It is becoming commonplace to use wireless packet data service networks for effectuating data sessions with mobile communications devices. In some implementations, unique indicia such as Personal Information Numbers or PINs are assigned to the devices in order to facilitate certain aspects of service provisioning, e.g., security, validation and service authentication, et cetera. In such scenarios, it becomes imperative that no two devices have the same indicium (i.e., that there is no collision). Further, such PIN indicia are mapped to individual Internet Protocol (IP) addresses used in packet-switched networks so that a mobile communications device continues to send and receive messages even if its IP address is changed for some reason. For example, wireless carriers may dynamically assign an IP address to a data-enabled mobile device, and if that device is out of coverage, the previously assigned IP address is reclaimed and recycled for another device requesting service.
Because of the mapping between IP addresses and the PIN indicia assigned to the devices, however, a potential security issue such as “identity theft” arises. By way of illustration, an attacker could create a packet carrying the PIN assigned to a legitimate device and transmit it from a different IP address, thereby claiming to be the legitimate device, i.e., the one having the authorized PIN. This may cause messages intended for the legitimate device to be routed to the attacker's IP address (i.e., a Denial of Service or DoS attack).
In one embodiment, a mobile communications device comprises a processor configured to control at least one of a plurality of sub-systems for communicating with a network node operable with a wireless network. The processor is further configured to control at least one of the plurality of sub-systems for generating an authentication key for securing a personalized indicium assigned to the mobile communications device, wherein the personalized indicium comprises a Personal Information Number (PIN) that is mapped to at least one identifier associated with the mobile communications device. The processor is further configured to control at least one of the plurality of sub-systems for transmitting a registration request to the network node, the registration request having a registration request payload including the authentication key. The processor is further configured to control at least one of the plurality of sub-systems for receiving a challenge message from the network node, the challenge message generated when the network node detects a change of the IP address associated with the mobile communications device. The processor is further configured to control at least one of the plurality of sub-systems for executing a challenge response to the challenge message, the challenge response including an authentication value of a challenge string transmitted in the challenge message, wherein the authentication value is created using the authentication key.
In another embodiment, a method operable on a mobile communications device is disclosed, the method comprising generating an authentication key for securing a personalized indicium assigned to the mobile communications device, wherein the personalized indicium comprises a Personal Information Number (PIN) that is mapped to at least one identifier associated with the mobile communications device; transmitting a registration request to a network node operable with a wireless network, the registration request having a registration request payload including the authentication key; receiving a challenge message from the network node, the challenge message generated when the network node detects a change of the IP address associated with the mobile communications device, and responsive to receiving the challenge message, executing a challenge response including an authentication value of a challenge string transmitted in the challenge message, wherein the authentication value is created using the authentication key.
In another embodiment, a scheme is provided for securing a personalized indicium such as a Personal Information Number (PIN) assigned to a mobile communications device. Upon detecting at a network node that an address associated with the mobile communications device has changed, a challenge-and-response procedure is negotiated between the mobile communications device and the network node for authenticating the personalized indicium using a shared authentication key.
In another embodiment, a method is disclosed which comprises: detecting at a network node that an address associated with packets from a mobile communications device has changed, wherein the mobile communications device's personalized indicium comprises a PIN that is mapped to at least one identifier (e.g., a device identifier or a subscriber identifier) relating to the mobile communications device; responsive to the detecting, issuing a challenge message to the mobile communications device by the network node, wherein a challenge response is operable to be generated by the mobile communications device using an authentication key; and based on the challenge response from the mobile communications device, determining at the network node whether the PIN is legitimately bound to the mobile communications device.
In another embodiment, a mobile communications device is disclosed which comprises: logic means operable to generate an authentication key for transmitting in a registration request to a network node interfaced with a wireless network, the authentication key for securing a personalized indicium assigned to the mobile communications device, wherein the personalized indicium comprises a PIN that is mapped to at least one identifier relating to the mobile communications device; and logic means operable to execute a challenge response when challenged by a challenge message from the network node, the challenge response including an authentication value (e.g., a signature) of a challenge string transmitted in the challenge message, wherein the authentication value is created using the authentication key.
In yet another embodiment, a network system is disclosed for securing a personalized indicium assigned to a mobile communications device, which comprises: means for detecting at a network node that an address of packets from the mobile communications device has changed, wherein the mobile communications device's personalized indicium comprises a PIN that is mapped to at least one identifier relating to the mobile communications device; means, operable responsive to the detecting, for issuing a challenge message to the mobile communications device, wherein a challenge response is operable to be generated by the mobile communications device using an authentication key; and means, operable responsive to the challenge response from the mobile communications device, for determining at the network node whether the PIN is legitimately bound to the mobile communications device.
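The registration and challenge-and-response procedure described in the embodiments above, sketched as an added example that is not part of the original disclosure. Assumptions: HMAC-SHA256 stands in for the authentication value, the class and method names are hypothetical, the PIN and addresses are constructed, and the node keeps the first key registered for a PIN.

```python
import hashlib, hmac, secrets

class Device:
    """Mobile device: holds the PIN and generates the authentication key."""
    def __init__(self, pin):
        self.pin = pin
        self.auth_key = secrets.token_bytes(32)   # generated on the device

    def registration_request(self):
        return {"pin": self.pin, "auth_key": self.auth_key}  # key in payload

    def challenge_response(self, challenge):
        # Authentication value of the challenge string (HMAC is an assumption).
        return hmac.new(self.auth_key, challenge, hashlib.sha256).digest()

class NetworkNode:
    """Network node: maps PIN -> (key, IP) and challenges on an IP change."""
    def __init__(self):
        self.bindings = {}   # pin -> {"key": bytes, "ip": str}
        self.pending = {}    # pin -> (challenge, claimed_ip)

    def register(self, request, src_ip):
        if request["pin"] in self.bindings:
            return False     # assumption: an existing key is never overwritten
        self.bindings[request["pin"]] = {"key": request["auth_key"], "ip": src_ip}
        return True

    def on_packet(self, pin, src_ip):
        if self.bindings[pin]["ip"] == src_ip:
            return None      # address unchanged, no challenge needed
        challenge = secrets.token_bytes(16)       # fresh per address change
        self.pending[pin] = (challenge, src_ip)
        return challenge

    def verify(self, pin, response):
        challenge, claimed_ip = self.pending.pop(pin)   # single use
        key = self.bindings[pin]["key"]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False     # PIN stays bound to the previous address
        self.bindings[pin]["ip"] = claimed_ip     # rebind only after proof
        return True

def demo():
    node, dev = NetworkNode(), Device("PIN-0001")       # constructed PIN
    node.register(dev.registration_request(), "10.0.0.5")
    ok = node.verify(dev.pin, dev.challenge_response(node.on_packet(dev.pin, "10.0.0.9")))
    ch = node.on_packet(dev.pin, "203.0.113.7")         # same PIN, other sender
    forged = node.verify(dev.pin, Device(dev.pin).challenge_response(ch))
    return ok, forged, node.bindings[dev.pin]["ip"]
```

`demo()` returns `(True, False, "10.0.0.9")`: the legitimate device's address change is accepted, while a sender that only knows the PIN cannot redirect the binding.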