A variety of wireless access networks are currently in use, each having different characteristics and primary applications. One way to organize these wireless access networks is by their (typical maximum inter-node) range capabilities. Wireless Global Area Networks (WGAN) have a range of 500-1500 km (user to satellite). An example WGAN is the Iridium GlobalStar system. Wireless Metropolitan Area Networks (WMAN) have a range of 30 km. An example WMAN is the Sprint fixed wireless service. Wireless Wide Area Networks (WWAN) have a range of 2-3 km. WWANs include TDMA-derivative or CDMA-derivative networks based on any of the existing or proposed 2G, 2.5G, and 3G (second, enhanced-second, and third generation) mobile voice and data systems. Wireless Local Area Networks (WLAN) have a range of 100 m. An example WLAN is the IEEE 802.11b system, discussed below. Wireless Personal Area Networks (WPAN) have a range of 10 m. An example WPAN is the Bluetooth System, discussed below. Other example WPAN systems are the IrDA system, backed by the Infrared Data Association, and the Shared Wireless Access Protocol (SWAP), backed by the HomeRF working group. It will be recognized that the above distances are merely suggestive of how a particular wireless access network might be categorized, and that categorizing a given wireless access network as belonging to one category or another can be subjective and arbitrary.
The Bluetooth System is described in “Specification of the Bluetooth System, Volumes 1 and 2, Version 1.1, Feb. 22, 2001”, from the Bluetooth SIG. The term Bluetooth will be used to refer to wireless access mechanisms compliant with the aforementioned specification, and any future revisions thereof. Bluetooth finds broad applicability wherever any two devices have previously required interconnection via cables. Thus, Bluetooth has been described as principally a “cable replacement” solution, meaning that it often can completely eliminate the need for cabling between connected nodes. LAN access is an important application category for Bluetooth, but only one out of many. Bluetooth excels in providing automatic or semi-automatic connections for information exchange (frequently deferred) between devices that are regularly in close proximity (roughly 10 m of separation) and where low power consumption is a priority for at least one of the devices.
A large number of Bluetooth-enabled devices have been proposed for use in homes, offices, and in cars. The proposed wireless-enabled devices include PCs, laptops, PDAs, keyboards, pointing devices (e.g. mice), mobile phones, pagers, cordless phones, fax machines, scanners, projectors, headsets, TVs, entertainment systems, appliances, LAN gateways, set-top boxes, point-of-sale terminals, and ATMs.
The IEEE 802.11 standard, which includes the 802.11b system, is described in detail in “IEEE Std 802.11-1997”, from the IEEE 802.11 working group. The term 802.11b will be used to refer to wireless access mechanisms compliant with the aforementioned specification, and any future revisions thereof. 802.11b has been described as principally a “cable extension” solution, meaning that it often extends (wirelessly) the reach of existing cables but does not entirely eliminate the need for some cabling between connected nodes. 802.11b excels in providing a wireless Ethernet-like supplement to an existing LAN (providing Internet and Intranet access), particularly for wireless connections for multiple-hour continuous-use portable hosts that may move about anywhere within the general vicinity (roughly 100 m in radius) around the access-point coupling the 802.11b extension to the LAN.
The Global System for Mobile Communications (GSM) is a 2G WWAN system widely used throughout much of the world for digital mobile phones. GSM-based phones make use of a special removable smart card called a Subscriber Identity Module (SIM). The SIM contains a microcontroller with ROM and EEPROM. The SIM holds a variety of information including the International Mobile Subscriber Identity (IMSI), which uniquely identifies the subscriber, a subscriber private-key (Ki), a copy of the user PIN code, a user phone book, and other data.
Access is not granted to the GSM network unless the mobile phone is properly authenticated using a process that relies upon the SIM. (See the portion of FIG. 5A labeled “prior art.”) The SIM identifies the mobile phone's user, not the mobile phone per se. If the user wants to change phones, the user is expected to do so by moving their SIM to the phone they want to use. As a first step in the authentication process, the user must enter their PIN for comparison by the SIM with the stored PIN value. The mobile phone will not grant access to the user unless the two instances of the PIN match.
Also held within the SIM are three authentication-related encryption algorithms. A8 is an algorithm used to generate a Signed Response (SRES) to a 128-bit random number (RAND). A5 is a stream cipher algorithm that is used to encrypt the transmissions between the mobile phone and the base station to which it is connected. A3 is an algorithm used to generate a ciphering key (Kc), which is used as a session key for the stream cipher.
A remote Authentication Center has one or more Authentication Servers that maintain copies of the IMSI and Ki for each subscriber and implement the same authentication-related encryption algorithms. When a GSM mobile phone attempts to gain access to the GSM network via a base station, it provides the base station with the user's IMSI. A pre-authentication Kc is used to protect the transmission of the IMSI with the stream cipher, so the IMSI is never sent in the clear. The base station will forward the IMSI provided by the mobile phone to the remote Authentication Server. The server uses the IMSI to look up the Ki. The server also generates the 128-bit RAND. The server then generates instances of Kc and SRES that are functions of Ki and RAND. The server then sends RAND, Kc, and SRES to the base station, which provides the RAND to the mobile phone.
Upon receiving the RAND, the mobile-phone's SIM uses its Ki and the stored encryption algorithms A8 and A3 to respectively generate its own instances of SRES and Kc. The mobile phone then passes its copy of SRES to the base station where it is compared with the SRES provided by the Authentication Server. If the two instances of SRES match, the mobile phone has been successfully authenticated and access is granted to the GSM network. Kc is subsequently used as a session-key for the A5 stream cipher. The foregoing authentication process is hereinafter referred to as SIM-based Authentication. Those skilled in the art will appreciate that the summary of SIM-based Authentication given above has been necessarily abridged.
Nokia (and possibly others) markets a Net Access Controller product that employs a derivative of the above-described SIM-based Authentication. (See the portion of FIG. 5B that is labeled “prior art.”) The Nokia product permits laptop users with special SIM-equipped WLAN PC Cards to gain access to another network via an authentication-protected gateway. By special arrangement, the same Authentication Server used by the GSM network is made accessible over a secure IP link to the Net Access Controller. Users on the WLAN take the same SIM that they use in their GSM mobile phone and place it into the special WLAN PC Cards.
For purposes of authentication, the Net Access Controller mimics the previously described role of the GSM base station. Specifically, the Net Access Controller receives user IMSIs via the WLAN and relays them over the secure IP link to the remote Authentication Server. Subsequently, the Net Access Controller receives the RAND, Kc, and SRES generated by the Server; provides the RAND to the WLAN device and thereby to the SIM; and compares the SIM-generated SRES to the Server-generated SRES. If the Net Access Controller determines that the two SRES copies match, it will authenticate the WLAN device and enable it to access the Internet (or an intranet).
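The challenge-response exchange described above for the GSM base station and, equivalently, for the Net Access Controller, as an added example that is not part of the patent text or of any vendor's product: HMAC-SHA256 stands in for the SIM's proprietary SRES and Kc algorithms (an assumption, since those algorithms are not published here), the `authenticate` function plays the verifier role, and the IMSI, Ki and PIN values are constructed.

```python
import hashlib, hmac, secrets

EXAMPLE_SUBSCRIBERS = {"262010000000001": bytes.fromhex("00112233445566778899aabbccddeeff")}  # constructed IMSI -> Ki

def _derive(ki: bytes, rand: bytes, label: bytes, n: int) -> bytes:
    """Stand-in (HMAC-SHA256, truncated) for the SIM's proprietary SRES/Kc algorithms (assumption)."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]

def sres_fn(ki: bytes, rand: bytes) -> bytes: return _derive(ki, rand, b"SRES", 4)  # 32-bit SRES, as in GSM
def kc_fn(ki: bytes, rand: bytes) -> bytes: return _derive(ki, rand, b"KC", 8)      # 64-bit Kc, as in GSM

class AuthenticationServer:
    """Holds (IMSI, Ki) per subscriber; hands out (RAND, SRES, Kc) triplets, never Ki itself."""
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers

    def triplet(self, imsi: str):
        ki = self._subscribers.get(imsi)
        if ki is None:
            return None                        # unknown IMSI: no challenge is issued
        rand = secrets.token_bytes(16)         # fresh 128-bit RAND for every attempt
        return rand, sres_fn(ki, rand), kc_fn(ki, rand)

class SIM:
    """Card side: PIN gate first, then challenge-response using its own stored Ki."""
    def __init__(self, imsi: str, ki: bytes, pin: str):
        self.imsi, self._ki, self._pin, self._unlocked = imsi, ki, pin, False

    def enter_pin(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def respond(self, rand: bytes):
        if not self._unlocked:
            raise PermissionError("SIM locked")
        return sres_fn(self._ki, rand), kc_fn(self._ki, rand)

def authenticate(server: AuthenticationServer, sim: SIM, pin: str):
    """Base-station / Net Access Controller role: relay IMSI, challenge the SIM, compare SRES; returns (granted, Kc)."""
    if not sim.enter_pin(pin):
        return False, None                     # PIN check happens on the card before anything is sent
    triplet = server.triplet(sim.imsi)         # IMSI relayed to the Authentication Server over the secure link
    if triplet is None:
        return False, None
    rand, server_sres, server_kc = triplet
    sim_sres, _ = sim.respond(rand)            # only RAND and SRES cross the air interface, never Ki
    if not hmac.compare_digest(sim_sres, server_sres):
        return False, None                     # a SIM with the wrong Ki (forged or mismatched) fails here
    return True, server_kc                     # Kc becomes the A5 session key only after a match
```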
Application development for wireless-enabled devices, including programming to communicate with the various levels of the wireless protocol stacks, is known in the art. An example text that teaches such programming is “WAP, Bluetooth, and 3G Programming: Cracking the Code,” by the Dreamtech Software Team, published by Hungry Minds, Inc., 2002. More specifically, chapter nine of the text teaches Bluetooth programming and chapter eleven teaches 3G (third-generation mobile-phone technology) programming. As described in the text, application development generally is first carried out in C or C++ using developer kits running on Win32 platforms prior to porting the application to the mobile device. Teleca Comtec of Sweden distributes a variety of Bluetooth development kits that teach and support Bluetooth programming. A development platform for 3G programming is the Binary Runtime Environment for Wireless (BREW), distributed by Qualcomm.
In spite of the wealth of wireless-enabled devices and the advances in wireless access, the interaction between multiple wireless-enabled devices has to date been of a limited nature, offering little more than basic support for automatically connecting and exchanging data as a cable-replacement function. What is needed are more sophisticated and improved techniques that better exploit the interactions between multiple wireless-enabled devices.
Existing security and authentication policies require remembering multiple passwords, installation of dedicated security dongles, dedicated security fobs, physical movement of smart cards (such as SIMs) or similar dedicated authentication hardware between multiple devices, or combinations of the foregoing. The result is that security policies remain primitive, difficult to use, and require dedicated devices that serve no other purpose. Users may shun or even purposefully disable security policies, because they are not transparent, they require effort to use, or they interfere with the user's enjoyment or productivity. What is needed are more sophisticated and improved, yet easier to use, techniques in the areas of functionality, security, and authentication.