New wireless LAN standards IEEE 802.11i and Wi-Fi Protected Access (WPA) use Extensible Authentication Protocol (EAP) for network access authentication and key agreement. In this situation, the wireless LAN station implements an EAP peer, which communicates with an EAP server implementation on the network side. During the EAP authentication exchange, the EAP peer and the EAP server exchange EAP packets. The EAP authentication server is usually a backend element which is separate from the wireless LAN access point. EAP has been designed to easily support several different authentication algorithms so that a separate EAP method implementation can be used for each authentication algorithm.
A new 3GPP Wireless LAN interworking standard enables a wireless LAN terminal to use the 3GPP smart card based authentication mechanisms for wireless LAN network access authentication. In the basic case, a single piece of user equipment is equipped with both the smart card and the wireless LAN interface. The wireless LAN terminal uses the Extensible Authentication Protocol method for GSM Subscriber Identity Modules (EAP-SIM) or the Extensible Authentication Protocol for 3G Authentication and Key Agreement (EAP-AKA) protocols to perform network access authentication. These protocols require access to the smart card of the device. Smart cards are widely used in portable electronics devices and are discussed in detail in UK Patent No. 2,370,659, assigned to Nokia Corporation and incorporated herein by reference.
In split user equipment (UE) situations, the wireless LAN network interface and the smart card reside in separate pieces of equipment. Typically in this case, a laptop equipped with a wireless LAN interface uses a mobile telephone, equipped with a smart card, for EAP-SIM and EAP-AKA authentication. As discussed above, these protocols require access to a smart card located on the mobile telephone. The laptop uses a Bluetooth connection to the mobile telephone in order to access the smart card for the wireless LAN authentication. Other possible communication connections could also be used to connect the laptop to the mobile telephone, such as RFID, WLAN (802.11x), infrared, UWB, or even a cabled connection such as a serial, parallel, or USB cable.
In the split UE case, there are three different ways to implement the EAP peer for EAP-SIM and EAP-AKA protocols. In the first implementation, the laptop implements the EAP peer and only uses the mobile phone for the smart card operations. In this scenario, EAP packets received from the wireless LAN network are processed by the laptop, and the laptop also generates all EAP packets that need to be transmitted to the network.
In the second implementation, the EAP-SIM and EAP-AKA peers are implemented by the mobile phone. The laptop passes through EAP packets from its wireless LAN interface to the mobile phone, and the mobile phone processes the EAP packets. The mobile phone uses the smart card for 3GPP authentication primitives only. The mobile phone generates the EAP packets that are to be transmitted to the wireless LAN network and sends them to the laptop. The laptop then forwards the outgoing EAP packets to the network.
In the third implementation, the smart card implements the EAP-SIM and EAP-AKA peers. In this case, special EAP capable smart cards are used. The laptop passes through EAP packets from its wireless LAN interface to the mobile phone, which again passes the EAP packet to the special smart card for processing. The smart card processes incoming EAP packets and generates outgoing EAP packets. The smart card passes its outgoing EAP packets to the mobile phone which further passes them to the laptop. The laptop then transmits the EAP packets to the wireless LAN network.
In 3GPP standardization, it is desired that the Bluetooth SIM Access Profile (SAP) be used in the split user equipment scenario. However, SAP is a low-level interface for accessing the smart card over a Bluetooth connection. SAP contains operations for exchanging application protocol data units (APDU), so it assumes that the smart card, rather than the mobile telephone, performs all the processing. This implies that if APDUs were used to send EAP packets to the mobile telephone, the EAP SIM and EAP AKA protocols would have to be implemented by the smart card.
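The constraint described above, that SAP carries only APDUs and leaves all processing to the smart card, is easiest to see in code. The following Python model is an added illustration and is not code from the patent or from any Nokia product: it encodes and decodes short-form ISO 7816-4 command and response APDUs, and wraps a toy card (with a hypothetical instruction byte, not a real GSM 11.11 instruction) in a relay that, like the phone under SAP, hands the bytes through unchanged. The relay's log shows what the phone observes at that layer: opaque APDU byte strings, never an EAP packet it could act on, which is why, with SAP alone, the EAP-SIM and EAP-AKA peers of the third implementation would have to live on the card.

```python
"""ISO 7816-4 short-form APDU framing relayed over a SAP-style transport.
Added example for illustration; the card, its instruction byte and all
sample bytes are constructed, not taken from any standard or product."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None  # None: no response data expected

    def encode(self) -> bytes:
        """Header, then optional Lc+data, then optional Le (short form)."""
        for v in (self.cla, self.ins, self.p1, self.p2):
            if not 0 <= v <= 0xFF:
                raise ValueError("header byte out of range")
        if len(self.data) > 255:
            raise ValueError("short-form data field is limited to 255 bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            if not 0 <= self.le <= 256:
                raise ValueError("short-form Le must be 0..256")
            out += bytes([self.le % 256])  # Le = 256 is encoded as 0x00
        return out


def decode_command(raw: bytes) -> CommandAPDU:
    """Decode a short-form command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: Le only
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the data length")
    rest = body[1 + lc:]
    if not rest:                                   # case 3: Lc + data
        return CommandAPDU(cla, ins, p1, p2, data)
    if len(rest) == 1:                             # case 4: Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, data, le=rest[0] or 256)
    raise ValueError("trailing bytes after Le")


def decode_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (response data, SW1SW2 status word)."""
    if len(raw) < 2:
        raise ValueError("response must end with SW1 SW2")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


class ToyCard:
    """Constructed card: it answers one hypothetical instruction by reversing
    the data field and rejects everything else. All logic sits here, as SAP
    assumes of the real smart card."""
    INS_ECHO = 0xE0  # hypothetical INS for this example only

    def transmit(self, raw: bytes) -> bytes:
        try:
            cmd = decode_command(raw)
        except ValueError:
            return bytes([0x67, 0x00])             # SW 6700: wrong length
        if cmd.ins != self.INS_ECHO:
            return bytes([0x6D, 0x00])             # SW 6D00: INS not supported
        return cmd.data[::-1] + bytes([0x90, 0x00])


class SapRelay:
    """Models the phone's role under SAP: transfer the APDU to the card and
    return its response unchanged. It never parses or rewrites the bytes."""

    def __init__(self, card: ToyCard):
        self.card = card
        self.log: List[Tuple[str, bytes]] = []     # opaque byte strings only

    def transfer_apdu(self, raw: bytes) -> bytes:
        self.log.append(("req", bytes(raw)))
        resp = self.card.transmit(raw)
        self.log.append(("rsp", bytes(resp)))
        return resp


def demo() -> Tuple[bytes, int, int]:
    """Round-trip one constructed command through the relay to the card."""
    relay = SapRelay(ToyCard())
    cmd = CommandAPDU(0x80, ToyCard.INS_ECHO, 0x00, 0x00, b"\x01\x02\x03", le=3)
    wire = cmd.encode()
    assert decode_command(wire) == cmd             # encoder and decoder agree
    data, sw = decode_response(relay.transfer_apdu(wire))
    return data, sw, len(relay.log)


if __name__ == "__main__":
    print(demo())
```

Only the card interprets the instruction byte; the relay's log holds the same bytes the laptop sent, which is the property the text relies on when it says the phone would not process EAP if EAP packets were tunnelled inside APDUs.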
It is currently desirable to implement EAP methods on the smart card, and there are product plans for special EAP-capable smart cards. However, it may also be desirable for EAP methods to be implemented by the mobile telephone.