US2009217048A1PendingUtilityA1

Wireless device authentication between different networks

48
Assignee: BCE INCPriority: Dec 23, 2005Filed: Dec 23, 2005Published: Aug 27, 2009
Est. expiryDec 23, 2025(expired)· nominal 20-yr term from priority
Inventors:Brian N. Smith
H04L 63/18H04L 63/0807H04L 63/06H04L 63/0815H04W 12/041H04W 12/0433H04W 12/068
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and system for roaming between heterogeneous networks. The method involves authenticating a mobile communication device on a first network, providing the device with a single-use token that can be used to sign-on to a second network without requiring conventional re-authentication over the second network. The method and system allows a token or set of tokens to be sent to a mobile device over a secure and trusted channel. The token can then be sent over another network, operating over a different protocol to an authentication system where its contents are verified and authorization to access the new network is generated such that the token does not need to be processed by the new network. Hence the mobile device does not need to re-authenticate to the new network.

Claims

exact text as granted — not AI-modified
1 . A method of performing authentication of a wireless mobile communication device on a network, comprising:
 providing a token to the mobile communication device over a first network;   receiving the token from the mobile communication device over a second network; and   authenticating the mobile communication device for access to the second network by verifying the token.   
   
   
       2 . The method of  claim 1 , wherein providing the token to the mobile communication device comprises providing a username and password for access to the second network. 
   
   
       3 . The method of  claim 1 , further including providing encryption keys for establishing a secure channel between the mobile communication device and the second network. 
   
   
       4 . The method of  claim 3 , wherein providing the encryption keys comprises providing the encryption keys with the token. 
   
   
       5 . The method of  claim 1 , wherein providing the token to the mobile communication device comprises generating the token at the request of the mobile communication device. 
   
   
       6 . The method of  claim 1 , wherein the token comprises a header and a token content and wherein providing the token to the mobile communication device further comprises encrypting the token contents. 
   
   
       7 . The method of  claim 6 , wherein encrypting the token contents comprises employing a PKI method. 
   
   
       8 . The method of  claim 6 , wherein authenticating the mobile communication device for access to the second network by verifying the token comprises decrypting the token contents. 
   
   
       9 . The method of  claim 6 , wherein encrypting the token contents comprises applying a hash function to the token contents. 
   
   
       10 . The method of  claim 9 , wherein the hash function is MD5 or SHA. 
   
   
       11 . The method of  claim 1 , wherein providing a token to the mobile communication device comprises providing a plurality of tokens to the mobile communication device. 
   
   
       12 . The method of  claim 11 , wherein providing the plurality of tokens to the mobile communication device comprises providing a plurality of tokens having different expiry times. 
   
   
       13 . The method of  claim 11 , wherein providing the plurality of tokens to the mobile communication device comprises providing a plurality of tokens, each of which provides authentication to a different second network. 
   
   
       14 . The method of  claim 1 , wherein authenticating the mobile communication device comprises transmitting an ACCESS-ACCEPT message to the second network and the mobile communication device. 
   
   
       15 . The method of  claim 1 , wherein providing the token to the mobile communication device comprises providing the token over a secure channel. 
   
   
       16 . The method of  claim 1 , wherein the first network operates under a CDMA 1×RTT, W-CDMA, CDMA EVDO, or GSM protocol. 
   
   
       17 . The method of  claim 1 , wherein the second network operates under an IEEE 802.11, IEEE 802.15, IEEE 802.16, or IEEE 802.20 protocol. 
   
   
       18 . The method of  claim 1 , further comprising having the mobile communication device remain authenticated to both the first and second network. 
   
   
       19 . The method of  claim 18 , wherein having the mobile communication device remain authenticated to both the first and second networks is enabled by a communication according to the IPv6 protocol. 
   
   
       20 . The method of  claim 1 , wherein authenticating the mobile communication device for access to the second network further comprises authenticating under an authentication protocol, if verification of the token is unsuccessful. 
   
   
       21 . The method of  claim 20 , wherein authenticating under an authentication protocol comprises authenticating under CHAP, PAP, EAP or EAPOW protocols. 
   
   
       22 . An authentication system, comprising:
 a token generation module to provide a token to a mobile communication device over a first network;   an authenticator to receive the token from the mobile communication device over a second network, to verify a token contents, and to grant the mobile communication device access to the second network based on the verification of the token contents.   
   
   
       23 . The system of  claim 22 , wherein the token contents comprises a username and password for access to the second network. 
   
   
       24 . The system of  claim 22 , wherein the token expires after a predetermined expiry time. 
   
   
       25 . The system of  claim 22 , wherein the token generation module is further operable to receive a request from the mobile communication device. 
   
   
       26 . The system of  claim 22 , wherein the token generation module is further operable to encrypt the token contents. 
   
