexfo'rn authentication on the application 1yer with no need to :,n.terwar~t with the u d r:Ly1r rac :o and tray port networks The m cJ a scna as ~ based on the a~sumptiori that spec1 f is envirox rent is pr par d to depIoyrteni o p Mud. t media Sip s item (JMS) eerv Lces . It ino1udes the use of IMS SIM (ISIM) application, which ix to ri zequires Re1.99tJICC's .n the connected end d~vice tc a,idie the authentication end key agreement (AK) zn cage of dep1oytent of CMS aid IMS baEect s rvicee ~n a n two~k exivixonrneAt which ig characterised by the use o SIB
cad, the stanc1ardi ed auto itioation mechanj: rn wii1 not he appU+cablc .
TIC Tec1nic1 specjfcatiaa c? T5 33x203 'cces Security :or 1P-based Serv Lacs" , Ra1ea e , , June 2 a 03 , XP-OD2264O8, d,SC1o eS method or trar.spare t acce~e ~uhenticatioEL of ub crLbt x conr~ eted to an autbentioat rz network domain by a GPRS core network or an tJITS ewox1c, tile method u,ng data, which are asaerib,ed by a network Zay~r duriii aetabiis rAeut v a PD1 context in APRs networ}s , AMENDED SHEET
10/10 2006 TUE 12:55 [TX/RX NO 5038] EJO13 iO/13!2006 12:58 +31-7p-,340_3973 02532083 2006-01-12' ~7~O4-2OD5 EP0408574 27/Ut1 az MI 00;t0 FAX
TO 1 'CT
It ya the cb j ect o1 the nvsntio~, to p ovidt rn ihod nd ~y$tem :vr tra~iBgarent ~.CCess auehei tioation wb.i h ~ 1ow t tv rua uth~xitication tranparently to the exd dovice, without requiring prvpr etary exte~,sioxas and, furmt,on~ or netwox']c or c:, iexit ide This object is achiev c1 by prcr iding a method end system as de$2r bad :Lrl the rindepei dent a1aims AMENDED SHEET
10/10 2006 TUE 12:55 [TX/RX NO 5038] Ej014 Other features which are considered to be characteristic for the invention are set forth in the dependent claims.
The present invention describes a. method for application 5. layer authentication of. subscribers, connected to the authenticating network domain by a 2G or 2.5G General Packet Radio Service (GPRS) core network or a 3G UMTS network. The authentication will be based on data which is assembled by the network layer during establishment of a PDP context in GPRS networks. This information is secured by standard SIM
card application. As the same mechanisms are used for, authentication in 3G networks, the further described mechanism is also applicable there. No standard would be touched in any way while using a 2G or 2.5G-access network, because no authentication on application layer is foreseen in the standard. For UMTS Rel.5 standards and following, the standard foresees specific methods. The use of the further described method. would be, possible,: although. the standardised .authentication mechhan-ism needs to be switched off. Switching off the standardised authentication mechanism could be interpreted as standard sensitive, but subsequent use of the further described mechanism would be standard compliant' again.
Further, a migration path to UMTS Rel.5 standardised.
authentication and the concept for parallel us.e of both mechanisms is described.
The invention will now be described in further detail with reference.to the drawings.
Figure 1 depicts the general architecture of the system for carrying out the invention;
3' _ Figure 2 depicts an embodiment of_the invention with migration to. IMS compliant architecture.
With reference to Figure 1, during PDP context establishment the Serving'GPRS Support Node (SG'SN) is authenticating the subscriber using the A3/A8 algorithm based on the end devices SIM card in ca-se of GSM and 2.5G GPRS and EDGE access network.
