US20050232191A1 - Method and apparatus for protecting identities of mobile devices on a wireless network - Google Patents
Method and apparatus for protecting identities of mobile devices on a wireless network Download PDFInfo
- Publication number
- US20050232191A1 US20050232191A1 US11/166,987 US16698705A US2005232191A1 US 20050232191 A1 US20050232191 A1 US 20050232191A1 US 16698705 A US16698705 A US 16698705A US 2005232191 A1 US2005232191 A1 US 2005232191A1
- Authority
- US
- United States
- Prior art keywords
- request
- identifier
- network
- mobile device
- cryptographic key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0414—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present invention pertains to the internetworking of computers, communication devices, and other processing systems. More particularly, the present invention relates to protecting the identities of mobile devices on a wireless network having access to a wired network.
- FIG. 1 illustrates an example of a network environment in which this may be done.
- a number (N) of mobile devices 1 - 1 through 1 -N operate on a wireless network 2 .
- Each of the mobile devices 1 may be, for example, any one of a cellular telephone, personal digital assistant (PDA), notebook (laptop) computer, two-way pager, or other wireless device.
- the wireless network 2 is coupled to a conventional wired computer network 3 through a proxy gateway 4 .
- the wired network 3 may be, for example, the Internet, a corporate intranet, a wide area network (WAN), a local area network (LAN), a public switched telephone network (PSTN), or a combination thereof.
- WAN wide area network
- LAN local area network
- PSTN public switched telephone network
- the proxy gateway 4 uses well-known techniques to enable communication between the mobile devices 1 and a number (M) of processing systems 5 - 1 through 5 -M operating on the wired network 3 .
- the physical computing platforms which embody the proxy gateway 4 and processing systems 5 may include, for example, conventional personal computers (PCs) and/or server-class computer systems.
- the proxy gateway 4 may convert/translate between the languages and protocols used by processing systems 5 , such as hypertext markup Language (HTML) and hypertext transport protocol (HTTP), and the languages and protocols used by the mobile devices 1 , such as wireless markup language (WML) and wireless access protocol (WAP).
- HTML hypertext markup Language
- HTTP hypertext transport protocol
- WML wireless markup language
- WAP wireless access protocol
- the proxy gateway 4 operates as a proxy for transmitting various requests on behalf of the mobile devices 1 and the processing devices 5 , as described further below.
- An example of a device which can serve as the proxy gateway 4 is the UP.Link Server, from Openwave Systems of Redwood City, Calif. Note that while proxy gateway 4 is shown as a single entity, the proxy and gateway functions can be distributed between separate physical platforms. Furthermore, both functions do not necessarily have to be used in a given network environment.
- Processing systems 5 include one or more “origin servers” (e.g., 5 - 1 ) and one or more “service initiators” (e.g., 5 -M).
- Origin servers provide content, such as hypermedia documents, to mobile devices 1 in response to standard (e.g., HTTP) requests from the mobile devices 1 .
- Service initiators “push” content to the mobile devices 1 , i.e., they send content to the mobile devices 1 without the content having been explicitly requested by the mobile devices 1 .
- an origin server and a service initiator may be implemented within the same computing platform and are often implemented within a single network domain.
- One problem associated with a network environment such as this is that data identifying each of the mobile devices 1 is commonly distributed to many other processing systems, such as processing systems 5 on the wired network 3 . This identification data can be used for a variety of purposes, some of which are undesirable for the users of the mobile devices.
- the proxy gateway 4 may add identification data to the meta-data (e.g., HTTP request headers) of that request, which is passed on to the origin server 5 , as shown in FIG. 2A .
- This scenario is referred to as the “pull” scenario.
- the identification data may be a direct reference to the source address of the client (e.g., the client's mobile telephone number in the case of wireless access), or it may be the identity of the client as determined from the provisioning system controlling the proxy.
- the rules governing the addition of this identification data are normally controlled by a “white list” within the proxy gateway 4 .
- the white list is a list of domain name references to which service is permitted.
- the client identity data may also be used as a rendezvous address for services making requests to the client, such as WAP push requests.
- the client identity information may be used in a number of legitimate ways, such as: to allow devices responding to requests to authenticate the requesting mobile devices; to track the devices' requests and develop client profiles on an origin server; to tailor a response to the request and to the identity of the client; to allow access for services that make subsequent requests to the client, such as the “Posting” of documents or WAP push requests; or, to allow the client to be accessed by another communication medium, such as a short message service (SMS) message or a telephone call.
- SMS short message service
- the client identity passed as part of a pull request may be subsequently used in a push scenario to gain access to the client via a service proxy or gateway.
- the problem is that the same identity is normally given to all servers, regardless of the intended use of the service.
- the client is made vulnerable in several ways.
- disclosure of the client identity allows unsolicited access to be made to the client, such as in the form of phone calls, SMS messages, or WAP push requests, without prior authorization being given for those services.
- This situation is illustrated in FIG. 2B , in which a request from a service initiator 5 includes the client identity previously acquired from the proxy gateway 4 , which is used to gain access to the mobile device 1 .
- client preferences may be gathered by groups of unrelated servers using the identity supplied by the proxy gateway.
- the client identity may not be changed for an individual proxy. Once established for a single server, the client identity is valid for all servers. Consequently, it is difficult to control misuse on an individual service provider basis without assigning a new identity to the client (which may be impossible or impractical).
- pseudonyms One attempt at solving this privacy problem is the use of pseudonyms.
- the pseudonym approach works by encrypting the client information at the source.
- this technique does not account for cases in which client identity information is added by network elements along the path of the request.
- only a single pseudonym is in operation at any one time, such that a client identity cannot be encrypted on a per-URI (uniform resource identifier) basis.
- the pseudonym technique is not designed to regulate any form of push service.
- P3P Platform for Privacy Preferences Project
- W3C World Wide Web Consortium
- the present invention includes a method and apparatus for operating a processing system on a network.
- an identifier of a mobile device on a wireless network is encrypted, and used to validate a request from a service initiator directed to the mobile device.
- FIG. 1 illustrates a network environment in which mobile devices can communicate with origin servers and service initiators
- FIG. 2A shows a “pull” scenario, in which a client requests information from an origin server
- FIG. 2B shows a “push” scenario, in which a service initiator sends a requests directed to a client
- FIG. 3 is a block diagram showing the encoding of client identity within pull requests
- FIG. 4 is a block diagram showing the use of pull requests with different encoded client identities for different URIs, and push requests using encoded client identities;
- FIG. 5 is a flow diagram showing a pull process that may be performed by the proxy gateway
- FIG. 6 is a flow diagram showing a push process that may be performed by the service proxy gateway.
- FIG. 7 is a high-level block diagram of a processing system representing any of the processing systems shown in FIG. 1 .
- references to “one embodiment” or “an embodiment” mean that the feature being referred to is included in at least one embodiment of the present invention. Further, separate references to “one embodiment” in this description do not necessarily refer to the same embodiment; however, neither are such embodiments mutually exclusive, unless so stated and except as will be readily apparent to those skilled in the art. Thus, the present invention can include any variety of combinations and/or integrations of the embodiments described herein.
- the client identity passed as part of a pull request may be subsequently used for undesirable and/or unauthorized purposes.
- the solution described herein protects the identities of the mobile devices to prevent that from occurring.
- the described solution allows the regulation of unauthorized and or unsolicited push services directed to the mobile devices. Further, push services can be regulated on a per-URI basis.
- the solution described herein includes hashing the client identity data on each client request on a per-URI basis.
- This solution may be implemented within a network environment such as shown in FIG. 1 .
- a proxy gateway such as shown in FIG. 1 can be configured to perform the described actions.
- a proxy gateway 34 coupling a wireless network to a wired network maintains a white list, which includes data associating a set of service initiators with a set of cryptographic keys. A different unique key is assigned to each service initiator URI.
- the proxy gateway 34 Upon receiving a request directed to an origin server 5 from a mobile device 1 (the client), the proxy gateway 34 identifies the cryptographic key of the target origin server 5 and sends to that origin server 5 a proxy request on behalf of the mobile device 1 .
- the proxy request includes an identifier of the mobile device, which the proxy gateway 34 has encrypted using the cryptographic key corresponding to the target origin server 5 .
- Request # 1 sent by the client 1 directed to origin server 5 -A is modified by the proxy gateway 34 to form a proxy request that includes the encrypted identity (“1234”) of the client 1 , which is then sent to origin server 5 -A.
- the client identity is encrypted using the key associated with origin server 5 -A.
