1. Field of the Invention
The present disclosure relates to authentication of a user in a communications system.
2. Description of the Related Art
A communication system can be seen as a facility that enables communication sessions between two or more entities such as user equipment and/or other nodes associated with the communication system. The communication may comprise, for example, communication of voice, data, multimedia and so on. A user equipment connected to a communication system may, for example, be provided with a two-way telephone call or multi-way conference call or with a data connection. In addition to voice call services, various other services, for example multimedia services or other data services, may be provided for a user. A user equipment may communicate packet data to and from a server entity, or between two or more user equipments.
A communication system typically operates in accordance with a given standard or specification which sets out what the various entities associated with the system are permitted to do and how that should be achieved. Communication protocols and/or parameters which shall be used for the connection are also typically defined. In other words, a specific set of “rules” on which the communication can be based needs to be defined to enable a user to communicate via the communication system.
Communication systems providing wireless communication for user equipment are known. These systems are commonly referred to as mobile systems, although in certain systems the mobility may be restricted to substantially small areas. An example of the mobile systems is the public land mobile network (PLMN). Another example is a mobile system that is based, at least partially, on use of communication satellites. Mobile communications may also be provided by means of other types of systems, such as by means of wireless local area networks (WLAN).
In a PLMN system a base station provides user equipment with access to the communication system. A user equipment may be in wireless communication with two or more base stations at the same time. Communication on the wireless interface between the user equipment and the base station(s) can be based on an appropriate communication protocol. Examples of the various wireless access systems include the CDMA (Code Division Multiple Access), WCDMA (Wide-band CDMA), TDMA (Time Division Multiple Access), FDMA (Frequency Division Multiple Access), or SDMA (Space Division Multiple Access) and hybrids thereof.
The operation of the network apparatus is controlled by an appropriate control arrangement commonly including a number of various control entities with different functions. One or more gateway nodes may also be provided for connecting a network to other networks. For example, a cellular network may be connected to other cellular or fixed line communication networks or communication networks such as an IP (Internet Protocol) and/or other packet data networks.
A user or the user equipment commonly needs to be authenticated before he/she is allowed to access or otherwise use various applications and services. This may be required for security and privacy reasons. The networks may need to be sure that the user is whoever he/she claims to be, that the user has the right to use a certain service, that the user can be provided with an access to sensitive information and so on.
A user can be identified based on various identifiers. These can be divided into public and private or secret identifiers. The secret identifiers are typically only known by the operator, whereas the public identifiers may be made public. Examples of secret user identities include the International Mobile Subscriber Identity (IMSI) and the IP Multimedia Private Identity (IMPI). Examples of public identities include the Mobile Subscriber Integrated Services Digital Network Number (MSISDN) and the IP Multimedia Public Identity (IMPU).
Various authentication mechanisms are already in place, or have been proposed. An example of an authentication mechanism is the ‘Generic Authentication Architecture’ (GAA) as proposed by the third generation partnership project (3GPP). The GAA is intended to be used as a security procedure for various applications and services for users of mobile user equipment, such as mobile stations for cellular systems. The GAA is based on secret user identities that are stored on specific secure storage entities provided in association with the user equipment and in subscriber databases. The secure storage entity of a user equipment may be provided by an appropriate security module or identification module. The subscriber database may be provided by a network entity such as a Home Location Register or Home Subscriber Server (HLR/HSS). The secure user identity storage entities and the subscriber database entities are typically directly controlled by the operators who issue the user identities and who typically run and own the subscriber databases. It is a commonly held view that use of the secret identities together with operator controlled databases provides a solid platform for user authentication.
However, because proposals for authentication systems such as the GAA are based on subscriber databases, they are restricted by the necessity to use user identities originating from the operators. These identities are referred to in the following by terms such as home operator identities or network originated identities. Potential applications, however, may use their own user identities that are not known by the operators, or whose authenticity cannot be confirmed by the operators, and therefore the current authentication mechanisms may not be applicable. These identities are referred to in the following as non-network originated identities. At present, user identities that do not belong to the class of existing mobile user identities, i.e. the non-network originated identities, cannot be authenticated by these mechanisms. Such user identities are typically used by users of user equipment to access specific applications which for one reason or another do not use the network originated identity. It would nevertheless be advantageous if an existing operator based authentication mechanism could be used also for identities which originate outside the operator's domain.
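To make the mechanism and its limitation concrete, the following is an added example, not part of the disclosure and not 3GPP code. It models the operator-controlled authentication sketched above: the subscriber database (HSS role) holds a secret key indexed by the private identity (IMPI), the terminal's security module holds the same key, and authentication is a mutual challenge-response. HMAC-SHA256 stands in for the real AKA functions, the identities, domain and keys are constructed sample values, and the function names are the example's own. The point it demonstrates is that an identity with no entry in the subscriber database, such as an application's own user name, cannot be authenticated at all.

```python
import hmac
import hashlib
import os

# Constructed, simplified model: NOT 3GPP AKA/Milenage and NOT the GBA key derivation.
# Subscriber database (HSS/HLR role): secret key K indexed by the private identity (IMPI).
# The IMPI, domain and key below are sample values made up for this example.
IMPI_ALICE = "234150999999999@ims.mnc015.mcc234.3gppnetwork.org"
HSS_DB = {
    IMPI_ALICE: bytes.fromhex("00112233445566778899aabbccddeeff"),
}

# Public identities (IMPU role) mapped to the private identity they belong to.
IMPU_TO_IMPI = {
    "sip:alice@ims.mnc015.mcc234.3gppnetwork.org": IMPI_ALICE,
}


class UnknownIdentity(Exception):
    """Raised when the subscriber database has no secret for the identity presented."""


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation with domain separation (stand-in for the AKA f1..f5 functions)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def hss_challenge(impi: str, rand: bytes = None) -> dict:
    """Network side: look up K by IMPI and build an authentication vector.

    Returns RAND, the network MAC (lets the terminal authenticate the network),
    the expected response XRES and the session key Ks. A random RAND is drawn
    unless one is supplied (deterministic RAND is only for testing).
    """
    if impi not in HSS_DB:
        raise UnknownIdentity(impi)
    k = HSS_DB[impi]
    rand = rand if rand is not None else os.urandom(16)
    return {
        "rand": rand,
        "mac": _prf(k, b"mac", rand, impi.encode()),
        "xres": _prf(k, b"res", rand),
        "ks": _prf(k, b"ks", rand),
    }


def ue_respond(secure_module: dict, impi: str, rand: bytes, mac: bytes) -> tuple:
    """Terminal side: the security module verifies the network MAC, then answers the challenge."""
    k = secure_module[impi]
    if not hmac.compare_digest(mac, _prf(k, b"mac", rand, impi.encode())):
        raise ValueError("network authentication failed")
    return _prf(k, b"res", rand), _prf(k, b"ks", rand)


def authenticate(identity: str, secure_module: dict) -> bytes:
    """Full exchange for one identity. Returns the agreed session key, or raises.

    A public identity is resolved to its IMPI first; a bare IMPI is accepted as-is.
    An identity unknown to the subscriber database (e.g. an application-specific
    user name) fails with UnknownIdentity before any challenge is issued.
    """
    impi = IMPU_TO_IMPI.get(identity, identity)
    av = hss_challenge(impi)
    res, ks_ue = ue_respond(secure_module, impi, av["rand"], av["mac"])
    if not hmac.compare_digest(res, av["xres"]):
        raise ValueError("user authentication failed")
    assert ks_ue == av["ks"]  # both sides derived the same session key
    return av["ks"]


if __name__ == "__main__":
    # Terminal security module holding the operator-issued secret (same sample key).
    module = {IMPI_ALICE: HSS_DB[IMPI_ALICE]}
    ks = authenticate("sip:alice@ims.mnc015.mcc234.3gppnetwork.org", module)
    print("network originated identity: session key", ks.hex())
    try:
        authenticate("alice@some-application.example", module)
    except UnknownIdentity as e:
        print("non-network originated identity rejected:", e)
```

Running the block shows the two outcomes side by side: the operator-issued identity completes the exchange and both sides end up with the same session key, while the application's own identity is rejected by the subscriber database lookup, which is exactly the gap the disclosure sets out to close. A terminal presenting the right identity but the wrong key fails earlier still, at the network MAC check, so a forged challenge cannot extract a response from the security module.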
It is noted that the problem is not limited to mobile systems, but may occur in any communication environment wherein the user may access services and applications by different types of user equipment and/or via different access systems.