Patent Application
20090119506
The present disclosure generally relates to communication via packet data service networks. More particularly, and not by way of any limitation, the present disclosure is directed to a mobile communications device and related data service network employing a method and system for securely asserting one or more aliases of a resource identifier.
A more complete understanding of the embodiments of the present disclosure may be had by reference to the following Detailed Description when taken in conjunction with the accompanying drawings wherein:
A method and apparatus of the present disclosure will now be described with reference to various examples of how the embodiments can best be made and used. Identical reference numerals are used throughout the description and several views of the drawings to indicate identical or corresponding parts, wherein the various elements are not necessarily drawn to scale.
According to a first aspect, the present disclosure relates to a method for secure assertion of a user identifier alias. The method comprises receiving at an application server from a first device a first user identifier, a first device identifier and a first authentication key associated with the first device; receiving at the application server from the first device a second user identifier, the first device identifier and a second authentication key associated with the first device; comparing the first authentication key to the second authentication key; and storing the second user identifier at the application server as an alias of the first user identifier if the first authentication key matches the second authentication key.
In certain embodiments, the first device and the application server communicate via a wireless data path, which may include a wireless packet service data path, a wide area cellular network, or both. The method may further comprise receiving at the application server, from a second device, the second user identifier, a second device identifier and a second authentication key; and storing the second device at the application server as an associated device for the second user identifier. The method may further comprise receiving at the application server from the second device the second user identifier, the second device identifier, the second authentication key and a third user identifier; and storing the third user identifier as an alias for the second user identifier. Finally, the method may further comprise transmitting to the second device a communication directed to the second user identifier.
According to a second aspect, the present disclosure relates to a method for secure assertion of a user identifier alias. The method comprises sending to an application server from a first device a first user identifier, a first device identifier and a first authentication key associated with the first device; sending to the application server from the first device a second user identifier, the first device identifier and the first authentication key; and receiving at the first device a communication directed to the second user identifier as a result of an alias relationship at the application server between the first user identifier and the second user identifier.
According to a third aspect, the present disclosure relates to an application server comprising means for receiving at the application server from a first device a first user identifier, a first device identifier and a first authentication key associated with the first device; means for receiving at the application server from the first device a second user identifier, the first device identifier and a second authentication key associated with the first device; means for comparing the first authentication key to the second authentication key; and means for storing the second user identifier at the application server as an alias of the first user identifier if the first authentication key matches the second authentication key.
More generally, the present disclosure relates to authentication of devices such as phones, PDAs and computers, having associated user identifiers, to a network based application server interacting with corresponding applications on the devices in order to provide certain communication-related services to a user of the devices. To do this, it is preferable that the network based application server have access to information relating to the relationship of the user identities and devices associated with a user and their relevance to particular applications. Generally, such applications will support end-to-end secure communication between the devices and the network based application server for the purposes of configuration of the service, state synchronization, notification of settings and indication of the presence and status of applications on the devices.
Session Initiation Protocol (SIP) and other internet based communication technologies support both multiple user identities (e.g., Public User IDs or URIs) being registered for a single user and multiple devices registered with the same user identity (URI). Employment of multiple user identities enables a user to have different user identities to give to family, friends, and co-workers. Communication filtering and diverting services can be set up based upon the user identity to which a particular communication is addressed. A user may, for example, configure their call forwarding service to allow the address they provided to family members to reach them directly at their mobile phone, while friends are forwarded to their personal voicemail and co-workers are forwarded to their office phone. Association of multiple devices with a single URI relieves the user of the burden of maintaining different user identities for their home phone, personal mobile phone, work phone, corporate mobile devices, vacation home phone, laptop computer Voice over IP (VoIP) client and fax machine. Instead, the user can make him or herself available via whichever device(s) they happen to be using, or proximate to, at a given time. This functionality also reduces the burden of maintaining large lists of device oriented contacts per user in an address book and making determinations as to which device may be the best option for reaching a particular user at a particular time. Multiple user identities and multiple device associations can potentially be combined with service provider network based filtering and call forwarding applications to provide simple easy to use applications that give the user powerful control over the manner in which their incoming and outgoing communications are handled.
The teachings of the present disclosure are relevant within a wide variety of contexts. Systems based upon SIP are capable of providing the user with the ability to explicitly register multiple SIP URIs with a SIP core network using the SIP Registration mechanism specified in RFC 3261 and/or provided to the device through network provisioning notification using the P-Associated-URI header defined in RFC 3455. Mechanisms such as HTTP (GET and PUT etc), XCAP (RFC 4825), SIP based Event mechanisms such as SIP PUBLISH (RFC 3903) and SUBSCRIBE/NOTIFY (RFC 3265) amongst others, can be used to provide communication of such application level data between the device and the application server.
