Patent Application
20060129813
The present invention relates generally to mobile networks and more particularly, to the field of authentication of electronic devices in mobile networks.
Electronic devices in mobile networks need to be authenticated to the network infrastructure. At present, electronic devices are generally authenticated via a mobile network controller (also known as a mobile router) at a Customer Enterprise Network (CEN) where the CEN hosts an Authentication Authorization and Accounting (AAA) server and provides authentication of the electronic devices. However, this is possible only if the mobile network controller (MNC) has connectivity to the CEN.
At present, the known methods of authenticating electronic devices when there is no connectivity to the CEN are ineffective. One method of authenticating electronic devices when there is no connectivity to the CEN is to mirror or copy an entire AAA server and place it in a location that the electronic device can receive authentication services such as in a vehicle near the electronic device. However, providing an entire AAA server by mirroring the entire AAA database in a vehicle to address the current problem of authentication when there is no connectivity to the CEN is not a feasible solution. From a cost standpoint, it is not possible for vehicles to possess entire AAA servers. Further, a compromised vehicle would mean an entire AAA database may be compromised. This would force users and electronic devices to be given new credentials whenever a vehicle or a mobile router is compromised. This would greatly increase the time and effort required to recreate the database every time a vehicle is compromised. Most importantly, from a security standpoint, an entire network comprising of a possibly large number of mobile devices and mobile networks, is vulnerable when an AAA database is comprised.
A second method of authenticating electronic devices when there is no connectivity to the CEN is to use a RADIUS (remote authentication dial-in user service) proxy which enables an intermediate server to act as a RADIUS client for all electronic devices. However, the RADIUS proxy has several disadvantages. A box only acts either as a proxy or a server at any given time. Further, the RADIUS method does not address the problem of dynamically changing the authentication server, depending on the local availability of credentials. Accordingly, there exists a need for a solution that addresses the shortcomings of these methods.
Before describing in detail authentication in accordance with the present invention, it should be observed that the present invention resides primarily in combinations of method steps and apparatus components related to authentication. Accordingly, the apparatus components and method steps have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.
In this document, relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms “comprises,” “comprising,” or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element proceeded by “comprises . . . a” does not, without more constraints, preclude the existence of additional identical elements in the process, method, article, or apparatus that comprises the element.
Methods for authenticating an electronic device in a mobile network are disclosed. According to
As used herein, an electronic device may be any suitable type of wireless communications device capable of communicating with other electronic devices, for instance, a laptop computer, a personal digital assistant, a voice handset, or any other suitable device as will be appreciated by those of skill in the art. Further, the electronic device may be one of a local node, and a visiting node. An electronic device is a local node for a given MNC if it has its “home network” (known in the art as the network from which the permanent IP address of the electronic device is obtained) on the mobile network served by that MNC. An electronic device is a visiting node for that MNC when it does not have its home on that mobile network.
Upon sending the authentication request, a search for the authentication credential to validate the electronic device is made. In one embodiment, the authentication credential can be one of a device ID, password, and encrypted key. As is known to one of ordinary skill in the art, other types of authentication credentials may be used. The electronic device may be seeking authentication to the MNC. An electronic device can also send the authentication request through an access point on a subnet where the access point co-located with the MNC on the subnet will forward the authentication request to the MNC. According to another embodiment of the invention as shown in
According to another embodiment of the invention, if the authentication credential is not found in the local database, the first MNC searches for connectivity to a network infrastructure 220. The network infrastructure comprises one of a Customer Enterprise Network (CEN), Authentication Authorization and Accounting (AAA) server or the like. According to another embodiment of the invention, if connectivity is found 220, the first MNC fulfills the authentication request by authenticating the electronic device using the network infrastructure 225. The electronic device may be authenticated by validating relevant authentication credentials of the electronic device at the network infrastructure. The local database at the first MNC is updated periodically, whenever connectivity to the CEN is established and there are changes in authentication credentials. There may be other ways of updating the local database as well, for instance, the AAA server in the CEN proactively pushing changes in the authentication credentials to the first MNC. Alternatively, the CEN may periodically contact the first MNC to update the local database with authentication credentials. When an electronic device behind a first MNC comes in the realm of a different mobile network, the electronic device becomes a visiting node. As used herein, for an electronic device to be “behind” an MNC means to be on the mobile network served by the MNC. The first MNC may not be able to authenticate the electronic device on the mobile network from its local database. In case of a failure of the first MNC to connect to the CEN, the visiting mobile node will not be authenticated by the local database stored in a first MNC because the visiting mobile node is not normally found at this MNC and the local database does not have the authentication credentials for the visiting mobile node. A second MNC may have credentials to authenticate this visiting mobile node. For example, a particular visiting mobile node located at a vehicle can be a home mobile node at another vehicle.
