The number of users who access private or public Packet Data Networks (PDNs), e.g., Internet, from remote locations is growing enormously. In addition, the vision of multimedia services that are available to people regardless of their location has driven the development of cellular networks using a packet-switched connection, e.g., using the Internet Protocol (IP), meaning that a virtual connection is always available to any other end point in the network. Standards of packet-based wireless communication services include General Packet Radio Service (GPRS), Enhanced Data Rate for GSM Evolution (EDGE), and Universal Mobile Telecommunications Service (UMTS).
Recently, due to the reduction of costs and to the ever-increasing connection capabilities, more and more high-speed data communication systems are being installed at customer premises. These data communication systems work, for example, on the same twisted-pair copper lines of the Public Switched Telephone Network (PSTN) to connect to the Internet. Internet connections over ordinary telephone lines generally take place through Digital Subscriber Line (DSL) access technology, although other high-speed modems are also used. DSL uses a specialized modem to enable high-speed data transfer between the subscriber's home and the nearest telephone central office over the standard copper wiring used to bring phone service into the home. There are a number of DSL communication schemes (generally referred to as xDSL technologies), but one of the most common forms commercially available is ADSL (Asymmetric DSL), in which the downstream (i.e., to the subscriber) data rates are several times faster than the upstream (i.e., from the subscriber) data rates.
Another access technology that has gained interest in recent years is fibre-to-the-home (FTTH), a high-speed broadband access system in which an optical fiber runs from the telephone switch to the subscriber's premises.
In short-range wireless Internet connections, a computer or handset (e.g., a PDA) with built-in wireless capability uses radio technologies to send and receive data anywhere within the range of an access point or a gateway, which acts as a broadcast-and-receive base station and as an interface between the wireless network and a wired network. For example, the radio technology between the wireless device and the access point can be based on the IEEE 802.11 standard (Wi-Fi® specification) or on the IEEE 802.16 standard (WiMAX specification).
Broadband access technologies have allowed service providers to expand their content and service offerings to both business and home users. For example, a user may subscribe to multiple services or applications, such as voice service, Internet access service, a video service, a gaming service, etc. from one or more service providers. These services and/or applications available through a private or public PDN (e.g., Internet) may be delivered over a single network connection, such as a DSL line.
On the other hand, a constantly growing number of services available on PDNs grant access only to authorised users, such as in the case of pay-per-session services, services that require a subscription, or services customized according to the profile of their users. Some conventional authentication procedures use passwords, i.e., strings of characters recognised by automatic means, which permit a user access to protected files or input/output devices.
The applicant has made the following considerations. First, password-based authentication systems are inherently not transparent to the user, who has to enter his password when accessing a service. This becomes particularly undesirable when a user wants to access a plurality of services during a session. Second, although technologically simple to implement, passwords are easy to compromise, as they are vulnerable to duplication or theft.
Mobile communication systems control resources of a network that are utilised by mobile stations corresponding to authorised users. In a conventional Global System for Mobile communications (GSM) network, the mobile station (MS) includes a Subscriber Identity Module (SIM), which contains subscriber information including data used to permit the MS to gain access to the network infrastructure of the GSM system. SIMs can be seen as security devices since they provide a unique means of identifying individual subscribers; they use cryptography and intrinsic computational capability to store secret information that is never divulged externally in clear form.
In a conventional GSM network system, several databases are available for call control and for authentication and security purposes, which are typically: the home location register (HLR), the visitor location register (VLR), the authentication center (AUC), and the equipment identity register (EIR). For all users registered with a network operator, permanent data (such as the user's profile) as well as temporary data (such as the user's current location) are stored in the HLR. In case of a call to a user, the HLR is always queried first to determine the user's current location. A VLR is responsible for a group of location areas and stores the data of those users who are currently in its area of responsibility. This includes parts of the permanent user data that have been transmitted from the HLR to the VLR for faster access. The VLR may also assign and store local data such as a temporary identification. The AUC generates and stores security-related data such as keys used for authentication and encryption, whereas the EIR registers equipment data rather than subscriber data.
GSM distinguishes explicitly between user and equipment and deals with them separately. Several subscriber and equipment identifiers have been defined; they are needed for the management of subscriber mobility and for addressing all the remaining network elements. The international mobile station equipment identity (IMEI), which is a kind of serial number, uniquely identifies a mobile station (MS) internationally. The IMEI is allocated by the equipment manufacturer and registered by the network operator, who stores it in the EIR. Each registered user, i.e., the subscriber, is uniquely identified by an international mobile subscriber identity (IMSI). The IMSI is typically stored in the SIM. An MS can only be operated if a SIM with a valid IMSI is inserted into equipment with a valid IMEI. The “real telephone number” of a mobile station is the mobile subscriber ISDN number (MSISDN). It is assigned to the subscriber (i.e., his or her SIM), such that a mobile station set can have several MSISDNs depending on the SIM.
General Packet Radio Service (GPRS) is a service designed for digital cellular networks (e.g., GSM or Personal Communication Service—PCS) and originally developed for GSM. The GPRS greatly improves and simplifies wireless access to packet data networks, e.g., to the Internet. It applies a packet radio principle to transfer user data packets in an efficient way between mobile stations and external packet data networks. Packets can be directly routed from/to the GPRS mobile stations to/from other GPRS terminals or to/from PDNs. Networks based on the Internet Protocol (IP) (e.g., the global Internet or private/corporate intranets) and X.25 networks are supported in the current version of GPRS.
GPRS optimises the use of network resources and radio resources and does not mandate changes to an installed Mobile Switching Centre (MSC) base of the GSM infrastructure. In order to integrate into the existing GSM architecture, the GPRS architecture generally comprises a Gateway GPRS Support Node (GGSN) and a Serving GPRS Support Node (SGSN). The GGSN, which is at the same hierarchical level as the MSC, acts as the gateway to other packet data networks such as the Internet. The SGSN is the serving node that enables virtual connections to the GPRS enabled mobile device and delivery of data. The SGSN sends data to and receives data from mobile stations, and maintains information about the location of a mobile station (MS). The SGSN communicates between the MS and the GGSN.
GPRS security functionality is typically equivalent to the existing GSM security. The SGSN performs authentication and cipher setting procedures based on the same algorithms, keys, and criteria as in existing GSM. GPRS uses a ciphering algorithm optimised for packet data transmission.
To exchange data packets with external PDNs after a successful GPRS attach, a MS must apply for one or more addresses used in the PDN, e.g., for an IP address in case the PDN is an IP network. This address is called PDP address (Packet Data Protocol address). For each session, a so-called PDP context is created, which describes the characteristics of the session. It contains the PDP type (e.g., IPv4), the PDP address assigned to the mobile station (e.g., 164.130.10.10), the requested Quality of Service (QoS), and the address of a GGSN that serves as the access point to the PDN. This context is stored in the MS, the SGSN, and the GGSN. With an active PDP context, the mobile station is “visible” for the external PDN and is able to send and receive data packets. The mapping between the two addresses, PDP and IMSI, enables the GGSN to transfer data packets between PDN and MS. A user may have several simultaneous PDP contexts active at a given time.
WO patent application No. 01/67716 describes a method for associating an MSISDN number of a mobile terminal with a temporarily assigned IP address for use in authentication, billing and personalization processes in a wireless application protocol (WAP) network.
WO patent application No. 01/03402 describes an authentication method for identifying a subscriber of a first network (i.e., the GPRS network) in a second network (e.g., an IP network), wherein an address of the second network is allocated to the subscriber. Information about a mapping between the address of the second network, e.g., the IP address, and a subscriber's identity is generated and transmitted to the second network. The subscriber's identity can be the IMSI and/or the MSISDN of the subscriber.
Applicant has noted that authenticating the access to an IP network by associating a subscriber's identity to the IP address is generally vulnerable to spoofing of IP packets, which allows an intruder on the Internet to effectively impersonate a local system's IP address. In addition, the two networks should be either directly connected (making the use of routable private IP addresses possible) or they need a compatible address plan.
WO patent application No. 01/17310 describes a system for authenticating a user requesting access to a PDN by applying GSM security principles. A remote host is connected to the PDN via an access network, and an MS is coupled to a mobile network connected to the PDN. In response to receiving a user request to access the PDN, the PDN generates an authentication token and sends it to the user via the access network and the remote host; the user sends the authentication token back to the PDN over the mobile network, and the PDN compares the token it sent with the token it received to determine whether to grant the user access to the PDN.
Applicant has observed that the disclosed authentication system is not transparent to the user, who has to wait for the authentication and has to send the received authentication token back to the PDN. Furthermore, since the remote server must know the telephone number of the user, the disclosed system can compromise the privacy of the user.
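As an added illustration of the token round trip described for WO 01/17310 (example code written for this page, not code from the patent), the following Python models the PDN side: the token leaves over the access network and must return, unchanged, over the mobile network before access is granted. The class and function names, the 120-second validity window and the one-time-use rule are assumptions not stated in the patent.

```python
import hmac
import secrets
import time


class FakeClock:
    """Deterministic clock so the expiry window can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class PdnAuthenticator:
    """PDN-side state of the two-channel token exchange (hypothetical model).

    issue_token() is what the PDN does when a request arrives over the
    access network; verify_mobile_reply() is what it does when the token
    comes back over the mobile network.  One outstanding token per user.
    """

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._pending = {}          # user_id -> (token, expiry time)
        self._ttl = ttl_seconds     # validity window (assumed, not in the patent)
        self._clock = clock

    def issue_token(self, user_id):
        # 128-bit unguessable token; an earlier outstanding token is replaced
        token = secrets.token_urlsafe(16)
        self._pending[user_id] = (token, self._clock() + self._ttl)
        return token

    def verify_mobile_reply(self, user_id, presented):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token, expiry = entry
        if self._clock() > expiry:
            del self._pending[user_id]      # stale token is never accepted
            return False
        if not hmac.compare_digest(token, presented):
            return False                    # mismatch; token stays pending
        del self._pending[user_id]          # accepted once, then discarded
        return True


def run_exchange(clock):
    """Honest round trip followed by a replay of the same token."""
    pdn = PdnAuthenticator(ttl_seconds=120, clock=clock.now)
    token = pdn.issue_token("subscriber-A")   # leaves via the access network
    # ... token reaches the user through the remote host (constructed step) ...
    first = pdn.verify_mobile_reply("subscriber-A", token)   # back via mobile net
    replay = pdn.verify_mobile_reply("subscriber-A", token)  # same token again
    return first, replay


if __name__ == "__main__":
    print(run_exchange(FakeClock()))   # (True, False)
```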
US patent application No. 2004/0132429 describes a method and system for providing access to an e-mail account via a mobile communication network, without special knowledge of mobile terminal programming or any POP3 or SMTP parameters. The mobile terminal is pre-configured with a default POP3/SMTP server address. For accessing an e-mail account a communication is built up between the mobile terminal client and a proxy server via the mobile network using standard POP3/SMTP. The user can be granted access to an e-mail account solely based on his MSISDN.
Universal Mobile Telecommunications Service (UMTS) can be seen as the direct evolution of GSM/GPRS networks. The security functions of UMTS are based on those implemented in GSM, such as subscriber authentication; some security functions have been added and some existing ones have been improved.
Packet switching utilizes data packets which are comparatively short blocks of message data. The packets may be of fixed length as in asynchronous transfer mode (ATM), or may be of variable length as in frame relay or the Internet protocol (IP). One desirable scenario is that packet-switched wireless network infrastructures support Internet telephony. Internet telephony, or IP telephony, refers to a class of applications that merge Internet capabilities with PSTN functions. IP telephony applications enable the transmission of real-time voice traffic over the Internet infrastructure and the seamless integration with the existing PSTN infrastructure. While IP telephony primarily focuses on voice calls, generally referred to as Voice over IP or VoIP, it can also be used to carry other voice-band or multimedia applications, such as fax, video and modem data.
A protocol that has been developed to support IP telephony is the Session Initiation Protocol (SIP). SIP is a signaling protocol for handling the setup, modification, and teardown of multimedia sessions, and in combination with the protocols with which it is used, describes the characteristics of a communication session to potential session participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. SIP invitations used to create sessions carry session descriptions which allow participants to agree on a set of compatible media types. SIP supports user mobility by proxying or redirecting requests to the user's current location. Usually, the Real-Time Protocol (RTP) is used to exchange the multimedia (audio, voice or data) during the communication session, but SIP allows any transport protocol to be used. SIP uses a client-server model, where the client initiates SIP requests and the server responds to them. In SIP, the end-point entity is called a User Agent, which is both a client (User Agent Client), i.e., the initiator of a SIP request, and a server (User Agent Server), which returns the responses.
SIP is deployed in the Internet, which can be considered a hostile environment in which SIP elements and messages may be exposed to a variety of security threats and attacks. In a SIP-based system, authentication measures can be enabled at different layers, including the application layer, the transport layer and the network layer.
H. Tschofenig et al., in “Using SAML for SIP”, downloaded from the Internet on Aug. 31, 2004, at http://www.ietf.org/internet-dratfs/draft-tschofenig-sip-saml-00._txt, propose a method for using the Security Assertion Markup Language (SAML) in collaboration with SIP to accommodate an authorisation mechanism. An enhanced network-asserted identity scenario is described, in which the enhancement is based on the attributes asserted by an Authentication Service (AS). A first user who wants to communicate with a second user sends a SIP INVITE to her preferred AS. Depending on the chosen SIP security mechanism, either digest authentication, S/MIME or Transport Layer Security is used to provide the AS with a strong assurance about the identity of the first user. After the first user is authenticated and authorized, a SAML assertion is attached to the SIP message.
As an increasing number of services begin to be offered over the Internet, the ability to provide an effective and secure single sign-on (SSO) mechanism for access to such services has become important. Services offered over the Internet are often distributed on a plurality of servers that are in remote locations with respect to each other. With a SSO mechanism, a user can authenticate his identity and authorisation to use a plurality of services distributed over the plurality of remote servers through an authentication procedure running on one or a small number of servers.
WO patent application No. 01/72009 discloses a SSO authentication mechanism in which a token is transmitted to a user who has requested authorisation to access a service. The token may be valid only for a period of time. The authentication-related functionality is separated from the services, and authentication need not be renegotiated for access to a new service from the plurality of services during a session. The user registers for authorisation to access the service by communicating his credentials, e.g., username and password, before the token is transmitted.
The Liberty Alliance Project is an open standards organisation for federated identity and identity-based services. It provides a standard for SSO that allows a user to sign on once at a Liberty-enabled site and to be seamlessly signed on when navigating to another Liberty-enabled site, without the need to authenticate again. “Liberty ID-WSF—Web Services Framework”, published at http://www.projectliberty.org/resources/whitepapers, offers an overview of the components of the Liberty ID-WSF. Message protection mechanisms can include token-based mechanisms, such as the propagation of a SAML assertion in a SOAP header block according to the Web Services Security (WS-Security) specification.
WO patent application No. 2004/064442 discloses a telecommunication method and system for providing SSO services for a user roaming in a packet radio network of a multinational mobile network operator that includes a federation of national network operators, one of these national network operators holding the user's subscription. This telecommunication system further comprises a number of service providers that have signed service agreements with the multinational mobile network operator federation for offering SSO services to users that are subscribers of any national network operator included in the federation. Each service provider comprises means for redirecting a user to a global SSO front end infrastructure as entry point in the federation; means for receiving a token from the user, the token being either an authentication assertion (a SAML assertion) or a reference thereof; means for retrieving an assertion from a site where the assertion was generated and means for checking that such site is trusted.
US patent application 2003/0163733 discloses a telecommunication system comprising means for redirecting a user accessing a service provider, the user having a subscription with a first mobile network operator, toward an Authentication Broker of a second mobile network operator having an agreement with said second mobile network operator. The first and the second mobile network operators belong to a federation, and the Authentication Broker acts as entry point of the federation toward an Authentication Provider. Users present an unambiguous identity, e.g., MSISDN/IMSI, to their Authentication Provider for performing an SSO service request.