Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1997-02-11
2003-06-03
Barrón, Gilberto (Department: 2132)
C380S257000
active
06574730
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to terminal authentication in a communications network such as in a telecommunications network.
2. Description of the Related Art
In a typical network providing telephony, fax and associated services, such as a public switched telephone network (PSTN), customer premises equipment (CPE) is connected via network termination equipment (NTE) to the PSTN for mutual intercommunication via switches or exchanges which constitute nodes in the network. There are various levels of exchange. The exchange functionally nearest a customer's NTE, through which all calls to and from that customer may be routed, is known as the local exchange.
A telephone service is usually ‘post-payment’ in nature, i.e. billing is carried out retrospectively over a period since the last billing date. Apart from the basic security aspect, it is desirable to be able to authenticate the use of service user equipment to minimise the opportunity for unauthorised access to the network, as this may lead to billing disputes with the customer. For example, if an unauthorised user taps into a customer's line between the NTE and the local exchange, any chargeable service provided to the unauthorised user will be recorded as used by the authorised customer and billed accordingly.
Various systems are known for providing authentication. For example, a calling-card-based system involves the user keying in, through the telephone, a sequence of numbers to establish the user's identity. Another example is the use of a button, programmed to send a personal identification number (PIN), on the telephone equipment which allows access to an enhanced level of service, or an alternative network, through the same local exchange. For more specialist services this may be acceptable. However, such systems require the user to establish his or her identity as part of the call set-up procedure.
Although this added complexity may not be a severe problem on more specialist or less frequently used services, it is still an inconvenience which it would be advantageous to remove from that part of the call set-up procedure carried out by the customer. This is particularly so when the customer is using a standard service on a frequent basis. Removing the authentication steps from the customer would streamline the procedure considerably.
SUMMARY OF THE INVENTION
The present invention provides a method of authenticating a network terminal on a communications network, the method comprising the steps of:
indicating to a security node associated with the network that a user of the terminal requires use of the network;
calculating an authentication code at the terminal, the authentication code being a function of a transaction number encrypted by means of a first key associated with the terminal, and a first algorithm;
transmitting the authentication code to the security node;
calculating an expected authentication code at the security node based on the transaction number, the first algorithm and the first key;
comparing the expected authentication code with the received authentication code; and
denying unrestricted access to the network for the terminal unless the expected and received authentication codes match.
The terminal may be part of an NTE with which the security node communicates to establish authentication or not. Alternatively, the terminal may be part of the actual customer equipment connected with the network through the NTE.
Preferably, the security node calculates at least one first key for the terminal, the or each first key being a function of a security algorithm stored within the node, the terminal identification code and a second key, the or each first key being loaded into the terminal for later use with the first algorithm in authenticating a terminal. Advantageously, the first key is a function of the terminal identification code encrypted by the second key using the security algorithm.
In a preferred embodiment, the transaction number is a variable number which is changed after each authentication attempt.
The security node may generate the transaction number, which is sent as a challenge to the terminal in response to the indication received by the security node that the user requires use of the network.
Conveniently, the security node prevents access to the network for the terminal in the event that no match between the expected and received authentication codes is made within a predetermined duration.
Preferably, the terminal transmits a negative acknowledgement to the security node in the event that no challenge, or an invalid challenge, is received following an indication that the user requires use of the network.
The first key may be loaded into the terminal remotely by the security node, or locally from storage means connected temporarily to the terminal.
Advantageously, the or each first key is identified at the security node by calculation from the terminal identification code. Alternatively, the or each first key is identified at the security node by means of a look-up table based on the terminal identification code.
Preferably, the security node permits a dial tone to be established with the terminal independent of the result of the authentication. In this case, the security node may permit access to the network for identifiable emergency traffic and/or non-chargeable traffic in the event that the expected and received authentication codes do not match.
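A worked model of the authentication exchange set out in the method steps above, together with the preferred embodiments (first key derived at the security node from the terminal identification code and a second key, a transaction number that changes after every attempt, a predetermined duration for the attempt, a negative acknowledgement when no valid challenge arrives, and dial tone with emergency or non-chargeable traffic only when the codes do not match). It is added here as an example and is not code from the patent or from British Telecommunications plc. The patent fixes no cipher, so HMAC-SHA256 stands in for both the security algorithm and the first algorithm; the eight-byte random transaction number, the 16-byte authentication code, the five-second timeout, the terminal identifier and the emergency and non-chargeable number lists are all assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets
import time

# Assumptions (the patent fixes none of these): HMAC-SHA256 stands in for both the
# "security algorithm" and the "first algorithm"; the transaction number is 8 random
# bytes; the authentication code is the first 16 bytes of the HMAC output.
TN_LEN = 8
CODE_LEN = 16
CHALLENGE_TIMEOUT_S = 5.0   # the "predetermined duration" before an attempt lapses


def derive_first_key(second_key: bytes, terminal_id: str) -> bytes:
    """Security node: first key = terminal identification code processed under the
    second (master) key by the security algorithm. Computed on demand, no look-up table."""
    return hmac.new(second_key, terminal_id.encode(), hashlib.sha256).digest()


def authentication_code(first_key: bytes, transaction_number: bytes) -> bytes:
    """First algorithm, run identically in the terminal and in the security node."""
    return hmac.new(first_key, transaction_number, hashlib.sha256).digest()[:CODE_LEN]


class Terminal:
    """NTE-side authenticator holding its terminal ID and the pre-loaded first key."""

    def __init__(self, terminal_id: str, first_key: bytes):
        self.terminal_id = terminal_id
        self.first_key = first_key

    def respond(self, challenge):
        """Answer a challenge; send a negative acknowledgement if it is missing or malformed."""
        if not isinstance(challenge, bytes) or len(challenge) != TN_LEN:
            return {"terminal_id": self.terminal_id, "nak": True}
        return {"terminal_id": self.terminal_id,
                "code": authentication_code(self.first_key, challenge)}


class SecurityNode:
    """Exchange-side verifier: issues a fresh transaction number per attempt and decides
    between unrestricted access and restricted access (emergency/non-chargeable only)."""

    def __init__(self, second_key: bytes):
        self.second_key = second_key
        self.pending = {}   # terminal_id -> (transaction_number, issued_at)

    def challenge(self, terminal_id: str, now=None) -> bytes:
        tn = secrets.token_bytes(TN_LEN)        # changed after every attempt
        self.pending[terminal_id] = (tn, time.monotonic() if now is None else now)
        return tn

    def verify(self, response: dict, now=None) -> str:
        now = time.monotonic() if now is None else now
        pending = self.pending.pop(response["terminal_id"], None)  # one challenge, one answer
        if pending is None or response.get("nak"):
            return "restricted"
        tn, issued_at = pending
        if now - issued_at > CHALLENGE_TIMEOUT_S:
            return "restricted"          # no match within the predetermined duration
        first_key = derive_first_key(self.second_key, response["terminal_id"])
        expected = authentication_code(first_key, tn)
        if hmac.compare_digest(expected, response.get("code", b"")):
            return "unrestricted"
        return "restricted"


def route_call(decision: str, dialled: str,
               emergency=("999", "112"), non_chargeable=("100",)) -> str:
    """Dial tone is given regardless of the result; a restricted terminal may only
    reach emergency or non-chargeable numbers (constructed example number lists)."""
    if decision == "unrestricted" or dialled in emergency or dialled in non_chargeable:
        return "connect"
    return "blocked"


def run_scenarios() -> dict:
    """Constructed scenarios: genuine terminal, line tap without the key, replay, stale, NAK."""
    node = SecurityNode(second_key=secrets.token_bytes(32))
    tid = "NTE-0001"
    genuine = Terminal(tid, derive_first_key(node.second_key, tid))   # key provisioned by the node
    tapper = Terminal(tid, secrets.token_bytes(32))                   # knows the ID, not the key
    out = {}

    first_response = genuine.respond(node.challenge(tid))
    out["genuine"] = node.verify(first_response)

    out["tapper"] = node.verify(tapper.respond(node.challenge(tid)))

    node.challenge(tid)                                   # new transaction number issued
    out["replay"] = node.verify(first_response)           # recorded code no longer matches

    resp = genuine.respond(node.challenge(tid, now=0.0))
    out["stale"] = node.verify(resp, now=CHALLENGE_TIMEOUT_S + 1)

    node.challenge(tid)
    out["nak"] = node.verify(genuine.respond(None))       # terminal saw no valid challenge
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:8s} -> {decision}")
    print("restricted terminal dialling 999:", route_call("restricted", "999"))
```

Two details carry the security argument of the background section: the tapper on the line between the NTE and the local exchange sees the terminal identification code and every past authentication code, but because the node issues a new transaction number for each attempt and consumes it on the first answer, a recorded code never matches the next expected value, and without the first key the tapper cannot compute a fresh one. The comparison uses `hmac.compare_digest` so that the match check does not leak timing information about the expected code.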
The telecommunications network may have a plurality of exchanges, each for routing traffic to, and from, a plurality of terminals, at least one of the exchanges having the security node associated therewith.
The invention also provides a system for authenticating terminals on a communications network comprising a security node and a plurality of terminals connected to the network through the node, at least one of the terminals comprising processing means including a memory, and terminal signalling means operably connected to the network and enabled by the processing means, the terminal signalling means being arranged to transmit to the security node an authentication code after a potential user initiates a use of the network, the authentication code being calculated by the processing means as a function of a transaction number encrypted by means of a first algorithm and a first key associated with that terminal, the security node being operable to calculate an expected authentication code from that terminal using the transaction number, the first algorithm also stored in the security node, and the first key, and to deny unrestricted access to the network for that terminal unless the expected and received authentication codes match.
The invention further provides a customer terminal for a communications network, the terminal comprising a customer port for customer equipment compatible to the network, a network port for connecting the terminal to the network, processing means including a memory, the processing means being arranged to receive signals through the network port, and signalling means arranged to transmit signals through the network port, the processing means being operable, following initiation of use of the network by a user, to calculate an authentication code which is a function of a transaction number encrypted by means of a first algorithm and a first key associated with the terminal, and to enable the signalling means to transmit the authentication code through the network port.
Preferably, the signalling means is a modem, for example a FSK modem for data transmission on the network. However, other signalling means may be used. For example, a dual tone multi-frequency (DTMF)-based system could be employed.
The present invention requires only the authenticating equipment to be connected between the user's equipment, for example a telephone, and the security node governing authentication for the local exchange associated with the NTE. The authenticating equipment communicates cryptographically with the security node to provide authentication of the equipment ini
Bissell Robert Andrew
Bosworth Kevin Paul
Britnell Michael John
Harding Peter Maxwell
Hicks Richard Middleton
Barrón Gilberto
British Telecommunications plc
Nixon & Vanderhye P.C.
Profile ID: LFUS-PAI-O-3143428