Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
2000-01-24
2004-06-01
Barron, Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C455S411000, C455S433000, C380S247000, C380S248000
Reexamination Certificate
active
06745326
ABSTRACT:
BACKGROUND OF THE INVENTION
The field of this invention is to provide security for data transfers through one or several telecommunications networks.
In this case security means the capacity to authenticate parties that wish to communicate, and then if necessary to setup a secure communication channel between them.
It is particularly but not exclusively, suitable for applications in which a subscriber to a telecommunications network connects through a Mobile Equipment, for example using the GSM (Global System for Mobile communications) telecommunications standard or an equivalent or competitive standard such as DCS 1800 (Digital Cellular at 1800 MHz), PCS 1900 (Personal Communication System at 1900 MHz), DECT (Digital European Cordless Telecommunications) or UTMS (Universal Mobile Telecommunication System).
These communications networks with mobile equipment are managed by “mobile network operators”, hereinafter referred to as “operators”, that perform all subscription management and communication routing functions, and negotiation of access conditions for their subscribers to service providers (or “services or contents servers”) accessible through communications networks.
The process according to the invention is preferably applicable to the case in which the subscriber to the telecommunications network through a mobile terminal would like to connect to a correspondent (typically a service provider) in a secure manner, the service provider being accessible on another telecommunications network interconnected with the subscriber's network.
But the security process according to the invention is advantageously applicable in any other context in which a subscriber who has taken out a subscription to a service accessible through a telecommunications network would like to communicate with a remote third party in a secure manner without transferring secret elements through the network, within a data communication involving either a single network, or two or several interconnected networks, when the transfer from one network to the other involves a protocol change.
Although the invention is originally applicable to communications set up between firstly a closed (GSM type) network to which the subscriber is attached, and an open (Internet type) network; the nature (open or closed) of each of the transmission networks involved is not a restrictive characteristic of the general principle of the invention.
Many content services are usually accessible through an open communications network (typically Internet) that has its own communications protocol. Therefore when a GSM mobile terminal would like to access a service of this type, there is a protocol change at the interface between the GSM network and the access network to the Internet type service provider. The role of telecommunications operators is to perform and manage these mediation and interfacing elements.
At the present time, there are authentication and confidentiality processes specific to each of these two networks. Therefore, known solutions consist of implementing available procedures end to end firstly on one and then on the other network, at the time that each data stream is transmitted. The result is usually a loss of confidentiality at the interface. In particular, the use of secure protocols on each upstream and downstream segment makes it necessary for the operator to be in possession of secret elements, keys and/or cryptographic algorithms required by each authentication and confidentiality process. This responsibility introduces an obligation on the operator to respect confidentiality, which may be undesirable for the service provider, for the subscriber and even for the operator himself.
Another known solution consists of using a third party (usually called a “trusted third part”) for management of secrets, but this solution is also complex and therefore inappropriate in some situations in which the cost and management complexity are not justified.
BRIEF SUMMARY OF THE INVENTION
One purpose of the invention is to overcome these various disadvantages in the state of the art.
More precisely, a first objective of the invention is to provide an authentication procedure that may be implemented independently of the successive networks used by a communication. This type of authentication procedure must at least enable the service provider to authenticate the subscriber, and preferably also enable the subscriber to identity the service provider, during each session.
Another purpose of the invention is to provide a process for transferring data through an encrypted channel so that a subscriber and a service provider can communicate in a secure manner without any action, and possibly even unknown to, the operator of the network to which the subscriber is attached.
Another purpose of the invention is to provide a process that enables the operator to define the security system and to guarantee the quality of authentication on the link that he controls, without the need for him to know the contents or the operating elements of the encrypted channel.
Another purpose of the invention is to enable the subscriber and the service provider to share knowledge of an encryption key for messages that they exchange on the network, each key advantageously being different for each communication session, without the encryption key being transmitted on the network at any time.
Another purpose of the invention is to make optimum use of security resources inherent to a GSM network, namely essentially the use of secret element(s) and algorithm(s) that exist (or can be possibly (re)programmed) in the terminals of network subscribers, typically in the Subscriber Identity Module (the SIM card) cooperating with the subscriber's radiotelephone terminal.
Another purpose of the invention is to provide the subscriber with a password and the means of calculating an encryption/decryption key, that are assigned and managed exclusively by the service provider, and therefore which do not need to be known to the operator or a third party.
Another purpose of the invention is to provide a process that provides genuine “compartmentalization” between the various service providers, from the communications security point of view, and any transactions initiated by the subscriber.
These purposes, and other purposes that will subsequently become evident, are achieved according to the invention by means of a process for ensuring the security of a communication between firstly a subscriber to a telecommunications network and secondly a service provider accessible through an operator of the said telecommunications network to which the subscriber is attached, this process being characterized in that it comprises firstly a process for initial registration of the said subscriber to the said service provider through the said operator, and secondly a process in which each of the communication sessions between the subscriber and the service provider takes place.
A subscriber obviously means not only the user, but also and particularly his network equipment. Similarly, the service provider means mainly the computer server connected to the network. However, as will be seen below, some information transfers may take place outside the network (for example by letter or fax, etc.) and therefore involve other entities, particularly persons, for their execution.
According to the invention, the initial registration process comprises:
firstly, the telecommunications operator provides the service provider with an identifier (Device ID) of the subscriber in his attachment network, and an authenticator (R
1
) of the said subscriber composed of a first numeric value calculated from an identifier (Idx) of the service provider in the operator's network, the said identifier (Device ID) of the subscriber in his attachment network, and a secret element (Sec. Op.) characterizing the subscriber;
secondly, the service provider provides the subscriber with data for identification authentication (Login, mdp) of the subscriber with the said service provider.
Furthermore, according to t
Barron Gilberto
Dinh Minh
Kinney & Lange , P.A.
Societe Francaise du Radiotelephone
LandOfFree
Authentication process including setting up a secure channel... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Authentication process including setting up a secure channel..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Authentication process including setting up a secure channel... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3345580