Mobile access networks are often designed as cellular networks including a plurality of base stations being connected together by means of switching nodes such as Base Station Controllers (BSCs) and/or Mobile Switching Centres (MSCs). Each base station provides radio coverage over an area known as a cell, for communication over radio channels with mobile terminals located in the cell. When a communicating mobile terminal moves across a cell border, its radio connection switches between the corresponding base stations by means of a “handover” or “handoff” procedure. Each mobile network operator is allocated a certain limited radio frequency spectrum for transmissions, and efforts are made by network designers to provide a high traffic capacity within the allocated spectrum.
When setting up radio connections with mobile terminals, standardised communication protocols and radio channels are used, such as those defined for GSM, TDMA, PDC, UMTS, etc., for transmission of speech and/or data over the air interface as well as within the network, providing a certain data rate. Digital circuit switched radio channels of today, e.g., according to the GSM standard, are primarily designed for communication of encoded speech, providing data rates of less than 10 kbit/s.
Existing GSM networks are currently being extended with packet based GPRS (General Packet Radio Service) technology, providing packet switched radio communication with enhanced data rates ranging between 10 and 120 kbit/s for mobile terminals having GPRS capabilities. Further switching nodes, such as Gateway GPRS Service Nodes (GGSNs) and Serving GPRS Service Nodes (SGSNs), are included in GPRS networks. GSM/GPRS networks and other cellular networks typically provide radio coverage over large areas, often covering more or less entire countries.
Currently, enhanced wireless access technologies are emerging having far greater data rates, such as WLAN (Wireless Local Area Network), covering much smaller areas and providing so-called “spot coverage” over distances around 100 meters. WLAN stands for a plurality of high-speed wireless technologies, e.g., employing frequency hopping and spread-spectrum radio technologies not further discussed here, for packet based radio communication with data rates ranging between approximately 2-54 Mbit/s. Radio channels are used in freely available frequency bands, such as 2.4 GHz and beyond, requiring no operator licence.
A WLAN may use one or more radio stations as access points to which mobile terminals having WLAN capabilities may be connected over predefined radio channels. A WLAN radio station may be directly connected to an extension of a fixed LAN (Local Area Network) which in turn, through various gateways and/or routers, may provide access to the global Internet or to a company intranet. In the case of the Internet, the service is normally obtained from a public telecommunication operator.
WLAN typically provides a limited spot coverage geographically overlapping the larger coverage of cellular networks, such as GSM/GPRS networks. The cellular networks can offer connectivity in urban areas as well as in rural areas, whereas WLAN can offer high speed connections in small hot spot areas. WLAN for public access is currently used mainly in airports, hotels and conference venues, providing fast Internet access and other data services to visitors.
Today, work is in progress for developing a multitude of new mobile services, which will be possible to employ in particular as new technologies with greater capacity and higher data rates are introduced. The contents of the new services include voice, text, images, audio files and video files in various different formats and combinations. Internet browsing is also becoming very popular, and in recent years, the wireless and Internet domains are converging.
More sophisticated mobile terminals are also becoming available on the market, provided with functionality matching the new services. Furthermore, it is possible to combine different mobile terminals. For example, a portable laptop computer may be connected to a mobile phone by means of a cable or a wireless interface, such as a Bluetooth radio interface. The mobile phone can then be used as a radio unit providing access over a cellular network, such as a GSM/GPRS network, and the laptop is utilised as an enhanced user interface, whereas the mobile phone acts as a “modem”. Laptop computers may also be provided with a radio device, e.g., implemented as a PCCARD or the like, for radio access to a WLAN. Alternatively, plural radio devices may be integrated in a single terminal, e.g., a laptop computer, for radio communication with different networks, such as a WLAN and a GSM/GPRS network.
For users having mobile terminal equipment capable of radio communication over multiple access networks, either as a single integrated device or as plural interconnected devices, it is desirable that the mobile terminal is automatically connected to the access network providing the highest data rates, if more than one network is currently available. The user will then benefit from the best available communication possibilities in any given location. For example, a user having a laptop with WLAN capabilities interconnected with a mobile phone with GSM/GPRS capabilities will want to switch access to a WLAN when entering its coverage area, instead of remaining connected to the more limited GSM/GPRS network.
In applicant's own PCT application WO 01/35585, a mechanism is described for selecting the “best” and optimal network connection when more than one network is available to one or more end devices. The selection is made with respect to factors such as available bandwidth, charge rate, quality, individual preferences, etc.
An access switch between two networks requires that a new radio connection is established with the new network, involving the creation of a new communication session context. The present invention aims at facilitating the switching of access between different networks while maintaining security.
Creating a communication session context includes performing certain pre-defined routines for authentication, authorisation and accounting, sometimes referred to as AAA for short. Cellular networks employ AAA routines according to their standardised communication protocols, which are regarded as having a fairly high level of security. For example, each mobile phone may be provided with a secret identity code or the like which is known in the network and is used for authentication and/or for generating encryption keys. The identity code may be stored in a smart card, such as a SIM (Subscriber Identity Module) card as used in GSM, which is movable between different terminals.
A WLAN connection may be secured by means of a certificate stored in the terminal, which is regarded as trustworthy and is used to verify the identity of the user or subscriber. The certificate may also be used for generating various encryption keys and/or session keys to authenticate the terminal and to protect an ongoing session according to well-known techniques, which will not be described here further. The certificate may be issued by a certification authority and may comprise one or more secret codes. However, such secret codes, certificates and encryption keys are cumbersome to administrate and distribute, in particular to subscribers of the general public.
In addition to using stored codes and certificates in the terminal, some services, e.g., Internet services, require a login procedure involving a shared secret, normally a user ID/password combination.
In present solutions, when a mobile terminal with multiple capabilities switches from a first network to a second network, it is a problem that the session context of the first connection is lost and a new session context must be established with the second network, involving a new authentication procedure, among other things. This is the case when, for example, switching between a GSM/GPRS network and a WLAN in either direction. The new session context may further determine different user interface features, available services and charge rates, as dictated by the second network.
Establishing a session context is a fairly complex procedure, and if two different networks are to be accessed, two separate authentication mechanisms having a certain level of security are required, each involving the distribution and storing of secret codes and/or certificates. Further, both networks need one or more nodes with protected links for performing authentication routines.
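The following is an added illustration, not part of the application text: a small Python model of the situation described above, with a cellular network and a WLAN that each run their own AAA routine from separate credentials (a SIM-held secret on one side, a shared login secret on the other), and a multi-capability terminal that must authenticate afresh on every access switch because no session context carries over. The challenge-response functions use HMAC-SHA256 as a stand-in for the SIM's A3/A8 algorithms and for the WLAN login; they are not the real algorithms, and all subscriber identities and secrets are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionContext:
    """Per-network session state created by one successful AAA routine."""
    network: str
    subscriber: str
    session_key: bytes


def sim_response(ki: bytes, rand: bytes) -> bytes:
    """HMAC stand-in for the SIM's A3 response to a RAND challenge (not the real A3)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def sim_session_key(ki: bytes, rand: bytes) -> bytes:
    """HMAC stand-in for the SIM's A8 session-key derivation (not the real A8)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def login_proof(password: bytes, nonce: bytes) -> bytes:
    """Challenge-response proof of a shared login secret; the secret itself never crosses the air."""
    return hmac.new(password, b"login" + nonce, hashlib.sha256).digest()


class CellularAAA:
    """Stand-in for a cellular AAA node holding each subscriber's SIM secret."""

    def __init__(self, sim_secrets: dict):
        self._secrets = sim_secrets  # subscriber id -> Ki-like secret (constructed)

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh RAND per authentication

    def verify(self, subscriber: str, rand: bytes, sres: bytes) -> Optional[SessionContext]:
        ki = self._secrets.get(subscriber)
        if ki is None or not hmac.compare_digest(sim_response(ki, rand), sres):
            return None
        return SessionContext("cellular", subscriber, sim_session_key(ki, rand))


class WlanAAA:
    """Stand-in for a WLAN login server holding a per-user shared secret."""

    def __init__(self, passwords: dict):
        self._passwords = passwords  # user id -> password bytes (constructed)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, nonce: bytes, proof: bytes) -> Optional[SessionContext]:
        pw = self._passwords.get(user)
        if pw is None or not hmac.compare_digest(login_proof(pw, nonce), proof):
            return None
        key = hmac.new(pw, b"session" + nonce, hashlib.sha256).digest()[:16]
        return SessionContext("wlan", user, key)


class Terminal:
    """Terminal with both cellular and WLAN capabilities and separate credentials for each."""

    def __init__(self, subscriber: str, ki: bytes, wlan_password: bytes):
        self.subscriber = subscriber
        self._ki = ki
        self._wlan_password = wlan_password
        self.auth_exchanges = 0  # AAA round trips performed so far

    def attach(self, network: str, aaa) -> Optional[SessionContext]:
        """Run the chosen network's AAA routine; a previous context on another network is not reused."""
        self.auth_exchanges += 1
        rand = aaa.challenge()
        if network == "cellular":
            return aaa.verify(self.subscriber, rand, sim_response(self._ki, rand))
        if network == "wlan":
            return aaa.verify(self.subscriber, rand, login_proof(self._wlan_password, rand))
        raise ValueError(f"unknown network {network!r}")


def roam(terminal: Terminal, networks: dict, path: list) -> list:
    """Attach along a path of networks; every switch costs a full new authentication."""
    contexts = []
    for net in path:
        ctx = terminal.attach(net, networks[net])
        if ctx is None:
            raise PermissionError(f"authentication on {net} failed")
        contexts.append(ctx)
    return contexts


# Constructed credentials for one subscriber, known to both networks separately.
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
WLAN_PW = b"example-password"
NETWORKS = {
    "cellular": CellularAAA({"user@example": KI}),
    "wlan": WlanAAA({"user@example": WLAN_PW}),
}

if __name__ == "__main__":
    term = Terminal("user@example", KI, WLAN_PW)
    for ctx in roam(term, NETWORKS, ["cellular", "wlan", "cellular"]):
        print(ctx.network, ctx.session_key.hex())
    print(f"{term.auth_exchanges} authentication exchanges for 3 attachments")
```

Running `roam` over the path cellular, WLAN, cellular shows the cost the text describes: three separate AAA exchanges, each with its own credential store on the network side, and a session key on the second cellular attachment that bears no relation to the first, since the earlier context was discarded at the switch.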
It is desirable to reduce the handling of shared secrets between a subscriber and network operators while at the same time maintaining security. It is also desirable that the amount of exchanged information and processing work is minimised when switching between networks, in order to reduce the load on transmission resources and to reduce delays.