US2016373444A1PendingUtilityA1

System and Method for Carrying Trusted Network-Provided Access Network Information in Session Initiation Protocol

46
Assignee: INVENTERGY INCPriority: Mar 28, 2006Filed: Jul 8, 2016Published: Dec 22, 2016
Est. expiryMar 28, 2026(expired)· nominal 20-yr term from priority
Inventors:Son Phan-Anh
H04L 63/0815H04L 63/0884H04L 63/0876H04L 61/4588H04L 63/08H04L 63/0492H04L 65/1016
46
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods, computer code products and systems for authenticating user equipment for access to a trusted network can include receiving a user identity uniquely identifying the user equipment. A proxying entity in the trusted network can generate a network-trusted header including the user identity and forward it to a serving entity in the network. The serving entity performs verification on the received carrier header and can compare the user identity with a list of approved user IDs and if a match is found, the user equipment can be authenticated for access to the network. IBCF that performs optional hiding for the proxying entity toward the Home IMS network can extract the proxying entity-generated parameter out of the encrypted token making it readable to the serving entity if it is encrypted in the carrier header. The proxying entity can also provide verification of the utilized header when processing the registration request from the user equipment. Alternatively the serving entity can be provisioned with data related to NBA support in various proxying entities or domains where proxying entities arc located so that the serving entity can decide to proceed with NBA procedure or not for registration received via certain proxying entities or visited networks.

Claims

exact text as granted — not AI-modified
1 - 22 . (canceled) 
     
     
         23 . A method for authenticating user equipment at a service layer, compromising:
 authenticating the user equipment at a network attachment layer,   storing, at an identity repository entity, a binding between a network attachment layer identity of the user equipment and a service layer identity of the user equipment in response to the network attachment layer authentication,   querying, at a proxying entity, during a service layer registration procedure, the service layer identity of the user equipment from the identity repository entity based on the network attachment layer identity of the user equipment,   embedding the service layer identity of the user equipment into a network-trusted header of a registration message,   transmitting the registration message to a serving entity,   retrieving, at the serving entity, a service layer identity of the user equipment from a user profile entity,   authenticating the user equipment at the service layer if the service layer identity of the user equipment transmitted in the network-trusted header of the registration message matches with the service layer identity of the user equipment retrieved from the user profile entity.   
     
     
         24 . The method according to  claim 23  wherein the network-trusted header comprises a network-trusted header of the Session Initiation Protocol, and wherein the network-trusted header comprises at least one of a P-Visited-Network-ID header, a Path header, or a P-Charging-Vector header. 
     
     
         25 . The method according to  claim 23 , wherein the network-trusted header includes a parameter into which user-specific location information can be inserted. 
     
     
         26 . The method according to  claim 23 , further comprising:
 digitally signing the received user identity by the proxying entity; and   verifying the digital signature at the serving entity.   
     
     
         27 . The method according to  claim 23 , wherein topology hiding is performed for the proxying entity towards the serving entity, thereby causing the network-trusted header to be encrypted. 
     
     
         28 . The method according to  claim 23 , wherein the serving entity performs a sanity check on the received network-trusted header. 
     
     
         29 . The method according to  claim 28 , wherein the serving entity performs the sanity check by checking the number of items in the list of that carrier headers against the known result derived from a normative IP Multimedia Subsystem Session Initiation Protocol signaling flow. 
     
     
         30 . The method according to  claim 23 , wherein the proxying entity performs a sanity check on the received registration message related to selected network-trusted header using rules and constraints derive from one of normative IP Multimedia Subsystem Session Initiation Protocol signaling flows and local knowledge. 
     
     
         31 . The method according to  claim 23 , wherein the proxying entity checks and can reject the registration message received from the user equipment if the registration message contains either more than one network-trusted header or any P-Visited-network-ID, Path or P-Charging-Vector. 
     
     
         32 . The method according to  claim 23 , wherein the proxying entity comprises a Proxy Call Session Control Function (P-CSCF). 
     
     
         33 . The method according to  claim 23 , wherein the serving entity comprises a Serving Call Session Control Function (S-CSCF). 
     
     
         34 . A control entity for interfacing an access network, configured to:
 receive a registration request for registering a user;   query an identity repository entity to obtain a unique user-specific location information associated with the user;   embed the unique user-specific location information into a network-trusted header in the registration request; and   forwarding the registration request towards a serving control entity.   
     
     
         35 . The control entity according to  claim 34 , wherein the control entity is further configured to embed the unique user-specific location information into network-trusted header. 
     
     
         36 . The control entity according to  claim 35 , wherein the control entity is further configured to embed the unique user-specific location information into one of a P-Visited-Network-ID header, a Path header, and a P-Charging-Vector header. 
     
     
         37 . A system for authenticating user equipment for access to a trusted network, the user equipment being identified unique location information, the system comprising:
 a proxying entity configured to:
 sanity check a registration request received from the user equipment; 
 receiving the location information of the user equipment; and 
 generating a network-trusted header including the received user-specific location information; and 
 forwarding the carrier header to a serving entity for authentication; and 
   the serving entity being configured to:
 sanity checking the received network-trusted header in the registration request; 
 if the serving entity's sanity check is successful, compare the location information to a list of approved location information; and 
 if the location information matches an entry in the list of approved references, authenticate the user equipment for access to the trusted network. 
   
     
     
         38 . The system according to  claim 37 , wherein the selected network-trusted header includes a parameter into which the user-specific location information can be inserted. 
     
     
         39 . The system according to  claim 38 , wherein the proxying entity is further configured to digitally sign the received user identity, and wherein the serving entity is further configured to verify the digital signature.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.