In certain embodiments, information about user identities, device identities and their relationships may be “piggy-backed” onto existing communication mechanisms between devices and the application server. Since most devices and applications will support some initial device to application server communication shortly after the device is powered on or the relevant application is started, use of this mechanism may require minimal, if any, additional load on the network. In general, the present disclosure is directed to systems and networks within which a device and/or user identity may be authenticated by a trusted server or network, but an application server elsewhere within the network may not be operable to fully and reliably authenticate the identity of the device and/or a user identity itself. Thus, the present disclosure provides an apparatus and method by which such an application server can improve the likelihood that a device asserting authority on behalf of a particular user identifier is, in fact, authorized to assert such authority. In order to improve security, certain embodiments of the present disclosure make use of authenticated and private communication between the devices and the application server. Such security can be provided, for example, by means of encryption. Those of skill in the art will appreciate that a number of security enhancement mechanisms could be employed in connection with the foregoing systems, including but not limited to CHAP and HMAC.
The present disclosure provides for the use of one or more authentication keys which are used to authenticate user and device combinations. The authentication key(s) may be generated the first time a device or application establishes an interaction with an application server and provided to the application server at that time. Subsequent initial interactions with the application server for a different alias URI for the same user and/or device may be authenticated so long as a previously-authenticated alias URI is still valid.
The new alias URI is authenticated by reference to a valid alias URI (Assoc-id) and will include the associated key (Assoc-Key) that was previously provided in the initial communication using the previous alias URI. Thus, multiple alias URIs can be communicated by the same device to the application server, which can verify by the shared associated key that they are indeed true alias URIs of the same user and same device and not impostors. A popular representation of synchronization and other application data in this kind of device to application server communications is XML (Extensible Markup Language). XML is used in the specific examples set forth below but other data representation formats are envisioned and possible.
Referring now to the drawings, and more particularly to
Application server 112 may, in certain implementations, enable a corporate user to access or effectuate any of the services from a remote location using suitable equipment such as mobile communications devices 116, 120, 122. By way of example, mobile communications device 116 may be a data-enabled wireless handheld device capable of receiving and sending messages, web browsing, interfacing with corporate application servers, et cetera. A secure communication link with end-to-end encryption may be established that is mediated through an external IP network, i.e., a public packet-switched network such as the Internet, as well as the wireless packet data service network 102 operable with mobile communications device 116 via suitable wireless network infrastructure that includes a base station (BS) 114.
For purposes of the present disclosure, the wireless packet data service network 102 may be implemented in any known or heretofore unknown mobile communications technologies and network protocols. For instance, the wireless packet data service network 102 may be comprised of a General Packet Radio Service (GPRS) network that provides a packet radio access for mobile devices using the cellular infrastructure of a Global System for Mobile Communications (GSM)-based carrier network. In other implementations, the wireless packet data service network 102 may comprise an Enhanced Data Rates for GSM Evolution (EDGE) network, an Integrated Digital Enhanced Network (IDEN), a Code Division Multiple Access (CDMA) network, Universal Mobile Telecommunications System Terrestrial Radio Access Network (UTRAN), Evolved UTRAN (E-UTRAN), 802.1x WLAN, or any 3rd Generation (3G) network.
Although the above transaction can be effectuated within a wide variety of contexts, and for a variety of purposes, the transaction is described below within the context of Push-to-talk over Cellular (PoC) functionality in the SIP protocol as an illustrative example. Within this context, a first PoC Client registers PoC-UserA1@networkA.net with the SIP/IP Core and Publishes, using SIP PUBLISH method, the PoC Service Settings for PoC-UserA1@networkA.net. The PoC Service Settings document has an already defined <entity> element with an “id” attribute.
