Secure distribution of non-privileged authentication credentials

Information

  • Patent Grant
  • 9338153
  • Patent Number
    9,338,153
  • Date Filed
    Wednesday, April 10, 2013
    11 years ago
  • Date Issued
    Tuesday, May 10, 2016
    8 years ago
Abstract
An authentication credentials push service (ACPS) that securely pushes non-privileged authentication credentials to registered client entities. The ACPS comprises a classification server and a push server to provide access to non-privileged authentication credentials absent a pull transaction. The classification server in the ACPS classifies authentication credentials as either privileged (i.e. private, forgeable) or non-privileged (i.e. non-forgeable, non-sensitive). Credentials identified as being of a privileged nature are treated with restricted access. Alternatively, credentials classified as being of a non-privileged nature are made available for the push service. Authentication servers register with the ACPS to become consumers of the push service. A push server within the ACPS pushes non-privileged authentication credentials to registered authentication servers at predetermined intervals. Individual authentication credentials push services (ACPS) have access to different authentication credentials. An authentication server can use a dynamic name service (DNS) lookup to find a specific authentication credentials push service (ACPS).
Description
BACKGROUND OF THE INVENTION

1. Field of the Invention


This invention relates generally to user authentication, secure user plan location (SUPL), authentication credentials, and public key infrastructure (PKI).


2. Background of Related Art


Authentication transactions are used to securely identify users, processes, and/or devices attempting to access a particular restricted service. Existing authentication transactions are implemented via a pull technology, i.e., a style of network communication in which clients request and pull information from centralized servers. Pull based authentication transactions may be executed via numerous pull based technologies, e.g., Home Location Registers (HLRs), Home Subscriber Servers (HSS), Triple A (AAA), Public Key Infrastructure (PKI) (a pull based technology that exposes the use of an online certificate status protocol (OCSP)), etc. Each existing pull based technology encompasses a well defined interface, designed to enable clients to query their service.



FIG. 5 depicts exemplary behavior of a conventional pull based technology.


In particular, a client entity (e.g. a client device, user, process, etc.) 500 in a pull based technology sends an initial request for data to a receiving authenticator server 511, as depicted in step 52 of FIG. 5. The receiving authenticator server 511 then processes the client request and returns a relevant response, as depicted in step 54 of FIG. 5.


In a conventional pull based authentication transaction, a client entity (e.g. a client device, user, process, etc.) initiates a request (a pull transaction) for information and/or verification of authentication credentials to an authentication server, to which the authentication server subsequently responds.



FIG. 6 depicts logic flow for existing pull based authentication transactions.


In particular, to implement a pull based authentication transaction, a secure tunnel 600 is first established between a client entity 500 and an authenticator server 511, over an access network 610, as depicted in step 60 of FIG. 6. As depicted in step 62, the client entity 500 at one end of the secure tunnel 600 sends authentication credentials and/or a restricted service 640 authorization request to the authenticator server 511 at the other end of the secure tunnel 600. Upon receiving the client request, the authenticator server 511 initiates one or more queries (pull transactions) to one or more authentication data stores 620, requesting public and/or private authentication credentials for the requesting client entity 500, as depicted in step 64. In step 66, the authenticator server 511 uses authentication credentials retrieved from the authentication credentials data store(s) 620 to verify authentication credentials received (in step 60) from the client entity 500. In step 68, the authenticator server 511 authenticates the client entity 500 and authorizes the client entity 500 to access the restricted service (i.e. a service contingent upon authentication) 640. In step 70, the client entity 500 proceeds to access the restricted service 640.


To minimize impacts on authentication servers and client entities, pull servers are often positioned at locations near one another. Positioning pull servers at nearby locations (i.e. server co-location) helps minimize round trip delay and network latency. Unfortunately, server co-location also results in reduced resiliency through geographic distribution.


SUMMARY OF THE INVENTION

A service to securely pushed non-privileged authentication credentials to registered client entities comprises an authentication credentials push service (ACPS). In accordance with the principles of the present invention, an authentication credentials push service (ACPS) distinguishes between privileged (i.e. private, forgeable) authentication credentials and non-privileged (i.e. non-forgeable, non-sensitive) authentication credentials, to provide access to non-privileged authentication credentials absent a pull transaction. The present invention improves the performance and reduces delay of authentication transactions by permitting authentication credentials that include only non-privileged authentication information to be freely distributed for use amongst authentication servers.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) comprises a classification server to classify authentication credentials as either privileged or non-privileged. The authentication credentials push service (ACPS) restricts access (i.e. access is permitted via a pull transaction) to all authentication credentials classified as privileged, and classifies all non-privileged authentication credentials as available for the push service.


In accordance with the principles of the present invention, authentication servers register with the authentication credentials push service (ACPS) to become consumers of the push service. The authentication credentials push service (ACPS) comprises a push server to push non-privileged authentication credentials to registered authentication servers at predetermined intervals.


In accordance with the principles of the present invention, individual authentication credentials push services (ACPS) have access to different authentication credentials. An authentication server can use a dynamic name service (DNS) lookup to find a specific authentication credentials push service (ACPS) to fulfill its authentication requirements.





BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of the present invention become apparent to those skilled in the art from the following description with reference to the drawings, in which:



FIG. 1 depicts exemplary distribution of non-privileged authentication credentials via an authentication credentials push service (ACPS), in accordance with the principles of the present invention.



FIG. 2 depicts exemplary inbound and outbound messages exchanged for the authentication credentials push service (ACPS), in accordance with the principles of the present invention.



FIG. 3 depicts exemplary communication between an authentication credentials push service and a dynamic DNS service, in accordance with the principles of the present invention.



FIG. 4 shows an exemplary dynamic DNS registration removal of entry, in accordance with the principles of the present invention.



FIG. 5 depicts exemplary behavior of a conventional pull based technology.



FIG. 6 depicts logic flow for existing pull based authentication transactions.





DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The present invention comprises an authentication credentials push service (ACPS) that securely pushes non-privileged (i.e. public) authentication credentials to registered client entities (i.e. authentication servers). The inventive authentication credentials push service (ACPS) distinguishes between privileged and non-privileged authentication credentials to provide access to non-privileged authentication credentials absent a pull transaction.


Various types of authentication credentials may be used to authenticate a transaction request. For instance, authentication credentials may include public and/or private authentication information. The present inventors have realized that conventional pull based authentication transactions do not distinguish amongst authentication credentials. Rather, most conventional authentication systems treat all authentication credentials as private/privileged information that may be shared only via a pull transaction.


However, the inventors herein realized that use of a pull transaction in the middle of an authentication transaction may cause significant transaction delay and may substantially degrade the performance of an authentication server. Moreover, insertion of a pull transaction in the middle of an authentication transaction often results in decreased scalability, decreased throughput, server co-location, and a lack of distinction amongst credentials.


For instance, an authentication transaction which must rely on an external pull transaction requires more system and network resources to complete the transaction. In particular, pull based authentication transactions require additional computer resources and time to request, receive, and process information during a pull transaction.


Further, pull based authentication transactions must request authentication credentials on an individual basis when credentials for individual users/devices require authentication at different server locations. Consequently, in many instances, authentication servers are unable to group pull transactions to improve efficiency, thereby resulting in reduced scalability.


When a pull transaction is implemented during an authentication transaction, the authentication transaction must go on hold until the external pull transaction is complete. Such a hold may add significant transaction delay, and may result in additional queuing capability and client entity impacts.


Moreover, an authentication server has no control over the responsiveness of a service from which a pull transaction is requested. For instance, due to other simultaneous activities, a pull server may experience abnormal delays. Abnormal delays at a pull server may lead to further downstream impacts on an authentication server and client entities.


The present inventors have appreciated that authentication servers sometimes require additional non-privileged authentication information (in addition to privileged authentication information) to authenticate transaction requests. However, conventional authentication services typically treat all authentication credentials as privileged/private information that may be shared only via a pull based transaction.


For instance, for authentication transactions in which additional non-privileged authentication information is required, conventional authentication servers may use inline queries to request (pull) this additional information from a designated service. In particular, an authentication server may use an inline query to acquire, e.g., an exposed Certificate Revocation List (CRL) (i.e. public information) relevant to a client entity requesting authentication. The authentication server may then use this Certificate Revocation List (CRL) for authentication purposes, e.g., an authentication server may verify the status of the certificate to authenticate a client entity. An authentication server may additionally initiate pull transactions to request device and/or user characteristics from a credentials database/other designated service.


