Currently, Wi-Fi hotspots are deployed globally by various Wireless Internet Service Providers (WISPs). Electronic devices with Wi-Fi chipsets and capabilities are able to connect to these Wi-Fi hotspots to access data networks, such as the Internet. These devices include, but are not limited to, personal laptops, mobile handsets, televisions, digital cameras, and DVD players. Normally these hotspots require the users to be authenticated and authorized before accessing their network services. The users must supply their own credentials for the Wi-Fi networks to authenticate against the users' home service providers. A typical credential that is widely used in current public hotspots is a username and password combination.
For mobile networks, user credentials are issued as a Subscriber Identity Module (SIM) card for Global System for Mobile Communications (GSM) networks. A SIM card securely stores a secret authentication key (Ki) identifying a mobile phone service subscriber, as well as subscription information, preferences, and other information. The SIM card also securely stores the A3 and A8 programmable algorithms, the same logic as the A3/A8 algorithms stored in the mobile network's Home Location Register (HLR). The SIM card also stores the International Mobile Subscriber Identity (IMSI), which is used to uniquely identify the mobile phone service subscriber. When the SIM card is manufactured, the IMSI is paired with an authentication key Ki, a 128-bit number used for authentication and cipher key generation. The Ki is stored only on the SIM card and at the HLR and is never transmitted across the network, on any link.
The SIM card has corresponding components in different mobile networks. For example, the corresponding component in Universal Mobile Telecommunications System (UMTS) networks is the Universal SIM (USIM) card. The corresponding component in Code Division Multiple Access (CDMA) networks is the Removable User Identity Module (R-UIM) card.
The user credential, as a SIM card, is needed in the smartphone to complete the authentication and service registration procedure in mobile networks. Utilizing the existing user credential for the authentication, authorization, and accounting (AAA) in Wi-Fi/WiMAX networks is a challenge for seamless roaming when offloading mobile data to Wi-Fi/WiMAX networks.
IEEE specification 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 LAN/WLAN, which is known as “EAP over LAN,” or EAPOL. The standard formats and procedures to implement the SIM-based authentication protocol (the EAP Method for GSM Subscriber Identity Module, or EAP-SIM, for authentication and session key distribution using the SIM from GSM) are defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 4186. IETF RFC 4187 defines the EAP method for UMTS Authentication and Key Agreement (EAP-AKA) authentication.
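The following is an added example, not part of the original document, illustrating the SIM/HLR challenge-response described above and the first step of EAP-SIM key derivation from RFC 4186. It assumes a keyed hash as a stand-in for the operator's A3/A8 algorithms, and the IMSI and Ki values are constructed placeholders; the point shown is that only RAND and SRES cross the link while Ki stays on the SIM and at the HLR.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed subscriber record: IMSI plus a 128-bit Ki provisioned to both
# the SIM and the HLR at manufacture (placeholder values, not a real subscriber).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption: a keyed hash). Real
    networks use operator-specific algorithms; the output shape is the same:
    a 32-bit SRES for authentication and a 64-bit Kc cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Holds Ki and only ever answers a RAND with SRES, keeping Kc locally."""
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

class Hlr:
    """Maps IMSI -> Ki and issues GSM triplets (RAND, SRES, Kc) on request."""
    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self._subscribers = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._subscribers[imsi], rand)
        return rand, sres, kc

def authenticate(sim: Sim, hlr: Hlr, n: int = 2) -> tuple[bool, list[bytes]]:
    """Challenge the SIM with n RANDs; only RAND and SRES cross the link,
    Ki stays inside Sim and Hlr. Returns (success, list of Kc)."""
    triplets = [hlr.triplet(sim.imsi) for _ in range(n)]
    ok = all(hmac.compare_digest(sim.run_gsm_algorithm(rand), sres)
             for rand, sres, _ in triplets)
    return ok, [kc for _, _, kc in triplets]

def eap_sim_master_key(identity: str, kcs: list[bytes], nonce_mt: bytes,
                       version_list: bytes, selected: bytes) -> bytes:
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)
    per RFC 4186 section 7, fed from the triplet Kc values, never from Ki."""
    return hashlib.sha1(identity.encode() + b"".join(kcs) + nonce_mt
                        + version_list + selected).digest()
```

The EAP-SIM permanent identity is "1" followed by the IMSI and the realm; the remaining keys (K_encr, K_aut, MSK, EMSK) are expanded from MK by the RFC 4186 PRF, which this example does not implement.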
The 802.1X protocol operates on top of the Network Link Layer, which introduces a high entry barrier for such solutions to be widely adopted by Wi-Fi hotspots. The protocol requires support from the network side, which means major changes to the network infrastructure. It also requires support from the client side, which imposes significant demands for enhancing the capabilities of the end user's electronic devices to support 802.1X, and also introduces complex settings that are not easy for normal users to configure correctly. Thus, currently, only a few Wi-Fi hotspots are able to support 802.1X.
Produced in February 2003 and chartered by the Wi-Fi Alliance, “Wireless ISP roaming (WISPr) 1.0” (hereinafter, the “WISPr 1.0 document”) is considered the de facto best practices document for implementing roaming between Wi-Fi service providers. Most commercial Wi-Fi networks have been able to support WISPr 1.0, and accordingly, those networks are able to support the Universal Access Method (UAM) protocol that is defined in Appendix D of the WISPr 1.0 document. The WISPr 1.0 document is herein incorporated by reference in its entirety.
UAM authentication for accessing a wireless network is based on the concept of a “walled garden.” A walled garden is a “reversed” intranet that prevents a device connected within the walled garden from accessing the Internet prior to being authenticated. This technique, unlike 802.1X, allows the device to bring up all networking layers, including layer 3 (i.e., the IP layer) prior to being authenticated and charged for the session. An Authentication System in the walled garden can be used to perform different types of authentication, including authentication via browser and payment by credit card (not possible with 802.1X). The wireless network operator can also define special policies to allow the end user to access designated Authentication Systems that are not sitting within the walled garden.
However, the UAM protocol defined in WISPr 1.0 has known limitations with regard to supporting various authentication protocols. It is not designed to carry EAP, and thus cannot be used to support SIM, USIM, and other such credentials for Wi-Fi access authentication.