TWI293844B - A system and method for performing application layer service authentication and providing secure access to an application server - Google Patents


Info

Publication number
TWI293844B
Authority
TW
Taiwan
Prior art keywords
authentication
eap
sim
vpn
mobile device
Prior art date
Application number
TW094100711A
Other languages
Chinese (zh)
Other versions
TW200625905A (en)
Inventor
Jen Shun Yang
Da Jiun Chou
Chun Chieh Wang
Original Assignee
Ind Tech Res Inst
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ind Tech Res Inst
Priority to TW094100711A
Priority to US11/240,308 (US20060155822A1)
Publication of TW200625905A
Application granted
Publication of TWI293844B


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0272 Virtual private networks
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/03 Protecting confidentiality, e.g. by encryption
                    • H04W 12/06 Authentication
                • H04W 84/00 Network topologies
                    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
                        • H04W 84/10 Small scale networks; Flat hierarchical networks
                            • H04W 84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

1293844

IX. Description of the Invention

[Technical Field]

The present invention relates to mobile networks, and in particular to a system and method for application-layer service authentication and secure access to an application server in a mobile network.

[Prior Art]

The dual-network architecture that combines wireless local area networks (WLAN) and cellular telephony has gradually taken shape. Under this architecture, authentication, authorization and accounting (AAA) for WLAN network access can be handled, under an agreement between the cellular network operator and the WLAN operator, with AAA based on the Extensible Authentication Protocol method for GSM Subscriber Identity Modules (EAP-SIM). However, there is currently no mechanism that lets a service provider (for example a VoIP provider or an Internet online gaming provider) use EAP-SIM to complete AAA for application-layer services. Consider a user whose dual-network handset enters a WLAN that does not belong to the issuer of the Subscriber Identity Module (SIM) card, or a public WLAN (PWLAN): even if the service provider of the application-layer service holds authentication rights for that SIM card, it still has no way to use an EAP-SIM based authentication mechanism to verify the legitimacy of the user.

Figure 1 is the packet flow of EAP-SIM authentication. First, the authenticator 91 sends an EAP Identity Request packet 900. On receiving it, the peer 90 (the party being authenticated) returns an EAP Identity Response packet 902, which usually carries the peer's International Mobile Subscriber Identity (IMSI) or a temporary identity. After the Identity Response 902, the peer 90 receives an EAP-SIM/Start request packet 904, which carries the list of authentication versions supported by the authenticator 91. The peer 90 answers with an EAP-SIM/Start response packet 906 containing a random number (a nonce) and the selected authentication version. The authenticator 91 then exchanges messages with the Authentication Center (AuC) of the Global System for Mobile Communications (GSM) network and computes the keys, after which it sends an EAP-SIM/Challenge request packet 908 containing a randomly chosen challenge and a Message Authentication Code (MAC) value that protects the challenge. On receiving packet 908, the peer 90 runs the GSM authentication algorithm on its SIM and verifies the MAC; if verification passes, the peer 90 returns an EAP-SIM/Challenge response packet 912 carrying its own MAC computation. The authenticator 91 checks whether that MAC matches the MAC it computed earlier; if it does, it sends an EAP Success packet 914 and authentication is complete.

Existing techniques include an efficient billing scheme for calls placed by a VoIP phone using network-connection authentication, as in US 2002/0146005 A1. Another prior technique authenticates the user and the network connection from two sets of authentication parameters, as in US 6,732,105 B1. Neither provides a security mechanism during the authentication process, neither supports EAP-SIM based authentication, and both require the user to take part in the authentication process. Existing techniques therefore cannot support EAP-SIM based authentication and secure access to application-layer services under the dual-network architecture.

[Summary of the Invention]

The object of the present invention is to address the problems of the prior art above with a system and method for authentication and secure access to application-layer services. For connection security it uses Virtual Private Network (VPN) tunneling to obtain a high level of security, and it carries the EAP-SIM packets inside the VPN tunnel, so that the user can complete application-layer authentication with the existing EAP-SIM technology while the data is protected. Because the authentication is EAP-SIM based, no user dialogue is required.

Accordingly, an embodiment of the invention provides a system and method for authentication and secure access to application-layer services. First, a VPN tunnel is established between the user and the intranet. Then EAP-SIM authentication is performed through that VPN tunnel, completing application-layer authentication.

[Detailed Description]

The different embodiments or examples given in the disclosure below illustrate different technical features of the invention; the specific examples or arrangements described serve to simplify the invention and are not intended to limit it.

In this embodiment a VPN tunnel is first established between the mobile device and the gateway of the intranet to obtain a high level of security, and the VPN tunnel is used to carry the EAP-SIM packets.

Figure 2 is a diagram of the components of the access system of this embodiment. As shown in Figure 2, the main entities of the system are the mobile device 10 (the service accessor), the proxy server 20 (service proxy), the AAA server 22, the Home Location Register / Authentication Center (HLR/AuC) server 24, and the application server 26. The mobile device 10 is the accessor of the application service; the proxy server 20 is the gateway server of the intranet; the AAA server 22 is responsible for authentication, authorization and accounting; the HLR/AuC server 24 is responsible for subscriber management and authentication; and the application server 26 provides the various application services of the intranet.

Figure 3 is the message-exchange flow of the access method of this embodiment. The whole process divides into four phases. The first phase P1 establishes a Secure Socket Layer (SSL) connection between the service accessor and the service proxy server; this SSL connection protects the data transfer of the second phase P2. The second phase establishes a VPN connection from the service accessor to the service proxy and sets up a temporary VPN tunnel to protect the data transfer that follows; here L2TP/IPsec is used to implement the VPN. The third phase P3 performs application-layer authentication with EAP-SIM. If EAP-SIM authentication succeeds, the temporary VPN tunnel is legitimized, and in the fourth phase P4 data is transferred between the service accessor and the service proxy server over the legitimized VPN tunnel.

Once the secure SSL connection of the first phase P1 is in place, it can be used to build the VPN tunnel from the service accessor to the service proxy.

A Virtual Private Network (VPN) is a virtual private network built over a public network using tunneling and encryption. In current VPN technology a tunnel is normally used to connect different private domains or remote users, across the Internet, to the private network they wish to reach, and the tunneled data is protected by encryption and authentication mechanisms, so that the security and confidentiality of a traditional private network are obtained together with low cost, high security, high scalability and easy maintenance.
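The Figure 1 exchange, simulated end to end with both sides' messages, as an added example that is not part of the patent. It follows the RFC 4186 message structure (Identity, SIM/Start with the version list and NONCE_MT, SIM/Challenge carrying n RANDs and an AT_MAC, a Challenge response whose AT_MAC covers n*SRES, then Success), but the SIM's A3/A8 algorithm and the key-expansion PRF are HMAC-SHA1 stand-ins, since the page does not give them; the identity, Ki and packet labels are constructed for the demo.

```python
"""EAP-SIM (RFC 4186) exchange of Figure 1, simulated end to end.

Added example, not code from the patent. A3/A8 and the key-expansion PRF
are stand-ins; the message sequence, MAC coverage and key names (K_aut)
follow RFC 4186. Identity, Ki and packet labels are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

VERSION_LIST = [1]   # AT_VERSION_LIST; RFC 4186 defines only version 1


def gsm_a3a8(ki, rand):
    """Stand-in for the SIM's A3/A8 (the real algorithm is not on the page):
    RAND (16 B) + Ki -> SRES (4 B), Kc (8 B)."""
    out = hmac.new(ki, rand, hashlib.sha1).digest()
    return out[:4], out[4:12]


def derive_keys(identity, kcs, nonce_mt, version_list, selected):
    """RFC 4186 sec. 7: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected).
    The RFC expands MK with the FIPS 186-2 PRF; this demo substitutes HMAC-SHA1
    counters (stand-in) and keeps only K_encr and K_aut (16 B each)."""
    vl = b"".join(v.to_bytes(2, "big") for v in version_list)
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + vl
                      + selected.to_bytes(2, "big")).digest()
    stream = b"".join(hmac.new(mk, bytes([i]), hashlib.sha1).digest() for i in range(2))
    return stream[:16], stream[16:32]


def at_mac(k_aut, packet, extra=b""):
    """AT_MAC = HMAC-SHA1-128 over the EAP packet (MAC field zeroed) plus extra
    data: NONCE_MT for SIM/Challenge, n*SRES for the Challenge response."""
    return hmac.new(k_aut, packet + extra, hashlib.sha1).digest()[:16]


@dataclass
class Peer:
    identity: bytes                 # IMSI-based permanent identity or a pseudonym
    ki: bytes                       # secret shared between the SIM and the AuC
    verifies_server_mac: bool = True
    nonce_mt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


@dataclass
class Authenticator:
    auc: dict                       # AuC view: identity -> Ki (stands in for the triplet fetch)


def run_eap_sim(peer, auth, n=2, tamper_rand=False):
    """Run packets 900..914 of Figure 1 and report the outcome."""
    # 900/902  EAP-Request/Identity -> EAP-Response/Identity
    identity = peer.identity
    # 904/906  SIM/Start: version list -> selected version + NONCE_MT
    selected = VERSION_LIST[0]
    nonce_mt = peer.nonce_mt
    # Authenticator obtains n GSM triplets (RAND, SRES, Kc) from the AuC
    ki = auth.auc.get(identity)
    if ki is None:
        return {"status": "failure", "reason": "unknown subscriber"}
    rands = [secrets.token_bytes(16) for _ in range(n)]
    sres_s, kc_s = zip(*(gsm_a3a8(ki, r) for r in rands))
    _, k_aut_s = derive_keys(identity, list(kc_s), nonce_mt, VERSION_LIST, selected)
    # 908  SIM/Challenge: n*RAND, AT_MAC over packet || NONCE_MT
    challenge = b"EAP-Request/SIM/Challenge" + b"".join(rands)
    mac_908 = at_mac(k_aut_s, challenge, nonce_mt)
    if tamper_rand:                 # on-path modification after the MAC was computed
        rands[0] = bytes([rands[0][0] ^ 0x01]) + rands[0][1:]
        challenge = b"EAP-Request/SIM/Challenge" + b"".join(rands)
    # Peer: run A3/A8 on the SIM for each RAND, derive keys, check the server's MAC
    sres_p, kc_p = zip(*(gsm_a3a8(peer.ki, r) for r in rands))
    _, k_aut_p = derive_keys(identity, list(kc_p), nonce_mt, VERSION_LIST, selected)
    if peer.verifies_server_mac and not hmac.compare_digest(
            at_mac(k_aut_p, challenge, nonce_mt), mac_908):
        return {"status": "failure", "reason": "peer rejected server AT_MAC"}
    # 912  Challenge response: AT_MAC over packet || n*SRES proves SRES without sending it
    response = b"EAP-Response/SIM/Challenge"
    mac_912 = at_mac(k_aut_p, response, b"".join(sres_p))
    # 914  Authenticator verifies against its own SRES values, then EAP Success
    if not hmac.compare_digest(at_mac(k_aut_s, response, b"".join(sres_s)), mac_912):
        return {"status": "failure", "reason": "server rejected peer AT_MAC"}
    return {"status": "success", "keys_match": k_aut_s == k_aut_p}


if __name__ == "__main__":
    ki = bytes(range(16))                                   # constructed Ki
    ident = b"1466920123456789@wlan.example.org"            # constructed identity
    auth = Authenticator({ident: ki})
    print(run_eap_sim(Peer(ident, ki), auth))
    print(run_eap_sim(Peer(ident, bytes(16)), auth))        # wrong Ki on the SIM
    print(run_eap_sim(Peer(ident, ki), auth, tamper_rand=True))
```

The two MAC checks are independent: the peer answers only a challenge whose AT_MAC verifies under keys derived from its own SIM output, and the server's check on packet 912 is the "MAC matches the previously computed MAC" step of the description. A peer that skips its own check (verifies_server_mac=False) with the wrong Ki is still rejected by the server.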

There are many kinds of VPN. In this embodiment the Layer Two Tunneling Protocol (L2TP) is combined with Internet Protocol Security (IPsec) to meet the VPN requirements. The two important network entities in an L2TP/IPsec VPN architecture are the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS), the two endpoints of the L2TP tunnel: the LNS is the gateway of the intranet, and the LAC is a network entity with access to the public network. In the L2TP/IPsec architecture of this embodiment the user is a mobile device, which may dial in to a LAC or be the LAC itself. The LAC exchanges messages with the LNS to set up an L2TP tunnel, and then an IPsec security association is established to protect the data inside the L2TP tunnel, forming the VPN tunnel.

L2TP/IPsec is the recommended way to build the VPN connection here. One advantage of using L2TP/IPsec in this authentication architecture is that, when the IPsec IKE phase 1 security association (SA) is established, aggressive mode can be used to shorten SA setup, at the cost of identity protection. In aggressive mode the identity is sent in the same message as the key exchange (KE) payload, whereas main mode sends the identity and the KE in two separate messages; this shortens the time IPsec needs to establish the SA, but the disadvantage is that the identity is not protected by the KE, since it is sent before the shared secret exists. This embodiment does not restrict how the VPN connection is established; the implementer may choose any suitable VPN implementation, and any such choice applies to this embodiment.

The third phase P3 mainly authenticates the service accessor's SIM card and the service accessor's right to access the application service. Once the service accessor has passed SIM authentication and access-right authentication, it can use the VPN tunnel built earlier to reach the application service, securing access to the application service over the public network. If authentication fails, the VPN tunnel built for authentication is torn down, and the service accessor can no longer reach intranet resources.

In an ordinary EAP-SIM authentication flow, the identity carried in the EAP Identity Response packet 118 normally has to contain the IMSI, but the IMSI alone is not enough for the AAA server 22 to decide whether the service accessor is entitled to the service. Therefore, when the identity is transmitted, application-service request information is appended to the IMSI, for example the address of the application server 26 and the communication port used by the application service.

In addition, once the AAA server 22 has received the Challenge response packet 129 and confirmed that the service accessor's SIM card is genuine, the original EAP-SIM flow would immediately return a Success packet 134 telling the service accessor that it has passed authentication. Here, in order to authenticate the application service as well, the AAA server 22 must first query the service accessor's application-service access information over the AAA protocol before it returns the Success packet 134. In the third phase of the Figure 3 embodiment, the AAA server 22 first sends an Access Request packet 130 to the HLR/AuC server 24 to verify the service accessor's application-service access information, that is, its right to access the application server 26. If that right exists, the HLR/AuC server 24 answers with an Access Accept packet 131; on receiving it, the AAA server 22 returns the Success packet 134 and forwards the Access Accept it just received to the application server 26 (packet 133), notifying the application server 26 that the service accessor has passed authentication. On receiving the Access Accept packet 133, the application server 26 uses the service-accessor information carried in that message to request the user profile from the HLR/AuC server 24, configures the service accessor's environment according to the user profile, and then lets the service accessor use the authenticated service. The application server 26 can also use the information carried in the Access Accept packet 133 for subsequent accounting.

After the EAP-SIM authentication above and the establishment of the formal VPN tunnel, the fourth phase P4 transfers application data between the service accessor and the service proxy. The VPN connection protects every application-layer data packet exchanged between the service accessor and the intranet, giving application-service access security, authenticity and integrity.

Figure 4 is a block diagram of the mobile device of this embodiment. As shown in Figure 4, the mobile device 10 consists of a VPN tunnel module 00 and an EAP-SIM authentication module 02. The VPN tunnel module 00 establishes the VPN tunnel, and the EAP-SIM authentication module 02 performs EAP-SIM authentication through that VPN. The VPN tunnel module comprises a security session module 000 and a VPN encryption negotiation module 002. The security session module 000 establishes a secure session with an Internet encryption algorithm; the VPN encryption negotiation module 002 then exchanges the VPN encryption negotiation inside that secure session, and if the negotiation succeeds the VPN tunnel is formed. The Internet encryption algorithm used in this embodiment is SSL, and the VPN encryption negotiation is carried out by L2TP and IPsec. The EAP-SIM authentication module 02, besides performing the peer-side actions of the standard EAP-SIM flow of Figure 1, also transmits the service-accessor identity and access-application information of the mobile device 10.

The Figure 4 embodiment discloses the modules of the mobile device 10. Anyone skilled in the art may implement these modules in software, in hardware, or in a combination of software and hardware without departing from the spirit and scope of the invention.

Although the embodiments of the invention are disclosed above, they do not limit the invention; anyone skilled in the art may make modifications and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is defined by the appended claims.

[Brief Description of the Drawings]

Figure 1 is the EAP-SIM authentication packet flow.
Figure 2 is the deployment of the system components of this embodiment.
Figures 3A and 3B are the system message exchange of this embodiment, in which the VPN is built with L2TP/IPsec.
Figure 4 is a block diagram of the mobile device of this embodiment.

[Reference Numerals]

90: peer (party being authenticated); 91: authenticator; 900: EAP Identity Request packet; 902: EAP Identity Response packet; 904: EAP-SIM/Start request packet; 906: EAP-SIM/Start response packet; 908: EAP-SIM/Challenge request packet; 910: peer generates keys; 912: EAP-SIM/Challenge response packet; 914: EAP Success packet; 10: mobile device; 2: intranet; 20: proxy server; 22: AAA server; 24: HLR/AuC server; 26: application server; 100-103: SSL packets; 104-115: L2TP/IPsec packets; 117-134: EAP-SIM packets; 129: EAP-SIM Challenge request packet; 118: EAP Identity Response packet; 130: Access Request packet; 131: Access Accept packet; 134: EAP Success packet; 134-139: data transfer packets; 00: VPN tunnel module; 02: authentication module; 000: security session module; 002: VPN negotiation module.
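The intranet-side decision of the third phase P3 described above, as an added example that is not the patent's own code: the EAP identity carries the IMSI together with the application server address and port, the AAA server sends the HLR/AuC an Access Request only after the SIM check has passed, the application server is told of the accept and configures the session from the user profile, and the temporary VPN tunnel is legitimized or torn down depending on the outcome. The identity encoding "IMSI|app=host:port", the subscriber table, the profile contents, the tunnel state names and the class names are assumptions of this demo.

```python
"""Phase P3 authorization binding on the intranet side (added example, not
the patent's code). Identity encoding, tables and state names are assumed."""
import re
from dataclasses import dataclass

# Assumed encoding of the extended EAP Identity Response 118: IMSI plus the
# application-service request information the description mentions.
IDENTITY_RE = re.compile(r"^(?P<imsi>\d{15})\|app=(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_identity(raw):
    """Return (imsi, host, port) or raise ValueError; IMSI is exactly 15 digits."""
    m = IDENTITY_RE.match(raw)
    if not m:
        raise ValueError("malformed identity")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    return m["imsi"], m["host"], port


@dataclass
class Tunnel:
    """Temporary L2TP/IPsec tunnel from phase P2; only a legitimate one carries P4 data."""
    peer: str
    state: str = "temporary"          # temporary -> legitimate | torn_down

    def tear_down(self):
        self.state = "torn_down"


class HlrAuc:
    """HLR/AuC 24: subscriber records with the services each subscriber may reach."""
    def __init__(self, subscribers):
        self.subscribers = subscribers   # imsi -> {"services": set of (host, port), "profile": dict}

    def access_request(self, imsi, service):        # packet 130 -> 131
        rec = self.subscribers.get(imsi)
        if rec is None or service not in rec["services"]:
            return "Access-Reject", None
        return "Access-Accept", rec["profile"]


class AppServer:
    """Application server 26: sets up the session from the profile, keeps an audit trail."""
    def __init__(self, service):
        self.service = service
        self.sessions = {}
        self.audit = []

    def on_access_accept(self, imsi, profile):      # packet 133
        self.sessions[imsi] = dict(profile)
        self.audit.append(("accept", imsi, self.service))


class AaaServer:
    """AAA server 22: decides EAP Success/Failure after the SIM check."""
    def __init__(self, hlr, app_servers):
        self.hlr = hlr
        self.apps = {a.service: a for a in app_servers}

    def finish(self, tunnel, raw_identity, sim_ok):
        """Called once Challenge response 129 has been processed; sim_ok is its verdict."""
        def fail(reason):
            tunnel.tear_down()                       # failed auth removes the tunnel
            return {"eap": "Failure", "reason": reason}
        try:
            imsi, host, port = parse_identity(raw_identity)
        except ValueError as e:
            return fail(str(e))
        if not sim_ok:
            return fail("SIM authentication failed")
        service = (host, port)
        app = self.apps.get(service)
        if app is None:
            return fail("no such application service")
        verdict, profile = self.hlr.access_request(imsi, service)
        if verdict != "Access-Accept":
            return fail("subscriber not entitled to service")
        app.on_access_accept(imsi, profile)          # forward 133 before Success 134
        tunnel.state = "legitimate"
        return {"eap": "Success", "imsi": imsi, "service": service}


if __name__ == "__main__":
    # constructed sample data: one subscriber entitled to the VoIP service only
    hlr = HlrAuc({"466920123456789": {"services": {("voip.example", 5060)},
                                       "profile": {"codec": "G.711", "max_calls": 2}}})
    voip, game = AppServer(("voip.example", 5060)), AppServer(("game.example", 7777))
    aaa = AaaServer(hlr, [voip, game])
    t = Tunnel("10.0.0.5")
    print(aaa.finish(t, "466920123456789|app=voip.example:5060", sim_ok=True), t.state)
    t = Tunnel("10.0.0.6")
    print(aaa.finish(t, "466920123456789|app=game.example:7777", sim_ok=True), t.state)
```

The order of the checks matters: the entitlement query and the notification to the application server happen only after the SIM result is known, so a subscriber with a valid SIM but no right to the requested service never reaches the application server, and in every failure path the temporary tunnel is torn down before the EAP Failure is returned.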

Claims

1293844 十、申請專利範圍: 1 · 一種移動裝置和内部網路(intranet)之間的通訊方法,執 行應用層服務認證和提供安全存取應用,包括·· 建立該移動裝置和該内部網路之間的虛擬專用網路 (Virtual Private Network,以下簡稱為 VPN)隧道;以及 經由該VPN隧道執行用戶識別模組可擴展認證協議 (Extensible Authentication Protocol - Subscriber Identification Module,以下簡稱為 ΕΑΡ-SIM)。 2·如申請專利範圍第1項所述之通訊方法,其中上述建立 VPN隧道包括: 使用網際網路加密演算(internet encryption algorithm)建立 安全連線(security session);以及 於該安全連線中交換 VPN加密協商(encryption negotiation) 〇 3·如申請專利範圍第2項所述之通訊方法,其中上述安全 連線加密演算為安全通訊端層協定(Secure Socket Layer)。 4·如申請專利範圍第2項所述之通訊方法,其中上述VPN 加密協商由第二層隧道協定(Layer two Tunneling Protocol,以下 簡稱為L2TP)和網際網路協定安全協定(Internet Protocol Security Protocol,以下簡稱為 IPSec)達成。 5.如申請專利範圍第2項所述之通訊方法,其中上述 L2TP/IPSec 包括使用進取模式(aggressive mode)。 6·如申請專利範圍第1項所述之通訊方法,其中上述 ΕΑΡ-SIM認證包括,該内部網路由該移動裝置接受應用服務請 求資訊。 7.如申請專利範圍第1項所述之通訊方法,其中上述移動 0356-A20796TWF(N2);P11930068TW;kathy 14 1293844 裝置為無線電子裝置。 8. 如申請專利範圍第1項所述之通訊方法,更包括: 如果ΕΑΡ-SIM認證失敗,撤除該虛擬專用網路隧道; 如果ΕΑΡ-SIM認證成功,經由該VPN隧道傳送該移動裝 置的用戶設定檔(user profile)到該内部網路的應用伺服器;以及 如果ΕΑΡ-SIM認證成功,經由該VPN隧道傳送應用資料。 9. 如申請專利範圍第6項所述之通訊方法,更包括: 由該内部網路的認證、授權、以及稽核(Authentication, Authorization,and Accounting,以下簡稱為 AAA)伺服器,提出 查詢該移動裝置的應用服務存取資訊,到該内部網路的本區位 置登錄中心 /認證中心(Home Location Register / Authentication Center,以下簡稱為HLR/AuC)伺服器; 如果該内部網路的HLR/AuC伺服器,拒絕該移動裝置的應 用存取資訊,該ΕΑΡ-SIM認證便為失敗;以及 如果該内部網路的HLR/AuC伺服器,確認該移動裝置的應 用存取資訊,該ΕΑΡ-SIM認證便為成功。 10. 
—種執行應用層服務認證和提供安全存取應用的通訊 糸統’包括· 移動裝置,送出應用服務請求;以及 内部網路,由該移動裝置接收該應用服務請求,和該移動 裝置建立虛擬私有網路(Virtual Private Network,以下簡稱為 VPN)隧道,使用用戶識別模組可擴展認證協議(Extensible Authentication Protocol - Subscriber Identification Module,以下 簡稱為ΕΑΡ-SIM)認證經由該VPN隧道認證該移動裝置,可經 由該VPN隧道,提供ΕΑΡ-SIM認證成功移動裝置應用服務。 11·如申請專利範圍第10項所述之通訊系統,其中上述内 0356-A20796TWF(N2);P11930068TW;kathy 15 1293844 部網路包括: 代理伺服器(proxy server),經由該VPN竊接該移動裝置, 作為内部網路的閘道(gateway)和ΕΑΡ-SIM認證者; 認證、授權、以及稽核(Authentication,Authorization,and Accounting,以下簡稱為AAA)伺服器,耦接該代理伺服器,提 供ΕΑΡ-SIM認證資訊到該代理伺服器; 本區位置登錄中心/認證中心(Home Location Register / Authentication Center,以下簡稱為HLR/AuC)伺服器,耦接該 AAA伺服器,儲存使用者應用服務資訊;以及 應用伺服器,接收ΕΑΡ-SIM認證資訊狀態,如果EAP-SIM 認證成功,由該HLR/AuC伺服器接收該使用者應用服務資訊, 且執行該應用服務如果EAP_SIM認證成功。 12·如申請專利範圍第11項所述之通訊系統,其中上述 AAA伺服器由HLR/AuC伺服器,查詢該使用者應用服務資訊 的應用服務存取資訊。 13. —種執行應用層服務認證和提供安全存取應用的移動 裝置,包括: 虛擬私有網路隧道(Virtual Private Network,以下簡稱為 VPN)模組,建立VPN隧道;以及 ΕΑΡ-SIM認證模組,經由該虛擬私有網路執行ΕΑΡ-SIM認 證。 14. 如申請專利範圍第13項所述之移動裝置,其中上述VPN 模組,包括: 安全連線(security session)模組,使用網際網路加密演算 (internet encryption algorithm)建立安全連線;以及 VPN加密協商模組,於該安全連線中交換VPN加密協商。 0356-A20796TWF(N2);P11930068TW;kathy 16 1293844 15. 如申請專利範圍第14項所述之移動裝置,其中上述網 際網路加密演算為安全通訊端層協定(Secure Socket Layer)。 16. 如申請專利範圍第14項所述之移動裝置,其中上述VPN 加密協商由第二層隧道協定(Layer Two Tunneling Protocol)和網 際網路協定安全協定(Internet Protocol Security Protocol)達成。 17. 如申請專利範圍第14項所述之移動裝置,其中上述 ΕΑΡ-SIM認證模組傳送該移動裝置的使用者身分和存取應用資 訊01293844 X. Patent application scope: 1 · A communication method between a mobile device and an intranet, performing application layer service authentication and providing secure access applications, including: establishing the mobile device and the internal network A virtual private network (hereinafter referred to as VPN) tunnel; and an Extensible Authentication Protocol (Subscriber Identification Module) (hereinafter referred to as ΕΑΡ-SIM) is executed through the VPN tunnel. 2. 
The communication method according to claim 1, wherein establishing the VPN tunnel comprises: establishing a secure connection (security session) using an internet encryption algorithm; and exchanging VPN encryption negotiation in the secure connection.
3. The communication method according to claim 2, wherein the internet encryption algorithm is Secure Socket Layer (SSL).
4. The communication method according to claim 2, wherein the VPN encryption negotiation is performed by Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security Protocol (hereinafter referred to as IPSec).
5. The communication method according to claim 2, wherein the L2TP/IPSec comprises using an aggressive mode.
6. The communication method according to claim 1, wherein the EAP-SIM authentication comprises the internal network receiving application service request information from the mobile device.
7. The communication method according to claim 1, wherein the mobile device is a wireless electronic device.
8. The communication method according to claim 1, further comprising: removing the VPN tunnel if the EAP-SIM authentication fails; transmitting a user profile of the mobile device user via the VPN tunnel to the application server of the internal network if the EAP-SIM authentication is successful; and transmitting the application profile via the VPN tunnel if the EAP-SIM authentication is successful.
9. The communication method according to claim 6, further comprising: querying, by the Authentication, Authorization, and Accounting (AAA) server of the internal network, the application service access information of the mobile device at the home location register/authentication center (HLR/AuC) server of the internal network; if the HLR/AuC server of the internal network rejects the application access information of the mobile device, the EAP-SIM authentication fails; and if the HLR/AuC server of the internal network confirms the application access information of the mobile device, the EAP-SIM authentication succeeds.
10. A communication system that performs application layer service authentication and provides secure access to an application, comprising: a mobile device, which sends an application service request; and an internal network, which receives the application service request from the mobile device, establishes a Virtual Private Network (VPN) tunnel with the mobile device, authenticates the mobile device via the VPN tunnel using Extensible Authentication Protocol - Subscriber Identity Module (hereinafter referred to as EAP-SIM) authentication, and provides the application service via the VPN tunnel to the mobile device whose EAP-SIM authentication succeeds.
11. The communication system according to claim 10, wherein the internal network comprises: a proxy server, to which the mobile device connects via the VPN tunnel, serving as a gateway of the internal network and as the EAP-SIM authenticator; an Authentication, Authorization, and Accounting (hereinafter referred to as AAA) server, coupled to the proxy server, which provides the EAP-SIM authentication information to the proxy server; a home location register/authentication center (HLR/AuC) server, coupled to the AAA server, which stores user application service information; and an application server, which receives the status of the EAP-SIM authentication, receives the user application service information held by the HLR/AuC server if the EAP-SIM authentication succeeds, and executes the application service if the EAP-SIM authentication succeeds.
12. The communication system according to claim 11, wherein the AAA server queries the HLR/AuC server for the application service access information of the user application service information.
13. A mobile device that performs application layer service authentication and provides secure access to an application, comprising: a Virtual Private Network (hereinafter referred to as VPN) module, which establishes a VPN tunnel; and an EAP-SIM authentication module, which performs EAP-SIM authentication via the VPN tunnel.
14. The mobile device according to claim 13, wherein the VPN module comprises: a security session module, which uses an internet encryption algorithm to establish a secure connection; and a VPN encryption negotiation module, which exchanges VPN encryption negotiation in the secure connection.
15. The mobile device according to claim 14, wherein the internet encryption algorithm is Secure Socket Layer (SSL).
16. The mobile device according to claim 14, wherein the VPN encryption negotiation is achieved by Layer Two Tunneling Protocol and Internet Protocol Security Protocol.
17. The mobile device according to claim 14, wherein the EAP-SIM authentication module transmits the user identity of the mobile device and application access information.
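The access sequence the claims describe (secure session, VPN negotiation inside it, EAP-SIM over the tunnel with the AAA server consulting the HLR/AuC, tunnel removal on failure, user profile forwarded to the application server only on success), as an added Python model that is not part of the patent. The class and state names and the HLR/AuC records are constructed for illustration; the protocols themselves (SSL, L2TP/IPSec, EAP-SIM) are stood in for by state transitions, so the example shows the ordering and failure handling the claims impose, not the cryptography.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    SECURE_SESSION = auto()  # SSL session up (claims 2, 15)
    TUNNEL_UP = auto()       # L2TP/IPSec negotiated inside the session (claim 4)
    AUTHENTICATED = auto()   # EAP-SIM succeeded over the tunnel (claim 10)
    TORN_DOWN = auto()       # EAP-SIM failed, tunnel removed (claim 8)

class AaaServer:
    """Decides the EAP-SIM outcome by querying the HLR/AuC records (claims 9, 12)."""

    def __init__(self, hlr_auc_records):
        self.hlr_auc = hlr_auc_records  # constructed: IMSI -> services allowed

    def eap_sim_result(self, imsi, service):
        return service in self.hlr_auc.get(imsi, ())  # HLR/AuC confirms or rejects

@dataclass
class ApplicationServer:
    profiles: list = field(default_factory=list)  # user profiles received over the tunnel

    def serve(self, profile):
        self.profiles.append(profile)
        return "service:" + profile["service"]

class ProxyGateway:
    """Intranet gateway and EAP-SIM authenticator (claim 11); enforces the ordering."""

    def __init__(self, aaa, app_server):
        self.aaa, self.app_server = aaa, app_server
        self.state = State.IDLE

    def _step(self, required, new):
        if self.state is not required:
            raise RuntimeError(f"{new.name} requires {required.name}, was {self.state.name}")
        self.state = new

    def open_secure_session(self):  # claim 2, step 1: secure (SSL) session
        self._step(State.IDLE, State.SECURE_SESSION)

    def negotiate_vpn(self):  # claim 2, step 2: VPN negotiation inside the session
        self._step(State.SECURE_SESSION, State.TUNNEL_UP)

    def authenticate(self, imsi, service):  # EAP-SIM over the tunnel (claims 6, 8, 9)
        if self.state is not State.TUNNEL_UP:
            raise RuntimeError("EAP-SIM runs only inside an established VPN tunnel")
        if not self.aaa.eap_sim_result(imsi, service):
            self.state = State.TORN_DOWN  # failure: remove the tunnel, send no profile
            return None
        self.state = State.AUTHENTICATED  # success: forward user profile over the tunnel
        return self.app_server.serve({"imsi": imsi, "service": service})

def request_service(gateway, imsi, service):
    """Sequence one application service request goes through (claims 1, 2, 8)."""
    gateway.open_secure_session()
    gateway.negotiate_vpn()
    return gateway.authenticate(imsi, service)
```

The gateway refuses EAP-SIM before the tunnel exists and VPN negotiation before the secure session, so a rejected subscriber never reaches the application server and leaves no profile behind.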
TW094100711A 2005-01-11 2005-01-11 A system and method for performing application layer service authentication and providing secure access to an application server TWI293844B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW094100711A TWI293844B (en) 2005-01-11 2005-01-11 A system and method for performing application layer service authentication and providing secure access to an application server
US11/240,308 US20060155822A1 (en) 2005-01-11 2005-09-29 System and method for wireless access to an application server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW094100711A TWI293844B (en) 2005-01-11 2005-01-11 A system and method for performing application layer service authentication and providing secure access to an application server

Publications (2)

Publication Number Publication Date
TW200625905A TW200625905A (en) 2006-07-16
TWI293844B true TWI293844B (en) 2008-02-21

Family

ID=36654552

Family Applications (1)

Application Number Title Priority Date Filing Date
TW094100711A TWI293844B (en) 2005-01-11 2005-01-11 A system and method for performing application layer service authentication and providing secure access to an application server

Country Status (2)

Country Link
US (1) US20060155822A1 (en)
TW (1) TWI293844B (en)

Families Citing this family (70)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6732105B1 (en) * 2001-07-27 2004-05-04 Palmone, Inc. Secure authentication proxy architecture for a web-based wireless intranet application
EP3570178B1 (en) 2002-01-08 2020-05-27 Seven Networks, LLC Secure transport for mobile communication network
US7853563B2 (en) 2005-08-01 2010-12-14 Seven Networks, Inc. Universal data aggregation
US7917468B2 (en) 2005-08-01 2011-03-29 Seven Networks, Inc. Linking of personal information management data
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
WO2006045102A2 (en) 2004-10-20 2006-04-27 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
US7706781B2 (en) 2004-11-22 2010-04-27 Seven Networks International Oy Data security in a mobile e-mail service
FI117152B (en) 2004-12-03 2006-06-30 Seven Networks Internat Oy E-mail service provisioning method for mobile terminal, involves using domain part and further parameters to generate new parameter set in list of setting parameter sets, if provisioning of e-mail service is successful
US7877703B1 (en) 2005-03-14 2011-01-25 Seven Networks, Inc. Intelligent rendering of information in a limited display environment
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
WO2006136660A1 (en) 2005-06-21 2006-12-28 Seven Networks International Oy Maintaining an ip connection in a mobile network
DE202005020364U1 (en) * 2005-12-29 2006-02-23 Csb-System Ag Arrangement for using ERP systems on preferably mobile terminals
US7769395B2 (en) 2006-06-20 2010-08-03 Seven Networks, Inc. Location-based operations and messaging
AT504581B1 (en) * 2006-12-01 2009-03-15 Efkon Mobility Gmbh METHOD AND SYSTEM FOR READING DATA FROM A MEMORY OF A REMOTE DEVICE THROUGH A SERVER
US20080268815A1 (en) * 2007-04-26 2008-10-30 Palm, Inc. Authentication Process for Access to Secure Networks or Services
US8693494B2 (en) 2007-06-01 2014-04-08 Seven Networks, Inc. Polling
US8805425B2 (en) 2007-06-01 2014-08-12 Seven Networks, Inc. Integrated messaging
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US8107921B2 (en) 2008-01-11 2012-01-31 Seven Networks, Inc. Mobile virtual network operator
US8862657B2 (en) 2008-01-25 2014-10-14 Seven Networks, Inc. Policy based content service
US20090193338A1 (en) 2008-01-28 2009-07-30 Trevor Fiatal Reducing network and battery consumption during content delivery and playback
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
EP2144460B1 (en) * 2008-07-10 2015-11-11 TeliaSonera AB Method, system, packet data gateway and computer program for providing connection for data delivery
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
WO2011106769A2 (en) * 2010-02-26 2011-09-01 General Instrument Corporation Dynamic cryptographic subscriber-device identity binding for subscriber mobility
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
WO2012018477A2 (en) 2010-07-26 2012-02-09 Seven Networks, Inc. Distributed implementation of dynamic wireless traffic policy
EP2599280A2 (en) 2010-07-26 2013-06-05 Seven Networks, Inc. Mobile application traffic optimization
EP2599003B1 (en) 2010-07-26 2018-07-11 Seven Networks, LLC Mobile network traffic coordination across multiple applications
US8607316B2 (en) * 2010-08-31 2013-12-10 Blackberry Limited Simplified authentication via application access server
US8166164B1 (en) 2010-11-01 2012-04-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
GB2499534B (en) 2010-11-01 2018-09-19 Seven Networks Llc Caching adapted for mobile application behavior and network conditions
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
US9330196B2 (en) 2010-11-01 2016-05-03 Seven Networks, Llc Wireless traffic management system cache optimization using http headers
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
WO2012060995A2 (en) 2010-11-01 2012-05-10 Michael Luna Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US8326985B2 (en) 2010-11-01 2012-12-04 Seven Networks, Inc. Distributed management of keep-alive message signaling for mobile network resource conservation and optimization
US9060032B2 (en) 2010-11-01 2015-06-16 Seven Networks, Inc. Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic
CN103404193B (en) 2010-11-22 2018-06-05 七网络有限责任公司 The connection that adjustment data transmission is established with the transmission being optimized for through wireless network
GB2500327B (en) 2010-11-22 2019-11-06 Seven Networks Llc Optimization of resource polling intervals to satisfy mobile device requests
WO2012094675A2 (en) 2011-01-07 2012-07-12 Seven Networks, Inc. System and method for reduction of mobile network traffic used for domain name system (dns) queries
US20120271903A1 (en) 2011-04-19 2012-10-25 Michael Luna Shared resource and virtual resource management in a networked environment
EP2702500B1 (en) 2011-04-27 2017-07-19 Seven Networks, LLC Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
GB2493473B (en) 2011-04-27 2013-06-19 Seven Networks Inc System and method for making requests on behalf of a mobile device based on atomic processes for mobile network traffic relief
US8984581B2 (en) 2011-07-27 2015-03-17 Seven Networks, Inc. Monitoring mobile application activities for malicious traffic on a mobile device
EP2789137A4 (en) 2011-12-06 2015-12-02 Seven Networks Inc SYSTEM OF REDUNDANTLY CLUSTERED MACHINES FOR PROVIDING TILTING MECHANISMS IN MOBILE TRAFFIC MANAGEMENT AND NETWORK RESOURCE PRESERVATION
US8918503B2 (en) 2011-12-06 2014-12-23 Seven Networks, Inc. Optimization of mobile traffic directed to private networks and operator configurability thereof
GB2498064A (en) 2011-12-07 2013-07-03 Seven Networks Inc Distributed content caching mechanism using a network operator proxy
WO2013086447A1 (en) 2011-12-07 2013-06-13 Seven Networks, Inc. Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
WO2013090834A1 (en) 2011-12-14 2013-06-20 Seven Networks, Inc. Operation modes for mobile traffic optimization and concurrent management of optimized and non-optimized traffic
US9021021B2 (en) 2011-12-14 2015-04-28 Seven Networks, Inc. Mobile network reporting and usage analytics system and method aggregated using a distributed traffic optimization system
US8861354B2 (en) 2011-12-14 2014-10-14 Seven Networks, Inc. Hierarchies and categories for management and deployment of policies for distributed wireless traffic optimization
WO2013103988A1 (en) 2012-01-05 2013-07-11 Seven Networks, Inc. Detection and management of user interactions with foreground applications on a mobile device in distributed caching
WO2013116856A1 (en) 2012-02-02 2013-08-08 Seven Networks, Inc. Dynamic categorization of applications for network access in a mobile network
WO2013116852A1 (en) 2012-02-03 2013-08-08 Seven Networks, Inc. User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
WO2013155208A1 (en) 2012-04-10 2013-10-17 Seven Networks, Inc. Intelligent customer service/call center services enhanced using real-time and historical mobile application and traffic-related statistics collected by a distributed caching system in a mobile network
US8775631B2 (en) 2012-07-13 2014-07-08 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US20140082713A1 (en) 2012-09-18 2014-03-20 Broadcom Corporation System and Method for Location-Based Authentication
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US8750123B1 (en) 2013-03-11 2014-06-10 Seven Networks, Inc. Mobile device equipped with mobile network congestion recognition to make intelligent decisions regarding connecting to an operator network
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network
US9648019B2 (en) * 2014-04-15 2017-05-09 Telefonaktiebolaget Lm Ericsson (Publ) Wi-Fi integration for non-SIM devices
WO2017035781A1 (en) 2015-09-01 2017-03-09 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices of authenticating non-sim mobile terminals accessing a wireless communication network
FR3071945B1 (en) * 2017-10-04 2019-10-25 Oberthur Technologies SECURING ACCESS TO SERVICE

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6539483B1 (en) * 2000-01-12 2003-03-25 International Business Machines Corporation System and method for generation VPN network policies
US7406306B2 (en) * 2001-03-20 2008-07-29 Verizon Business Global Llc Method for billing in a telecommunications network
US6732105B1 (en) * 2001-07-27 2004-05-04 Palmone, Inc. Secure authentication proxy architecture for a web-based wireless intranet application
FI114276B (en) * 2002-01-11 2004-09-15 Nokia Corp Arranging online visits
US7149287B1 (en) * 2002-01-17 2006-12-12 Snowshore Networks, Inc. Universal voice browser framework
US8972582B2 (en) * 2002-10-03 2015-03-03 Nokia Corporation Method and apparatus enabling reauthentication in a cellular communication system
CA2508526A1 (en) * 2002-12-03 2004-06-17 Funk Software, Inc. Tunneled authentication protocol for preventing man-in-the-middle attacks
US7298702B1 (en) * 2002-12-20 2007-11-20 Sprint Spectrum L.P. Method and system for providing remote telephone service via a wireless local area network
US20040162105A1 (en) * 2003-02-14 2004-08-19 Reddy Ramgopal (Paul) K. Enhanced general packet radio service (GPRS) mobility management
EP1575238A1 (en) * 2004-03-08 2005-09-14 Nokia Corporation IP mobility in mobile telecommunications system
US7546459B2 (en) * 2004-03-10 2009-06-09 Telefonaktiebolaget L M Ericsson (Publ) GSM-like and UMTS-like authentication in a CDMA2000 network environment

Also Published As

Publication number Publication date
US20060155822A1 (en) 2006-07-13
TW200625905A (en) 2006-07-16

Similar Documents

Publication Publication Date Title
TWI293844B (en) A system and method for performing application layer service authentication and providing secure access to an application server
JP4394682B2 (en) Apparatus and method for single sign-on authentication via untrusted access network
Aboba et al. Extensible authentication protocol (EAP) key management framework
Koien et al. Security aspects of 3G-WLAN interworking
JP4801147B2 (en) Method, system, network node and computer program for delivering a certificate
JP4723158B2 (en) Authentication methods in packet data networks
EP2445143B1 (en) Method and system for accessing a 3rd generation network
CN101371550B (en) Method and system for automatically and freely providing user of mobile communication terminal with service access warrant of on-line service
Faria et al. DoS and authentication in wireless public access networks
CN101616410B (en) Access method and access system for cellular mobile communication network
CN1910877B (en) Mobile radio terminal device, virtual private network relay device, wireless LAN access point and connection authentication server, local proxy
US20090063851A1 (en) Establishing communications
CN101304319A (en) Mobile communication network and method and apparatus for authenticating mobile node therein
US8275987B2 (en) Method for transmission of DHCP messages
CN104518874A (en) Network access control method and system
Tseng et al. Authentication and Billing Protocols for the Integration of WLAN and 3G Networks
CN1602107A (en) Roaming Access Method of Mobile Node in Wireless IP System
Sithirasenan et al. EAP-CRA for WiMAX, WLAN and 4G LTE Interoperability
KR101023605B1 (en) Subscriber ID Acquisition Method Using Tunneled Transport Layer Security Scheme
WO2008086747A1 (en) Mobile ip system and method for updating home agent root key
Kambourakis et al. Support of subscribers’ certificates in a hybrid WLAN-3G environment
Iyer et al. Public WLAN Hotspot Deployment and Interworking.
Asokan et al. Man-in-the-middle in tunnelled authentication
Mizikovsky et al. CDMA 1x EV-DO security
Lee et al. Performance of an efficient performing authentication to obtain access to public wireless LAN with a cache table

Legal Events

Date Code Title Description
MK4A Expiration of patent term of an invention patent