The Gateway GPRS Support Node 1 (GGSN).receives a context } 10 creation request and queries a Radius (Registration) server 2 (Remote Authentif.ication Dial-In User Service) to get an IP
address assigned for the particular PDP context. Within the .context the Radius server 2 receives the. MSISDN and/or the IMSI of-the subscriber: So. in the session database 3 of the Radius server 2 there is stored for e=acli PDP 'context a pair-of=IE address and IMSI/MSISDN. Based on the tunnel endpoint ID (TEID) the GGSN I filters all.packets running through the PDP ggntext=once established, for the correct IP_source address. This means the GGSN 1 checks matching TEID/IP
address pairs, thus preventing falsification of source } addresses and so called "IP spoofing" for the complete lifecycle of the PDP context. The TEID unambiguously identifies a tunnel endpoint in. the receiving.GTP-U (GPRS
Tunnelling Protocol - User) or GTP-C (GPRS Tunnelling Protocol - Control) protocol entity. The receiving side. of a GTP tunnel locally assigns the TEID value for the transmitting side to use.=The-TEID values are exchanged between tunnel endpoints using GTP-C messages (or RANAP
(Radio' Access Network Application Part.) in the UTRAN (UMTS
terrestrial-. Radio Access Network In the-application domain a subscriber database. 4 exists that stores all 'PubIDs.the subscriber is using in the domain, referring it to his PriviD, which is unique in the respective application _domain. The PrivID is correlated with an MSISDN
and/or IMSI.
In=the request the user gives his Priv'ID for registration.
Upon receiving, the registration request, the registration proxy 5 queries the subscriber database 4 containing the subscribers IDs (both public and private) together with the MSISDN/IMSI. This data is stored in a table on the proxy server. platform.
Subsequently the proxy server 5 queries the session,database 3 of the Radius- server 2 in order to get the assigned IP
address of that session and the IMSI/MSISDN already authenticated by the network's Home Location. Register (HLR).
The = authentication - of the. HLR "guarantees further that the IP
address can be considered to be authenticated as well.. Also this information is stored in the table on the=proxy server platform.
Now the.proxy_server 5 starts the authentication procedure according to the invention.
First, the proxy server 5 checks IMSI/MSISDN from Radius server 2 database 3 and application domain database 4 for match. -If the pairs are not. matching, the subscriber has tried to'register with an incorrect PrivID, which is not correlated with his IMSI/MSISDN, if the pairs are matching the next step is performed..
Second step is, checking the. subscribers I-P address in the IP
network layer, meaning in the IP packet overhead field for source address for match with theIP address assigned by the Radius server 3. As the IP address was assigned to an IMSI/MSISDN-authenticated session, also the IP address can be considered as authenticated.
With reference to Figure 1, during PDP context establishment the Serving'GPRS Support Node (SG'SN) is authenticating the subscriber using the A3/A8 algorithm based on the end devices SIM card in ca-se of GSM and 2.5G GPRS and EDGE access network.
The Gateway GPRS Support Node 1 (GGSN).receives a context } 10 creation request and queries a Radius (Registration) server 2 (Remote Authentif.ication Dial-In User Service) to get an IP
address assigned for the particular PDP context. Within the .context the Radius server 2 receives the. MSISDN and/or the IMSI of-the subscriber: So. in the session database 3 of the Radius server 2 there is stored for e=acli PDP 'context a pair-of=IE address and IMSI/MSISDN. Based on the tunnel endpoint ID (TEID) the GGSN I filters all.packets running through the PDP ggntext=once established, for the correct IP_source address. This means the GGSN 1 checks matching TEID/IP
address pairs, thus preventing falsification of source } addresses and so called "IP spoofing" for the complete lifecycle of the PDP context. The TEID unambiguously identifies a tunnel endpoint in. the receiving.GTP-U (GPRS
Tunnelling Protocol - User) or GTP-C (GPRS Tunnelling Protocol - Control) protocol entity. The receiving side. of a GTP tunnel locally assigns the TEID value for the transmitting side to use.=The-TEID values are exchanged between tunnel endpoints using GTP-C messages (or RANAP
(Radio' Access Network Application Part.) in the UTRAN (UMTS
terrestrial-. Radio Access Network In the-application domain a subscriber database. 4 exists that stores all 'PubIDs.the subscriber is using in the domain, referring it to his PriviD, which is unique in the respective application _domain. The PrivID is correlated with an MSISDN
and/or IMSI.
In=the request the user gives his Priv'ID for registration.
Upon receiving, the registration request, the registration proxy 5 queries the subscriber database 4 containing the subscribers IDs (both public and private) together with the MSISDN/IMSI. This data is stored in a table on the proxy server. platform.
Subsequently the proxy server 5 queries the session,database 3 of the Radius- server 2 in order to get the assigned IP
address of that session and the IMSI/MSISDN already authenticated by the network's Home Location. Register (HLR).
The = authentication - of the. HLR "guarantees further that the IP
address can be considered to be authenticated as well.. Also this information is stored in the table on the=proxy server platform.
