1. Field of the Invention
The present invention relates to a method and system for wirelessly connecting a mobile device to a service provider through a hosting wireless access node, in order to transmit/receive data between the mobile device and the service provider.
2. Background Art
Today an increasing number of electronic mobile devices 1, n are equipped with at least one physical wireless network interface, for connecting and transmitting data over a wireless network channel. Such mobile devices 1, n like Notebook PCs, netbook PCs, e-books, PDAs, smart-phones and also handheld game consoles, digital cameras and other similar devices can communicate over a wireless network channel of the type WiFi (IEEE 802.11 standard), WiMax (IEEE 802.16 standard), Bluetooth (IEEE 802.15.1 standard), ZigBee (IEEE 802.15.4 standard), Ultra-wideband (IEEE 802.15.3a standard) or similar others.
To provide convenient Internet access to the above mentioned mobile devices 1, n it is very common to install one or more wireless access nodes at home, at the office, at places of social aggregation, at lifestyle or entertainment locations or similar, as schematically represented in FIG. 1. The wireless access node can be coupled with a broadband Internet connection modem on the same appliance or on a different appliance. In the latter case it can be directly or indirectly connected to the broadband Internet connection modem; indirectly, for instance, in the case of wireless mesh networks, ad hoc networks, piconets or scatternets, or when a wireless distribution system is used to interconnect the access nodes.
Usually the IP address assigned to a mobile device 1, n connected wirelessly is NATted (i.e. translated by a Network Address Translator) behind the WAN IP address of the modem, and so each service provider available in the Internet, like web servers or ftp servers or email servers or communication servers or database servers or game servers or peer-to-peer servers, identifies the modem and not the NATted mobile device as the source of the traffic.
A drawback of this method of wireless connection is that all the traffic generated by a mobile device 1, n connected to a wireless access node is identified as being generated by the broadband Internet connection modem owner who, in this way, is responsible for the traffic generated according to the applicable current local and international regulations and laws.
Thus, each time a broadband Internet connection modem owner allows a mobile device 1, n to connect to the Internet through one of his/her wireless access nodes, he/she takes responsibility for its traffic, and this can be very dangerous in case of illegal behaviors.
To prevent this problem, known prior art methods authenticate and optionally encrypt the wireless connection in order to grant the Internet connection only to authorized mobile devices 1, n. The optional encryption is usually handled by a cryptography module available on the mobile device and a cryptography module available on the wireless access node, as schematically represented in FIGS. 1 and 2. The authentication instead can be handled by at least two different prior art methods:
- by a client authentication module available on the mobile device and a server authentication module available on the wireless access node (FIG. 1);
- by a client authentication module available on the mobile device and an authenticator module interacting with an authentication server available locally or possibly in the Internet (FIG. 2).
The first method is usually managed by the wireless access node owner, while the second method can be managed by an entity different from the access node owner. More particularly, in the first method the authentication is provided by a pre-shared key and, if WiFi is the wireless technology used, the encryption is provided for instance by using WEP (Wired Equivalent Privacy), WPA-PSK (WiFi Protected Access—Pre-Shared Key) or WPA2-PSK (IEEE 802.11i standard—Pre-Shared Key). In the second method, instead, the authentication is provided by an IEEE 802.1X-like system and, if WiFi is the wireless technology used, the authentication and the encryption are provided for instance by using WPA-Enterprise or WPA2-Enterprise, and thus by using one of the EAP methods (Extensible Authentication Protocol, defined in RFC 3748 and RFC 5247) like EAP-TLS (Transport Layer Security—RFC 5216), EAP-TTLS (Tunneled Transport Layer Security—RFC 5281), PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC or EAP-SIM (GSM Subscriber Identity Modules—RFC 4186).
An example of the second method cited above, providing only authentication but not encryption, is the captive portal implementation, in which the client authentication module is represented by any web browser. The captive portal technique forces an HTTP client on a mobile device to see an authentication web page before accessing the Internet normally. This is done by dropping all packets until the user opens a browser and tries to access the Internet. At that time the browser is redirected to a web page which requires authentication.
However, the second method is subject to identity theft and usurpation. For instance, if WiFi is the technology used, once the captive portal authentication is completed, the IP and MAC addresses of the connecting mobile device are authorized to reach the Internet through the hosting wireless access node. Hence it is possible to easily commit identity theft and usurpation by spoofing the MAC and IP addresses of the authenticated target and using the hosting wireless access node to reach the Internet. In addition to the security risk for the broadband Internet connection modem owner, since all traffic generated by the connected mobile device is identified as being generated by the broadband Internet connection modem owner itself, the guest mobile device owner also risks that his/her spoofed MAC and IP addresses can be used to commit potential illegal actions and crimes in his/her name.
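The weakness described above comes from authorizing traffic on header fields alone. The following added example (not part of the patent text; a simplified model, not any vendor's gateway) contrasts an address-only allow-list, in which any frame carrying an authenticated (MAC, IP) pair is forwarded, with an allow-list bound to a per-client session key, as the 802.1X-based schemes named earlier establish, where copied addresses are not sufficient. The addresses and key handling are constructed for illustration.

```python
import hmac
import hashlib
import secrets


class AddressOnlyGateway:
    """Captive-portal model: after web login, (MAC, IP) is allow-listed."""

    def __init__(self):
        self.allowed = set()

    def login(self, mac, ip):
        self.allowed.add((mac, ip))

    def forward(self, frame):
        # Decision rests only on header fields any station can present.
        return (frame["mac"], frame["ip"]) in self.allowed


class KeyBoundGateway:
    """Hardened model: authorization tied to a per-client session key."""

    def __init__(self):
        self.session_keys = {}

    def login(self, mac, ip):
        key = secrets.token_bytes(32)  # assumed delivered over the auth channel
        self.session_keys[(mac, ip)] = key
        return key

    @staticmethod
    def tag(key, frame):
        msg = f'{frame["mac"]}|{frame["ip"]}|{frame["payload"]}'.encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def forward(self, frame):
        key = self.session_keys.get((frame["mac"], frame["ip"]))
        if key is None:
            return False
        return hmac.compare_digest(self.tag(key, frame), frame.get("tag", ""))


def demo():
    guest_mac, guest_ip = "02:00:00:aa:bb:cc", "192.168.1.50"  # constructed
    copied = {"mac": guest_mac, "ip": guest_ip, "payload": "GET /"}
    weak, strong = AddressOnlyGateway(), KeyBoundGateway()
    weak.login(guest_mac, guest_ip)
    key = strong.login(guest_mac, guest_ip)
    genuine = dict(copied, tag=KeyBoundGateway.tag(key, copied))
    return {
        "address_only_accepts_copied_addresses": weak.forward(copied),
        "key_bound_accepts_genuine": strong.forward(genuine),
        "key_bound_rejects_copied_addresses": strong.forward(copied),
    }
```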
The above indicated method is not able to grant a high level of confidence to the broadband Internet connection modem owners and to the guest mobile device owners. This is clear from FIG. 1 and FIG. 2, which schematically represent the traffic generated by the guest mobile devices (mobile devices 1, n) and exchanged with an Internet service provider (Service provider), traffic which has, as source address, the WAN IP address assigned to the owners.
The problem underlying the present invention is that the IP and MAC addresses of connecting mobile devices are authorized to reach the Internet through the hosting wireless access node, and it is possible to easily commit identity theft and usurpation by spoofing the MAC and IP addresses of the authenticated target and using the hosting wireless access node to reach the Internet. At the same time, the guest mobile device owner risks that his/her spoofed MAC and IP addresses can be used to commit potential illegal actions and crimes in his/her name.