In 3GPP (3rd Generation Partnership Project) and the WiMAX Forum, there have been discussions related to user equipment authorization.
Namely, WiMAX networks have been specified by the WiMAX Forum Networking Group (NWG). These WiMAX networks provide e.g. broadband IP connectivity to mobile stations via an air interface as defined e.g. by the IEEE (Institute of Electrical and Electronics Engineers) 802.16e-2005 standard. The IMS is a multi-media architecture for both mobile and fixed-line IP services. Originally, the IMS has been defined by 3GPP, and was largely adopted e.g. by 3GPP2 (Third Generation Partnership Project 2) or by ETSI (European Telecommunications Standards Institute) TISPAN (Telecoms and Internet Converged Services and Protocols for Advanced Network).
For example, FIG. 1 shows a method for access authorization to IMS services as specified e.g. by 3GPP TS (Technical Specification) 33.203. The methods defined by TS 33.203 are based on the requirement that a UICC (Universal Integrated Circuit Card) is inserted into the UE. Generally put, an ISIM (IMS Services Identity Module, an application running on the UICC) and the IMS HN (Home Network) of the ISIM authenticate each other based on a long-term key being secretly shared by both ISIM and HN.
As shown in FIG. 1, a communication system 100 comprises a UE 101 and a network 102. The network 102 in turn comprises a P-CSCF (Proxy Call Session Control Function) 1021, an I-CSCF (Interrogating CSCF) 1022, an S-CSCF (Serving CSCF) 1023 and a HSS (Home Subscriber Server) 1024. Signalling between elements is indicated in horizontal direction, while time aspects between signalling are reflected in the vertical arrangement of the signalling sequence as well as in the sequence numbers.
The message flow as shown in FIG. 1 depicts the IMS access authorization procedure as defined e.g. by TS 33.203. This procedure is commonly referred to as IMS-AKA (Authentication and Key Agreement).
In step S1, a SIP (Session Initiation Protocol) REGISTER request is sent from the UE 101 to the P-CSCF 1021. This request contains the domain name <HN> of the Home Network as read from the ISIM of the UE 101, the subscriber's private and public IMS identities <IMPI> and <IMPU>, as well as the IP address (obtained prior to IMS AKA) of the UE 101. Besides the IP address, all these data are read from the ISIM.
In step S2, the SIP REGISTER request is sent from the P-CSCF 1021 to the I-CSCF 1022. The P-CSCF 1021 resolves the address of the I-CSCF 1022 in the HN and forwards the identities IMPI, IMPU and the IP address received in step S1 to the I-CSCF 1022 of the HN.
In step S3, the SIP REGISTER request is sent from the I-CSCF 1022 to the S-CSCF 1023. The I-CSCF 1022 in turn forwards these identities IMPI, IMPU and the IP address to the S-CSCF 1023 serving this request.
In step S4, a MAR (Multimedia Access Request) is sent from the S-CSCF 1023 to the HSS 1024. In this MAR, the S-CSCF 1023 requests authentication data from the HSS with respect to the IMS subscriber identified by <IMPI>.
In step S5, a MAA (Multimedia Access Answer) is sent from the HSS 1024 to the S-CSCF 1023. The HSS 1024 sends an Authentication Vector (AV) to the S-CSCF 1023 containing the following types of data: random challenge RAND, expected answer XRES, network authentication token AUTN that contains a message integrity code MAC, integrity key IK, and ciphering key CK.
In step S6, a SIP Unauthorized 401 message is sent from the S-CSCF 1023 to the I-CSCF 1022. At this point in time, the S-CSCF 1023 denies the UE authentication. Instead, the S-CSCF 1023 sends the SIP Unauthorized message with a WWW-Authenticate header to the I-CSCF 1022. This header contains RAND, AUTN, IK and CK. The value XRES, however, is held back by the S-CSCF 1023.
In step S7, a SIP Unauthorized 401 message is sent from the I-CSCF 1022 to the P-CSCF 1021. The I-CSCF 1022 forwards RAND, AUTN, IK and CK to the P-CSCF 1021 as received in the previous step S6.
In step S8, a SIP Unauthorized 401 message is sent from the P-CSCF 1021 to the UE 101. The P-CSCF 1021 sends RAND and AUTN to the UE 101, i.e., the P-CSCF 1021 does not forward IK and CK to the UE 101, but stores IK and CK for later use.
In step S9, a SIP REGISTER request is sent from the UE 101 to the P-CSCF 1021. The ISIM of the UE 101 computes the value RES from RAND and its own copy of the secret key K. Then, the UE 101 sends a new SIP REGISTER request to the P-CSCF 1021, this time together with RES as response to the challenge initiated by the S-CSCF 1023 in step S6. This SIP REGISTER request is protected by IPsec (Internet Protocol Security) (integrity protection mandatory, encryption depends on UE 101 and P-CSCF 1021 capabilities and P-CSCF 1021 policy). To this end, the UE 101 has calculated the keys IK and CK on input of RAND and the secret key K.
In step S10, a SIP REGISTER request is sent from the P-CSCF 1021 to the I-CSCF 1022. The P-CSCF 1021 forwards RES to the I-CSCF 1022.
In step S11, a SIP REGISTER request is sent from the I-CSCF 1022 to the S-CSCF 1023. The I-CSCF 1022 forwards RES to the S-CSCF 1023.
In step S12, in case of success, a SIP message OK 200 is sent from the S-CSCF 1023 to the I-CSCF 1022. That is, in case RES equals XRES, the S-CSCF 1023 considers the subscriber (i.e. the UE 101) authenticated, and binds <IMPU> to the IP address <IP address>. The S-CSCF 1023 informs the I-CSCF 1022 about this decision.
In step S13, a SIP message OK 200 is sent from the I-CSCF 1022 to the P-CSCF 1021. That is, the I-CSCF 1022 forwards the SIP message OK 200 to the P-CSCF 1021.
Finally, in step S14, a SIP message OK 200 is sent from the P-CSCF 1021 to the UE 101. That is, the P-CSCF 1021 forwards the SIP message OK 200 to the UE 101. This message is also protected by means of IPSec.
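The message flow S1 to S14 above, reduced to the cryptographic roles, as an added simulation (not code from TS 33.203 or from the patent). The MILENAGE functions f1 to f5 are replaced by HMAC-SHA256 with distinct labels, the sequence number handling is simplified, and the subscriber identities and key are constructed values; these are assumptions for illustration only.

```python
"""Simulation of the IMS-AKA exchange: HSS builds the AV, S-CSCF holds back XRES,
the ISIM checks AUTN, derives IK/CK and answers with RES, S-CSCF compares RES to XRES."""
import hashlib
import hmac
import os
from dataclasses import dataclass

K = bytes.fromhex("0f" * 16)  # constructed long-term key shared by ISIM and home network


def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in for MILENAGE f1..f5 (assumption): keyed hash over a label and the inputs.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    autn: bytes
    ik: bytes
    ck: bytes


class HSS:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # IMPI -> long-term key K

    def maa(self, impi: str, sqn: int) -> AuthVector:  # S4/S5: MAR -> MAA
        k = self.subscribers[impi]
        rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
        mac = f(k, b"f1", rand, sqn_b)  # message integrity code carried in AUTN
        return AuthVector(rand, f(k, b"f2", rand), sqn_b + mac, f(k, b"f4", rand), f(k, b"f3", rand))


class ISIM:
    def __init__(self, impi: str, impu: str, k: bytes):
        self.impi, self.impu, self.k = impi, impu, k

    def respond(self, rand: bytes, autn: bytes):  # S8 -> S9 on the UE side
        sqn_b, mac = autn[:6], autn[6:]
        # Network authentication: a challenge whose MAC does not verify is rejected.
        if not hmac.compare_digest(mac, f(self.k, b"f1", rand, sqn_b)):
            raise ValueError("AUTN MAC failure: network not authenticated")
        return f(self.k, b"f2", rand), f(self.k, b"f4", rand), f(self.k, b"f3", rand)


class SCSCF:
    def __init__(self, hss: HSS):
        self.hss, self.pending, self.bindings = hss, {}, {}

    def challenge(self, impi: str, sqn: int = 1):  # S6: 401 with RAND, AUTN, IK, CK
        av = self.hss.maa(impi, sqn)
        self.pending[impi] = av.xres  # XRES never leaves the S-CSCF
        return av.rand, av.autn, av.ik, av.ck

    def verify(self, impi: str, impu: str, ip: str, res: bytes) -> bool:  # S11/S12
        ok = hmac.compare_digest(self.pending.pop(impi, b""), res)  # single use
        if ok:
            self.bindings[impu] = ip  # IMPU is bound to the registering IP address
        return ok


def run_ims_aka(isim: ISIM, scscf: SCSCF, ip: str) -> bool:
    rand, autn, ik, ck = scscf.challenge(isim.impi)  # S6/S7; P-CSCF keeps IK, CK (S8)
    res, ue_ik, ue_ck = isim.respond(rand, autn)     # UE derives the same IK, CK
    assert (ue_ik, ue_ck) == (ik, ck)                # both ends of the IPsec SA agree
    return scscf.verify(isim.impi, isim.impu, ip, res)  # S9-S14
```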
As an alternative, TS 33.203 also defines a slight variant of IMS-AKA that is suitable for UICCs without an ISIM; in that case, a USIM (UMTS (Universal Mobile Telecommunications System) Subscriber Identity Module) application is running on the UICC of the UE 101. However, also in that variant, a UICC must be present in the UE 101.
According to the above, the problem is how to authorize WiMAX Mobile Stations to access IMS services without mandating a UICC to be inserted into the MS/UE.
In consideration of the above, it is an object of the present invention to overcome one or more of the above drawbacks. In particular, the present invention provides methods, apparatuses, a system and a related computer program product for user equipment or user authorization.
According to the present invention, in a first aspect, this object is for example achieved by a method comprising:
providing a relation of network access technology-specific identification information of a user equipment or user and network identity-related information of the user equipment;
receiving an inquiry comprising network identity-related inquiry information;
resolving the received network identity-related inquiry information based on the provided relation; and
sending a response comprising the network access technology-specific identification information according to a result of the resolved network identity-related inquiry information.
According to further refinements of the invention as defined under the above first aspect,
- the network identity-related information and the network identity-related inquiry information respectively comprise an internet protocol address allocated to the user equipment;
- the network identity-related information and the network identity-related inquiry information respectively comprise an internet protocol multimedia subsystem private identity and an internet protocol multimedia subsystem public identity.
According to the present invention, in a second aspect, this object is for example achieved by a method comprising:
receiving a registration request comprising network identity-related inquiry information from a user equipment or user;
obtaining network access technology-specific identification information based on the received network identity-related inquiry information;
appending the received network identity-related inquiry information with the obtained network access technology-specific identification information; and
sending the appended network identity-related inquiry information.
According to the present invention, in a third aspect, this object is for example achieved by a method comprising:
receiving a registration request comprising first network access technology-specific identification information and network identity-related information;
obtaining second network access technology-specific identification information based on the received network identity-related information;
matching the received first network access technology-specific identification information against the obtained second network access technology-specific identification information; and
authorizing access for a user equipment based on a result of matching.
According to further refinements of the invention as defined under the above third aspect,
- the received network identity-related information comprises an internet protocol multimedia subsystem private identity and an internet protocol multimedia subsystem public identity.
According to further refinements of the invention as defined under the above first to third aspects,
- the network access-technology-specific identification information comprises an identifier specific for worldwide interoperability for microwave access;
- the network access-technology-specific identification information comprises one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session;
- in the receiving, the received first network access technology-specific identification information comprises one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, and the method further comprises obtaining, as the first network access technology-specific identification information, an actual identifier specific for worldwide interoperability for microwave access based on the received one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session;
- in the receiving, the received first network access technology-specific identification information comprises one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, wherein the obtaining is based on the received network identity-related information and the received first network access technology-specific identification information, and obtains, as the first network access-technology-specific identification information, a first actual identifier specific for worldwide interoperability for microwave access, and obtains, as the second network access-technology-specific identification information, a second actual identifier specific for worldwide interoperability for microwave access;
- in the receiving, the received inquiry comprises both network identity-related information and one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, wherein the method further comprises obtaining, from another network element, a first actual identifier specific for worldwide interoperability for microwave access based on the received one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, wherein, in the resolving, the received network identity-related information is resolved based on the provided relation to provide a second actual identifier specific for worldwide interoperability for microwave access, and wherein, in the sending, the response comprises both the first obtained actual identifier specific for worldwide interoperability for microwave access and the resolved second actual identifier specific for worldwide interoperability for microwave access;
- the network access technology-related identification information comprises at least one of a network access identifier, a security parameter index value, and an access, authorization and accounting server identification;
- the network identity-related information comprises a mobile internet protocol home address;
- the network identity-related information is an internet protocol address used by the user equipment, the internet protocol address being ensured to be constituted by the internet protocol address correspondingly allocated by a network to the user equipment.
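A model of the first to third aspects and the refinements above, as an added example (not the patent's or any vendor's implementation): a user profile binding entity keeps the relation between the WiMAX identifier, the IMS identities and the allocated IP address; an access control support entity on the home agent appends the WiMAX identifier it resolves for the source address the network actually delivered; the S-CSCF resolves a second identifier from IMPI/IMPU and matches the two. Entity names, the NAI format, the pseudo-identifier table and all sample values are assumptions.

```python
"""UICC-free IMS access authorization: network-appended WiMAX identity matched against
an independent lookup. Constructed profiles and identifiers for illustration only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    nai: str   # actual WiMAX network access identifier (assumed format user@realm)
    impi: str  # IMS private identity
    impu: str  # IMS public identity
    ip: str    # IP address the WiMAX network allocated to this MS/UE


class UserProfileBinding:
    """First aspect: provides the relation and resolves inquiries against it."""

    def __init__(self, profiles):
        self.by_ip = {p.ip: p for p in profiles}
        self.by_ims = {(p.impi, p.impu): p for p in profiles}

    def resolve_by_ip(self, ip: str) -> Optional[str]:
        p = self.by_ip.get(ip)
        return p.nai if p else None

    def resolve_by_ims(self, impi: str, impu: str) -> Optional[str]:
        p = self.by_ims.get((impi, impu))
        return p.nai if p else None


class AccessControlSupport:
    """Second aspect: on the MIP home agent / IP router path, appends the WiMAX identifier
    for the source address the network delivered, not for an address the UE claims."""

    def __init__(self, upb: UserProfileBinding):
        self.upb = upb

    def forward_register(self, register: dict, observed_src_ip: str) -> dict:
        first_id = self.upb.resolve_by_ip(observed_src_ip)
        return {**register, "ip": observed_src_ip, "wimax_id": first_id}


class ServingCscf:
    """Third aspect: obtains a second identifier from IMPI/IMPU and authorizes on a match."""

    def __init__(self, upb: UserProfileBinding, pseudo_to_nai: dict):
        self.upb = upb
        self.pseudo_to_nai = pseudo_to_nai  # temporary/pseudo identifier -> actual NAI

    def authorize(self, register: dict) -> bool:
        first = register.get("wimax_id")
        first = self.pseudo_to_nai.get(first, first)  # refinement: map pseudo id to actual
        second = self.upb.resolve_by_ims(register["impi"], register["impu"])
        # An unknown source address yields no first identifier and is never authorized.
        return first is not None and first == second
```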
According to the present invention, in a fourth aspect, this object is for example achieved by an apparatus comprising:
means for providing a relation of network access technology-specific identification information of a user equipment or user and network identity-related information of the user equipment;
means for receiving an inquiry comprising network identity-related inquiry information;
means for resolving the received network identity-related inquiry information based on the provided relation; and
means for sending a response comprising the network access technology-specific identification information according to a result of the resolved network identity-related inquiry information.
According to further refinements of the invention as defined under the above fourth aspect,
- the network identity-related information and the network identity-related inquiry information respectively comprise an internet protocol address allocated to the user equipment;
- the network identity-related information and the network identity-related inquiry information respectively comprise an internet protocol multimedia subsystem private identity and an internet protocol multimedia subsystem public identity.
According to the present invention, in a fifth aspect, this object is for example achieved by an apparatus comprising:
means for receiving a registration request comprising network identity-related inquiry information from a user equipment or user;
means for obtaining network access technology-specific identification information based on the received network identity-related inquiry information;
means for appending the received network identity-related inquiry information with the obtained network access technology-specific identification information; and
means for sending the appended network identity-related inquiry information.
According to the present invention, in a sixth aspect, this object is for example achieved by an apparatus comprising:
means for receiving a registration request comprising first network access technology-specific identification information and network identity-related information;
means for obtaining second network access technology-specific identification information based on the received network identity-related information;
means for matching the received first network access technology-specific identification information against the obtained second network access technology-specific identification information; and
means for authorizing access for a user equipment based on a result of matching.
According to further refinements of the invention as defined under the above sixth aspect,
- the received network identity-related information comprises an internet protocol multimedia subsystem private identity and an internet protocol multimedia subsystem public identity.
According to further refinements of the invention as defined under the above fourth to sixth aspects,
- the network access-technology-specific identification information comprises an identifier specific for worldwide interoperability for microwave access;
- the network access-technology-specific identification information comprises one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session;
- the means for receiving is configured to receive the first network access technology-specific identification information comprising one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, and the means for obtaining is configured to obtain, as the first network access technology-specific identification information, an actual identifier specific for worldwide interoperability for microwave access based on the received one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session;
- the means for receiving is configured to receive the first network access technology-specific identification information comprising one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, and the means for obtaining is configured to obtain, based on the received network identity-related information and the received first network access technology-specific identification information, as the first network access-technology-specific identification information, a first actual identifier specific for worldwide interoperability for microwave access, and to obtain, as the second network access-technology-specific identification information, a second actual identifier specific for worldwide interoperability for microwave access;
- the means for receiving is configured to receive an inquiry comprising both network identity-related information and one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, the means for obtaining is configured to obtain, from another network element, a first actual identifier specific for worldwide interoperability for microwave access based on the received one of a temporary and a pseudo identifier specific for a worldwide interoperability for microwave access subscription or session, the means for resolving is configured to resolve the received network identity-related information based on the provided relation to provide a second actual identifier specific for worldwide interoperability for microwave access, and the means for sending is configured to send the response comprising both the first obtained actual identifier specific for worldwide interoperability for microwave access and the resolved second actual identifier specific for worldwide interoperability for microwave access;
- the network access technology-related identification information comprises at least one of a network access identifier, a security parameter index value, and an access, authorization and accounting server identification;
- the network identity-related information comprises a mobile internet protocol home address;
- the network identity-related information is an internet protocol address used by the user equipment, the internet protocol address being ensured to be constituted by the internet protocol address correspondingly allocated by a network to the user equipment;
- the apparatus according to the fourth aspect is a user profile binding entity being a portion of one of a home subscriber server and an access, authorization and accounting server, or interfacing with at least one of the home subscriber server and the access, authorization and accounting server;
- the apparatus according to the fourth aspect is an access control support entity being a portion of, or interfacing with, one of a mobile internet protocol home agent and an internet protocol router;
- the apparatus is implemented as a chipset or module.
According to the present invention, in a seventh aspect, this object is for example achieved by a system comprising:
a user equipment;
apparatuses according to the above fourth aspect;
an apparatus according to the above fifth aspect; and
an apparatus according to the above sixth aspect.
According to the present invention, in an eighth aspect, this object is for example achieved by a computer program product comprising code means for performing the method steps of a method according to any one of the above first to third aspects, when run on a computer.
In this connection, it has to be pointed out that the present invention enables one or more of the following:
- UICC-free IMS access authorization for WiMAX mobile stations/user equipments.
- Reducing costs for operators and customers to consume IMS services.
- A low-cost network based security solution for IMS that is able to support any IMS capable user device and that offers an appropriate security level.
- Possibility of parallel usage with any other security mechanisms securing IMS access e.g. through WiMAX to provide an additional security step, resulting in a more secure overall system.