1. Field of the Invention
The present invention relates to a mobile wireless communication system for making communications between mobile terminals through a radio access point, and more particularly to a mobile terminal authentication technique for authenticating the validity of a mobile terminal.
2. Description of the Related Art
High-speed wireless data communication systems such as wireless LAN have become widespread in homes and small offices for making communications between mobile terminals through a radio access point. An investigation is now under way to utilize this wireless technology for providing services in wider areas. However, to utilize such a high-speed wireless data communication system as a public network, it is important to support both advanced security and the movement of mobile terminals.
On the other hand, an authentication method defined by IEEE802.1x has been known as a conventional authentication method for ensuring security and supporting the movement of mobile terminals. In this authentication method defined by IEEE802.1x, each time a mobile terminal moves to a coverage area under a different radio access point, i.e., each time a handover occurs, the mobile terminal sends a password to an authentication server, which then authenticates the mobile terminal based on the password. However, password-based authentication involves searching a database of the authentication server for the user information registered therein, and therefore it is difficult to reduce the time required for the authentication.
To solve the foregoing problem, conventionally, JP-2003-188885-A, for example, has proposed a mobile wireless communication system as follows. This conventional mobile wireless communication system will be described with reference to a block diagram of FIG. 1.
Assume now that mobile terminal 101 exists in a coverage area under radio access point 102-1, one of a plurality of radio access points 102-1 to 102-3 connected to network 104. To start a communication in this state, mobile terminal 101 transmits its terminal ID to authentication server 103 through radio access point 102-1. Authentication server 103 determines whether or not it has preserved a WEP (Wired Equivalent Privacy) session key in correspondence to the terminal ID, i.e., whether mobile terminal 101 has already been authenticated. In this scenario, since mobile terminal 101 has not been authenticated, authentication server 103 requests a password from mobile terminal 101. This causes mobile terminal 101 to transmit a password to authentication server 103 through radio access point 102-1. Once authentication server 103 has authenticated the validity of mobile terminal 101 based on the password, authentication server 103 generates a WEP session key, which is transmitted to radio access point 102-1. In addition, authentication server 103 preserves the WEP session key in association with the terminal ID.
Afterwards, when mobile terminal 101 moves to a coverage area under radio access point 102-2, mobile terminal 101 sends the terminal ID to authentication server 103 through radio access point 102-2. Authentication server 103 then determines whether or not a WEP session key has been preserved therein in correspondence to the terminal ID. In this event, since authentication server 103 has preserved the WEP session key in correspondence to the terminal ID, i.e., mobile terminal 101 has already been authenticated, authentication server 103 instructs radio access point 102-1 to erase the WEP session key, and transmits the WEP session key to radio access point 102-2.
In the conventional mobile communication system described above, the transmission of a password and the password-based authentication are performed only at the start of communication, and a movement of a mobile terminal from one radio access point to another entails only the transmission of a terminal ID and a determination as to whether or not that terminal ID has been registered. It is therefore possible to reduce the authentication processing time when a mobile terminal moves from one radio access point to another.
However, the conventional mobile communication system described above has difficulty preventing data transmission/reception through spoofing. Once a mobile terminal has been authenticated with a password, the mobile terminal transmits only its terminal ID to the authentication server each time it moves from one radio access point to another, and the authentication server relies on that terminal ID alone for authentication. More specifically, in the conventional strategy described above, if a terminal ID can be intercepted, the intercepted terminal ID can be used to transmit/receive data, so that it is difficult to prevent the transmission/reception of data through spoofing.
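The following is an added example, not code from the patent or from JP-2003-188885-A, that models the conventional flow of FIG. 1 (terminal ID check, password fallback, session-key handover between access points) and then shows why the handover decision is weak: the server's branch depends only on whether a session key is preserved for the terminal ID, never on who presented it. The class and function names (AccessPoint, AuthenticationServer, run_scenario), the sample credentials, and the 13-byte (104-bit) WEP key size are all assumptions of this model.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    """A radio access point: holds the WEP session key of each terminal it currently serves."""
    name: str
    session_keys: dict = field(default_factory=dict)  # terminal_id -> WEP session key


class AuthenticationServer:
    """Models authentication server 103 of the conventional system (added example, not the patent's code)."""

    def __init__(self, password_db):
        self._passwords = password_db   # terminal_id -> password; a constructed sample database
        self._session_keys = {}         # preserved WEP session key per authenticated terminal ID
        self._serving_ap = {}           # access point currently holding the key for a terminal ID

    def receive_terminal_id(self, terminal_id, ap):
        """A terminal ID arrives through access point `ap`.

        The decision below depends only on whether a session key is preserved
        for the ID; the server has no way to tell who presented it.
        """
        if terminal_id not in self._session_keys:
            return "password_required"          # first contact: fall back to password authentication
        old_ap = self._serving_ap[terminal_id]
        if old_ap is not ap:
            old_ap.session_keys.pop(terminal_id, None)   # instruct the previous AP to erase the key
        ap.session_keys[terminal_id] = self._session_keys[terminal_id]
        self._serving_ap[terminal_id] = ap
        return "handover"

    def receive_password(self, terminal_id, password, ap):
        """Password-based authentication; on success a fresh WEP session key is generated and preserved."""
        expected = self._passwords.get(terminal_id)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        key = secrets.token_bytes(13)   # 104-bit key; the WEP key size is an assumption of this model
        self._session_keys[terminal_id] = key
        self._serving_ap[terminal_id] = ap
        ap.session_keys[terminal_id] = key
        return True


def run_scenario():
    """Replay the FIG. 1 flow, then present the same terminal ID from a third access point."""
    ap1, ap2, ap3 = AccessPoint("102-1"), AccessPoint("102-2"), AccessPoint("102-3")
    server = AuthenticationServer({"terminal-101": "sample-password"})   # constructed credentials
    tid = "terminal-101"

    first = server.receive_terminal_id(tid, ap1)                 # not yet authenticated
    auth_ok = server.receive_password(tid, "sample-password", ap1)
    key = ap1.session_keys[tid]

    moved = server.receive_terminal_id(tid, ap2)                 # handover to 102-2: ID only, no password
    after_move = (tid in ap1.session_keys, ap2.session_keys.get(tid) == key)

    # Any party that has learned the terminal ID receives the same treatment as the legitimate
    # terminal: the server hands the key to 102-3 and erases it at 102-2 without noticing a difference.
    replayed = server.receive_terminal_id(tid, ap3)
    after_replay = (tid in ap2.session_keys, ap3.session_keys.get(tid) == key)

    return {
        "first": first, "auth_ok": auth_ok, "moved": moved, "after_move": after_move,
        "replayed": replayed, "after_replay": after_replay,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running the scenario shows the two-step behaviour the text describes: the first contact is answered with a password request, the move to 102-2 is a pure ID lookup, and a third presentation of the same ID is indistinguishable from a legitimate handover, which is exactly the gap the preceding paragraph identifies.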