- Origin server 5 -B has a different URI from origin server 5 -A, however, and as a result, it has a different cryptographic key associated with it. Accordingly, for Request # 2 the client identity is encrypted using the key associated with origin server 5 -B.
- Request # 2 sent by the client 1 directed to origin server 5 -B is modified by the proxy gateway 34 to form a proxy request to origin server 5 -B, which includes an encrypted identity (“78901”) of the client 1 different from that used for origin server 5 -A.
- a service initiator and an origin server are associated together using the proxy gateway's white list, as described further below.
- the proxy gateway 34 uses a unique cryptographic key to encrypt the client identifier for all pull requests directed to that URI, and the service proxy gateway 35 applies the same key to determine the validity of all push requests originating from that URI.
- a service proxy gateway 35 receives a push request from a service initiator directed to a mobile device 1 , it uses the cryptographic key associated with that service initiator to decode the encrypted client identity contained within the request. If the decoded client identity matches the client identity of the target mobile device 1 , the request is considered the valid. Otherwise the request is considered to be invalid, and fulfillment of the request is barred.
- the client identity is used as the rendezvous identity for services making request to clients.
- the true (unencrypted) client identity of each mobile device 1 may be stored in any of a number of possible locations, such as in the proxy gateway 34 and/or the service proxy gateway 35 , in the mobile device 1 , or elsewhere on the network.
- proxy gateway 34 and the service proxy gateway 35 can be implemented within the same physical platform and may even be the same device.
- Service initiator 5 -D reuses the encrypted client identity information provided in prior pull requests to initiate a push request to the client 1 (Request # 4 ).
- Service initiator 5 -F does the same, except that it uses a different identity for the client 1 , supplied in Request # 3 .
- Request # 3 and Request # 4 are valid push requests.
- service initiator 5 -F attempts to use the client identity associated with service initiator 5 -D (as illustrated by Request # 5 )
- the service request is invalid and is therefore barred by the service proxy gateway 35 .
- the request is invalid and is therefore barred, as illustrated by service initiator 5 -G and Request # 6 .
- client identifiers derived from the mobile device, the network, or the proxy gateways, which may be encoded in this way prior to release to origin servers or service initiators.
- client identifier may be an international mobile subscriber identifier (IMSI), an electronic serial number (ESN), a mobile services ISDN number (MSISDN), a mobile identity number (MIN), or an Internet protocol (IP) address version 4 (IPv4) or version 6 (IPv6).
- IMSI international mobile subscriber identifier
- ESN electronic serial number
- MSISDN mobile services ISDN number
- MIN mobile identity number
- IP Internet protocol address version 4
- IPv6 version 6
- the client identifier may be a unique alphanumeric subscriber identifier formed by using the server operator's internal account number of the subscriber, or formed by combining provisioning data, user data, and naming authority domain (e.g., “alice _mag01@csp.com”).
- a service initiator and an origin server may be associated together in the proxy gateway's white list, along with the corresponding cryptographic key.
- An example of how such a white list may appear in a proxy gateway is set forth in the following table: Service Initiator URI White List URI Key www.yahoo-push.com www.yahoo.* 123456789123456789 Calendar.yahoo.* Messenger.yahoo.id/* My.yahoo.com/* www.icq.* *.icq.com 9876543211234565789 www.trusted-host.com www.mytelco.* 0
- the service proxy gateway 35 On receipt of a request from a service initiator, the service proxy gateway 35 will verify the domain of the service initiator against the white list. Once a valid entry has been determined, the gateway will use the key associated with the entry to decrypt the service rendezvous identity and compare it to the target client's true identity to decide whether to proceed with the request. If a decryption fails, the service initiator is informed in the response that the identifier supplied in the request was unrecognized. Note that the encrypted identity should be logged with all events generated by the proxy gateway at the same points as the clear text identity is logged for a transaction.
- FIG. 5 shows a process that may be performed by the proxy gateway 34 for the pull scenario, in accordance with the above-described technique.
- the proxy gateway receives a pull request (e.g., an HTTP GET request) from a mobile device.
- the proxy gateway consults its white list to identify the key associated with the origin server targeted by the request.
- the proxy gateway hashes (encodes) the client identifier of the mobile device with the identified key and incorporates the encrypted result into a proxy request.
- the proxy gateway sends the proxy request to the target origin server.
- the proxy gateway sends the information returned by the origin server (or other appropriate information) to the requesting mobile device at block 506 . Otherwise, the proxy gateway sends an appropriate error message to mobile device at block 507 .
- FIG. 6 shows a process that may be performed by the service proxy gateway 35 for the push scenario, in accordance with the above-described technique.
- the service proxy gateway receives a request from a service initiator to push information to a mobile device.
- the request includes a client identifier for the target mobile device, encrypted as described above.
- the service proxy gateway determines at block 602 whether its white list includes a stored key for the URI of the requesting service initiator. If there is no stored key for that service initiator, then the request is determined to be invalid at block 606 . In that case, action on the request is prevented, and the requesting service initiator is notified that the request has been barred.
- the service proxy gateway uses the key to decrypt the client identifier in the request. As noted above, this key is the same key as used to encrypt the client identity for all pull requests to origin servers having the URI of the service initiator.
- the service proxy gateway determines whether the decrypted client identifier matches the true client identifier for the target mobile device. If the two client identifiers match, then the push request is determined to be invalid at block 605 , and action on the request is allowed to proceed. Otherwise, the request is determined to be invalid and is therefore barred at block 606 , as described above.
- the hashing algorithm used to encode and decode the client identity is symmetric. That is, the same key is used for encryption and decryption for a given client and URI.
- a simple addition algorithm may be used. Examples of suitable algorithms include: the Kerberos authentication system, International Data Encryption Algorithm (IDEA), and Data Encryption Standard (DES).
- the key should be chosen to be approximately the same length has the client identity to be encrypted.
- IDEA and DES are examples of block cipher algorithms in which the entity being encrypted and the key material (perhaps 128 bits in length) are both divided into blocks of 16 bits (two bytes) and exclusive-OR'ed (XOR'ed) together. Two sites communicating with the same client should not be able to determine that it corresponds to the same user.
- a user of a mobile device Alice, which is provisioned on a proxy gateway designated “magXYZ” in the communication service provider's domain, tries to access the URI, www.yahoo.com.
- this URI has the key, 123456789123456789, or 0xACD05F15 in hexadecimal (“hex”) (where the “0x” denotes hex), as assigned in the above-described white list table.
- the unencrypted client identifier may be, for example, Alice _mag@csp.com.
- HTTP version 1.1 may appear as follows:
- the encrypted client identifier in this example is 0xEEBE3676098F31740BA43A661AFE307A, which appears after the “x-up-subno:” header in the last line of the request.
- the encoding breakdown for the encrypted identifier is as follows:
- the symmetric encoding is applied.
- the client identifier 0xEEBE3676098F31740BA43A661AFE307A is used as a push address
- an identical XOR function is applied using the same key, 0xACD05F15, such that the original client identifier is generated.
- 0xEEBE XOR 0xACD0 produces ASCII code “A”+ASCII code “I”.
- the push identifier is the encoded client identifier.
- the source of the push request is looked up in the white list table, and the key is extracted and applied again to decode the identifier to the true/original subscriber identifier.
- FIG. 7 is a high-level block diagram of a processing system representative of any of the processing systems shown in FIG. 1 . Note that FIG. 7 is not intended to represent any one specific physical arrangement of components, as such details are not germane to the present invention and are well within the knowledge of those skilled in the art.
- the illustrated processing system includes one or more processors 71 , i.e., a central processing unit (CPU), read-only memory (ROM) 72 , random access memory (RAM) 73 , and a mass storage device 74 , coupled to each other on a bus system 78 .
- the bus system 78 may include one or more buses connected to each other through various bridges, controllers and/or adapters, such as are well-known in the art.
- the bus system 78 may include a “system bus”, which may be connected through an adapter to one or more expansion buses, such as a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
- PCI peripheral component interconnect
- EISA extended industry standard architecture
- a mass storage device 74 Also coupled to the bus system 78 are a mass storage device 74 , one or more input/output (I/O) devices 75 - 1 through 75 -N, and one or more data communication devices 76 and 79 , to communicate with remote processing systems via one or more communication links 77 and 80 , respectively.
- I/O devices 75 could include, for example, any one or more of: a display device, a keyboard, a pointing device (e.g., mouse, trackball, or touchpad), or an audio speaker.