   
       27 . The system of  claim 26 , wherein to encrypt the token contents, the token generation module is operable to employ a PKI method. 
   
   
       28 . The system of  claim 26 , wherein the authenticator is further operable to decrypt the token. 
   
   
       29 . The system of  claim 26 , wherein the token generation module is further operable to apply a hash function to the token contents. 
   
   
       30 . The system of  claim 29 , wherein the hash function is MD5 or SHA. 
   
   
       31 . The system of  claim 22 , wherein the token generation module provides a plurality of tokens to the mobile communication device. 
   
   
       32 . The system of  claim 31 , wherein the plurality of tokens have different expiry times. 
   
   
       33 . The system of  claim 31 , wherein each of the plurality of tokens are for authentication to a different second network. 
   
   
       34 . The system of  claim 22  is included in a RADIUS server. 
   
   
       35 . The system of  claim 22  is included in a DIAMETER server. 
   
   
       36 . The system of  claim 34 , wherein the authenticator transmits an ACCESS-ACCEPT message to the second network and the mobile communication device. 
   
   
       37 . The system of  claim 22 , wherein the token is provided over a secure channel. 
   
   
       38 . The system of  claim 22 , wherein the first network operates under a CDMA 1×RTT, W-CDMA, CDMA EVDO, or GSM protocol. 
   
   
       39 . The system of  claim 22 , wherein the second network operates under an IEEE 802.11, IEEE 802.15, IEEE 802.16, or IEEE 802.20 protocol. 
   
   
       40 . The system of  claim 22 , wherein, if verification of the token contents is unsuccessful, the authenticator switches to an authentication protocol. 
   
   
       41 . The system of  claim 40 , wherein the authentication protocol is CHAP, PAP, EAP or EAPOW. 
   
   
       42 . The system of  claim 22 , wherein the token generation module is associated to the first network. 
   
   
       43 . The system of  claim 22 , wherein the token generation module is associated to the second network. 
   
   
       44 . The system of  claim 22 , wherein the authenticator is associated to the first network. 
   
   
       45 . The system of  claim 22 , wherein the authenticator is associated to the second network. 
   
   
       46 . A method for authenticating to a heterogeneous network, comprising:
 receiving a token over a first network to which a mobile communication device is authenticated;   sending the token to an authenticator over a second heterogeneous network;   receiving authorization to access the second network from the authenticator based on a verification of contents of the token.   
   
   
       47 . The method of  claim 46 , wherein the token contents include a username and password for access to the second network. 
   
   
       48 . The method of  claim 46 , wherein the token expires at a predetermined expiry time. 
   
   
       49 . The method of  claim 46 , wherein receiving the token is preceded by initiating a request for a token. 
   
   
       50 . The method of  claim 46 , wherein a plurality of tokens are received. 
   
   
       51 . The method of  claim 50 , wherein the plurality of tokens are each for access to a different network. 
   
   
       52 . The method of  claim 50 , wherein the plurality of tokens each expire at different times. 
   
   
       53 . The method of  claim 50 , wherein sending the token includes selecting one of the plurality of tokens. 
   
   
       54 . The method of  claim 46 , wherein receiving authorization includes receiving an ACCESS-ACCEPT message. 
   
   
       55 . The method of  claim 46 , wherein the token is provided over a secure channel. 
   
   
       56 . The method of  claim 46 , wherein the first network operates under a CDMA 1×RTT, W-CDMA, CDMA EVDO, or GSM protocol. 
   
   
       57 . The method of  claim 46 , wherein the second network operates under an IEEE 802.11, IEEE 802.15, IEEE 802.16, or IEEE 802.20 protocol. 
   
   
       58 . The method of  claim 46 , wherein, if verification of the token contents is unsuccessful, authentication of the mobile communication device to the second network proceeds under an authentication protocol. 
   
   
       59 . The method of  claim 58 , wherein the authentication protocol is CHAP, PAP, EAP or EAPOW. 
   
   
       60 . A mobile communication device, comprising:
 means to receive a token over a first network, the token containing credentials for authentication to a second network; and   means to forward the token over the second network for authentication.   
   
   
       61 . A communications network having authentication functions; comprising:
 an authentication system having a token generation module to provide a token to a mobile communication device over the communications network; and an authenticator to receive the token from the mobile communication device over a separate network, to verify a token contents, and to grant the mobile communication device access to the separate network based on the verification of the token contents.   
   
   
       62 . A communication system, comprising:
 a mobile communication device;   a first network to which the mobile communication is authenticated; and   an authentication system having a token generation module to provide a token to a mobile communication device over the first network; and an authenticator to receive the token from the mobile communication device over a separate network, to verify a token contents, and to grant the mobile communication device access to the separate network based on the verification of the token contents.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.