However, use of a pull transaction in the middle of an authentication transaction may cause significant transaction delay and may substantially degrade the performance of an authentication server. In particular, insertion of a pull transaction in the middle of an authentication transaction often results in decreased scalability, decreased throughput, server co-location, and a lack of distinction amongst credentials. Even so, conventional authentication transactions use pull transactions to acquire nearly all authentication credentials used to fulfill authentication requests.


In accordance with the principles of the present invention, an authentication credentials push service (ACPS) distinguishes between privileged and non-privileged authentication credentials to provide access to non-privileged authentication credentials absent a pull transaction. The authentication credentials push service (ACPS) provides a service to securely push non-privileged authentication credentials to registered clients. By enabling non-privileged authentication credentials to be accessed without a pull transaction, the present invention minimizes the number of pull transactions required during an authentication transaction and thus reduces delay and improves the performance of authentication transactions.


In accordance with the principles of the present invention, to provide non-privileged authentication credentials via a push service, the authentication credentials push service (ACPS) comprises a classification server to classify authentication credentials as either ‘privileged’ or ‘non-privileged’. In particular, the classification server classifies credentials containing private, forgeable information, such as username/password combinations, etc., as privileged authentication credentials. Moreover, the classification server classifies authentication credentials containing only non-forgeable, non-sensitive information, such as information regarding a current state of a requesting client entity (e.g., an IP address, host name, operating system, etc.) as non-privileged authentication credentials. Non-privileged authentication credentials include credentials that may be made publicly available.


Non-privileged authentication credentials must be used in combination with privileged authentication credentials to authenticate a transaction request and are not sufficient for authentication when used alone. Nonetheless, non-privileged authentication credentials play a valid and important role in transaction authentication. For instance, non-privileged authentication credentials are often used to perform validity checks. Exemplary non-privileged authentication credentials include: certificate revocation status, public keys, certificates, location information, device information, etc.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) awards an access restriction to each authentication credential, based on a classification of its contents. In particular, a system administrator identifies which authentication credentials are classified as privileged and which are classified as non-privileged either via an authentication credentials push service (ACPS) system configuration or via user to machine interfaces (graphical user interfaces (GUI)). Credentials identified as being of a privileged nature are treated with restricted access (as is the case in the marketplace today). In accordance with conventional authentication transactions, privileged (restricted access) authentication credentials are typically accessible via pull based transactions, only. Privileged authentication credentials may also be used in out of band sequences (which the ACPS may additionally support). Alternatively, authentication credentials identified as being of a non-privileged nature are classified as being available for the push service.


In accordance with the principles of the present invention, clients (authentication servers) register with the authentication credentials push service (ACPS) to become consumers of the push service (i.e. to receive push notifications). Once registered, clients may optionally identify certain types of credentials, and/or certain users, devices, etc., for which they would like to receive push notifications.


In accordance with the principles of the present invention, the authentication credentials uses a push server to distribute push notifications containing non-privileged authentication credentials to registered client entities at predetermined intervals.



FIG. 1 depicts exemplary distribution of non-privileged authentication credentials via an authentication credentials push service (ACPS), in accordance with the principles of the present invention.


In particular, as depicted in step 10 of FIG. 1, the authentication credentials push service (ACPS) 100 acquires access to non-privileged authentication data (e.g. IP addresses, certification status, public keys, location information, etc.) 110 via an out of band means. As depicted in step 12, an authentication server 510 registers with the authentication credentials push service (ACPS) 100 to receive push notifications. As depicted in step 14, once registration is granted, the push server begins pushing non-privileged authentication credentials to the registered authentication server 510 at predetermined intervals. In step 16, a client entity (e.g. a client device, user, process, etc.) 500 sends a request for authentication to the authentication server 510. In response to the authentication request, the authentication server 510 initiates one or more queries (pull transactions) to one or more credentials servers 620, requesting privileged authentication credentials for the requesting client entity 500, as depicted in step 18. In step 20, the authentication server 510 uses privileged authentication credentials retrieved from the credentials server(s) 620, and any relevant non-privileged authentication credentials received in previous push notifications to authenticate the requesting client entity 500, e.g., client device, user, process, etc.


In accordance with the principles of the present invention, to improve performance and minimize delay during authentication transactions, authentication credentials that include only non-privileged information may be freely distributed for use by authentication servers 510.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) 100 uses a predefined application layer message format designed for transportation over secure transports, e.g., secure sockets layer (SSL)/transport layer security (TLS), internet protocol security (IPSec), etc. An inventive authentication credentials push service protocol (ACPP) makes use of simple object access protocol (SOAP) with attachments, and uses hypertext transfer protocol (secure) (http(s)) as a transport protocol.


The present invention does not define a credentials attribute tag for the authentication credentials push service (ACPS) protocol (ACPP). Instead, credentials tags are defined per installation to allow flexibility for non-privileged credentials used in each authentication context.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) 100 supports authentication credential pushes, authentication credential pulls, requests for registration, and other queries/requests as they are deemed necessary. The authentication credentials push service (ACPS) 100 additionally supports transmission of text and binary data (base 64 encoded).


In accordance with the principles of the present invention, the following requests are supported by the authentication credentials push service (ACPS) 100: registration requests (i.e. RegistrationReq), deregistration requests (i.e. DeregistrationReq), non-privileged user credentials requests (i.e. UserCredentialsReq), and poll user credentials requests (i.e. PollUserCredentialsReq).



FIG. 2 depicts exemplary inbound and outbound messages exchanged for the authentication credentials push service (ACPS), in accordance with the principles of the present invention.


As depicted in step 20 of FIG. 2, registration requests, deregistration requests, and poll user credentials requests are all inbound messages transmitted from authentication servers 510 to the inventive authentication credentials push service (ACPS) 100. Alternatively, as depicted in step 22, user credentials requests are outbound messages transmitted from the authentication credentials push service (ACPS) 100 to authentication servers 510.


In accordance with the principles of the present invention, to request registration to the inventive push service, an authentication server 510 initiates a registration request message to the authentication credentials push service (ACPS) 100. A registration request message preferably includes the following required elements: transaction ID, registrationReq, VASPID, VASID, timestamp, realm, and one or more user ID elements.


In particular, a transaction ID element is preferably included in the SOAP header of a registration request message. The transaction ID element holds a unique identifier for the registration request message and preferably holds up to 40 characters or more. Moreover, a registrationReq element in a registration request message identifies the message as a registration request. The registration request element is preferably defined as the root element of the SOAP body.


A VASPID element in a registration request message contains a user ID for a requesting authentication server 510. Similarly, the VASID element in a registration request message holds a password for a requesting authentication server 510.


The timestamp element in the registration request message holds the time that the registration request message was sent to the authentication credentials push service (ACPS) 100. Moreover, the one or more user ID elements included in a registration request message correspond to user IDs (e.g. cell phone numbers, etc.) supported by the requesting authentication server 510.


Finally, a realm element in a registration request message holds realm(s) or domain(s) that may be used to identify a block of authentication credentials. In accordance with the principles of the present invention, each registration request message must contain one or more realm elements or one or more user ID elements. A registration request message may include both realm and user ID elements, however only one of the two types of elements (realm and user ID) is required.


A registration request message may also include attributes to explicitly identify certain types of authentication credentials a requesting authentication server 510 wishes to receive in push notifications.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) 100 returns a registration response message in response to a registration request message received from an authentication server 510. A registration response message preferably includes the following elements: transactionID, registrationResponse, statusCode, statusText, and details.


In accordance with the principles of the present invention, a transaction ID element in a registration response message is identical to a transaction ID element in a corresponding registration request message. A transaction ID element is preferably included in the SOAP header of the registration response message and may hold up to 40 characters.


Moreover, a registrationRsp element in a registration response message indicates that the message is a registration response. The registrationRsp element is preferably defined as the root element of the SOAP body.


A statusCode element in a registration response message holds a registration status code, e.g., passed, failed, etc., relevant to a corresponding registration request. Similarly, the statusText element in the registration response message holds status text relevant to a corresponding registration request. Likewise, the details element holds details regarding the status of a corresponding registration request. In accordance with the principles of the present invention, a details element conditionally populates a registration response message.


A registration request message may additionally include any other miscellaneous data regarding a corresponding request for registration.