- the processor(s) 71 may be, or may include, for example, one or more conventional general-purpose or special-purpose programmable microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), or programmable logic devices (PLDs), or a combination of such devices.
- the mass storage device 74 may be, or may include, any one or more devices suitable for storing large volumes of data in a non-volatile manner, such as a magnetic disk or tape, magneto-optical (MO) storage device, or any of various types of Digital Video Disk (DVD) or Compact Disk (CD) based storage, or a combination of such devices.
- the data communication devices 76 and 79 may be any devices suitable for enabling the processing system to communicate data with a remote processing system over a data communication link, such as a wireless transceiver (e.g., if implemented in a mobile device), a conventional telephone modem, a wireless modem, an Integrated Services Digital Network (ISDN) adapter, a Digital Subscriber Line (DSL) modem, a cable modem, a satellite transceiver, an Ethernet adapter, or the like.
- ISDN Integrated Services Digital Network
- DSL Digital Subscriber Line
- At least one of communication links 77 and 80 may be a wireless link, such as to provide the connection between mobile devices 1 and wireless network 2 in FIG. 1 .
- FIG. 7 shows two communication devices 76 and 79 , more than one data communication device would not necessarily be required.
- a proxy gateway or service proxy gateway does require at least two communication interfaces (i.e., one to connect to the wireless network and one to connect to the wired network), although these interfaces potentially can be implemented in a single physical device.
Abstract
A method and apparatus for protecting the identities of mobile devices on a wireless network are described. A proxy gateway couples the wireless network to a wired network and maintains data associating a set of service initiators with a set of cryptographic keys. Upon receiving a request from a mobile client device directed to an origin server on the wired network, the proxy gateway identifies the cryptographic key for that origin server and sends to the origin server a proxy request. The proxy request includes an identifier of the mobile device, encrypted using the cryptographic key. When the proxy gateway receives a request from a service initiator on the wired network to push information to a mobile device, it uses the cryptographic key for that service initiator to decode a client identifier in the request and thereby determine whether the request is valid.
Description
- This is a continuation of U.S. patent application Ser. No. 09/866,037, filed on May 24, 2001, which is incorporated herein by reference.
- The present invention pertains to the internetworking of computers, communication devices, and other processing systems. More particularly, the present invention relates to protecting the identities of mobile devices on a wireless network having access to a wired network.
- Present technology allows mobile devices operating on wireless networks to access information stored on a separate, wired network, such as the Internet.
FIG. 1 illustrates an example of a network environment in which this may be done. A number (N) of mobile devices 1-1 through 1-N operate on awireless network 2. Each of themobile devices 1 may be, for example, any one of a cellular telephone, personal digital assistant (PDA), notebook (laptop) computer, two-way pager, or other wireless device. Thewireless network 2 is coupled to a conventionalwired computer network 3 through aproxy gateway 4. Thewired network 3 may be, for example, the Internet, a corporate intranet, a wide area network (WAN), a local area network (LAN), a public switched telephone network (PSTN), or a combination thereof. - The
proxy gateway 4 uses well-known techniques to enable communication between themobile devices 1 and a number (M) of processing systems 5-1 through 5-M operating on thewired network 3. The physical computing platforms which embody theproxy gateway 4 andprocessing systems 5 may include, for example, conventional personal computers (PCs) and/or server-class computer systems. Among other operations, theproxy gateway 4 may convert/translate between the languages and protocols used byprocessing systems 5, such as hypertext markup Language (HTML) and hypertext transport protocol (HTTP), and the languages and protocols used by themobile devices 1, such as wireless markup language (WML) and wireless access protocol (WAP). Accordingly, in one embodiment theproxy gateway 4 operates as a proxy for transmitting various requests on behalf of themobile devices 1 and theprocessing devices 5, as described further below. An example of a device which can serve as theproxy gateway 4 is the UP.Link Server, from Openwave Systems of Redwood City, Calif. Note that whileproxy gateway 4 is shown as a single entity, the proxy and gateway functions can be distributed between separate physical platforms. Furthermore, both functions do not necessarily have to be used in a given network environment. -
Processing systems 5 include one or more “origin servers” (e.g., 5-1) and one or more “service initiators” (e.g., 5-M). Origin servers provide content, such as hypermedia documents, tomobile devices 1 in response to standard (e.g., HTTP) requests from themobile devices 1. Service initiators “push” content to themobile devices 1, i.e., they send content to themobile devices 1 without the content having been explicitly requested by themobile devices 1. Note that an origin server and a service initiator may be implemented within the same computing platform and are often implemented within a single network domain. - One problem associated with a network environment such as this is that data identifying each of the
mobile devices 1 is commonly distributed to many other processing systems, such asprocessing systems 5 on thewired network 3. This identification data can be used for a variety of purposes, some of which are undesirable for the users of the mobile devices. - When a mobile device (a “client”) makes a request for content via the
proxy gateway 4, theproxy gateway 4 may add identification data to the meta-data (e.g., HTTP request headers) of that request, which is passed on to theorigin server 5, as shown inFIG. 2A . This scenario is referred to as the “pull” scenario. The identification data may be a direct reference to the source address of the client (e.g., the client's mobile telephone number in the case of wireless access), or it may be the identity of the client as determined from the provisioning system controlling the proxy. The rules governing the addition of this identification data are normally controlled by a “white list” within theproxy gateway 4. The white list is a list of domain name references to which service is permitted. The client identity data may also be used as a rendezvous address for services making requests to the client, such as WAP push requests. - The client identity information may be used in a number of legitimate ways, such as: to allow devices responding to requests to authenticate the requesting mobile devices; to track the devices' requests and develop client profiles on an origin server; to tailor a response to the request and to the identity of the client; to allow access for services that make subsequent requests to the client, such as the “Posting” of documents or WAP push requests; or, to allow the client to be accessed by another communication medium, such as a short message service (SMS) message or a telephone call. Thus, the client identity passed as part of a pull request may be subsequently used in a push scenario to gain access to the client via a service proxy or gateway.
- The problem is that the same identity is normally given to all servers, regardless of the intended use of the service. As a result, the client is made vulnerable in several ways. For example, disclosure of the client identity allows unsolicited access to be made to the client, such as in the form of phone calls, SMS messages, or WAP push requests, without prior authorization being given for those services. This situation is illustrated in
FIG. 2B , in which a request from aservice initiator 5 includes the client identity previously acquired from theproxy gateway 4, which is used to gain access to themobile device 1. In addition, client preferences may be gathered by groups of unrelated servers using the identity supplied by the proxy gateway. Furthermore, the client identity may not be changed for an individual proxy. Once established for a single server, the client identity is valid for all servers. Consequently, it is difficult to control misuse on an individual service provider basis without assigning a new identity to the client (which may be impossible or impractical). - One attempt at solving this privacy problem is the use of pseudonyms. The pseudonym approach works by encrypting the client information at the source. However, this technique does not account for cases in which client identity information is added by network elements along the path of the request. In addition, only a single pseudonym is in operation at any one time, such that a client identity cannot be encrypted on a per-URI (uniform resource identifier) basis. In addition, the pseudonym technique is not designed to regulate any form of push service.
- Another partial solution to the privacy problem is known as Platform for Privacy Preferences Project (P3P). According to this approach, a P3P client negotiates the release of personal data with the origin server prior to completing a request. The privacy policy acceptable to the client and the privacy policy of the server are both expressed in schema defined by the P3P group within the World Wide Web Consortium (W3C). This approach, however, does not prevent a client's identity from being communicated to an origin server. In addition, as with pseudonyms, there is no way to regulate a service which may initiate a request toward the client.
- What is needed, therefore, is a solution which overcomes these and other shortcomings of the prior art.
- The present invention includes a method and apparatus for operating a processing system on a network. In the processing system, an identifier of a mobile device on a wireless network is encrypted, and used to validate a request from a service initiator directed to the mobile device.
- Other features of the present invention will be apparent from the accompanying drawings and from the detailed description which follows.
