1. Field of the Invention
The invention relates to a computer method and system for performing user authentication and access control of data traffic at wireline and wireless entry points to the Internet.
2. Background of the Related Art
The popularity of the Internet has made a vast amount of information readily available to anyone with an Internet connection. Internet-enabled electronic mail has become an essential form of business communication. Currently, connections to the Internet are predominantly made with landline access links such as dial-up modems, digital subscriber lines, and cable modems.
These types of connections, although pervasive, offer limited mobility to a user and make the sharing of an Internet connection difficult. For example, many libraries offer Internet access at dedicated computer terminals and some universities provide network access jacks at multiple buildings on their campuses for convenient access by students using laptop computers. Both of these approaches offer a means for accessing the Internet at locations other than one's own landline access link, but both require that one remain stationary at the publicly-provided access point and both require a substantial infrastructure investment on the part of the institution providing the network connection. Since it is not generally possible to have multiple users sharing the same network access jack or dedicated terminal, the institution must provide a separate access point for each patron it wishes to service. Additionally, those institutions offering access jacks to their network, such as universities, typically require that the user have a registered network account before being given access to the network, which further limits the network's accessibility to the public.
Similarly, when a vendor visits a customer site on whose computer network the vendor does not have an account, the vendor will find it very difficult to gain access to the network, and hence to the Internet, email accounts, and other vital data. Should the vendor be fortunate enough to gain access to a network jack, the vendor will still be at the mercy of the customer site's network administrator. For security reasons, it is customary for companies to set up their computer networks to deny access to anyone not already present in their access list of registered users.
Thus, mobile access to the Internet is limited by two factors. The first is the physical requirement for a user to maintain a line connection to sparsely located network access jacks. The second is the difficulty in gaining access to a network on which one does not have a registered account. The first of these factors has begun to be overcome by the introduction of wireless data networks, which do not require that a user maintain an access line plugged into a network access jack and thus do not require that the user remain stationary. Additionally, because the network connections are made wirelessly, it is relatively easy for multiple users to connect and disconnect from a network using the same access point. Overcoming the second factor is not so straightforward, and is addressed more fully below.
An example of a currently widely available wireless data network is the low speed personal communication service (PCS) network. The primary access devices of this type of network are cellular telephones with built-in Wireless Application Protocol (WAP) features. These wireless networks operate in a licensed frequency band, are centrally planned, and are built by large telecommunication carriers. Typically, each cell has a large radius of about 2–10 miles and operates at a slow speed of about 19 Kbps. In any given geographical region there are only a handful of telecommunication carriers servicing the area, and each network is proprietary and closed to competing networks. Thus, to some degree one is not free to roam from one network to another. Additionally, their slow speed makes full access to the Internet impractical and such network devices are typically restricted to abridged textual displays.
An emerging new class of wireless data networks offers higher speeds of about 1–11 Mbps. These networks operate in an unlicensed frequency band and are based on emerging wireless communication protocol standards such as IEEE 802.11, Bluetooth and HomeRF. A common characteristic of these types of networks is a small cell radius of about 200 feet. The cells are radio or infrared base stations that function as access points to a network. Several of these access points may be distributed in close proximity to each other to expand the overall range of this type of wireless network. An introduction to such networks can be found in U.S. Pat. Nos. 5,771,462 and 5,539,824.
Various network configurations may be formed using these types of wireless network devices. FIG. 1 shows multiple computers 11 to 17 equipped with wireless network radio devices characterized by respective antennas 19–25. When computers 11–17 are within close proximity to each other, they can form a type of ad hoc network and communicate among themselves. Absent from this type of ad hoc network, however, is a base station cell that can connect their ad hoc network to a wireline network having landline access to the Internet. Therefore, this type of ad hoc network does not have access to the Internet.
With reference to FIG. 2, in order to access the Internet, one needs to gain access to a network having a router 37 which in turn connects the network to the Internet 35. These types of networks are typically characterized by a server 31 which controls access to various services on the network, including Internet services. Workstations 33 connect to the server 31 by means of various types of hardware cabling media 53. The network may provide wireless access points 41 and 43 to respectively couple computers 47 and 49, which are equipped with wireless communication devices illustrated as antennas, to the hardwired network controlled by server 31. The access points 41 and 43 establish wireless connections with computers 47 and 49 by means of various communication systems such as radio and infrared waves, and have a hardwired connection to server 31 along cable 53. The function of access points 41 and 43 is to relay communication between server 31 and wireless network computers 47 and 49 respectively, but server 31 still controls what services are provided to computers 47 and 49. Thus, server 31 may deny Internet services to computers 47 and 49. Indeed, server 31 may refuse computers 47 and 49 entry to the network if they do not already have network accounts registered with server 31.
As was stated above, wireless networks have a short range, and so a second access point 45 may be used to function as a repeater between a more distant wireless network computer 51 and access point 43. This is an example of using multiple base station access points 43 and 45 to extend the range of a wireless network.
With reference to FIG. 3, many network layout configurations are known, and server 53 need not be located between a router 55 and the other network nodes 61 to 65. In the network layout of FIG. 3, access point 67 has direct access to router 55, which in turn has access to the Internet 59, but this does not mean that server 53 loses its control over the network. Regardless of the layout, server 53 may still be in charge of authenticating new users and assigning resources. Again, access point 67 is illustrated as a wireless access point due to its convenience in permitting multiple users 61 to 65 easy access to the network, but other hardwired access point connections are likewise typical.
In spite of their convenience, such wireless networks have been prohibitive in the past due to their relatively high costs. Until recently, the components required to implement a wireless network had been costly, but recent developments in technology have begun lowering the price of both the cell base stations and radio devices needed to implement a wireless network. Such wireless networks are now becoming more prevalent in the industry, and Applicants envision a time when many small businesses may operate their own autonomous wireless networks. The size of these autonomous wireless networks could range from a city block, to a small building, to a coffee shop. It would then be possible for a mobile user to always have access to a wireless network by means of a mobile computing device equipped with the proper radio communication devices. Thus, this type of wireless network would overcome the first factor limiting the free and mobile access to the Internet discussed above.
Nonetheless, one is still faced with the second factor mentioned above which restricts mobile access to the Internet. Since most autonomous wireless networks are independent, a mobile user would typically not be given access to a target network unless an access account had been set up ahead of time for the mobile user on the target network. Even if a user had access accounts at multiple wireless networks, the user would have to stop his activities and re-authenticate on a different wireless network every time he moved from one autonomous network to another.
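The access-control arrangement of FIGS. 2 and 3 (an access point that only relays, a server that admits registered accounts and grants services) and the roaming problem just described can be made concrete with a small model. The following Python is an added illustration written for this section, not code from the patent or any of the cited systems; the network names, account names, credentials and service labels are constructed sample data, and the salted PBKDF2 credential check is an assumption about how such a server would store passwords rather than anything the text specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample parameters (assumption, not from the text).
PBKDF2_ROUNDS = 50_000
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def hash_credential(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    services: frozenset  # services this account may use, e.g. {"internet"}


@dataclass
class AccessServer:
    """Models 'server 31' / 'server 53': the one place that decides entry and services."""
    network_name: str
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (network, user, service, decision)

    def register(self, user: str, password: str, services) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_credential(password, salt),
                                      frozenset(services))

    def authorize(self, user: str, password: str, service: str) -> bool:
        acct = self.accounts.get(user)
        # Always hash, so an unregistered name is not revealed by a faster reply.
        salt = acct.salt if acct else DUMMY_SALT
        presented = hash_credential(password, salt)
        if acct is None:
            decision = "deny: no registered account"
        elif not hmac.compare_digest(acct.digest, presented):
            decision = "deny: bad credential"
        elif service not in acct.services:
            decision = f"deny: service '{service}' not granted"
        else:
            decision = "permit"
        self.audit.append((self.network_name, user, service, decision))
        return decision == "permit"


class AccessPoint:
    """Models access points 41/43/67: relays the request, makes no decision itself."""

    def __init__(self, server: AccessServer):
        self.server = server

    def relay(self, user: str, password: str, service: str) -> bool:
        return self.server.authorize(user, password, service)


def roaming_demo() -> dict:
    """Two independent autonomous networks, each with its own account list."""
    office = AccessServer("office-net")
    office.register("alice", "alice-office-pw", {"internet", "email"})
    office.register("bob", "bob-office-pw", {"email"})  # no Internet service granted

    cafe = AccessServer("cafe-net")
    cafe.register("alice", "alice-cafe-pw", {"internet"})  # separate account, separate secret

    office_ap, cafe_ap = AccessPoint(office), AccessPoint(cafe)
    return {
        # registered user, granted service -> permitted
        "alice_office_internet": office_ap.relay("alice", "alice-office-pw", "internet"),
        # registered user, but server withholds the Internet service
        "bob_office_internet": office_ap.relay("bob", "bob-office-pw", "internet"),
        # alice roams to the cafe; her office credential means nothing there
        "alice_cafe_office_pw": cafe_ap.relay("alice", "alice-office-pw", "internet"),
        # she must re-authenticate with the cafe's own account to proceed
        "alice_cafe_cafe_pw": cafe_ap.relay("alice", "alice-cafe-pw", "internet"),
        # bob has no account at the cafe at all
        "bob_cafe_internet": cafe_ap.relay("bob", "bob-office-pw", "internet"),
        "audit_entries": len(office.audit) + len(cafe.audit),
    }


if __name__ == "__main__":
    for k, v in roaming_demo().items():
        print(f"{k}: {v}")
```

The point of the model is where the decision lives: the access point is a relay, every admit/deny is taken by the server against its own registry, and each decision is written to an audit list so that repeated denials at an entry point remain visible to the operator. Because each autonomous network keeps its own registry, Alice is refused at the cafe with her office credential and must authenticate again there, which is exactly the second factor the text identifies.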
Some prior art can be found in the areas describing methods of accessing foreign networks and methods of implementing multiple network transfers. U.S. Pat. No. 5,878,127, for example, shows a telephone system that facilitates remote access to a private network from non-network locations or stations. The system authorizes remote access to the private network based on a calling party number of the non-network station and/or an authentication code entered by the remote calling party. U.S. Pat. No. 6,016,318 describes various methods of providing access to a private LAN and to the Internet via a “public mobile data network” including a location register, which serves as a database for storing location information of mobile data terminals and subscriber information. On a similar note, U.S. Pat. No. 5,978,373 shows a method by which a remote user can gain secure access to a private WAN. A central authentication office acts as a proxy to authorize a remote user and establish a secure connection to the private network. The central office sends the remote user a service registration template HTML file to be filled in by the remote user. Once the remote user has been authenticated, a connection is made with the private network. Similarly, U.S. Pat. No. 5,918,019 shows a system by which a remote user can establish a simulated direct dial-up connection to a private network via the Internet.
U.S. Pat. No. 6,000,033 describes a system wherein a user has accounts in multiple databases with different passwords in each of the databases. To access all of the databases, the user logs on to a master password database which then submits the appropriate password to whichever database the user wishes to access. U.S. Pat. No. 5,872,915 shows a method of permitting secure access to software on a web server via the Internet. A user enters data via a web browser, which is communicated to the web server application. The web server application then authenticates the web browser, and passes appropriate input data to an application gateway, including data to uniquely identify the web browser. The application gateway then uses authentication data received from the browser to determine whether the user of the browser is authorized to access the software application. U.S. Pat. No. 5,805,719 describes another method of authenticating a user wherein the system forgoes the use of ID tokens in favor of authorizing transactions by using the correlative comparison of a unique biometric sample, such as a fingerprint or voice recording, gathered directly from the person of an unknown user, with an authenticated biometric sample of the same type obtained and stored previously.