1. Field of the Invention
The present disclosure relates to authentication in a communications system, and more particularly, but not exclusively, to management of user security data.
2. Description of the Related Art
A communication system can be seen as a facility that enables communication sessions between entities such as user equipment and/or other nodes associated with the communication system. The communication may comprise, for example, communication of voice, data, multimedia and so on. A user equipment connected to a communication system may, for example, be provided with a two-way telephone call, a multi-way conference call or a data connection. In addition to voice call services, various other services, for example enhanced content services such as multimedia services or other data services, may be provided for a user. A user equipment may communicate data to and from a server entity, or between two or more user equipments.
A communication system typically operates in accordance with a given standard or specification, which sets out what the various entities associated with the system are permitted to do and how that should be achieved. The communication protocols, parameters, reference points and interfaces to be used for a connection are typically defined by the standards or specifications.
Communication systems providing wireless communication for user equipment are known. These systems are commonly referred to as mobile systems, although in certain systems the mobility may be restricted to relatively small areas. An example of a mobile system is the public land mobile network (PLMN). Another example is a mobile system that is based, at least partially, on the use of communication satellites. Mobile communications may also be provided by means of other types of systems, such as wireless local area networks (WLAN) or wide area networks (WAN).
In a wireless system an access node provides user equipment with access to the communication system. A user equipment may be in wireless communication with two or more access nodes at the same time. Communication on the wireless interface between the user equipment and the access node(s) can be based on an appropriate communication protocol. Examples of the various wireless access systems include CDMA (Code Division Multiple Access), WCDMA (Wide-band CDMA), TDMA (Time Division Multiple Access), FDMA (Frequency Division Multiple Access), SDMA (Space Division Multiple Access), Institute of Electrical and Electronics Engineers (IEEE) 802.11, and further developments and hybrids thereof.
The operation of the network apparatus is controlled by an appropriate control arrangement commonly including a number of various control entities. One or more gateways or intermediate servers may also be provided for connecting a network to other networks or hiding network internal details from external nodes. For example, a PLMN network may be connected to other mobile or fixed line communication networks or data communication networks such as an IP (Internet Protocol) and/or other packet data networks.
A user or the user equipment may need to be authenticated before he/she is allowed to access or otherwise use various applications and services. This may be required for security and privacy reasons, but also to enable correct billing of the service usage. For example, it may need to be verified that the user is whoever he/she claims to be, that the user has the right to use a certain service, that the user can be provided with access to sensitive information, and so on. In an authentication, a user can be identified based on various identifiers.
Various authentication mechanisms are already in place, or have been proposed. A non-limiting example is an authentication mechanism proposed by the Third Generation Partnership Project (3GPP) called the ‘Generic Authentication Architecture’ (GAA). The GAA is intended to be used as a security procedure for various applications and services for users of mobile user equipment, such as mobile stations for cellular systems. The GAA is intended to be based on secret user identities that are stored on specific secure storage entities provided in association with the user equipment and subscriber databases. The secure storage entity of a user equipment may be provided by an appropriate security function, for example a security module, an identification module or a trusted platform. The subscriber database may be provided by an appropriate network entity, for example a Home Location Register (HLR) or Home Subscriber Server (HSS). Typically, the user data for each user is stored in a user profile. The secure user identity storage entities and the subscriber database entities have been controlled by the operators who issue the user identities and who typically run and own the subscriber databases.
However, proposals for authentication systems such as the GAA are based on subscriber databases that are under the direct control of, and manageable only by, the operators. Operators are also assumed to have specific management arrangements of their own. User data, for example user security settings, cannot be managed by other parties, for example service applications or other network application functions (NAFs) residing, for example, in trusted third party networks.
Management by other parties might, nevertheless, be desirable on certain occasions. For example, the burden of managing a subscriber database by non-standardized, operator-specific arrangements might become substantial, and an operator may not be prepared, or may not even have the capability, to take responsibility for the management. This situation can be exemplified with reference to application functions that also provide services such as those called Liberty Alliance Identity Provider services. A possibility to allow trusted third parties, for example partner operators, to update user security data in an operator database using, for example, GAA specific protocols might ease the maintenance burden of the operator for frequent management activities. Because of the unpredictability in the number and type of services and/or service providers, the operators may not always have the resources to manage the subscriber databases on all occasions.
It is noted that the problem is not limited to wireless systems, but may occur in any communication environment wherein the user may access services and applications by user equipment.