- The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
-
FIG. 1 illustrates a network environment in which mobile devices can communicate with origin servers and service initiators; -
FIG. 2A shows a “pull” scenario, in which a client requests information from an origin server; -
FIG. 2B shows a “push” scenario, in which a service initiator sends a requests directed to a client; -
FIG. 3 is a block diagram showing the encoding of client identity within pull requests; -
FIG. 4 is a block diagram showing the use of pull requests with different encoded client identities for different URIs, and push requests using encoded client identities; -
FIG. 5 is a flow diagram showing a pull process that may be performed by the proxy gateway; -
FIG. 6 is a flow diagram showing a push process that may be performed by the service proxy gateway; and -
FIG. 7 is a high-level block diagram of a processing system representing any of the processing systems shown inFIG. 1 . - A method and apparatus for protecting the identities of mobile devices on a wireless network are described. Note that in this description, references to “one embodiment” or “an embodiment” mean that the feature being referred to is included in at least one embodiment of the present invention. Further, separate references to “one embodiment” in this description do not necessarily refer to the same embodiment; however, neither are such embodiments mutually exclusive, unless so stated and except as will be readily apparent to those skilled in the art. Thus, the present invention can include any variety of combinations and/or integrations of the embodiments described herein.
- As noted above, one problem with the prior art is that the client identity passed as part of a pull request may be subsequently used for undesirable and/or unauthorized purposes. The solution described herein protects the identities of the mobile devices to prevent that from occurring. Among other advantages, the described solution allows the regulation of unauthorized and or unsolicited push services directed to the mobile devices. Further, push services can be regulated on a per-URI basis.
- The solution described herein includes hashing the client identity data on each client request on a per-URI basis. This solution may be implemented within a network environment such as shown in
FIG. 1 . In particular, a proxy gateway such as shown inFIG. 1 can be configured to perform the described actions. Thus, referring toFIG. 3 , aproxy gateway 34 coupling a wireless network to a wired network maintains a white list, which includes data associating a set of service initiators with a set of cryptographic keys. A different unique key is assigned to each service initiator URI. Upon receiving a request directed to anorigin server 5 from a mobile device 1 (the client), theproxy gateway 34 identifies the cryptographic key of thetarget origin server 5 and sends to that origin server 5 a proxy request on behalf of themobile device 1. The proxy request includes an identifier of the mobile device, which theproxy gateway 34 has encrypted using the cryptographic key corresponding to thetarget origin server 5. - For example, as shown in
FIG. 3 ,Request # 1 sent by theclient 1 directed to origin server 5-A is modified by theproxy gateway 34 to form a proxy request that includes the encrypted identity (“1234”) of theclient 1, which is then sent to origin server 5-A. Forrequest # 1, the client identity is encrypted using the key associated with origin server 5-A. Origin server 5-B has a different URI from origin server 5-A, however, and as a result, it has a different cryptographic key associated with it. Accordingly, forRequest # 2 the client identity is encrypted using the key associated with origin server 5-B. Consequently,Request # 2 sent by theclient 1 directed to origin server 5-B is modified by theproxy gateway 34 to form a proxy request to origin server 5-B, which includes an encrypted identity (“78901”) of theclient 1 different from that used for origin server 5-A. - This technique is further illustrated in
FIG. 4 . A service initiator and an origin server are associated together using the proxy gateway's white list, as described further below. Hence, for a given URI (which may include one or more origin servers and one or more service initiators), theproxy gateway 34 uses a unique cryptographic key to encrypt the client identifier for all pull requests directed to that URI, and theservice proxy gateway 35 applies the same key to determine the validity of all push requests originating from that URI. When aservice proxy gateway 35 receives a push request from a service initiator directed to amobile device 1, it uses the cryptographic key associated with that service initiator to decode the encrypted client identity contained within the request. If the decoded client identity matches the client identity of the targetmobile device 1, the request is considered the valid. Otherwise the request is considered to be invalid, and fulfillment of the request is barred. - Thus, in the push scenario, the client identity is used as the rendezvous identity for services making request to clients. Note that the true (unencrypted) client identity of each
mobile device 1 may be stored in any of a number of possible locations, such as in theproxy gateway 34 and/or theservice proxy gateway 35, in themobile device 1, or elsewhere on the network. Also, note thatproxy gateway 34 and theservice proxy gateway 35 can be implemented within the same physical platform and may even be the same device. - Referring still to
FIG. 4 , consider the following example. Service initiator 5-D reuses the encrypted client identity information provided in prior pull requests to initiate a push request to the client 1 (Request #4). Service initiator 5-F does the same, except that it uses a different identity for theclient 1, supplied inRequest # 3.Request # 3 andRequest # 4 are valid push requests. However, when service initiator 5-F attempts to use the client identity associated with service initiator 5-D (as illustrated by Request #5), the service request is invalid and is therefore barred by theservice proxy gateway 35. When a service initiator attempts to use a client identity obtained from any other source, the request is invalid and is therefore barred, as illustrated by service initiator 5-G andRequest # 6. - There are various types of client identifiers, derived from the mobile device, the network, or the proxy gateways, which may be encoded in this way prior to release to origin servers or service initiators. For example, the client identifier may be an international mobile subscriber identifier (IMSI), an electronic serial number (ESN), a mobile services ISDN number (MSISDN), a mobile identity number (MIN), or an Internet protocol (IP) address version 4 (IPv4) or version 6 (IPv6). Alternatively, the client identifier may be a unique alphanumeric subscriber identifier formed by using the server operator's internal account number of the subscriber, or formed by combining provisioning data, user data, and naming authority domain (e.g., “alice _mag01@csp.com”).
- As noted above, a service initiator and an origin server may be associated together in the proxy gateway's white list, along with the corresponding cryptographic key. An example of how such a white list may appear in a proxy gateway is set forth in the following table:
Service Initiator URI White List URI Key www.yahoo-push.com www.yahoo.* 123456789123456789 Calendar.yahoo.* Messenger.yahoo.id/* My.yahoo.com/* www.icq.* *.icq.com 9876543211234565789 www.trusted-host.com www.mytelco.* 0 - Multiple domains used in the pull environment can be linked to a single service initiator, as shown. As each pull request is made, the key hashes the subscriber number. If there is no key (i.e., the key is “0”), the client identity is transmitted to the origin server in clear text; this approach maintains backward compatibility and enables operation in a trusted manner inside the gateway operator's domain.
- On receipt of a request from a service initiator, the
service proxy gateway 35 will verify the domain of the service initiator against the white list. Once a valid entry has been determined, the gateway will use the key associated with the entry to decrypt the service rendezvous identity and compare it to the target client's true identity to decide whether to proceed with the request. If a decryption fails, the service initiator is informed in the response that the identifier supplied in the request was unrecognized. Note that the encrypted identity should be logged with all events generated by the proxy gateway at the same points as the clear text identity is logged for a transaction. -
FIG. 5 shows a process that may be performed by theproxy gateway 34 for the pull scenario, in accordance with the above-described technique. Atblock 501, the proxy gateway receives a pull request (e.g., an HTTP GET request) from a mobile device. Atblock 502, the proxy gateway consults its white list to identify the key associated with the origin server targeted by the request. Atblock 503, the proxy gateway hashes (encodes) the client identifier of the mobile device with the identified key and incorporates the encrypted result into a proxy request. Atblock 504, the proxy gateway sends the proxy request to the target origin server. If a response to the request is subsequently received from the origin server within a specified timeout period (block 505), the proxy gateway sends the information returned by the origin server (or other appropriate information) to the requesting mobile device atblock 506. Otherwise, the proxy gateway sends an appropriate error message to mobile device atblock 507. -
FIG. 6 shows a process that may be performed by theservice proxy gateway 35 for the push scenario, in accordance with the above-described technique. Atblock 601, the service proxy gateway receives a request from a service initiator to push information to a mobile device. The request includes a client identifier for the target mobile device, encrypted as described above. The service proxy gateway then determines atblock 602 whether its white list includes a stored key for the URI of the requesting service initiator. If there is no stored key for that service initiator, then the request is determined to be invalid atblock 606. In that case, action on the request is prevented, and the requesting service initiator is notified that the request has been barred. If there is a stored key for that service initiator, then atblock 603 the service proxy gateway uses the key to decrypt the client identifier in the request. As noted above, this key is the same key as used to encrypt the client identity for all pull requests to origin servers having the URI of the service initiator. Atblock 604, the service proxy gateway determines whether the decrypted client identifier matches the true client identifier for the target mobile device. If the two client identifiers match, then the push request is determined to be invalid atblock 605, and action on the request is allowed to proceed. Otherwise, the request is determined to be invalid and is therefore barred atblock 606, as described above. - The hashing algorithm used to encode and decode the client identity is symmetric. That is, the same key is used for encryption and decryption for a given client and URI. A simple addition algorithm may be used. Examples of suitable algorithms include: the Kerberos authentication system, International Data Encryption Algorithm (IDEA), and Data Encryption Standard (DES). The key should be chosen to be approximately the same length has the client identity to be encrypted. Thus, IDEA and DES are examples of block cipher algorithms in which the entity being encrypted and the key material (perhaps 128 bits in length) are both divided into blocks of 16 bits (two bytes) and exclusive-OR'ed (XOR'ed) together. Two sites communicating with the same client should not be able to determine that it corresponds to the same user.