Now the.proxy_server 5 starts the authentication procedure according to the invention.
First, the proxy server 5 checks IMSI/MSISDN from Radius server 2 database 3 and application domain database 4 for match. -If the pairs are not. matching, the subscriber has tried to'register with an incorrect PrivID, which is not correlated with his IMSI/MSISDN, if the pairs are matching the next step is performed..
Second step is, checking the. subscribers I-P address in the IP
network layer, meaning in the IP packet overhead field for source address for match with theIP address assigned by the Radius server 3. As the IP address was assigned to an IMSI/MSISDN-authenticated session, also the IP address can be considered as authenticated.
If the pairs are not matching, the subscriber used an incorrect IP address, if the pairs are'matching the subsequent step is performed.
The.proxy server 5 parses the application layer for IP
addresses given in the headers of e.g. SIP registration message, SDP message bodies, etc and checks for match with the IP address in, which was already checked for match with the IP address assigned by the Radius server 2. If the pairs are not matching the subscriber used incorrect signalling .information, e. g. response addresses., etc. If the pairs are matching, the session setup can be considered as authenticated.
In.all subsequent messages arriving at the proxy server 5, it checks for match of 1P = addres=s 'in the IP packet-overhead field for source=addre-ss with that in-the application layer protocol header fields.and verifies the , matching pairs-against the IP. address assigned by=the Radius server 2.
It PubIDs are used in the following session, the PublDs are' checked against the PrivID which was stored in a-table on the proxy server platform after querying the application domains database 4. .
The described functionality gives the network:-operator the opportunity to run-.authentication transparently to the end' device,, without requiring proprietary extensions and functions on network or client side.. In case of SIP based signalling, the migration'to fully standard compliant UMTS
Rel.5 mechanisms and a strategy for parallel operation is necessary, this will be described now.
The.proxy server 5 parses the application layer for IP
addresses given in the headers of e.g. SIP registration message, SDP message bodies, etc and checks for match with the IP address in, which was already checked for match with the IP address assigned by the Radius server 2. If the pairs are not matching the subscriber used incorrect signalling .information, e. g. response addresses., etc. If the pairs are matching, the session setup can be considered as authenticated.
In.all subsequent messages arriving at the proxy server 5, it checks for match of 1P = addres=s 'in the IP packet-overhead field for source=addre-ss with that in-the application layer protocol header fields.and verifies the , matching pairs-against the IP. address assigned by=the Radius server 2.
It PubIDs are used in the following session, the PublDs are' checked against the PrivID which was stored in a-table on the proxy server platform after querying the application domains database 4. .
The described functionality gives the network:-operator the opportunity to run-.authentication transparently to the end' device,, without requiring proprietary extensions and functions on network or client side.. In case of SIP based signalling, the migration'to fully standard compliant UMTS
Rel.5 mechanisms and a strategy for parallel operation is necessary, this will be described now.
As the IMS=domain as s-tandardised.for UMTS Rel.5.will include its own autheri'tication mechanism, it is necessary to support a scenario where the*s.ubscribers are migrating to ISIM
enabled end-devices.. To exploit the benefits of'the standardised authentication mechanism,. both.. mechanisms have to be supported in parallel.
This is done by an additional. function that checks each incoming signalling message, firstfor..the protocol, if."itis any other protocol than SIP, the session is routed to the proxy server 5. -With reference. to Figure 2,the.same routing decision is taken if the message is based can SIP, but the client does not support standardised UMTS Rel.5=authentication. If the client:
does support 'standardised authentication method, e.g. is ISIM
enabled, the.message is routed to- the. standard-compliant Proxy Call State Control Function (P-CSCF). First triggerfor :routing decisions is the protocol type, as described above.
Further triggers could be the key exchange mechanism used for s.etting up the secured connection between UE and P-CSCF ( if the-end devic-e is starting key agreement, it can be considered as standard.compliant'and the request is routed to the P-CSCF), or other elements included in the UMTS Rel.5 header as well as any private extension, 'which is, however, . possible-but not = necessary. If .trigger points-available in signalling should be insufficient, also database lookups can be used to base routing. decisions on.
The. authenticationprocedure is as follows -30. First, .;d decision is required by which node P-CSCF 6.or proxy -. server 5 the register shall be routed .