The intent of the “id” attribute is to uniquely identify the entity to which these particular settings belong. In this case, mobile communication device 116 includes the concatenation of PoC-UserA1@networkA.net with the unique identity of the device using the URN format of the sip.instance feature tag defined in draft-ietf-sip-outbound. This uniquely identifies that these settings are for the user identity PoC-UserA1@networkA.net on the device with the sip.instance identity urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b. Mobile communication device 116 also includes the new XML element <ref-id-key> containing the sub elements <assoc-id> and <assoc-key>. Since this is the first URI to be communicated to the PoC Server, mobile communication device 116 sets the “id” attribute of the <Assoc-id> element to the same as the “id” attribute of the <entity> element (POC-UserA1@networkA.net>;+sip.instance=<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b) and generates the random key a5so6iw78py68use2wdvb and includes it in the “key” attribute of the <assoc-key> element. Example XML for this transaction may have the following form:
Once an authentication key has been generated and communicated to application server 112, mobile communication device 116 can use the registered authentication key to authenticate other identifiers to application server 112. In message 158, mobile communication device 116 sends a communication to application server 112 comprising a second user ID (UserA2), a device ID (Dev1) and the authentication key (“KEY1”). This communication is shown in further detail in
Within the PoC context presented as an illustrative example, mobile communication device 116 registers PoC-UserA2@networkA.net with the SIP/IP Core and Publishes using SIP PUBLISH method the PoC Service Settings for PoC-UserA2@networkA.net. In this case, mobile communication device 116 includes the concatenation of PoC-UserA2@networkA.net with the unique identity of the device using the sip.instance feature tag which uniquely identifies that these settings are for the user identity PoC-UserA2@networkA.net on the device with the sip.instance identity urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b. Since the URI PoC-UserA1@networkA.net is still valid for the PoC Service and is an alias of PoC-UserA2@networkA.net, mobile communication device 116 sets the “id” attribute of the <Assoc-id> element to PoC-UserA1@networkA.net>;+sip.instance=<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b) and includes the previously used random key a5so6iw78py68use2wdvb in the “key” attribute of the <assoc-key> element. Example XML for this transaction may have the following form:
In message 162, mobile communication device 116 sends a communication to application server 112 comprising a third user ID (UserA3), the first device ID (Dev1) and the original authentication key (“KEY1”). This communication is shown in further detail in
Within the PoC context described above, mobile communication device 116 registers PoC-UserA3@networkA.net with the SIP/IP Core and Publishes using SIP PUBLISH method the PoC Service Settings for PoC-UserA3@networkA.net. In this case, mobile communication device 116 includes the concatenation of PoC-UserA3@networkA.net with the unique identity of the device using the sip.instance feature tag, which uniquely identifies that these settings are for the user identity PoC-UserA3@networkA.net on the device with the sip.instance identity urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b. Since the URI PoC-UserA1@networkA.net is still valid for the PoC Service and is an alias of PoC-UserA3@networkA.net, mobile communication device 116 sets the “id” attribute of the <Assoc-id> element to PoC-UserA1@networkA.net>;+sip.instance=<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b) and includes the previously used random key a5so6iw78py68use2wdvb in the “key” attribute of the <assoc-key> element. Example XML for this transaction may have the following form:
In one embodiment, a subsequent registration may be able to refer to the first identity which created the group, or any identity associated with the group already. However if the URI PoC-UserA1@enetworkA.net was no longer still valid for the PoC Service but PoC-UserA2@networkA.net was still valid for the PoC Service and was an alias of PoC-UserA3@networkA.net, mobile communication device 116 would then set the “id” attribute of the <Assoc-id> element to PoC-UserA2@networkA.net>;+sip.instance=<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6b) and include the previously used random key a5so6iw78py68use2wdvb in the “key” attribute of the <assoc-key> element. Thus, so long as there is still a valid alias address communicated to the PoC Server, the mechanism still functions, even if the first URI communicated is no longer valid.
The authentication keys stored at application server 112 enable valid devices to set up new aliases efficiently and also serve to prevent unauthorized devices from setting up unauthorized aliases. The latter functionality is shown in detail in connection with messages 166-172. Message 166 represents an initial request for service from mobile communication device 122 to authentication server 104. Message 168 represents the response from authentication server 104 to mobile communication device 122. Once mobile communication device 122 is registered and authenticated to authentication server 104, mobile communication device 122 can communicate with application server 112. Message 170 represents an attempt by mobile communication device 122 to create a new user “UserX” as an alias of UserA1. This communication is shown in further detail in
In certain applications, a previously-created user ID may expire, be de-registered or otherwise become invalid either because of the occurrence of a particular event or sequence of events, the expiration of a predetermined time period, or an express instruction to cancel, delete or de-register the ID. An example of such a situation is shown in detail in
Returning to
Message 182 represents an initial request for service from mobile communication device 120 to authentication server 104. Message 184 represents the response from authentication server 104 to mobile communication device 120. Once mobile communication device 120 is registered and authenticated to authentication server 104, mobile communication device 120 can communicate with application server 112. As noted above, the authentication systems and methods described herein are operable to help reduce potential security issues that may be presented by the use of alias relationships between devices and user identifiers, but are not necessarily operable to correct security weaknesses found elsewhere in the network. Thus, the present methods and systems do not necessarily provide mechanisms for independent authentication of the authority or identity of any particular entity, except in relation to that entity's authority to act on behalf of another entity. Thus, the teachings of the present disclosure will generally be implemented in connection with additional security and authentication measures.