- Consider the following example. Assume that a user of a mobile device, Alice, which is provisioned on a proxy gateway designated “magXYZ” in the communication service provider's domain, tries to access the URI, www.yahoo.com. Assume further that this URI has the key, 123456789123456789, or 0xACD05F15 in hexadecimal (“hex”) (where the “0x” denotes hex), as assigned in the above-described white list table. The unencrypted client identifier may be, for example, Alice _mag@csp.com. Hence, a standard pull request from Alice's mobile device based on HTTP version 1.1 may appear as follows:
-
- GET http://www.yahoo.com/ HTTP/1.1
- Accept: application/vnd.wap.wmlc
- Request proxied from MAG/EFS
- GET http://www.yahoo.com/ HTTP/1.1
- Accept: application/vnd.wap.wmlc
- x-up-subno: ‘0xEEBE3676098F31740BA43A661AFE307A’
- The encrypted client identifier in this example is 0xEEBE3676098F31740BA43A661AFE307A, which appears after the “x-up-subno:” header in the last line of the request. The encoding breakdown for the encrypted identifier is as follows:
-
- “Al” XOR 0xACD0=0xEEBE
- “ic” XOR 0x5F15=0x3676
- “e_” XOR 0xACD0=0xC98F
- “ma” XOR 0x5F15=0x3174
- “g@” XOR 0xACD0=0xCBA4
- “cs” XOR 0x5F15=0x3A66
- “p.” XOR 0xACD0=0xDAFE
- “co” XOR 0x5F15=0x3C7A
- “m” XOR 0xACD0=0xC1
- For each client identifier that is to be protected in this manner, the symmetric encoding is applied. In the push scenario, when the client identifier 0xEEBE3676098F31740BA43A661AFE307A is used as a push address, an identical XOR function is applied using the same key, 0xACD05F15, such that the original client identifier is generated. For example, 0xEEBE XOR 0xACD0 produces ASCII code “A”+ASCII code “I”.
- An example of such a push request based on HTTP version 1.1 is as follows:
POST /cgi-bin/wap_push.cgi HTTP/1.1 Host: www.wireless-network.com Date: Sun, 13 May 2001 18:13:23 GMT Content-Type: multipart/related;boundary=asdlfkjiurwghasf;type=“application/xml” Content-Length: 353 --asdlfkjiurwghasf Content-Type: application/xml <?xml version=“1.0”?> <!DOCTYPE pap PUBLIC “-//WAPFORUM//DTD PAP 1.0//EN” “http://www.wapforum.org/DTD/pap_1.0.dtd”> <pap> <push-message push-id=“9fjeo39jf084@pi.com”> <address address- value=“wappush=0xEEBE3676098F31740BA43A661AFE307A/type=user@csp. com”></address> </push-message> </pap> --asdlfkjiurwghasf Content-Type: text/vnd.wap.wml <?xml version=“1.0”?> - As shown, the push identifier is the encoded client identifier. During processing by the proxy gateway, the source of the push request is looked up in the white list table, and the key is extracted and applied again to decode the identifier to the true/original subscriber identifier.
- As noted above, various types of processing systems may be used to implement the operations described herein, such as PCs, server-class computers, or (particularly in the case of mobile devices) cellular telephones, PDAs, two-way pagers, etc.
FIG. 7 is a high-level block diagram of a processing system representative of any of the processing systems shown inFIG. 1 . Note thatFIG. 7 is not intended to represent any one specific physical arrangement of components, as such details are not germane to the present invention and are well within the knowledge of those skilled in the art. - The illustrated processing system includes one or
more processors 71, i.e., a central processing unit (CPU), read-only memory (ROM) 72, random access memory (RAM) 73, and amass storage device 74, coupled to each other on abus system 78. Thebus system 78 may include one or more buses connected to each other through various bridges, controllers and/or adapters, such as are well-known in the art. For example, thebus system 78 may include a “system bus”, which may be connected through an adapter to one or more expansion buses, such as a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus. Also coupled to thebus system 78 are amass storage device 74, one or more input/output (I/O) devices 75-1 through 75-N, and one or moredata communication devices more communication links O devices 75 in addition to the data communication device. The I/O devices 75 could include, for example, any one or more of: a display device, a keyboard, a pointing device (e.g., mouse, trackball, or touchpad), or an audio speaker. - The processor(s) 71 may be, or may include, for example, one or more conventional general-purpose or special-purpose programmable microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), or programmable logic devices (PLDs), or a combination of such devices. The
mass storage device 74 may be, or may include, any one or more devices suitable for storing large volumes of data in a non-volatile manner, such as a magnetic disk or tape, magneto-optical (MO) storage device, or any of various types of Digital Video Disk (DVD) or Compact Disk (CD) based storage, or a combination of such devices. - The
data communication devices communication links mobile devices 1 andwireless network 2 inFIG. 1 . - Note that while
FIG. 7 shows twocommunication devices - It will be recognized that many of the features and techniques described above may be implemented in software. That is, the described operations may be carried out in a processing system in response to its processor(s) executing sequences of instructions contained in memory. The instructions may be executed from a memory such as
RAM 73 and may be loaded from a persistent store, such as amass storage device 74 and/or from one or more other remote processing systems. Likewise, hardwired circuitry may be used in place of software, or in combination with software, to implement the features described herein. Thus, the present invention is not limited to any specific combination of hardware circuitry and software, nor to any particular source of software executed by the processing systems. - Thus, a method and apparatus for protecting the identities of mobile devices on a wireless network have been described. Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention as set forth in the claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than a restrictive sense.
Claims (20)
1. A method of operating a processing system on a network, the method comprising:
encrypting an identifier of a mobile device on a wireless network; and
using the encrypted identifier to validate a request from a service initiator directed to the mobile device.
2. A method as recited in claim 1 , further comprising maintaining a different cryptographic key for each of a plurality of service initiators.
3. A method as recited in claim 2 , further comprising using the same cryptographic key for each service initiator in a second plurality of service initiators.
4. A method as recited in claim 2 , wherein said encrypting comprises selecting and using one of the cryptographic keys to encrypt the identifier, the method further comprising including the encrypted identifier in a request to a remote processing system, based on a request from the mobile device.
5. A method as recited in claim 4 , wherein said using the encrypted identifier to validate a request from a service initiator comprises selecting and using one of the cryptographic keys associated with said service initiator to validate the request.
6. A method as recited in claim 5 , wherein said method is performed by a proxy server connected to the wireless network and to a wired network including the service initiator.
7. A method as recited in claim 1 , wherein said encrypting comprises:
hashing the identifier with a cryptographic key; and
including the encrypted identifier in a proxy request to a remote processing system based on an initial request received from the mobile device.
8. A method as recited in claim 7 , wherein said using the encrypted identifier to validate a request from a service initiator comprises using the cryptographic key to decrypt an identifier included in the request from the service initiator; and
determining whether the identifier in the request from the service initiator corresponds to the mobile device.
9. A method of operating a processing system on a network, the method comprising:
encrypting an identifier of a mobile device on a wireless network;
including the encrypted identifier in a proxy request to a remote processing system on a network, based on a request from the mobile device; and
using the encrypted identifier to control handling of requests by a plurality of remote processing systems on the network to provide information to the mobile device.
10. A method as recited in claim 9 , further comprising maintaining a different cryptographic key for each of the plurality of remote processing systems.
11. A method as recited in claim 10 , wherein said using the encrypted identifier to control handling of requests comprises, for each said request by a remote processing system, using one of the cryptographic keys corresponding to the remote processing system to validate the request.
12. A method of operating a proxy on a network, the method comprising:
storing an association of service providers and cryptographic keys;
receiving a request from a mobile device, the request directed to a remote server on the network;
using the stored association to identify a cryptographic key associated with the remote server;
using the identified cryptographic key to encode an identifier of the mobile device;
incorporating the encoded identifier into a proxy request; and
sending the proxy request to the remote server on behalf of the mobile device.
13. A method as recited in claim 12 , wherein said storing an association of service providers and cryptographic keys comprises storing a unique cryptographic key for each of a plurality of service providers.