According to another embodiment of the invention, if connectivity is not found, the first MNC searches for a stored alternate authentication server 230. The stored alternate authentication server may be found at the first MNC. The stored alternate authentication server may be another MNC through which the visiting node was authenticated earlier. In another embodiment of the invention, if the stored alternate authentication server is present, the electronic device is authenticated through the stored alternate authentication server 235.
Pursuant to another embodiment of the invention, if the stored alternate authentication server is not present, the first MNC searches for an alternate authentication server 240. The alternate authentication server may be present at another MNC. The first MNC maintains a list of unique identifiers for each of the MNCs found in the search. Upon finding the alternate authentication server 245, the electronic device is authenticated through the alternate authentication server 250. Protected authentication credentials are used in authenticating the electronic device. Encryption is one way of protecting authentication credentials. After authentication, the information of the alternate authentication server is stored 255 at the first MNC. The particular alternate authentication server now gets stored at the first MNC to become a “stored alternate authentication server.” This is done to handle future authentication requests.
According to another embodiment of the invention, if the alternate authentication server is not found, restricted access is provided to the electronic device 260. In the case where the electronic device is responsible for sending the authentication request through an access point, the access point may send a RADIUS message to the MNC for authenticating the device.
According to
According to
Once the need for scanning is established, another embodiment of the invention further comprises searching for at least one MNC multicast group 415. The MNC multicast group is allocated for authentication message exchanges among a number of MNC that have subscribed to the group. If the MNC multicast group is available, the query is sent to the MNC multicast group 420. The query is sent along with a list of the MNCs scanned and a unique identifier of the electronic device. Upon sending the query, if at least one positive response is received from the MNC multicast group 425, at least one second MNC is selected 430 from the MNC multicast group. The selection of the second MNC is followed by a scan for an alternate authentication server 465 at the second MNC.
According to another embodiment of the invention, if there is no positive response from the MNC multicast group, a scan for a second MNC is made 435. If the second MNC is found within a timeout window 440, a determination is made of whether there is a secure communication channel between the first MNC and the second MNC 445. The existence of a secure communication channel may be determined by a number of means including the availability of a shared key between the first MNC and the second MNC, the existence of a peer-to-peer virtual private network, and a number of other well-known secure methods. If such a secure communication channel does not exist, the communication channel is established 450 and the query is then sent to the second MNC. To establish a secure communications channel, as per one embodiment of the invention, the first MNC may create a shared key with the second MNC and by doing so establishes a secure communication channel with the second MNC. The query is sent to the second MNC 455 with a unique identifier of the electronic device. If an affirmative response is received from the second MNC 460, the electronic device is authenticated.
According to another embodiment of the invention, if the MNC multicast group is not available, a scan for a second MNC is made 435. If the second MNC is found within a timeout window 440, a determination is made of whether there is a secure communication channel between the first MNC and the second MNC 445. If the secure communication channel does not exist, the communication channel is established 450 and the query is then sent to the second MNC. The query is sent to the second MNC 455 with a unique identifier of the electronic device. If an affirmative response is received from the second MNC 460, the electronic device is authenticated.