In accordance with the principles of the present invention, a deregistration request message is a message sent from an authentication server 510 to the authentication credentials push service (ACPS) 100, to request termination of service registration. A deregistration request message preferably includes the following required (i.e. required in an outbound message) elements: transaction ID, deregistrationReq, VASPID, VASID, and timestamp.


In accordance with the principles of the present invention, a transaction ID element is preferably included in the SOAP header of a deregistration request message. The transaction ID element holds a unique identifier for the deregistration request message and preferably holds up to 40 characters.


Moreover, a deregistrationReq element in a deregistration request message identifies the message as a deregistration request. The deregistrationReq element is preferably defined as the root element of the SOAP body.


A VASPID element in a deregistration request message holds a user ID for a requesting authentication server 510. Similarly, a VASID element in a deregistration request message holds a password for a requesting authentication server 510. The timestamp element in a deregistration request message holds the time that the deregistration request message was sent to the authentication credentials push service (ACPS) 100.


Other miscellaneous data regarding a request for deregistration may also be included in a deregistration request message.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) 100 returns a deregistration response message to an authentication server 510 in response to a deregistration request previously received therefrom. In accordance with the principles of the present invention, the following elements are preferably included (but are not required) in a deregistration response message: transactionID, deregistrationRsp, statusCode, statusText, and details.


In particular, a transaction ID element is preferably included in the SOAP header of a deregistration response message. In accordance with the principles of the present invention, a transaction ID element in a deregistration response message is identical to a transaction ID element in a corresponding deregistration request message. A transaction ID element preferably holds up to 40 characters.


Moreover, a deregistrationRsp element in a deregistration response message indicates that the message is a deregistration response. The deregistration response element is preferably defined as the root element of the SOAP body.


Moreover, a statusCode element in a deregistration response message holds a status code, e.g., passed, failed, etc., relevant to a corresponding deregistration request. Similarly, the statusText element in the deregistration response message holds status text relevant to the corresponding deregistration request. Likewise, the details element holds details regarding the status of the corresponding deregistration request. In accordance with the principles of the present invention, a details element conditionally populates a deregistration response message.


Other miscellaneous data regarding a request for deregistration may also be included in a deregistration response message.


In accordance with the principles of the present invention, the inventive authentication credentials push service (ACPS) 100 supports complete updates (i.e. updates that include all data, changed and unchanged) and delta updates (i.e. updates that include only data that has changed).


Moreover, the inventive authentication credentials push service (ACPS) 100 supports periodic and immediate credential push modes. In a periodic credential push mode, the authentication credentials push service (ACPS) 100 sends periodic credential updates to relevant authentication servers 510, based on a total number of updates and/or time intervals. Alternatively, in immediate credential push mode, the authentication credentials push service (ACPS) 100 pushes updated credentials to relevant authentication servers 510 as soon as updates are acquired.


In accordance with the principles of the present invention, a push server pushes user credentials request messages containing non-privileged authentication credentials to registered authentication servers 510 at predetermined intervals. A user credentials request message preferably comprises the following elements: transaction ID, message integrity code (an optional message element), userCredentialsReq, VASPID, VASID, timestamp, allCredentials, validityPeriod, one or more userID elements, one or more credentials elements, and one or more validityPeriod elements.


In accordance with the principles of the present invention, a transaction ID element is preferably included in the SOAP header of a user credentials request message. The transaction ID element holds a unique identifier for the user credentials request message and preferably holds up to 40 characters. Moreover, a message integrity code element in a user credentials request message contains a hash algorithm value of message contents and a pre-shared key. Contents of a pre-shared key are decided based upon configuration.


In accordance with the principles of the present invention, a userCredentialsReq element in a user credentials request message identifies the message as a user credentials request. The userCredentialsReq element is preferably defined as the root element of the SOAP body.


A VASPID element in a user credentials request message holds a user ID for the originating entity. Similarly, a VASID element in a user credentials request message holds a password for the originating entity. The timestamp element in a user credentials request message holds the time that the user credentials request message was sent to an authentication server 510.


Moreover, a userID element in a user credentials request message contains a unique identifier (e.g., a cell phone number) for a client entity for which authentication credentials are being transmitted. One or more userIDs may be included in a user credentials request message. Further, a user credentials request message includes one or more credentials elements for each userID element included therein.


In accordance with the principles of the present invention, the authentication credentials push service (ACPS) 100 may use the same request to pass credentials, regardless of whether a full list or an updated (only) list of credentials is currently available.


In particular, an allCredentials element in a user credentials request message may contain a value of ‘true’ or ‘false’ (i.e. the allCredentials element is a Boolean element). In accordance with the principles of the present invention, if the value of an allCredentials element is ‘false’, then the user credentials request message contains only updated credentials. Alternatively, if the value of an allCredentials element is ‘true’, then the user credentials request message contains a full list of credentials (i.e. updated and non-updated) for each userID element included therein.


Moreover, a validityPeriod element in a user credentials request message holds a timestamp indicating when a particular authentication credential was created. The authentication credentials request message includes a validityPeriod element for each authentication credential, per user and/or per attribute level, included therein. An authentication server 510 uses a validityPeriod element to determine the validity of pushed credentials.


In accordance with the principles of the present invention, an authentication server 510 returns a user credentials response message in response to a user credentials request message received from the authentication credentials push service (ACPS) 100. A user credentials response message preferably contains the following elements: transactionID, userCredentialsRsp, statusCode, statusText, and details.


In particular, a transaction ID element is preferably included in the SOAP header of a user credentials response message. In accordance with the principles of the present invention, a transaction ID element in a user credentials response message is identical to a transaction ID element in a corresponding user credentials request message. A transaction ID element preferably holds up to 40 characters or more.


Moreover, a userCredentialsRsp element in a user credentials response message indicates that the message is a user credentials response message. The userCredentialsRsp element is preferably defined as the root element of the SOAP body.


Moreover, a statusCode element in a user credentials response message holds a status code, e.g., passed, failed, etc., relevant to a corresponding user credentials request. Similarly, the statusText element in the user credentials response message holds status text relevant to the corresponding user credentials request. Likewise, the details element holds details regarding the status of the corresponding user credentials request. In accordance with the principles of the present invention, a details element conditionally populates a user credentials response message.


A user credentials response message may also include any other miscellaneous data regarding a corresponding user credentials request.


In accordance with the principles of the present invention, a registered authentication server 510 may send a poll user credentials request message to the authentication credentials push service (ACPS) 100 to request updated authentication credentials. A poll user credentials request message preferably comprises the following required elements: transaction ID, pollUserCredentialsReq, VASPID, VASID, Timestamp, Realm, allCredentials, ValidityPeriod, and one or more userIDs.


In accordance with the principles of the present invention, a transaction ID element is preferably included in the SOAP header of a poll user credentials request message. The transaction ID element holds a unique identifier for the poll user credentials request message and preferably holds up to 40 characters.


Moreover, a pollUserCredentialsReq in a poll user credentials request message identifies the message as a poll user credentials request. The pollUserCredentialsReq element is preferably defined as the root element of the SOAP body.


A VASPID element in a poll user credentials request message holds a user ID for a requesting authentication server 510. Similarly, a VASID element in a poll user credentials request message holds a password for the requesting authentication server 100. Moreover, a timestamp element in a poll user credentials request message holds the time that the poll user credentials request message was sent to the authentication credentials push service (ACPS) 100.


In accordance with the principles of the present invention, a poll user credentials request message includes one or more userID elements corresponding to user IDs (e.g. cell phone numbers, etc.) supported by the requesting authentication server 510.


A realm element in a poll user credentials request message holds realm(s) or domain(s) that may be used to identify a block of authentication credentials. In accordance with the principles of the present invention, each poll user credentials request message must contain one or more realm elements or one or more user ID elements. A poll user credentials request message may include both realm and user ID elements, however only one of the two types of elements (realm and user ID) is required.


A poll user credentials request message may also include attributes to explicitly identify certain types of authentication credentials that an authentication server wishes to receive in push notifications.


In accordance with the principles of the present invention, an allCredentials element in a poll user credentials request message may contain a true or false value (i.e. the allCredentials element is a Boolean element). In particular, when the value of an allCredentials element is ‘false’ in a poll user credentials request message, an authentication server 510 is requesting that only updated credentials be returned in a poll user credentials response message. Alternatively, when the value of an allCredentials element in a poll user credentials request message is ‘true’, an authentication server 510 is requesting that that a full list of credentials (updated and not updated) for indicated userIDs be returned in a poll user credentials response message.