For this, a routing module 7 is provided which will 'be the standard entry point for all messages. The routing module 7 decides by evaluation of PrivID.which node will handle the message. The.. routing module 7-refers to- subdomains (e.g=.
user@gprs.tmo.de and user@tmo.umts.de) within the domain part of the Network Access Identifier (NAI), see 3GPP
.5 specification 23.228. This =requires that NAIs for 3G
subscribers have to provide subdomains.
The routing module 7 shall set a routing entry, by using only the PrivID, subsequent messages shall be identified by the IP
source address listed in the routing table.
The routing module 7 identifies the responsible proxy function, i.e. proxy server-5 or P-CSCF 6, by evaluating the PrivID (URls:subdomains') This rises the request towards IMSI/MSISDN`and URIs to be chosen according to this functionality.
In case other protocols shall be.used:beside SIP, such as e.g. SMTP, HTTP, SOAP (.NET), etc, the proxy server 5.must be extended, and_ authenticate the-.sub-scribers by use of the IP
address, subsequently resolving the IMSI/MSISDN and matching of the- particular identifier of the protocol, which is stored in the subscriber profile of the subscriber database 4. This requires the population of the subscriber profile with the required data elements and extension of the routing module to enable protocol; dependent routing.
In case.separate access-networks are used, the application platform has to know which type of access'hetwork is used to adapt service delivery accordingly. This requires that a change request has to be stated against the. SGSN to enable it to send the.access type to the GGSN-which includes it in the radius request, so the access network type will be available in the session database 3. This enables all applications to request the -ac-ces s network type and use. it, e.g. ' for Quality -of Service -(QoS) means.
enabled end-devices.. To exploit the benefits of'the standardised authentication mechanism,. both.. mechanisms have to be supported in parallel.
This is done by an additional. function that checks each incoming signalling message, firstfor..the protocol, if."itis any other protocol than SIP, the session is routed to the proxy server 5. -With reference. to Figure 2,the.same routing decision is taken if the message is based can SIP, but the client does not support standardised UMTS Rel.5=authentication. If the client:
does support 'standardised authentication method, e.g. is ISIM
enabled, the.message is routed to- the. standard-compliant Proxy Call State Control Function (P-CSCF). First triggerfor :routing decisions is the protocol type, as described above.
Further triggers could be the key exchange mechanism used for s.etting up the secured connection between UE and P-CSCF ( if the-end devic-e is starting key agreement, it can be considered as standard.compliant'and the request is routed to the P-CSCF), or other elements included in the UMTS Rel.5 header as well as any private extension, 'which is, however, . possible-but not = necessary. If .trigger points-available in signalling should be insufficient, also database lookups can be used to base routing. decisions on.
The. authenticationprocedure is as follows -30. First, .;d decision is required by which node P-CSCF 6.or proxy -. server 5 the register shall be routed .
For this, a routing module 7 is provided which will 'be the standard entry point for all messages. The routing module 7 decides by evaluation of PrivID.which node will handle the message. The.. routing module 7-refers to- subdomains (e.g=.
user@gprs.tmo.de and user@tmo.umts.de) within the domain part of the Network Access Identifier (NAI), see 3GPP
.5 specification 23.228. This =requires that NAIs for 3G
subscribers have to provide subdomains.
The routing module 7 shall set a routing entry, by using only the PrivID, subsequent messages shall be identified by the IP
source address listed in the routing table.
The routing module 7 identifies the responsible proxy function, i.e. proxy server-5 or P-CSCF 6, by evaluating the PrivID (URls:subdomains') This rises the request towards IMSI/MSISDN`and URIs to be chosen according to this functionality.
In case other protocols shall be.used:beside SIP, such as e.g. SMTP, HTTP, SOAP (.NET), etc, the proxy server 5.must be extended, and_ authenticate the-.sub-scribers by use of the IP
address, subsequently resolving the IMSI/MSISDN and matching of the- particular identifier of the protocol, which is stored in the subscriber profile of the subscriber database 4. This requires the population of the subscriber profile with the required data elements and extension of the routing module to enable protocol; dependent routing.
In case.separate access-networks are used, the application platform has to know which type of access'hetwork is used to adapt service delivery accordingly. This requires that a change request has to be stated against the. SGSN to enable it to send the.access type to the GGSN-which includes it in the radius request, so the access network type will be available in the session database 3. This enables all applications to request the -ac-ces s network type and use. it, e.g. ' for Quality -of Service -(QoS) means.
