With the widespread adoption of wireless communication devices, and the proliferation of Wi-Fi hotspots, or IEEE 802.11 WLANs (Wireless Local Area Networks), there is a growing demand for hybrid mobile communication devices that are capable of operating across networks implementing varied wireless technologies. Mobile communication devices, such as cellular telephones, personal digital assistants, and wireless-enabled laptop computers, are now becoming available with interfaces for multiple wireless networks, such as CDMA (Code Division Multiple Access) 1xRTT (1x Radio Transmission Technology), CDMA EVDO (Evolution-Data Optimized) networks, and Wi-Fi networks.
Generally, a mobile device user must be authenticated to a network prior to gaining access to the network services. Challenge-Handshake Authentication Protocol (CHAP) is a common authentication protocol used to effect such authentication. CHAP uses a three-way handshake to verify the identity of the client or user upon initial link establishment. After the link is established, the authentication server sends a challenge message to the mobile device. Using a shared secret, such as a password, the user device responds with a value calculated using a one-way hash function, such as MD5 (Message-Digest 5). The authentication server checks the response against its own calculation of the expected hash value, using the same shared secret. If the values match, the authentication is acknowledged; otherwise the connection is terminated.
When moving between networks, a handoff must occur, requiring an authentication to the new network. In current hybrid architectures, full authentication is repeated, often requiring the user to re-enter username and password information. Even in systems where the login information is passed directly to the new network, the challenge-based authentication can result in slow handoffs, which may be undesirable from a performance perspective. For example, in voice communications, latencies of greater than about 150 ms are considered unacceptable and may be perceptible to the user.
In addition to the speed of the handoff, the authentication to the second network can pose security risks. It is well recognized that some wireless networks are more secure and trusted than other wireless networks. For example, a CDMA 1xRTT network is generally considered to be more secure than an IEEE 802.11-based Wi-Fi network, due to the broader spectrum availability, and established security practices and policies. In less-secure environments, the known vulnerabilities in conventional authentication protocols, such as CHAP, may be exploited by rogue parties to intercept private information.
Certificate-based techniques, using IPSec VPNs (Internet Protocol Security Virtual Private Networks), to support transparent and more secure roaming have been proposed. A disadvantage of such techniques is that the user must be issued the necessary certificates, such as public and private key certificates, over a separately established secure channel, such as an https (HyperText Transfer Protocol Secure sockets) channel, prior to roaming. The use of temporary authentication identities, such as a Temporary Mobile Subscriber Identity (TMSI), have also been proposed to facilitate roaming to pre-authorized Wi-Fi access points within a cell. While such techniques would permit relatively seamless roaming, they require that the TMSI be provided in advance to each authorized access point.
It is, therefore, desirable to provide a method and system for quickly and securely authenticating to a new network, such as when roaming with a mobile communication device.