According to another embodiment of the invention, if the second MNC is not found within a timeout window 440, restricted access is provided to the electronic device, similar to 260.
According to
According to an embodiment of the invention, if the first MNC is included in the untrusted list 510, the query is denied and a negative response is returned to the first MNC.
According to another embodiment of the invention, if the first MNC is not included in the untrusted list 510, a search is made for an authentication credential at a local database on the second MNC 515. According to another embodiment, if the authentication credential is found on the local database, a positive response is returned to the first MNC 550. Next, a determination is made whether there exists a communication channel with the first MNC, for a secure exchange of authentication messages. If the communication channel already exists 560, the authentication request is received from the first MNC 570. The electronic device is authenticated 575 and a successful response is returned to the first MNC 580. Authentication credentials encrypted with shared keys may be used in authenticating the electronic device. If the communication channel does not exist, the communication channel is established first 560, and authentication 575 follows the establishment of the communication channel. If the communication channel cannot be established, the first MNC is placed on the untrusted list 565.
According to another embodiment of the invention, if the authentication credential is not found, a search is made to find connectivity to a network infrastructure 520. If the connectivity is found, a positive response is returned to the first MNC 550, and the similar process as described in the embodiment above regarding authenticating the electronic device follows. The local database at the first MNC is updated periodically, whenever the connectivity to the CEN is established. Also, the CEN may periodically contact the first MNC to update the local database with authentication credentials.
According to another embodiment of the invention, if the connectivity is absent, a search is made for an alternate authentication server 530. If the alternate authentication server is found within a timeout period 535, information pertaining to the alternate authentication server is stored at the second MNC 545. Upon storing the information, a positive response is returned to the first MNC 550. Next, a determination is made whether there is a communication channel with the first MNC to ensure secure exchange of authentication messages. If the communication channel exists 555, the authentication request is received from the first MNC 570, the device is authenticated 575 and a successful response is returned to the first MNC 580. Authentication credentials encrypted with shared keys are used in authenticating the electronic device. According to another embodiment of the invention, if the communication channel does not exist, an attempt is made to establish the communication channel 560. If the communication channel can be established, the authentication request is received from the first MNC 570, the device is authenticated 575 and a successful response is returned to the first MNC 580. According to another embodiment of the invention, if the communication channel cannot be established, the first MNC is placed on the untrusted list 565.
According to another embodiment of the invention, if the alternate authentication server is not found, a negative response is returned to the first MNC 540, and the authentication is denied. Further, an authentication failure would also be indicated when the authentication credentials do not successfully authenticate.
It will be appreciated the authentication described herein may be comprised of one or more conventional processors and unique stored program instructions that control the one or more processors to implement, in conjunction with certain non-processor circuits, some, most, or all of the functions of the authentication described herein. The non-processor circuits may include, but are not limited to, a radio receiver, a radio transmitter, signal drivers, clock circuits, power source circuits, and user input devices. As such, these functions may be interpreted as steps of a method to perform authentication. Alternatively, some or all functions could be implemented by a state machine that has no stored program instructions, or in one or more application specific integrated circuits (ASICs), in which each function or some combinations of certain of the functions are implemented as custom logic. Of course, a combination of the two approaches could be used. Thus, methods and means for these functions have been described herein. Further, it is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation.
In the foregoing specification, the invention and its benefits and advantages have been described with reference to specific embodiments. However, one of ordinary skill in the art appreciates that various modifications and changes can be made without departing from the scope of the present invention as set forth in the claims below. Accordingly, the specification and figures are to be regarded in an illustrative rather than a restrictive sense, and all such modifications are intended to be included within the scope of present invention. The benefits, advantages, solutions to problems, and any element(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential features or elements of any or all the claims. The invention is defined solely by the appended claims including any amendments made during the pendency of this application and all equivalents of those claims as issued.