Abbreviations 2.5G. second and half generation (e. g. GPRS, EDGE) 2G second generation (e. g. GSM) 3G third generation (e. g. UMTS) AKA authentication and key agreement cc Circuit Switched IMS IP multimedia subsystem IMSI International Mobile Subscriber Identity ISIM IMS- SIM
MSISDN . Mobile Station =ISDN Number.
NAI Network Access Identifier ..P-CSCF Proxy-Call-State-Control-Function SIM (carrd) (GSM) Subscriber Identity Module (card) SIP Session Initiation Protocol TEID Turinel Endpoint ID
UE User Equipment UICC UMTS *IC Card UMTS Universal mobile telecommunication system URI % Uniform Ressource Locator
MSISDN . Mobile Station =ISDN Number.
NAI Network Access Identifier ..P-CSCF Proxy-Call-State-Control-Function SIM (carrd) (GSM) Subscriber Identity Module (card) SIP Session Initiation Protocol TEID Turinel Endpoint ID
UE User Equipment UICC UMTS *IC Card UMTS Universal mobile telecommunication system URI % Uniform Ressource Locator
Claims (9)
1. Method for transparent access authentication of subscribers connected to an authenticating network domain by a GPRS core network or an UMTS network, wherein the method using data which are assembled by a network layer during establishment of a PDP context in GPRS networks, characterised in that when a Gateway GPRS Support Node (1) receives a context creation request it queries a registration server (2) to get an IP address assigned for the particular PDP
context, and within the context the registration server (2) receives a Mobile Station ISDN Number, MSISDN, and/or an International Mobile Subscriber Identity, IMSI, of the subscriber and stores for each PDP context a pair of IP
address and IMSI/MSISDN in a session database (3), that a proxy server (5) is provided which checks IMSI/MSISDN from a registration server (2) session database (3) and IMSI/MISIDN from a application domain database (4) for match, that if the IMSI/MSISDN pairs are matching, the proxy server (5) checks a subscribers IP address assigned in the IP network layer or match with the IP address assigned by the registration server (2), and that the proxy server (5) parses the application layer for IP addresses given in the headers of registration messages and checks for match with the network layer IP
address which was already checked for match with the IP
address assigned by the radius server (2).
context, and within the context the registration server (2) receives a Mobile Station ISDN Number, MSISDN, and/or an International Mobile Subscriber Identity, IMSI, of the subscriber and stores for each PDP context a pair of IP
address and IMSI/MSISDN in a session database (3), that a proxy server (5) is provided which checks IMSI/MSISDN from a registration server (2) session database (3) and IMSI/MISIDN from a application domain database (4) for match, that if the IMSI/MSISDN pairs are matching, the proxy server (5) checks a subscribers IP address assigned in the IP network layer or match with the IP address assigned by the registration server (2), and that the proxy server (5) parses the application layer for IP addresses given in the headers of registration messages and checks for match with the network layer IP
address which was already checked for match with the IP
address assigned by the radius server (2).
2. Method according to claim 1, comprising the step that during PDP context establishment a Serving GPRS Support Node (SGSN) is authenticating the subscriber using the A3/A8 algorithm based on an end devices SIM card.
3. Method according to any preceding claim, comprising the step that in all subsequent messages arriving at the proxy server (5), it checks for match of IP address in the IP packet overhead field for source address with that in the application layer protocol header fields and verifies the matching pairs against the IP address assigned by the Radius server (2).
4. Method according to any preceding claim, that a routing module (7) is provided which is a standard entry point for all message and decides by evaluation of Private ID, PrivID, which network node will handle the message.
5. System of units in a mobile telecommunication network, characterised that at least a first authentication unit (2) is connected via a data line to a second unit (5; 6) which assembles data according to the method of claim 1.
6. System according to claim 5, wherein the first unit comprises a registration server (2).
7. System according to claim 5 or 6, wherein the first unit (2) is connected to a session database (3).
8. System according to any of claims 5 to 7, wherein the second unit comprises a proxy server (5).
9. System according to any of claims 5 to 8, wherein the second unit comprises a Proxy Call State Control Function.
(6).
according to any of claims 5 to 9, wherein the second unit (5; 6) is connected to a subscriber database (4).
