This invention relates to a method of authentication via a secure wireless communication system.
In wireless local area network (WLAN) and cellular standards, there are two ways of authenticating a user terminal for use on a network. These are commonly known as open and closed security types. Conventional WLAN hotspot authentication, commonly using a user name and password, allows users to access the hotspot infrastructure before authentication occurs, i.e. the access points (APs) do not implement any access control measures on user data entering the network. This is the ‘open security’ model. Typically, in the open system a user device detects the presence of a network in an area by its radio signal and then automatically connects to the system by opening up a web browser or otherwise starting an application and all further actions are at application level. The WLAN hotspot authentication utilises a web browser portal page on which the user typically types in their username and password, but this is inherently insecure since it is possible for someone to tap into the radio signal, without the service provider being aware of this. This web browsing transaction, initially has very little security, leaving both the user's equipment and that of the hotspot vulnerable to external attack.
This model is slowly being rejected in favour of a ‘closed security’ model where APs themselves implement access control, restricting user access to the network infrastructure until a successful authentication exchange has been carried out. This alternative ‘closed’ system operates in the radio layer and requires the mobile device to provide security information before opening an application, such as a web browser. This authentication is arranged to occur automatically, as soon as the mobile device comes into range of the network using a security framework protocol standardised by IEEE 802.11i. A problem of this ‘closed’ solution is that the user may not wish to share this security information via a network which is not known to him, such as at a foreign airport, or where he might incur costs when he does not need to use his mobile device.
As more and more of the closed-type secure systems appear, there is a requirement for the user to be able to prevent his authentication credentials being exchanged automatically. Under the current arrangement, if the mobile device is switched on, then the wireless card detects a network on entry to the area of operation and automatically tries to log in.
In accordance with the present invention, a method of authentication via a secure wireless communication system comprises sensing that a mobile device has come within range of a secure network; initiating a program within the mobile device offering the user a plurality of authentication options; processing the chosen authentication option and providing requested user data to a service provider for the secure network, only if the chosen authentication option within the mobile device permits provision of the requested user data.
The invention ensures that the user's data is transferred via a secure route, but prevents automatic connection before the user has given permission and allows the user to control the time of data exchanged.
The user data may be any soft data, such as a user ID and PIN number, but preferably, the user data comprises a user name and password.
This maintains the ‘open security’ look and feel without the risk of open systems.
Optionally, the method further comprises exchanging authentication credentials via link layer specific protocols.
Specific protocols such as EAP can be used to exchange authentication credentials, such as SIM card data or credit card number, in accordance with the closed security aspects of the network, but if the user is concerned about releasing such data, then authentication can take place with only the soft data are exchanged.
The mobile device may be any electronic communication device, but preferably, the mobile device is one of a laptop, personal digital assistant or mobile phone.
The method is suitable for various types of networks, but preferably, the network is a wireless local area network.
Preferably, the offer of authentication options to the user is carried out by a local proxy on the user's mobile device.
Preferably, the local proxy encapsulates or decapsulates user data.