1. Field of the Invention
This present invention relates to a method and apparatus for using mobile phone based generic authentication architecture credentials in personal computer environments.
2. Description of the Related Art
Universal subscriber identity module (USIM) based authentication is useful for many services, and in particular, where a user does not need to maintain passwords or certificates for client authentication. Shared keys using generic bootstrapping architecture (GBA), also known as GBA credentials, can be used in the mobile phone industry, and are useful for authenticating a mobile phone to network application functions (NAF). GBA generally includes the bootstrapping process, i.e., the establishment of a shared secret, while generic authentication architecture (GAA) includes both GBA and the usage of GBA credentials. As background, it would be helpful to refer to the Third Generation Participation Project (3GPP) specifications, such as 3GPP TS 33.220, 3GPP TS 24.109, and 3GPP TR 33.919 for additional description on the standards and specifications associated therewith. However, there are a large number of potential applications for this technology in the personal computer domain, and since it is generally convenient to use authentication-based services on personal computers, application of this technology to the personal computer domain is desirable.
Generally, if a user wants to use one set of GBA credentials for the same services on different devices, e.g., to use the authentication from a mobile phone for a personal computer, palm pilot, hand-held computer, or other electronic device, then there are two possibilities. The first possibility is to run GBA on the personal computer using a universal subscriber identity module placed in a smart card reader that is in communication with the computer. The second possibility is to run GBA on a mobile phone, and then transfer the GBA credentials from the mobile phone to the personal computer, where the GBA credentials will be used towards a network application function. The first option is difficult and generally impractical, as it requires the user to remove the universal subscriber identity module from the mobile phone and put the universal subscriber identity module into the personal computer. Although this may be possible for WCDMA (and SIMs of GSM devices), removal of a universal subscriber identity module from a first generation CDMA mobile device is generally not possible without substantial effort. This process would likely require not only redesign of the universal subscriber identity module for the mobile phone such that the module could be easily removed from the phone, but also, an interface for the removable universal subscriber identity module to communicate with the personal computer would also be required. As such, application of the first option is generally impractical and undesirable.
There have been other conventional proposals to use the split terminal configuration for GBA standardization. One implementation involves configuring a mobile phone to use an IP stack on a proximity interface like an infrared (IR) interface, a Bluetooth® connection, or a serial cable, that is connected to a personal computer, and the personal computer opens the Internet for the phone. However, this proposal presents challenges, in that the user would be required to know how to configure the stack setup for the mobile phone and the personal computer to make the proposal work properly.
Another possibility for a split terminal configuration setup would be to forward all of the bootstrapping messages from the mobile terminal to the personal computer, and then the personal computer would proxy the messages to the bootstrapping server function (BSF). This proposal, although simplistic in its explanation, has substantial implementation difficulties, as the mobile phone software and the personal computer operating system are highly organized, and as such, any modifications to this code or functionality requires substantial effort and presents a high likelihood of conflict with other operational characteristics of the respective devices.
The present invention addresses the problem of how GBA credentials could be used in a device that is not equipped with universal subscriber identity module (USIM), i.e., a device that is USIM less. Described herein is how third generation partnership project (3GPP) generic authentication architecture (GAA) could be used in a scenario where the user equipment has been split into two parts: first, mobile terminal that contains the universal subscriber identity module and GAA functionality; and second, a personal computer/laptop with applications that use GAA remotely for authentication purposes. This scenario is commonly referred to as the split terminal configuration.
Also described herein is how third generation partnership project (3GPP) generic authentication (GAA) could be used in a personal computer by passing the majority of the GAA functionality to the personal computer, so that the personal computer constructs the messages needed for HTTP-digest-AKA protocol that are used in generic authentication architecture bootstrapping.
Conventionally, there have been several mechanisms for authenticating to third party services from the personal computer environments. Some examples are combinations of usernames and passwords or personal identification numbers (PIN), secure Ids, client digital certificates, smart cards, etc. Some of these methods are generally weak from an authentication perspective, while some are relatively strong. Many of the methods and apparatuses that are strong in terms of authentication need either extra hardware (like smart card and a reader) or extra expenditure (client certificate needs to be bought). The alternative proposed by the present invention is much more cost effective and is a stronger authentication mechanism.
Once the supporting infrastructure for the 3GPP GAA is built and operational, then use of the credentials obtained for user equipment mobile terminals will be available for use in user equipment personal computers that are in a split terminal configuration with the user equipment mobile terminal.