11. System according to any of claims 5 to 10, wherein a routing module (7) is provided which decides by evaluation of Private ID, PivID, which network node will handle the message.
(6).
according to any of claims 5 to 9, wherein the second unit (5; 6) is connected to a subscriber database (4).
11. System according to any of claims 5 to 10, wherein a routing module (7) is provided which decides by evaluation of Private ID, PivID, which network node will handle the message.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP03017348 | 2003-07-31 | ||
| EP03017348.8 | 2003-07-31 | ||
| PCT/EP2004/008574 WO2005015875A1 (en) | 2003-07-31 | 2004-07-30 | Transparent access authentication in gprs core networks |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2532083A1 CA2532083A1 (en) | 2005-02-17 |
| CA2532083C true CA2532083C (en) | 2012-02-07 |
Family
ID=34130043
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA2532083A Expired - Fee Related CA2532083C (en) | 2003-07-31 | 2004-07-30 | Transparent access authentication in 2g and 2.5g mobile access networks |
Country Status (10)
| Country | Link |
|---|---|
| US (1) | US7770216B2 (en) |
| EP (1) | EP1649661B1 (en) |
| CN (1) | CN100589480C (en) |
| AT (1) | ATE370602T1 (en) |
| CA (1) | CA2532083C (en) |
| DE (1) | DE602004008293T2 (en) |
| ES (1) | ES2293316T3 (en) |
| PL (1) | PL1649661T3 (en) |
| PT (1) | PT1649661E (en) |
| WO (1) | WO2005015875A1 (en) |
Families Citing this family (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7843860B2 (en) * | 2004-11-10 | 2010-11-30 | Telefonaktiebolaget L M Ericsson (Publ) | Arrangement, nodes and a method relating to services access over a communication system |
| US20060174004A1 (en) * | 2005-01-31 | 2006-08-03 | Nokia Corporation | System and method for optimizing access network authentication for high rate packet data session |
| US7685633B2 (en) * | 2005-02-25 | 2010-03-23 | Microsoft Corporation | Providing consistent application aware firewall traversal |
| US20070055874A1 (en) * | 2005-09-05 | 2007-03-08 | Nokia Corporation | Bundled subscriber authentication in next generation communication networks |
| EP1982543B1 (en) * | 2006-02-10 | 2017-06-07 | Telefonaktiebolaget LM Ericsson (publ) | Performance monitoring of location-based service in a mobile telecommunications network |
| CN101018128A (en) * | 2006-02-10 | 2007-08-15 | 朗迅科技公司 | Removable user identity module authenticating to the Internet protocol multi-media sub-system (IMS) |
| EP1959629B1 (en) * | 2007-02-13 | 2016-04-13 | Vodafone GmbH | Method for authenticating a user for access to server based applications from mobile device, gateway and identity management unit |
| US8036230B2 (en) * | 2007-11-05 | 2011-10-11 | Cisco Technology, Inc. | System and method for providing single IP tunnel |
| CN101453399B (en) * | 2007-11-30 | 2012-07-04 | 华为技术有限公司 | Virtual network configuration method and apparatus |
| US9699158B2 (en) | 2011-09-22 | 2017-07-04 | Russell S. Goodwin | Network user identification and authentication |
| CN103166953B (en) * | 2012-12-03 | 2016-08-03 | 上海斐讯数据通信技术有限公司 | A kind of network safety system and method |
| CN108024248B (en) * | 2016-10-31 | 2022-11-08 | 中兴通讯股份有限公司 | Authentication method and device for Internet of things platform |
| US11438168B2 (en) * | 2018-04-05 | 2022-09-06 | T-Mobile Usa, Inc. | Authentication token request with referred application instance public key |
| WO2023094373A1 (en) * | 2021-11-26 | 2023-06-01 | Abb Schweiz Ag | Method for device commissioning in a network system and network system |
Family Cites Families (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH09271066A (en) * | 1996-03-29 | 1997-10-14 | Sony Corp | Communication method, communication system, communication terminal equipment and communication management equipment |
| US6977917B2 (en) * | 2000-03-10 | 2005-12-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for mapping an IP address to an MSISDN number within a service network |
| CA2423276C (en) | 2000-10-09 | 2012-04-03 | Nokia Corporation | Method and system for establishing a connection between network elements |