Moreover, a validityPeriod element in a poll user credentials request message holds a timestamp. This validityPeriod element is used to request that the authentication credentials push service (ACPS) 100 return all credentials matching realm and/or userID values specified in the poll user credentials request message, that have been updated following the value in this validityPeriod (timestamp) element.


In accordance with the principles of the present invention, a poll user credentials response message is sent from the authentication credentials push service (ACPS) 100 to an authentication server 510 in response to a user credentials request message previously received therefrom. A poll user credentials response message preferably contains the following elements: transactionID, messageIntegrityCode, pollUserCredentialsRsp, VASPID, VASID, Timestamp, UserID, AllCredentials, Credentials, and ValidityPeriod.


In accordance with the principles of the present invention, a transaction ID element in a poll user credentials response message is identical to a transaction ID element in a corresponding poll user credentials request message. A transaction ID element is preferably included in the SOAP header of the poll user credentials response message and may hold up to 40 characters or more.


A message integrity code element in a poll user credentials response message contains a hash algorithm value of message contents and a pre-shared key. Contents of a pre-shared key are decided based upon configuration.


Moreover, a pollUserCredentialsRsp element is included in a poll user credentials response message to identify the message as a poll user credentials response. The pollUserCredentialsRsp element is preferably defined as the root element of the SOAP body.


The VASPID element in a poll user credentials response message holds a user ID for the originating entity. Similarly, the VASID element in a poll user credentials response message holds a password for the originating entity.


The timestamp element in a poll user credentials response message holds the time the poll user credentials response message is sent from the authentication credentials push service (ACPS) 100 to an authentication server 510.


Moreover, a userID element in a poll user credentials response message holds a unique identifier, e.g., a cell phone number, for a client entity for which authentication credentials are being transmitted. One or more userIDs may be included in a poll user credentials response message. Further, one or more credentials elements may be included in a poll user credentials response message for each userID indicated therein.


In accordance with the principles of the present invention, an allCredentials element in a poll user credentials response message contains a true or false value (i.e. the allCredentials element is a Boolean element). If the value of the allCredentials element is ‘false’, then only updates made to credentials are included in the poll user credentials response message. Alternatively, if the value of the allCredentials element is ‘true’, then the poll user credentials response message contains a full list of credentials (updated and non-updated) for each userID indicated therein.


Moreover, a validityPeriod element in a poll user credentials response message holds a timestamp that indicates when a particular authentication credential was created. A validity element is included in the poll user credentials response message for each authentication credential, per user and/or per attribute level, indicated therein.


In accordance with the principles of the present invention, each authentication credentials push service (ACPS) 100 gains access to non-privileged authentication credentials via an out of band means. Consequently, individual authentication credentials push services (ACPS) 100 may have access to different authentication credentials. In accordance with the principles of the present invention, authentication servers 510 may use a domain name system (DNS) service to lookup a specific authentication credentials push service (ACPS) 100 based on specific authentication requirements.


In accordance with the principles of the present invention, an authentication credentials push service (ACPS) 100 registers with a designated domain name system (DNS) service via standard dynamic DNS update (secure/non-secure) mechanisms. For instance, an authentication credentials push service (ACPS) 100 may register itself with one identifier for the authentication credentials push service (ACPS) 100, and may simultaneously maintain additional DNS registrations for typical network access and routing functions. By registering with a designated DNS service, an authentication credentials push service (ACPS) 100 identifies itself as being ‘available’. An authentication server 510 may then implement a DNS lookup to gain information necessary to connect with a particular authentication credentials push service (ACPS) 100.



FIG. 3 depicts exemplary communication between an authentication credentials push service and a dynamic DNS service, in accordance with the principles of the present invention.


In particular, as depicted in step 30 of FIG. 3, an authentication credentials push service (ACPS) 100 registers with a dynamic DNS service 300 (out of band). As portrayed in step 32, the authentication credentials push service (ACPS) 100 then sends a dynamic DNS (rfc 2136) update for address (A) and pointer (DNS) record type (PTR) records to the DNS server 300, and sets a time to live parameter (i.e. a health check interval). In step 34, the DNS server 300 sends a response to the authentication credentials push server (ACPS) 100 to acknowledge receipt of the update.


As depicted in step 36, the authentication credentials push service 100 then initiates a health check timer, based on the time to live parameter (TTL) sent to the DNS server 300 (in step 32). In accordance with the principles of the present invention, if the authentication credentials push service (ACPS) 100 fails before the health check timer (i.e. time to live parameter) has expired, then the DNS record expires and the DNS server 300 no longer forwards to the authentication credentials push service (ACPS) 100. Alternatively, as depicted in step 38, if the authentication credentials push service (ACPS) 100 does not fail before the health check timer (i.e. time to live parameter) has expired, then the authentication credentials push service (ACPS) 100 sends another update for address (A) and pointer (DNS) record type (PTR) records to the DNS server 300, along with a new time to live (TTL) parameter. In step 40, the DNS server 300 sends a response to the authentication credentials push server (ACPS) 100 to acknowledge receipt of the update.


If an authentication credentials push service (ACPS) 100 abnormally terminates (e.g. unexpectedly goes offline or can't complete a periodic update process for some reason), then the dynamic DNS record expires when the time to live (TTL) value expires.


For a graceful shutdown, the authentication credentials push service (ACPS) 100 sends out an additional update message to remove entries from the DDNS server 300.



FIG. 4 shows an exemplary dynamic DNS registration removal of entry, in accordance with the principles of the present invention.


In particular, as depicted in step 41 of FIG. 4, an authentication credentials push service (ACPS) 100 registers with a dynamic DNS service 300 (out of band). As portrayed in step 43, the authentication credentials push service (ACPS) 100 then sends a dynamic DNS (rfc 2136) update for the address (A) and pointer (DNS) record type (PTR) update class, set to ‘NONE’, to the DNS server 300. This update causes the address (A) and pointer (DNS) record type (PTR) resource records to be removed from the DNS server 300. In step 45, the DNS server 300 sends a response to the authentication credentials push server (ACPS) 100 to acknowledge receipt of the update.


An authentication credentials push service (ACPS) 100 performs the call flow depicted in FIG. 4 to remove itself from a pool of servers, when performing a graceful shutdown.


The invention has particular applicability to the arena of authentication, including web applications with authentication, whether it be consumers of authentication or the servers responsible for authentication, e.g., AAA, RADIUS, Diameter, HSS, VPN, etc.


While the invention has been described with reference to the exemplary embodiments thereof, those skilled in the art will be able to make various modifications to the described embodiments of the invention without departing from the true spirit and scope of the invention.

Claims
  • 1. A method of receiving authenticating credentials without requiring a pull transaction, comprising: requesting, from a physical credentials database of authentication credentials, by a physical authentication credentials push server, said authentication credentials including privileged authentication credentials and non-privileged authentication credentials;registering, in a physical registration database, a plurality of non-requesting physical authentication servers registered for receipt of a non-requested push of non-privileged authentication credential data from said physical authentication credentials push server, said push being performed absent a pull transaction by at least one non-requesting physical authentication server receiving said non-privileged authentication credentials;distinguishing, by said physical authentication credentials push server, between privileged and non-privileged authentication credentials within said physical credentials database; andpushing at predetermined intervals, from said physical authentication credentials push server, said non-privileged authentication credentials to said at least one non-requesting physical authentication server.
  • 2. The method of receiving authenticating credentials without requiring a pull transaction according to claim 1, wherein said privileged authentication credentials comprise: private, forgeable information.
  • 3. The method of receiving authenticating credentials without requiring a pull transaction according to claim 1, wherein said non-privileged authentication credentials comprise: non-sensitive, non-forgeable information.
  • 4. The method of receiving authenticating credentials according to claim 1, further comprising: restricting access to said privileged authentication credentials.
  • 5. The method of receiving authenticating credentials according to claim 1, further comprising: registering said physical authentication credentials push server with a domain name service (DNS) system.
  • 6. The method of receiving authenticating credentials according to claim 1, further comprising: communicating via a domain name service (DNS) lookup to acquire information sufficient to connect with said physical authentication credentials push server.
Parent Case Info

The present invention claims priority from U.S. Provisional No. 61/622,829, filed Apr. 11, 2012, entitled “Secure Distribution of Non-Privileged Authentication Credentials”, the entirety of which is expressly incorporated herein by reference.