14. A method as recited in claim 13 , wherein the stored association specifies a plurality of network addresses for at least one of the plurality of service providers, and wherein said using the stored association to identify a cryptographic key comprises identifying a cryptographic key associated with a network address to which the request is directed.
15. A method as recited in claim 12 , wherein said using the identified cryptographic key to encode an identifier of the mobile device comprises hashing the cryptographic key with the identifier of the mobile device.
16. A method of operating a proxy on a network, the method comprising:
storing an association of service providers and cryptographic keys, including a plurality of cryptographic keys and one or more network addresses associated with each of the cryptographic keys;
receiving a request from a mobile client device, the request directed to a network address representing a remote server on the network;
using the stored association to identify a cryptographic key associated with the remote server;
generating a proxy request based on the request received from the mobile client device, by using the identified cryptographic key to encode an identifier of the mobile client device and incorporating the encoded identifier into the proxy request; and
sending the proxy request to the remote server on behalf of the mobile client device.
17. A method as recited in claim 16 , wherein said using the identified cryptographic key to encode an identifier of the mobile client device comprises hashing the cryptographic key with the identifier of the mobile client device.
18. A processing system coupled to a wireless network and to a wired network, the processing system comprising:
a processor; and
a storage facility coupled to the processor and storing instructions which configure the processing system to:
encrypt an identifier of a mobile device on the wireless network;
include the encrypted identifier in a proxy request to a remote processing system on the wired network, based on a request from the mobile device; and
use the encrypted identifier to control handling of requests by a plurality of remote processing systems on the wired network to provide information to the mobile device.
19. A processing system as recited in claim 18 , wherein the processing system further stores a plurality of cryptographic keys, including a different cryptographic key for each of the plurality of remote processing systems.
20. A processing system as recited in claim 19 , wherein said using the encrypted identifier to control handling of requests comprises, for each said request by a remote processing system, using one of the cryptographic keys corresponding to the remote processing system to validate the request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/166,987 US20050232191A1 (en) | 2001-05-24 | 2005-06-23 | Method and apparatus for protecting identities of mobile devices on a wireless network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/866,037 US6944760B2 (en) | 2001-05-24 | 2001-05-24 | Method and apparatus for protecting identities of mobile devices on a wireless network |
US11/166,987 US20050232191A1 (en) | 2001-05-24 | 2005-06-23 | Method and apparatus for protecting identities of mobile devices on a wireless network |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/866,037 Continuation US6944760B2 (en) | 2001-05-24 | 2001-05-24 | Method and apparatus for protecting identities of mobile devices on a wireless network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050232191A1 true US20050232191A1 (en) | 2005-10-20 |
Family
ID=25346795
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/866,037 Expired - Lifetime US6944760B2 (en) | 2001-05-24 | 2001-05-24 | Method and apparatus for protecting identities of mobile devices on a wireless network |
US11/166,987 Abandoned US20050232191A1 (en) | 2001-05-24 | 2005-06-23 | Method and apparatus for protecting identities of mobile devices on a wireless network |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/866,037 Expired - Lifetime US6944760B2 (en) | 2001-05-24 | 2001-05-24 | Method and apparatus for protecting identities of mobile devices on a wireless network |
Country Status (2)
Country | Link |
---|---|
US (2) | US6944760B2 (en) |
EP (1) | EP1313286A3 (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040111376A1 (en) * | 2002-10-09 | 2004-06-10 | Nokia Corporation | Method and arrangement for concealing true identity of user in communications system |
US20050021526A1 (en) * | 2002-07-11 | 2005-01-27 | International Business Machines Corporation | Method for ensuring the availability of a service proposed by a service provider |
US20050129034A1 (en) * | 2003-12-11 | 2005-06-16 | Haruyuki Takeyoshi | Cooperation information managing apparatus and gateway apparatus for use in cooperation information managing system |
US20080077693A1 (en) * | 2006-09-22 | 2008-03-27 | International Business Machines Corporation | System and method for automatically generating a proxy interface object to communicate through a gateway software server to a remote software server |
US20080101278A1 (en) * | 2006-10-25 | 2008-05-01 | Henrik Bengtsson | Methods, systems, and devices for establishing a registrationless data communication connection between electronic devices |
US20080183800A1 (en) * | 2007-01-26 | 2008-07-31 | Microsoft Corporation | Mobile device management proxy system |
US20100138534A1 (en) * | 2008-11-25 | 2010-06-03 | Rishi Mutnuru | Systems and methods for monitor an access gateway |
US20110090849A1 (en) * | 2006-10-24 | 2011-04-21 | Chung-Zin Liu | Approach for QoS control on un-wanted services (e.g. VoIP or Multimedia) over wireless and wireless IP network |
US9866463B2 (en) | 2009-12-23 | 2018-01-09 | Citrix Systems, Inc. | Systems and methods for object rate limiting in multi-core system |
EP3939201A4 (en) * | 2019-05-13 | 2022-05-18 | Samsung Electronics Co., Ltd. | Electronic device and method for receiving push message stored in blockchain |
Families Citing this family (80)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6944760B2 (en) * | 2001-05-24 | 2005-09-13 | Openwave Systems Inc. | Method and apparatus for protecting identities of mobile devices on a wireless network |
US7085808B2 (en) * | 2001-06-07 | 2006-08-01 | Nokia Corporation | Method for distinguishing clients in a communication system, a communication system; and a communication device |
EP1271418A1 (en) * | 2001-06-27 | 2003-01-02 | Nokia Corporation | Method for accessing a user operable device of controlled access |
JP3923835B2 (en) * | 2001-07-24 | 2007-06-06 | 株式会社エヌ・ティ・ティ・ドコモ | Communication system, gateway, data relay method, program, and recording medium |
US9418361B2 (en) | 2001-08-21 | 2016-08-16 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
US10469591B2 (en) | 2001-08-21 | 2019-11-05 | Bookit Oy | Method and system for mediating and provisioning services |
US9406032B2 (en) * | 2001-08-21 | 2016-08-02 | Bookit Oy Ajanvarauspalvelu | Financial fraud prevention method and system |
FI118585B (en) | 2006-05-02 | 2007-12-31 | Bookit Oy Ajanvarauspalvelu | Procedure and system for combining text and audio messages in a communication dialogue |
US9807614B2 (en) | 2001-08-21 | 2017-10-31 | Bookit Oy Ajanvarauspalvelu | Using successive levels of authentication in online commerce |
FI118586B (en) | 2006-05-02 | 2007-12-31 | Bookit Oy Ajanvarauspalvelu | Procedure and system for combining text and audio messages in a communication dialogue |
FI20011680A (en) | 2001-08-21 | 2003-02-22 | Bookit Oy | Appointment method and system |
US8666380B2 (en) | 2001-08-21 | 2014-03-04 | Bookit Oy Ajanvarauspalvelu | Communication method and system |
US10902491B2 (en) | 2001-08-21 | 2021-01-26 | Bookit Oy | Product/service reservation and delivery facilitation with semantic analysis enabled dialog assistance |
US9406062B2 (en) * | 2001-08-21 | 2016-08-02 | Bookit Oy Ajanvarauspalvelu | Authentication method and system |
US9171307B2 (en) | 2002-08-21 | 2015-10-27 | Bookit Oy Ajanvarauspalvelu | Using successive levels of authentication in online commerce |
FI124899B (en) | 2008-07-04 | 2015-03-13 | Bookit Oy Ajanvarauspalvelu | Method and system for sending messages |
US8737959B2 (en) | 2001-08-21 | 2014-05-27 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
US8737958B2 (en) | 2001-08-21 | 2014-05-27 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
FI119168B (en) | 2006-04-21 | 2008-08-15 | Jukka Tapio Aula | SMS delivery method and system for queries and invitations |