| US6678517B2 (en) * | 2001-06-21 | 2004-01-13 | Spatial Wireless, Inc. | Method and system for providing continuous voice and packet data services to a mobile station |
| US7574735B2 (en) * | 2002-02-13 | 2009-08-11 | Nokia Corporation | Method and network element for providing secure access to a packet data network |
| DE10223248A1 (en) * | 2002-05-22 | 2003-12-04 | Siemens Ag | Method for registering a communication terminal |
| US7155526B2 (en) * | 2002-06-19 | 2006-12-26 | Azaire Networks, Inc. | Method and system for transparently and securely interconnecting a WLAN radio access network into a GPRS/GSM core network |
| DE10297809D2 (en) | 2002-08-16 | 2005-07-07 | Ag Siemens | A method for authenticating a user of a communication terminal when registering in and using a service network |
| US6788676B2 (en) * | 2002-10-30 | 2004-09-07 | Nokia Corporation | User equipment device enabled for SIP signalling to provide multimedia services with QoS |
| US7417979B2 (en) * | 2003-01-11 | 2008-08-26 | At&T Mobility Ii Llc | Systems and methods for providing a home network conversion interface |
| US20040148416A1 (en) * | 2003-01-29 | 2004-07-29 | Jryki Aarnos | Method and apparatus for messaging between a client of an sip-based network and a client of a wireless village network |
-
2004
- 2004-07-30 PL PL04763655T patent/PL1649661T3/en unknown
- 2004-07-30 CN CN200480021472A patent/CN100589480C/en not_active Expired - Fee Related
- 2004-07-30 CA CA2532083A patent/CA2532083C/en not_active Expired - Fee Related
- 2004-07-30 US US10/566,584 patent/US7770216B2/en active Active
- 2004-07-30 ES ES04763655T patent/ES2293316T3/en active Active
- 2004-07-30 PT PT04763655T patent/PT1649661E/en unknown
- 2004-07-30 DE DE602004008293T patent/DE602004008293T2/en active Active
- 2004-07-30 WO PCT/EP2004/008574 patent/WO2005015875A1/en active IP Right Grant
- 2004-07-30 EP EP04763655A patent/EP1649661B1/en active Active
- 2004-07-30 AT AT04763655T patent/ATE370602T1/en active
Also Published As
| Publication number | Publication date |
|---|---|
| DE602004008293T2 (en) | 2008-05-08 |
| ATE370602T1 (en) | 2007-09-15 |
| CN1830191A (en) | 2006-09-06 |
| CA2532083A1 (en) | 2005-02-17 |
| PT1649661E (en) | 2007-11-22 |
| ES2293316T3 (en) | 2008-03-16 |
| PL1649661T3 (en) | 2008-01-31 |
| DE602004008293D1 (en) | 2007-09-27 |
| CN100589480C (en) | 2010-02-10 |
| US7770216B2 (en) | 2010-08-03 |
| US20060195898A1 (en) | 2006-08-31 |
| WO2005015875A1 (en) | 2005-02-17 |
| EP1649661A1 (en) | 2006-04-26 |
| EP1649661B1 (en) | 2007-08-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5016359B2 (en) | Method for providing access to an IP multimedia subsystem | |
| EP1810474B1 (en) | An arrangement, nodes and a method relating to services access over a communication system | |
| KR100886165B1 (en) | Method for the routing of communications to a voice over internet protocol terminal in a mobile communication system | |
| AU2006338680B2 (en) | Switching system and corresponding method for unicast or multicast end-to-end data and/or multimedia stream transmissions between network nodes | |
| US7647493B2 (en) | Communication system and method | |
| US20060174009A1 (en) | Method for establishing a multimedia session between a caller device and a receiver device of a multimedia sub-domain type network and a communications system implementing said method | |
| US20070183382A1 (en) | Auto-discovery of a non-advertised public network address | |
| CA2532083C (en) | Transparent access authentication in 2g and 2.5g mobile access networks | |
| US7283513B2 (en) | Call control network, access control server and call control method | |
| US20030214958A1 (en) | Linking of bearer and control for a multimedia session | |
| EP3082318B1 (en) | Communication method and device for preventing media stream circuity (tromboning) | |
| US7764963B2 (en) | GW coupled SIP proxy | |
| EP2081333A1 (en) | Assignment of IP adresses to extension devices in 3GPP mobile networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20220802 |