US Referenced Citations (681)
Number Name Date Kind
1103073 O'Connell Jul 1914 A
4445118 Taylor et al. Apr 1984 A
4494119 Wimbush Jan 1985 A
4651156 Martinez Mar 1987 A
4706275 Kamil Nov 1987 A
4891638 Davis Jan 1990 A
4891650 Scheffer Jan 1990 A
4910767 Brugliera et al. Mar 1990 A
4952928 Carroll Aug 1990 A
4972484 Theile Nov 1990 A
5014206 Scribner May 1991 A
5043736 Darnell Aug 1991 A
5055851 Scheffer Oct 1991 A
5068656 Sutherland Nov 1991 A
5068891 Marshall Nov 1991 A
5070329 Jasinaki Dec 1991 A
5081667 Drori Jan 1992 A
5119104 Heller Jun 1992 A
5126722 Kamis Jun 1992 A
5144283 Arens Sep 1992 A
5161180 Chavous Nov 1992 A
5166972 Smith Nov 1992 A
5177478 Wagai Jan 1993 A
5193215 Olmer Mar 1993 A
5208756 Song May 1993 A
5214789 George May 1993 A
5218367 Scheffer Jun 1993 A
5223844 Mansell Jun 1993 A
5239570 Koster Aug 1993 A
5265630 Hartmann Nov 1993 A
5266944 Carroll Nov 1993 A
5283570 DeLuca Feb 1994 A
5289527 Tiedemann Feb 1994 A
5293642 Lo Mar 1994 A
5299132 Wortham Mar 1994 A
5301354 Schwendeman Apr 1994 A
5311516 Kuznicke May 1994 A
5325302 Izidon Jun 1994 A
5327529 Fults Jul 1994 A
5334974 Simms Aug 1994 A
5335246 Yokev Aug 1994 A
5343493 Karimullah Aug 1994 A
5347568 Moody Sep 1994 A
5351235 Lahtinen Sep 1994 A
5361212 Class Nov 1994 A
5363425 Mufti Nov 1994 A
5365451 Wang Nov 1994 A
5374936 Feng Dec 1994 A
5379451 Nakagoshi Jan 1995 A
5381338 Wysocki Jan 1995 A
5387993 Heller Feb 1995 A
5388147 Grimes Feb 1995 A
5390339 Bruckery Feb 1995 A
5394158 Chia Feb 1995 A
5396227 Carroll Mar 1995 A
5398190 Wortham Mar 1995 A
5406614 Hara Apr 1995 A
5418537 Bird May 1995 A
5422813 Schuchman Jun 1995 A
5423076 Westergren Jun 1995 A
5432841 Rimer Jul 1995 A
5434789 Fraker Jul 1995 A
5454024 Lebowitz Sep 1995 A
5461390 Hosher Oct 1995 A
5470233 Fruchterman Nov 1995 A
5479408 Will Dec 1995 A
5479482 Grimes Dec 1995 A
5485161 Vaughn Jan 1996 A
5485163 Singer Jan 1996 A
5488563 Chazelle Jan 1996 A
5494091 Freeman Feb 1996 A
5497149 Fast Mar 1996 A
5506886 Maine Apr 1996 A
5508931 Snider Apr 1996 A
5513243 Kage Apr 1996 A
5515287 Hakoyama May 1996 A
5517199 DiMattei May 1996 A
5519403 Bickley May 1996 A
5530655 Lokhoff Jun 1996 A
5530914 McPheters Jun 1996 A
5532690 Hertel Jul 1996 A
5535434 Siddoway Jul 1996 A
5539395 Buss Jul 1996 A
5539398 Hall Jul 1996 A
5539829 Lokhoff Jul 1996 A
5543776 L'Esperance Aug 1996 A
5546445 Dennison Aug 1996 A
5552772 Janky Sep 1996 A
5555286 Tendler Sep 1996 A
5568119 Schipper Oct 1996 A
5568153 Beliveau Oct 1996 A
5574648 Pilley Nov 1996 A
5579372 Angstrom Nov 1996 A
5588009 Will Dec 1996 A
5592535 Klotz Jan 1997 A
5594780 Wiedeman Jan 1997 A
5604486 Lauro Feb 1997 A
5606313 Allen Feb 1997 A
5606618 Lokhoff Feb 1997 A
5606850 Nakamura Mar 1997 A
5610815 Gudat Mar 1997 A
5614890 Fox Mar 1997 A
5615116 Gudat Mar 1997 A
5621793 Bednarek Apr 1997 A
5628051 Salin May 1997 A
5629693 Janky May 1997 A
5633912 Tsoi May 1997 A
5636276 Brugger Jun 1997 A
5661652 Sprague Aug 1997 A
5661755 Van de Kerkhof Aug 1997 A
5682600 Salin Oct 1997 A
5689245 Noreen Nov 1997 A
5699053 Jonsson Dec 1997 A
5704029 Wright, Jr. Dec 1997 A
5721781 Deo Feb 1998 A
5731785 Lemelson Mar 1998 A
5740534 Ayerst Apr 1998 A
5761618 Lynch Jun 1998 A
5765152 Erickson Jun 1998 A
5767795 Schaphorst Jun 1998 A
5768509 Gunluk Jun 1998 A
5771353 Eggleston Jun 1998 A
5774533 Patel Jun 1998 A
5774670 Montulli Jun 1998 A
5787357 Salin Jul 1998 A
5794142 Vanttila Aug 1998 A
5797094 Houde Aug 1998 A
5797096 Lupien Aug 1998 A
5802492 DeLorme Sep 1998 A
5806000 Vo Sep 1998 A
5809415 Rossmann Sep 1998 A
5812086 Bertiger Sep 1998 A
5812087 Krasner Sep 1998 A
5822700 Hult Oct 1998 A
5828740 Khuc Oct 1998 A
5835907 Newman Nov 1998 A
5841396 Krasner Nov 1998 A
5857201 Wright, Jr. Jan 1999 A
5864667 Barkan Jan 1999 A
5874914 Krasner Feb 1999 A
5896369 Warsta Apr 1999 A
5920821 Seazholtz Jul 1999 A
5922074 Richard Jul 1999 A
5930250 Klok Jul 1999 A
5930701 Skog Jul 1999 A
5943399 Banister Aug 1999 A
5945944 Krasner Aug 1999 A
5946629 Sawyer Aug 1999 A
5946630 Willars Aug 1999 A
5950130 Coursey Sep 1999 A
5950137 Kim Sep 1999 A
5953398 Hill Sep 1999 A
5960362 Grob Sep 1999 A
5974054 Couts Oct 1999 A
5978685 Laiho Nov 1999 A
5983099 Yao Nov 1999 A
5987323 Huotari Nov 1999 A
5998111 Abe Dec 1999 A
5999124 Sheynblat Dec 1999 A
6014602 Kithol Jan 2000 A
6032051 Hall Feb 2000 A
6035025 Hanson Mar 2000 A
6049710 Nilsson Apr 2000 A
6052081 Krasner Apr 2000 A
6058300 Hanson May 2000 A
6058338 Agashe et al. May 2000 A
6061018 Sheynblat May 2000 A
6061346 Nordman May 2000 A
6064336 Krasner May 2000 A
6064875 Morgan May 2000 A
6067045 Castelloe May 2000 A
6070067 Nguyen May 2000 A
6075982 Donovan Jun 2000 A
6081229 Soliman Jun 2000 A
6081508 West Jun 2000 A
6085320 Kaliski, Jr. Jul 2000 A
6101378 Barabash Aug 2000 A
6104931 Havinis Aug 2000 A
6108533 Brohoff Aug 2000 A
6122503 Daly Sep 2000 A
6122520 Want Sep 2000 A
6124810 Segal Sep 2000 A
6131028 Whitington Oct 2000 A
6131067 Girerd Oct 2000 A
6133874 Krasner Oct 2000 A
6134483 Vayanos Oct 2000 A
6138003 Kingdon Oct 2000 A
6148197 Bridges Nov 2000 A
6148198 Anderson Nov 2000 A
6149353 Nilsson Nov 2000 A
6150980 Krasner Nov 2000 A
6154172 Piccionelli Nov 2000 A
6169891 Gorham Jan 2001 B1
6169901 Boucher Jan 2001 B1
6169902 Kawamoto Jan 2001 B1
6173181 Losh Jan 2001 B1
6178505 Schneider Jan 2001 B1
6178506 Quick, Jr. Jan 2001 B1
6181935 Gossman Jan 2001 B1
6188354 Soliman Feb 2001 B1