US11004114B2 (en) | 2001-08-21 | 2021-05-11 | Bookit Oy | Components, system, platform and methodologies for mediating and provisioning services and product delivery and orchestrating, mediating and authenticating transactions and interactions |
FI117663B (en) | 2005-12-02 | 2006-12-29 | Bookit Oy Ajanvarauspalvelu | Message sending method for telecommunication network, involves converting reply address information to correspond to dialogue so that message transmission and reception are implemented in different parts of telecommunication system |
US9937531B2 (en) | 2009-03-10 | 2018-04-10 | Bookit Oy Ajanvarauspalvelu | Method and system for delivery of goods |
US8737955B2 (en) | 2001-08-21 | 2014-05-27 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
US8737954B2 (en) | 2001-08-21 | 2014-05-27 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
US10929784B2 (en) | 2001-08-21 | 2021-02-23 | Bookit Oy | Booking method and system |
US9578022B2 (en) | 2001-08-21 | 2017-02-21 | Bookit Oy Ajanvarauspalvelu | Multi-factor authentication techniques |
US9288315B2 (en) | 2001-08-21 | 2016-03-15 | Bookit Oy Ajanvarauspalvelu | Method and system for mediating and provisioning services |
US7187681B1 (en) * | 2002-06-11 | 2007-03-06 | Cisco Technology, Inc. | Method and apparatus for traffic quality and billing authorization by request token insertion |
US6792545B2 (en) * | 2002-06-20 | 2004-09-14 | Guidance Software, Inc. | Enterprise computer investigation system |
US20070011450A1 (en) * | 2004-09-14 | 2007-01-11 | Mccreight Shawn | System and method for concurrent discovery and survey of networked devices |
US7711728B2 (en) * | 2002-06-20 | 2010-05-04 | Guidance Software, Inc. | System and method for searching for static data in a computer investigation system |
US20040073604A1 (en) * | 2002-10-11 | 2004-04-15 | Kazuhiro Moriya | Cache control method of proxy server with white list |
US20040107143A1 (en) * | 2002-11-29 | 2004-06-03 | Aki Niemi | Method for authorizing indirect content download |
US7321920B2 (en) | 2003-03-21 | 2008-01-22 | Vocel, Inc. | Interactive messaging system |
US8051472B2 (en) * | 2003-12-17 | 2011-11-01 | Oracle International Corporation | Method and apparatus for personalization and identity management |
US20050166053A1 (en) * | 2004-01-28 | 2005-07-28 | Yahoo! Inc. | Method and system for associating a signature with a mobile device |
US7739301B2 (en) * | 2004-03-17 | 2010-06-15 | Netapp, Inc. | Method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles |
US8521687B2 (en) * | 2004-08-03 | 2013-08-27 | International Business Machines Corporation | Apparatus, system, and method for selecting optimal replica sources in a grid computing environment |
WO2006019275A1 (en) | 2004-08-18 | 2006-02-23 | Sk Telecom Co., Ltd. | Method for providing contents in a mobile communication system and apparatus thereof |
US20060067244A1 (en) * | 2004-09-30 | 2006-03-30 | Microsoft Corporation | Registration identifier reuse |
US20060080439A1 (en) * | 2004-10-13 | 2006-04-13 | Andrew Chud | Method and system for reducing bandwidth needed to filter requested content |
US7353034B2 (en) | 2005-04-04 | 2008-04-01 | X One, Inc. | Location sharing and tracking using mobile phones or other wireless devices |
KR100606748B1 (en) * | 2005-05-27 | 2006-08-01 | 엘지전자 주식회사 | Method for certificating message, and terminal and system for the same |
WO2006126221A1 (en) * | 2005-05-27 | 2006-11-30 | Telecom Italia S.P.A. | System and method for performing mobile services, in particular push and pull services, in a wireless communication network |
US7594020B2 (en) * | 2005-05-31 | 2009-09-22 | Microsoft Corporation | Re-establishing a connection for an application layer via a service layer |
US20070055768A1 (en) * | 2005-08-23 | 2007-03-08 | Cisco Technology, Inc. | Method and system for monitoring a server |
US7809686B2 (en) * | 2005-10-06 | 2010-10-05 | Guidance Software, Inc. | Electronic discovery system and method |
US7849309B1 (en) | 2005-12-09 | 2010-12-07 | At&T Intellectual Property Ii, L.P. | Method of securing network access radio systems |
US7238754B1 (en) * | 2005-12-12 | 2007-07-03 | Equistar Chemicals, Lp | Solid state process to modify the melt characteristics of polyethylene resins and products |
WO2007139552A1 (en) | 2006-05-31 | 2007-12-06 | Citrix Systems, Inc. | Systems and methods for determining the charset encoding for decoding a request submission in a gateway |
US20080005226A1 (en) * | 2006-07-03 | 2008-01-03 | Srinivasan Subbian | A method and system for one-to-one communication through proxy |
WO2008022522A1 (en) * | 2006-08-18 | 2008-02-28 | Huawei Technologies Co., Ltd | Method and system for providing mobile service and management center server therefor |
US8892735B2 (en) * | 2006-09-28 | 2014-11-18 | Guidance Software, Inc. | Phone home servlet in a computer investigation system |
US8620315B1 (en) | 2006-09-29 | 2013-12-31 | Yahoo! Inc. | Multi-tiered anti-abuse registration for a mobile device user |
EP2031913B1 (en) | 2007-07-27 | 2011-01-12 | Research In Motion Limited | Apparatus and methods for coordination of wireless systems |
US8626867B2 (en) | 2007-07-27 | 2014-01-07 | Blackberry Limited | Apparatus and methods for operation of a wireless server |
ATE497670T1 (en) | 2007-07-27 | 2011-02-15 | Research In Motion Ltd | WIRELESS SYSTEMS MANAGEMENT |
EP2031909B1 (en) * | 2007-07-27 | 2011-02-16 | Research In Motion Limited | Remote control in a wireless communication system |
US8352550B2 (en) * | 2007-07-27 | 2013-01-08 | Research In Motion Limited | Wireless communication systems |
EP2034776B1 (en) * | 2007-07-27 | 2013-02-13 | Research In Motion Limited | Wireless communication system installation |
EP2031910A3 (en) * | 2007-07-27 | 2009-04-29 | Research In Motion Limited | Administration of wireless devices in a wireless communication system |
US20090034463A1 (en) * | 2007-07-27 | 2009-02-05 | Research In Motion Limited | Method and system for resource sharing |
US9270682B2 (en) | 2007-07-27 | 2016-02-23 | Blackberry Limited | Administration of policies for wireless devices in a wireless communication system |
US8086677B2 (en) * | 2007-07-27 | 2011-12-27 | Research In Motion Limited | Information exchange in wireless servers |
US8516095B2 (en) * | 2008-05-23 | 2013-08-20 | Research In Motion Limited | Remote administration of mobile wireless devices |
AP3366A (en) * | 2008-09-19 | 2015-07-31 | Knowledge Farm Investiments Cc | A method of communicating with a wireless device |
US7958247B2 (en) * | 2008-10-14 | 2011-06-07 | Hewlett-Packard Development Company, L.P. | HTTP push to simulate server-initiated sessions |
US8065361B2 (en) | 2009-02-27 | 2011-11-22 | Research In Motion Limited | Apparatus and methods using a data hub server with servers to source and access informational content |
US9407686B2 (en) * | 2009-02-27 | 2016-08-02 | Blackberry Limited | Device to-device transfer |
US9501775B2 (en) | 2009-03-10 | 2016-11-22 | Bookit Oy Ajanvarauspalvelu | Managing recurring payments from mobile terminals |
CN101854332B (en) * | 2009-03-30 | 2013-04-24 | 华为软件技术有限公司 | Method, device and system for processing streaming service |
US8571218B2 (en) | 2010-06-01 | 2013-10-29 | GreatCall, Inc. | Short message service cipher |
GB2512062A (en) | 2013-03-18 | 2014-09-24 | Ibm | A method for secure user authentication in a dynamic network |
US9286528B2 (en) | 2013-04-16 | 2016-03-15 | Imageware Systems, Inc. | Multi-modal biometric database searching methods |
EP2987109A4 (en) | 2013-04-16 | 2016-12-14 | Imageware Systems Inc | Conditional and situational biometric authentication and enrollment |
US10206098B2 (en) * | 2014-01-07 | 2019-02-12 | Cellco Partnership | System and methods of transaction originator identifier for on-line commercial transaction |
KR102225404B1 (en) * | 2014-05-23 | 2021-03-09 | 삼성전자주식회사 | Method and Apparatus of Speech Recognition Using Device Information |
US11290878B2 (en) | 2015-03-04 | 2022-03-29 | Smartcom Labs Oy | Components, system, platform and methodologies for mediating and provisioning services and product delivery and orchestrating, mediating and authenticating transactions and interactions |
US10341267B2 (en) * | 2016-06-20 | 2019-07-02 | Microsoft Technology Licensing, Llc | Anonymized identifiers for secure communication systems |
TWI602077B (en) | 2017-02-06 | 2017-10-11 | 蓋特資訊系統股份有限公司 | Method and system for protecting data |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6253326B1 (en) * | 1998-05-29 | 2001-06-26 | Palm, Inc. | Method and system for secure communications |