In message 186, mobile communication device 120 sends a communication to application server 112 comprising a user ID (UserA3), a device ID (Dev2) and an authentication key (“KEY2”). This communication is shown in further detail in
Message 190 represents a communication from mobile communication device 120 to application server 112 comprising a fifth user ID (UserA5), a device ID (Dev2) and the original authentication key (“KEY2”). This communication is shown in further detail in
Subsequent in time to the expiration of UserA1 as set forth above, mobile communication device 116 may re-register UserA1 in a similar manner to that set forth above in connection with messages 154 and 156. This may occur periodically, or may be initiated by circumstances such as a power off or loss of radio coverage. Under such circumstances, registration of one or more of the user identities with the application server 112 may be effectuated using a new authentication key generated at mobile communication device 116. This transaction is shown in tabular form in
In block 232, an authentication key and identifier match has been found, and the second user identifier is therefore stored as an alias in association with the first user identifier and the first device identifier. Subsequently, the server will treat the second user identifier as an alias of the first user identifier. Alternately, in block 234, the server has determined that the user and/or device claiming to act on authority of the first user identifier does not, in fact, have such authority, thus indicating that the entity claiming to act on behalf of the first user identifier is an impostor. Thus, the server will not store a new alias record or treat the second user identifier as an alias of the first user identifier.
A microprocessor 302 providing for the overall control of an embodiment of mobile communication device 116 is operably coupled to a communication subsystem 304 which includes a receiver 308 and transmitter 314 as well as associated components such as one or more local oscillator (LO) modules 310 and a processing module such as a digital signal processor 312. As will be apparent to those skilled in the field of communications, the particular design of the communication module 304 may be dependent upon the communications network with which the mobile communication device 116 is intended to operate.
In one embodiment, the communication module 304 is operable with both voice and data communications. Regardless of the particular design, however, signals received by antenna 306 through base station 114 are provided to receiver 308, which may perform such common receiver functions as signal amplification, frequency down conversion, filtering, channel selection, analog-to-digital (A/D) conversion, and the like. Similarly, signals to be transmitted are processed, including modulation and encoding, for example, by digital signal processor 312, and provided to transmitter 314 for digital-to-analog (D/A) conversion, frequency up conversion, filtering, amplification and transmission over the air-radio interface via antenna 316.
Microprocessor 302 also interfaces with further device subsystems such as auxiliary input/output (I/O) 318, serial port 320, display 322, keyboard 324, speaker 326, microphone 328, random access memory (RAM) 330, a short-range communications subsystem 332, and any other device subsystems generally labeled as reference numeral 333. To control access, a Subscriber Identity Module (SIM) or Removable User Identity Module (RUIM) interface 334 is also provided in communication with the microprocessor 302. Access control methods may vary between different RATs (e.g., between Wi-fi and WiMAX).
In one implementation, SIM/RUIM interface 334 is operable with a SIM/RUIM card having a number of key configurations 344 and other information 346 such as identification and subscriber-related data. Operating system software and transport stack software may be embodied in a persistent storage module (i.e., non-volatile storage) such as Flash memory 335. In one implementation, flash memory 335 may be segregated into different areas, e.g., a storage area for computer programs 336 as well as data storage regions such as device state 337, address book 339, other personal information manager (PIM) data 341, and other data storage areas generally labeled as reference numeral 343. A key generation module 216 is operably connected to flash memory 335, which also includes transport stack 350.
It is believed that the operation and construction of the embodiments of the present disclosure will be apparent from the Detailed Description set forth above. While the exemplary embodiments shown and described may have been characterized as being preferred, it should be readily understood that various changes and modifications could be made therein without departing from the scope of the present disclosure as set forth in the following claims.
This application claims priority to U.S. Provisional Patent Application Ser. No. 60/977,952, filed Oct. 5, 2007, which is herein incorporated by reference.
| Number | Date | Country | |
|---|---|---|---|
| 60977952 | Oct 2007 | US |