6188752 Lesley Feb 2001 B1
6188909 Alanara Feb 2001 B1
6189098 Kaliski, Jr. Feb 2001 B1
6195557 Havinis Feb 2001 B1
6198431 Gibson Mar 2001 B1
6199045 Giniger Mar 2001 B1
6199113 Alegre Mar 2001 B1
6205330 Winbladh Mar 2001 B1
6208290 Krasner Mar 2001 B1
6208854 Roberts Mar 2001 B1
6215441 Moeglein Apr 2001 B1
6219557 Havinis Apr 2001 B1
6223046 Hamill-Keays Apr 2001 B1
6226529 Bruno May 2001 B1
6239742 Krasner May 2001 B1
6247135 Feague Jun 2001 B1
6249680 Wax Jun 2001 B1
6249744 Morita Jun 2001 B1
6249873 Richard Jun 2001 B1
6253203 O'Flaherty Jun 2001 B1
6260147 Quick, Jr. Jul 2001 B1
6266614 Alumbaugh Jul 2001 B1
6275692 Skog Aug 2001 B1
6275849 Ludwig Aug 2001 B1
6278701 Ayyagari Aug 2001 B1
6289373 Dezonno Sep 2001 B1
6297768 Allen, Jr. Oct 2001 B1
6307504 Sheynblat Oct 2001 B1
6308269 Proidl Oct 2001 B2
6313786 Sheynblat Nov 2001 B1
6317594 Gossman Nov 2001 B1
6321091 Holland Nov 2001 B1
6321092 Fitch Nov 2001 B1
6321257 Kotala Nov 2001 B1
6324524 Lent Nov 2001 B1
6327473 Soliman Dec 2001 B1
6327479 Mikkola Dec 2001 B1
6330454 Verdonk Dec 2001 B1
6333919 Gaffney Dec 2001 B2
6360093 Ross Mar 2002 B1
6360102 Havinis Mar 2002 B1
6363254 Jones Mar 2002 B1
6367019 Ansell Apr 2002 B1
6370389 Isomursu Apr 2002 B1
6377209 Krasner Apr 2002 B1
6400314 Krasner Jun 2002 B1
6400958 Isomursu Jun 2002 B1
6411254 Moeglein Jun 2002 B1
6421002 Krasner Jul 2002 B2
6427001 Contractor Jul 2002 B1
6433734 Krasner Aug 2002 B1
6434381 Moore Aug 2002 B1
6442391 Johansson Aug 2002 B1
6449473 Raivisto Sep 2002 B1
6449476 Hutchison, IV Sep 2002 B1
6456852 Bar Sep 2002 B2
6463272 Wallace Oct 2002 B1
6477150 Maggenti Nov 2002 B1
6504491 Christians Jan 2003 B1
6505049 Dorenbosch Jan 2003 B1
6510387 Fuchs Jan 2003 B2
6512922 Burg Jan 2003 B1
6512930 Sandegren Jan 2003 B2
6515623 Johnson Feb 2003 B2
6519466 Pande Feb 2003 B2
6522682 Kohli Feb 2003 B1
6526026 Menon Feb 2003 B1
6529500 Pandharipande Mar 2003 B1
6529829 Turetzky Mar 2003 B2
6531982 White Mar 2003 B1
6538757 Sansone Mar 2003 B1
6539200 Schiff Mar 2003 B1
6539232 Hendrey et al. Mar 2003 B2
6539304 Chansarkar Mar 2003 B1
6542464 Takeda Apr 2003 B1
6542734 Abrol Apr 2003 B1
6542743 Soliman Apr 2003 B1
6549776 Joong Apr 2003 B1
6549844 Egberts Apr 2003 B1
6553236 Dunko Apr 2003 B1
6556832 Soliman Apr 2003 B1
6560456 Lohtia May 2003 B1
6560461 Fomukong May 2003 B1
6560534 Abraham May 2003 B2
6564261 Gudjonsson May 2003 B1
6570530 Gaal May 2003 B2
6571095 Koodli May 2003 B1
6574558 Kohli Jun 2003 B2
6580390 Hay Jun 2003 B1
6584552 Kuno Jun 2003 B1
6587691 Granstam Jul 2003 B1
6594500 Bender Jul 2003 B2
6597311 Sheynblat Jul 2003 B2
6600927 Hamilton Jul 2003 B2
6603973 Foladare Aug 2003 B1
6606495 Korpi Aug 2003 B1
6606554 Edge Aug 2003 B2
6609004 Morse Aug 2003 B1
6611757 Brodie Aug 2003 B2
6618593 Drutman Sep 2003 B1
6618670 Chansarkar Sep 2003 B1
6621452 Knockeart Sep 2003 B2
6621810 Leung Sep 2003 B1
6628233 Knockeart Sep 2003 B2
6633255 Krasner Oct 2003 B2
6640184 Rabe Oct 2003 B1
6650288 Pitt Nov 2003 B1
6661372 Girerd Dec 2003 B1
6665539 Sih Dec 2003 B2
6665541 Krasner Dec 2003 B1
6671620 Garin Dec 2003 B1
6677894 Sheynblat Jan 2004 B2
6680694 Knockeart Jan 2004 B1
6680695 Turetzky Jan 2004 B2
6687504 Raith Feb 2004 B1
6691019 Seeley Feb 2004 B2
6694258 Johnson Feb 2004 B2
6697629 Grilli Feb 2004 B1
6698195 Hellinger Mar 2004 B1
6701144 Kirbas Mar 2004 B2
6703971 Pande Mar 2004 B2
6703972 Van Diggelen Mar 2004 B2
6704651 Van Diggelen Mar 2004 B2
6707421 Drury Mar 2004 B1
6714793 Carey Mar 2004 B1
6718174 Vayanos Apr 2004 B2
6720915 Sheynblat Apr 2004 B2
6721578 Minear Apr 2004 B2
6721871 Piispanen Apr 2004 B2
6724342 Bloebaum Apr 2004 B2
6725159 Krasner Apr 2004 B2
6728701 Stoica Apr 2004 B1
6731940 Nagendran May 2004 B1
6734821 Van Diggelen May 2004 B2
6738013 Orler May 2004 B2
6738800 Aquilon May 2004 B1
6741842 Goldberg May 2004 B2
6744856 Karnik Jun 2004 B2
6744858 Ryan Jun 2004 B1
6745038 Callaway, Jr. Jun 2004 B2
6747596 Orler Jun 2004 B2
6748195 Phillips Jun 2004 B1
6751464 Burg Jun 2004 B1
6756938 Zhao Jun 2004 B2
6757544 Rangarajan Jun 2004 B2
6757545 Nowak Jun 2004 B2
6757828 Jaffe Jun 2004 B1
6771742 McCalmont Aug 2004 B2
6771971 Smith Aug 2004 B2
6772340 Peinado Aug 2004 B1
6775255 Roy Aug 2004 B1
6775267 Kung Aug 2004 B1
6775534 Lindgren Aug 2004 B2
6775655 Peinado Aug 2004 B1
6775802 Gaal Aug 2004 B2
6778136 Gronemeyer Aug 2004 B2
6778885 Agashe Aug 2004 B2
6781963 Crockett Aug 2004 B2
6788249 Farmer Sep 2004 B1
6795444 Vo Sep 2004 B1
6795699 McGraw Sep 2004 B1
6799049 Zellner Sep 2004 B1
6799050 Krasner Sep 2004 B1
6801159 Swope Oct 2004 B2
6804524 Vandermeijden Oct 2004 B1
6807534 Erickson Oct 2004 B1
6810323 Bullock Oct 2004 B1
6813264 Vassilovski Nov 2004 B2
6813560 Van Diggelen Nov 2004 B2
6816111 Krasner Nov 2004 B2
6816580 Timmins Nov 2004 B2
6816710 Krasner Nov 2004 B2
6816719 Heinonen Nov 2004 B1
6816734 Wong Nov 2004 B2
6820069 Kogan Nov 2004 B1
6829475 Lee Dec 2004 B1
6832373 O'Neill Dec 2004 B2
6839020 Geier Jan 2005 B2
6839021 Sheynblat Jan 2005 B2
6839417 Weisman Jan 2005 B2
6842715 Gaal Jan 2005 B1
6847618 Laursen Jan 2005 B2
6847822 Dennison Jan 2005 B1
6853916 Fuchs Feb 2005 B2
6856282 Mauro Feb 2005 B2
6861980 Rowitch Mar 2005 B1
6865171 Nilsson Mar 2005 B1
6865395 Riley Mar 2005 B2
6867733 Sandhu Mar 2005 B2
6867734 Voor Mar 2005 B2
6873854 Crockett Mar 2005 B2
6876734 Summers Apr 2005 B1
6882850 McConnell et al. Apr 2005 B2
6885874 Grube Apr 2005 B2