US20010036224A1 (en) * | 2000-02-07 | 2001-11-01 | Aaron Demello | System and method for the delivery of targeted data over wireless networks |
US20010047474A1 (en) * | 2000-05-23 | 2001-11-29 | Kabushiki Kaisha Toshiba | Communication control scheme using proxy device and security protocol in combination |
US20020186683A1 (en) * | 2001-04-02 | 2002-12-12 | Alan Buck | Firewall gateway for voice over internet telephony communications |
US6795924B1 (en) * | 1999-06-10 | 2004-09-21 | Telefonaktiebolaget Lm Ericsson | Sat back channel security solution |
US6944760B2 (en) * | 2001-05-24 | 2005-09-13 | Openwave Systems Inc. | Method and apparatus for protecting identities of mobile devices on a wireless network |
US6976177B2 (en) * | 2000-01-18 | 2005-12-13 | Telefonaktiebolaget Lm Ericsson (Publ) | Virtual private networks |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7093286B1 (en) | 1999-07-23 | 2006-08-15 | Openwave Systems Inc. | Method and system for exchanging sensitive information in a wireless communication system |
-
2001
- 2001-05-24 US US09/866,037 patent/US6944760B2/en not_active Expired - Lifetime
-
2002
- 2002-05-17 EP EP02011062A patent/EP1313286A3/en not_active Withdrawn
-
2005
- 2005-06-23 US US11/166,987 patent/US20050232191A1/en not_active Abandoned
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6253326B1 (en) * | 1998-05-29 | 2001-06-26 | Palm, Inc. | Method and system for secure communications |
US6795924B1 (en) * | 1999-06-10 | 2004-09-21 | Telefonaktiebolaget Lm Ericsson | Sat back channel security solution |
US6976177B2 (en) * | 2000-01-18 | 2005-12-13 | Telefonaktiebolaget Lm Ericsson (Publ) | Virtual private networks |
US20010036224A1 (en) * | 2000-02-07 | 2001-11-01 | Aaron Demello | System and method for the delivery of targeted data over wireless networks |
US20010047474A1 (en) * | 2000-05-23 | 2001-11-29 | Kabushiki Kaisha Toshiba | Communication control scheme using proxy device and security protocol in combination |
US20020186683A1 (en) * | 2001-04-02 | 2002-12-12 | Alan Buck | Firewall gateway for voice over internet telephony communications |
US6944760B2 (en) * | 2001-05-24 | 2005-09-13 | Openwave Systems Inc. | Method and apparatus for protecting identities of mobile devices on a wireless network |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050021526A1 (en) * | 2002-07-11 | 2005-01-27 | International Business Machines Corporation | Method for ensuring the availability of a service proposed by a service provider |
US20040111376A1 (en) * | 2002-10-09 | 2004-06-10 | Nokia Corporation | Method and arrangement for concealing true identity of user in communications system |
USRE45485E1 (en) * | 2002-10-09 | 2015-04-21 | Nokia Corporation | Method and arrangement for concealing true identity of user in communications system |
US7627533B2 (en) * | 2002-10-09 | 2009-12-01 | Nokia Corporation | Method and arrangement for concealing true identity of user in communications system |
US20050129034A1 (en) * | 2003-12-11 | 2005-06-16 | Haruyuki Takeyoshi | Cooperation information managing apparatus and gateway apparatus for use in cooperation information managing system |
US7577105B2 (en) * | 2003-12-11 | 2009-08-18 | Fujitsu Limited | Cooperation information managing apparatus and gateway apparatus for use in cooperation information managing system |
US20080077693A1 (en) * | 2006-09-22 | 2008-03-27 | International Business Machines Corporation | System and method for automatically generating a proxy interface object to communicate through a gateway software server to a remote software server |
US20110090849A1 (en) * | 2006-10-24 | 2011-04-21 | Chung-Zin Liu | Approach for QoS control on un-wanted services (e.g. VoIP or Multimedia) over wireless and wireless IP network |
US8792823B2 (en) * | 2006-10-24 | 2014-07-29 | Alcatel Lucent | Approach for quality of service control on un-wanted services (e.g. voice over internet protocol or multimedia) over wireline and wireless IP network |
US20080101278A1 (en) * | 2006-10-25 | 2008-05-01 | Henrik Bengtsson | Methods, systems, and devices for establishing a registrationless data communication connection between electronic devices |
US8085708B2 (en) * | 2006-10-25 | 2011-12-27 | Sony Ericsson Mobile Communications Ab | Methods, systems, and devices for establishing a registrationless data communication connection between electronic devices |
US7987471B2 (en) | 2007-01-26 | 2011-07-26 | Microsoft Corporation | Mobile device management proxy system |
WO2008091472A1 (en) * | 2007-01-26 | 2008-07-31 | Microsoft Corporation | Mobile device management proxy system |
US20080183800A1 (en) * | 2007-01-26 | 2008-07-31 | Microsoft Corporation | Mobile device management proxy system |
US20100138534A1 (en) * | 2008-11-25 | 2010-06-03 | Rishi Mutnuru | Systems and methods for monitor an access gateway |
US8849988B2 (en) * | 2008-11-25 | 2014-09-30 | Citrix Systems, Inc. | Systems and methods to monitor an access gateway |
US9866463B2 (en) | 2009-12-23 | 2018-01-09 | Citrix Systems, Inc. | Systems and methods for object rate limiting in multi-core system |
EP3939201A4 (en) * | 2019-05-13 | 2022-05-18 | Samsung Electronics Co., Ltd. | Electronic device and method for receiving push message stored in blockchain |
US11770240B2 (en) | 2019-05-13 | 2023-09-26 | Samsung Electronics Co., Ltd. | Electronic device and method for receiving push message stored in blockchain |
Also Published As
Publication number | Publication date |
---|---|
EP1313286A3 (en) | 2003-05-28 |
US20020191795A1 (en) | 2002-12-19 |
EP1313286A2 (en) | 2003-05-21 |
US6944760B2 (en) | 2005-09-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6944760B2 (en) | Method and apparatus for protecting identities of mobile devices on a wireless network | |
US9894046B2 (en) | Handling expired passwords | |
KR101050335B1 (en) | Method for generating and distributing encryption keys in mobile wireless system and corresponding mobile wireless system | |
JP4331848B2 (en) | Security method for communication network and secure data transfer method | |
EP1025675B1 (en) | Security of data connections | |
US7036010B2 (en) | Method and apparatus for a secure communications session with a remote system via an access-controlling intermediate system | |
KR100268095B1 (en) | Data communications system | |
US6775772B1 (en) | Piggy-backed key exchange protocol for providing secure low-overhead browser connections from a client to a server using a trusted third party | |
US6742127B2 (en) | Method and apparatus for maintaining security in a push server | |
JP4377100B2 (en) | Method, system and mobile terminal for data accuracy check | |
US6499108B1 (en) | Secure electronic mail system | |
US6732277B1 (en) | Method and apparatus for dynamically accessing security credentials and related information | |
US20030065956A1 (en) | Challenge-response data communication protocol | |
TW200307439A (en) | Mechanism for supporting wired and wireless methods for client and server side authentication | |
WO2001001644A1 (en) | Apparatus for securing user's information in a mobile communication system connected to the internet and method thereof | |
WO2001063387A2 (en) | Secure distributing services network system and method thereof | |
KR20050067175A (en) | Contact validation and trusted contact updating in mobile wireless communications devices | |
GB2357229A (en) | Security protocol with messages formatted according to a self describing markup language | |
CA2149067A1 (en) | User-identification and verification of data integrity in a wireless communication system | |
US8156340B1 (en) | System and method for securing system content by automated device authentication | |
CN1842993A (en) | Providing credentials | |
JP2005167412A (en) | Communication system, communication terminal and server apparatus used in communication system, and connection authentication method used for communication system | |
JP2005522937A (en) | Method and system for changing security information in a computer network | |
IES82842B2 (en) | MMSC Access Control | |
Itani et al. | SPECSA: a scalable, policy-driven, extensible, and customizable security architecture for wireless enterprise applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: UNWIRED PLANET, LLC, NEVADA Free format text: CONFIRMATORY ASSIGNMENT OF PATENT RIGHTS;ASSIGNOR:UNWIRED PLANET, INC.;REEL/FRAME:030379/0572 Effective date: 20130429 Owner name: UNWIRED PLANET, LLC, NEVADA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:UNWIRED PLANET, INC.;REEL/FRAME:030585/0969 Effective date: 20120914 |