6885940 Brodie Apr 2005 B2
6888497 King May 2005 B2
6888932 Snip May 2005 B2
6895238 Newell May 2005 B2
6895249 Gaal May 2005 B2
6900758 Mann May 2005 B1
6903684 Simic Jun 2005 B1
6904029 Fors Jun 2005 B2
6907224 Younis Jun 2005 B2
6907238 Leung Jun 2005 B2
6912230 Salkini Jun 2005 B1
6912395 Benes Jun 2005 B2
6912545 Lundy Jun 2005 B1
6915208 Garin Jul 2005 B2
6917331 Gronemeyer Jul 2005 B2
6930634 Peng Aug 2005 B2
6937187 Van Diggelen Aug 2005 B2
6937872 Krasner Aug 2005 B2
6940826 Simard Sep 2005 B1
6940950 Dickinson et al. Sep 2005 B2
6941144 Stein Sep 2005 B2
6944540 King Sep 2005 B2
6947772 Minear Sep 2005 B2
6950058 Davis Sep 2005 B1
6957073 Bye Oct 2005 B2
6961562 Ross Nov 2005 B2
6963557 Knox Nov 2005 B2
6965754 King Nov 2005 B2
6965767 Maggenti Nov 2005 B2
6968044 Beason Nov 2005 B2
6970917 Kushwaha Nov 2005 B1
6973320 Brown Dec 2005 B2
6975266 Abraham Dec 2005 B2
6978453 Rao Dec 2005 B2
6980816 Rohler Dec 2005 B2
6985747 Chithambaram Jan 2006 B2
6993355 Pershan Jan 2006 B1
6996720 DeMello Feb 2006 B1
6999782 Shaughnessy Feb 2006 B2
7024321 Deninger Apr 2006 B1
7024393 Peinado Apr 2006 B1
7047411 DeMello May 2006 B1
7065351 Carter Jun 2006 B2
7065507 Mohammed Jun 2006 B2
7072667 Olrik Jul 2006 B2
7079857 Maggenti Jul 2006 B2
7103018 Hansen Sep 2006 B1
7103574 Peinado Sep 2006 B1
7106717 Rosseau Sep 2006 B2
7110773 Wallace Sep 2006 B1
7136466 Gao Nov 2006 B1
7136838 Peinado Nov 2006 B1
7151946 Maggenti Dec 2006 B2
7174153 Ehlers Feb 2007 B2
7177397 McCalmont Feb 2007 B2
7177398 Meer Feb 2007 B2
7177399 Dawson Feb 2007 B2
7200380 Havlark Apr 2007 B2
7209758 Moll et al. Apr 2007 B1
7209969 Lahti Apr 2007 B2
7218940 Niemenna May 2007 B2
7221959 Lindquist May 2007 B2
7245900 Lamb Jul 2007 B1
7260186 Zhu Aug 2007 B2
7260384 Bales et al. Aug 2007 B2
7321773 Hines Jan 2008 B2
7330899 Wong Feb 2008 B2
7333480 Clarke Feb 2008 B1
7369508 Parantainen May 2008 B2
7369530 Keagy May 2008 B2
7382773 Schoeneberger Jun 2008 B2
7394896 Norton Jul 2008 B2
7428571 Ichimura Sep 2008 B2
7436785 McMullen Oct 2008 B1
7440442 Grabelsky et al. Oct 2008 B2
7573982 Breen Aug 2009 B2
7602886 Beech Oct 2009 B1
7711094 Olshansky May 2010 B1
7783297 Ishii Aug 2010 B2
20010011247 O'Flaherty Aug 2001 A1
20010014085 Johansson et al. Aug 2001 A1
20010040886 Jimenez Nov 2001 A1
20010049274 Degraeve Dec 2001 A1
20020037735 Maggenti Mar 2002 A1
20020052214 Maggenti May 2002 A1
20020061760 Maggenti May 2002 A1
20020069529 Wieres Jun 2002 A1
20020077083 Zellner Jun 2002 A1
20020077084 Zellner Jun 2002 A1
20020077118 Zellner Jun 2002 A1
20020077897 Zellner Jun 2002 A1
20020086676 Hendry Jul 2002 A1
20020098832 Fleischer Jul 2002 A1
20020102996 Jenkins Aug 2002 A1
20020102999 Maggenti Aug 2002 A1
20020111172 DeWolf Aug 2002 A1
20020112047 Kushwaha Aug 2002 A1
20020118650 Jagadeesan Aug 2002 A1
20020123327 Vataja Sep 2002 A1
20020126656 Park Sep 2002 A1
20020138650 Yamamoto Sep 2002 A1
20020156732 Odijk Oct 2002 A1
20020158777 Flick Oct 2002 A1
20020173317 Nykanen Nov 2002 A1
20020191595 Mar Dec 2002 A1
20030009277 Fan Jan 2003 A1
20030009602 Jacobs Jan 2003 A1
20030012148 Peters Jan 2003 A1
20030013449 Hose Jan 2003 A1
20030016804 Sheha Jan 2003 A1
20030026245 Ejzak Feb 2003 A1
20030037163 Kitada Feb 2003 A1
20030040272 Lelievre Feb 2003 A1
20030065788 Salomaki Apr 2003 A1
20030072318 Lam Apr 2003 A1
20030078064 Chan Apr 2003 A1
20030081557 Mettala May 2003 A1
20030086422 Klinker et al. May 2003 A1
20030096626 Sabo et al. May 2003 A1
20030100320 Ranjan May 2003 A1
20030101329 Lahti May 2003 A1
20030101341 Kettler May 2003 A1
20030103484 Oommen Jun 2003 A1
20030108176 Kung Jun 2003 A1
20030109245 McCalmont Jun 2003 A1
20030114157 Spitz Jun 2003 A1
20030119521 Tipnis Jun 2003 A1
20030119528 Pew Jun 2003 A1
20030125042 Olrik Jul 2003 A1
20030137961 Tsirtsis Jul 2003 A1
20030153340 Crockett Aug 2003 A1
20030153341 Crockett Aug 2003 A1
20030153342 Crockett Aug 2003 A1
20030153343 Crockett Aug 2003 A1
20030161298 Bergman Aug 2003 A1
20030196105 Fineberg Oct 2003 A1
20030204640 Sahinoja Oct 2003 A1
20030223381 Schroderus Dec 2003 A1
20040002326 Maher Jan 2004 A1
20040032485 Stephens Feb 2004 A1
20040043775 Kennedy Mar 2004 A1
20040044623 Wake Mar 2004 A1
20040047461 Weisman Mar 2004 A1
20040068665 Fox et al. Apr 2004 A1
20040068724 Gardner Apr 2004 A1
20040092250 Valloppillil May 2004 A1
20040098497 Banet May 2004 A1
20040132465 Mattila Jul 2004 A1
20040148357 Corrigan et al. Jul 2004 A1
20040181689 Kiyoto Sep 2004 A1
20040184584 McCalmont Sep 2004 A1
20040185875 Diacakis Sep 2004 A1
20040190497 Knox Sep 2004 A1
20040198332 Lundsgaard Oct 2004 A1
20040198386 Dupray Oct 2004 A1
20040203922 Hines Oct 2004 A1
20040205151 Sprigg Oct 2004 A1
20040229632 Flynn Nov 2004 A1
20040235493 Ekerborn Nov 2004 A1
20040242238 Wang Dec 2004 A1
20040267445 De Luca Dec 2004 A1
20050028034 Gantman Feb 2005 A1
20050039178 Marolia Feb 2005 A1
20050041578 Huotari Feb 2005 A1
20050043037 Loppe Feb 2005 A1
20050053209 D'Evelyn Mar 2005 A1
20050071671 Karaoguz Mar 2005 A1
20050083911 Grabelsky Apr 2005 A1
20050086467 Asokan Apr 2005 A1
20050090236 Schwinke Apr 2005 A1
20050107673 Ball May 2005 A1
20050112030 Gaus May 2005 A1
20050119012 Merheb Jun 2005 A1
20050132200 Jaffe Jun 2005 A1
20050134504 Harwood Jun 2005 A1
20050135569 Dickinson et al. Jun 2005 A1
20050136885 Kaltsukis Jun 2005 A1
20050149430 Williams Jul 2005 A1
20050149626 Manchester et al. Jul 2005 A1
20050169248 Truesdale Aug 2005 A1
20050174991 Keagy Aug 2005 A1
20050192822 Hartenstein Sep 2005 A1
20050201529 Nelson Sep 2005 A1
20050209995 Aksu Sep 2005 A1
20050213716 Zhu Sep 2005 A1
20050232252 Hoover Oct 2005 A1
20050243778 Wang Nov 2005 A1
20050250516 Shim Nov 2005 A1
20050259675 Tuohino Nov 2005 A1
20050265318 Khartabil Dec 2005 A1
20050266864 Chen et al. Dec 2005 A1
20050271029 Iffland Dec 2005 A1
20050282518 D'Evelyn Dec 2005 A1
20050287979 Rollender Dec 2005 A1
20050287990 Mononen Dec 2005 A1
20050289097 Trossen Dec 2005 A1
20060008065 Longman et al. Jan 2006 A1
20060023747 Koren et al. Feb 2006 A1
20060026288 Acharya Feb 2006 A1
20060036680 Shim Feb 2006 A1
20060053225 Poikselka Mar 2006 A1
20060058042 Shim Mar 2006 A1
20060058102 Nguyen et al. Mar 2006 A1
20060064307 Pakkala Mar 2006 A1
20060068753 Karpen Mar 2006 A1
20060079249 Shim Apr 2006 A1
20060120517 Moon Jun 2006 A1
20060128395 Muhonen Jun 2006 A1
20060135177 Winterbottom Jun 2006 A1
20060188083 Breen Aug 2006 A1
20060193447 Schwartz Aug 2006 A1
20060212558 Sahinoja Sep 2006 A1
20060212562 Kushwaha Sep 2006 A1
20060225090 Shim et al. Oct 2006 A1
20060234639 Kushwaha Oct 2006 A1
20060234698 Fok Oct 2006 A1
20060239205 Warren Oct 2006 A1
20060242230 Smith Oct 2006 A1
20060258380 Liebowitz Nov 2006 A1
20060293024 Benco Dec 2006 A1
20060293066 Edge Dec 2006 A1
20070003024 Olivier Jan 2007 A1
20070019614 Hoffmann Jan 2007 A1
20070022011 Altberg Jan 2007 A1
20070026854 Nath Feb 2007 A1
20070026871 Wager Feb 2007 A1
20070027997 Polk Feb 2007 A1
20070030539 Nath Feb 2007 A1
20070036139 Patel Feb 2007 A1
20070037585 Shim Feb 2007 A1
20070041513 Gende Feb 2007 A1
20070049288 Lamprecht Mar 2007 A1
20070072624 Niemaenmaa Mar 2007 A1
20070081635 Croak Apr 2007 A1
20070082681 Kim Apr 2007 A1
20070082682 Kim Apr 2007 A1
20070115941 Patel May 2007 A1
20070121601 Kikinis May 2007 A1
20070149213 Lamba Jun 2007 A1
20070160036 Smith Jul 2007 A1
20070162228 Mitchell Jul 2007 A1
20070167177 Kraufvelin Jul 2007 A1
20070182547 Wachter Aug 2007 A1
20070202897 Smith Aug 2007 A1
20070206568 Silver Sep 2007 A1
20070206613 Silver Sep 2007 A1
20070242660 Xu Oct 2007 A1
20070243885 Shim Oct 2007 A1
20070244987 Pedersen et al. Oct 2007 A1
20070263610 Mitchell Nov 2007 A1
20070270164 Maier Nov 2007 A1
20080014931 Yared Jan 2008 A1
20080020733 Wassingbo Jan 2008 A1
20080037715 Prozeniuk Feb 2008 A1
20080063153 Krivorot Mar 2008 A1
20080065775 Polk Mar 2008 A1
20080109650 Shim May 2008 A1
20080117859 Shahidi May 2008 A1
20080173709 Ghosh Jul 2008 A1
20080186164 Emigh Aug 2008 A1
20080214202 Toomey Sep 2008 A1
20080263169 Brabec et al. Oct 2008 A1
20090137244 Zhou et al. May 2009 A1
20090158136 Rossano et al. Jun 2009 A1
20090158397 Herzog et al. Jun 2009 A1
20090172804 Spies et al. Jul 2009 A1
20090205027 Salazar et al. Aug 2009 A1
20090265552 Moshir et al. Oct 2009 A1
20090265763 Davies et al. Oct 2009 A1
20090320123 Yu Dec 2009 A1
20100094996 Samaha Apr 2010 A1
20100100928 Gasparini et al. Apr 2010 A1
20100162371 Geil Jun 2010 A1
20100205242 Marchioro, II Aug 2010 A1
20100311447 Jackson Dec 2010 A1
20110053618 Lin et al. Mar 2011 A1
20110145564 Moshir et al. Jun 2011 A1
20110159862 Jackson Jun 2011 A1
20110252146 Santamaria et al. Oct 2011 A1
20110300830 Ramrattan Dec 2011 A1
20110307947 Kariv Dec 2011 A1
20120150968 Yasrebi et al. Jun 2012 A1
20120192287 Cai et al. Jul 2012 A1
20130111550 Naveh May 2013 A1
20130171971 Fujii Jul 2013 A1
20130191908 Klein Jul 2013 A1
20130202108 Kao Aug 2013 A1
Foreign Referenced Citations (9)
Number Date Country
1387239 Feb 2004 EP
PCTSE9801887 Oct 1998 SE
PCTUS9928848 Dec 1999 WO
WO0145342 Jun 2001 WO
PCTUS0146666 Nov 2001 WO
WO2004025941 Mar 2004 WO
PCTUS2005022090 Jun 2005 WO
WO2005051033 Jun 2005 WO
WO2006075856 Jul 2006 WO
Non-Patent Literature Citations (14)
Entry
Intrado Inc., Qwest Detailed SR/ALI to MPC/GMLC Interface Specification for TCP/IP Implementation of TIA/EIA/J-STD-036 E2 with Phase I Location Description Addition, Intrado Informed Response; Apr. 2004; Issue 1.11; pp. 1-57.
International Search Report in PCT/US2007/23243 dated Apr. 2, 2008.
PCT International Search Report (PCTUS2007/23714) and Written Opinion of International Searching Authority, Apr. 18, 2008.
Le-Pond Chin, Jyh-Hong Wen, Ting-Way Liu, The Study of the Interconnection of GSM Mobile Communication System Over IP based Network, May 6, 2001, IEEE, Vehicular Technology Conference, vol. 3, pp. 2219-2223.
Location Based Services V2 Roaming Support (non proprietary), 80-V8470-2NP A, dated Jan. 27, 2005, pp. 1-56.
Qualcomm CDMA Technologies, MS Resident User Plane LBS Roaming—80-VC718-1 E, 2006, pp. 1-37.
Qualcomm CDMA Technologies, LBS Control Plane/User Plane Overview—80-VD378-1 NP B, 2006, pp. 1-36.
Bhalla et al, TELUS, Technology Strategy—LBS Roaming Summit, Sep. 19, 2006.
Alfredo Aguirre, Iusacell, First and Only Carrier in Mexico with a 3G CDMA Network, 2007.
Mike McMullen, Sprint, LBS Roaming Summit, Sep. 19, 2006.
Andrew Yeow, BCE, LBS Roaming Summit, Sep. 19, 2006, pp. 1-8.
Qualcomm CDMA Technologies, LBS Control Plane Roaming—80-VD377-1 NP A, 2006, pp. 1-10.
International Search Report received in PCT/US2013/21199 dated Mar. 26, 2013.
International Search Report received in PCT/US2012/068083 dated Feb. 8, 2013.
Related Publications (1)
Number Date Country
20130291078 A1 Oct 2013 US
Provisional Applications (1)
Number Date Country
61622829 Apr 2012 US