Patent abstract:
A method and apparatus for providing authentication to an application provided through a communication network. A connection is established between the application and a user interface through the communication network to allow a user to access the application. Authentication to the application is provided by a mobile station communicating over a mobile communication network.
Publication number: KR20010041363A
Application number: KR1020007009479
Filing date: 1999-02-05
Publication date: 2001-05-15
Inventor: 트루티아이넨에사
Applicant: 에를링 블로메, 타게 뢰브그렌; 텔레폰아크티에볼라게트 엘엠 에릭슨
IPC main classification:
Patent description:

METHOD, ARRANGEMENT AND APPARATUS FOR AUTHENTICATION THROUGH A COMMUNICATIONS NETWORK
Various electronic applications require authentication. It may be needed, for example, when a user accesses a particular application, or when a user who is already using an application must be verified, or must confirm that the application may carry out some further procedure.
Examples of applications that may require authentication include commercial services obtained over a network such as the Internet, an intranet or a local area network; payment and banking services accessed over the network; resource access; remote programming; and software reprogramming or updating. Even a free service obtained over a network may require authentication. The number of services and applications that require at least some form of authentication of the users who want to access them (or who are already using them but must be re-authenticated or must confirm something during use) has grown greatly, and the need for authentication is expected to grow further.
Some well-known solutions for authentication in communications already exist. They typically use cryptographic techniques between two communicating computer devices. In the basic authentication scenario, a random challenge is supplied to the cryptographic function of each of the two devices. Both devices hold the same secret key, which is also supplied to their cryptographic functions. The two results are then compared: if they agree, the authentication is regarded as valid; if they differ, the authentication check is regarded as failed.
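As an added illustration that is not part of the patent text, the following Python models the two-party challenge-response exchange just described, with an HMAC standing in for the keyed cryptographic function both devices share. The key value, the class names and the single-use bookkeeping of challenges are assumptions of the example; the patent specifies none of them. The bookkeeping matters in practice: a challenge that is random but accepted more than once lets anyone who recorded one valid exchange replay it.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration key. In the arrangement the patent describes this
# secret would live in a secure processor (e.g. the SIM), not in terminal memory.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def keyed_function(key: bytes, challenge: bytes) -> bytes:
    """The cryptographic function both parties evaluate on the challenge.

    An HMAC stands in for whatever keyed primitive the two devices share.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Prover:
    """The party being authenticated (the device holding a copy of the secret)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return keyed_function(self._key, challenge)


class Verifier:
    """The application side: issues random challenges and checks the responses."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()

    def new_challenge(self) -> bytes:
        # 128 random bits: a challenge must be unpredictable so that a recorded
        # response cannot be reused for a later authentication.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is accepted exactly once; a replayed (challenge,
        # response) pair is rejected even though the response is "correct".
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = keyed_function(self._key, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(prover_key: bytes, verifier_key: bytes) -> bool:
    """One complete exchange; True only if both sides hold the same secret."""
    verifier = Verifier(verifier_key)
    prover = Prover(prover_key)
    challenge = verifier.new_challenge()        # verifier -> prover
    response = prover.respond(challenge)        # prover -> verifier
    return verifier.check(challenge, response)


if __name__ == "__main__":
    print("same key:", run_exchange(SHARED_KEY, SHARED_KEY))
    print("wrong key:", run_exchange(bytes(16), SHARED_KEY))
```

The exchange proves only that the responder holds the key, which is exactly the limitation the following paragraphs discuss: whoever can read the key out of the terminal, or replace the software that uses it, passes the check just as well as the user.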
Various authentication arrangements also exist already. Some drawbacks of these prior-art arrangements are briefly described below.
Password. The most frequently used authentication method at present is one password or several passwords. The password is supplied to the remote application through a user interface, for example a computer terminal connected to a communication network. This solution does not take the vulnerability of the network into account: the password can be read by anyone with access to the network (and enough expertise to read it).
Secret. This may be described as an electronic password, signature or encryption key that is stored in and used by the user interface. Even if the secret is never revealed on the network, it can fall into the wrong hands and be used by a party other than the user to whom it was originally granted.
Authentication software in the user interface. This is a more complicated form of authentication. A password is supplied to a program in the user interface, which then performs the authentication automatically to provide encrypted access to the requested application. Although this is more secure than the solutions above, the password can still be captured from the user interface, and the software can be modified without the actual user noticing.
Smart card with associated reader. The smart card can exchange encrypted challenge-response messages, but it has no user interface of its own through which the user can personally confirm an authentication. Such an interface may exist in the smart card reader, but the reader must then be sufficiently protected against misuse, so ordinary users (that is, the majority of users, the public) typically have no physical access to the reader interface and must instead trust the organisation that issued the smart card. In addition, smart card readers cannot be shared between organisations that do not trust each other.
Smart card with user interface. These already exist, but they are expensive because each secure processor must have its own secure user interface. They are rare, their input/output capability is still very limited, and they are therefore not an economically viable solution to the authentication problem.
Separate personal authentication device. Here the user acts as the "communication means" between the user interface and a separate authentication device. The user interface displays a value, which the user types into a portable, pocket-calculator type authentication device. The device may respond with, for example, a number, which the user then enters into the user interface. This causes problems in purchasing, using and carrying a separate device, and long, complex character strings are frequently mistyped.
Some of the parties that may be involved in such an authentication system were mentioned above. They are described briefly in more detail below.
A user is typically a person who uses various applications or services. A user can be identified by a secret known only to the user (public key method) or by a secret shared between the user and the application (secret key method).
The application is the party that wants to authenticate the user; in some cases it may also be called a service. From the application's point of view, the authentication question can be broken down into four categories: 1) is the user on the other side at this moment (so-called peer entity authentication); 2) is each further message received from the same user (integrity of the message stream); 3) which user issued a particular message (data origin authentication); and 4) which user can a third party consider to have issued a message (non-repudiation).
A user interface is a device through which a user accesses an application or service. In most cases it may be called a terminal, and it may be a computer (for example a personal computer, PC), a workstation, a telephone terminal, a mobile station such as a mobile phone, radio or pager, an automated teller machine or banking machine, or a similar device. The user interface provides input/output facilities and may even contain parts of the application.
A personal authentication device (PAD) is a piece of hardware carried by the user. A PAD may have some basic input/output functionality and may even have some processing capability. The smart card and the separate authentication device mentioned above can also be regarded as PADs. In most cases the user can rely on his or her PAD, because he or she (almost) always carries it and has it under continuous control. Any passwords or secrets are hidden in hardware, so there is no easy way to expose them. The device itself is not easily modified in a way that would jeopardise the communication path between the user and its secure processor. In addition, a PAD typically holds a minimal amount of stored state, and its program cannot be easily modified.
The present invention relates to a method for providing authentication to an application. The invention also relates to an arrangement for providing authentication to an application and to a device used for authentication.
FIG. 1 illustrates one possible arrangement of a communication network in which the present invention may be implemented;
FIG. 2 is a schematic diagram illustrating an embodiment for authenticating a user according to the present invention;
FIG. 3 schematically illustrates one possible mobile station and embodiment of the present invention;
FIGS. 4 and 5 are flow charts in accordance with two embodiments of the present invention;
FIG. 6 illustrates another embodiment for authentication in accordance with the present invention; and
FIG. 7 is a diagram relating to a further embodiment of the present invention.
Although the prior-art solutions for authentication described above exist, they still have drawbacks in addition to those already mentioned.
If access to an application must be absolutely secure, or as secure as possible, the application easily becomes very complex in its architecture and complex and time-consuming to access and use. Each increase in the security level increases the amount of hardware and software required, and the need to maintain and update it, which increases the overall cost of authentication. The complexity and cost can be reduced by lowering the security level, but this leads to an insufficient level of security in the communication. Moreover, because attackers can defeat even the most complex security arrangements, it is believed that "absolute security" does not exist in a network.
Passwords and secrets are a problem for users when they are very complex, too long or too numerous, so that users cannot remember them. A secret considered secure is typically 128 bits in the secret key method and 1024 bits in the public key method, and it is impossible for most people to remember keys of this kind.
In addition, users cannot perform the calculations required for authentication without an external device. As mentioned above, basic authentication is often done by a challenge-response method, which requires the user (that is, a person) to encrypt something with his or her secret. This is not feasible in practice.
In addition to the possibility of capturing passwords or secrets during transmission over an open communication network, current solutions do not pay sufficient attention to the vulnerability of the user interface. Terminal devices are built with complex technology and software, so most users cannot fully control the terminal or understand its operation. It is also common for many users to share the same terminal device (for example a shared PC), and for external maintenance personnel to have access to computers inside a closed organisation.
A computer terminal contains stored state and programs that can be modified in its memory. In modern computers the software can be modified over a communication path without any physical access to the device, so that the user does not even notice it. As an example of this risk, a program on a computer terminal can be modified so that it alters the data the user sends to a bank, for example by replacing every account number with another account, different from the one the user specified, on a certain day. Such unnoticed modification or reprogramming can cause serious and significant losses to individual users and in particular to organisations such as companies or public institutions. All of this means that conventional terminal devices and communication paths are unreliable.
It is therefore an object of the present invention to overcome the disadvantages of the prior art solutions and to provide a new type of solution for authentication.
It is also an object of the present invention to provide a method and apparatus that can authenticate a user wishing to access an application in a more secure manner than in the prior art. It is also an object of the present invention to provide authentication when a need arises for authentication during the use of an already accessed application.
It is also an object of the present invention to provide a method and apparatus which can utilize a mobile station in authentication.
Another object of the present invention is to provide a solution that can utilize the identification means of the mobile station in authentication.
Other objects and advantages of the present invention will be described below with reference to the accompanying drawings.
These objects are achieved by a new method of providing authentication to an application provided over a network. According to the present invention, a connection between the application and a user interface is established through the communication network to allow a user access to the application, while authentication to the application is provided by a mobile station communicating through a mobile communication network.
According to one further embodiment, the authentication method includes establishing a connection between the application and the user interface via the communication network to allow the user access to an application provided via the communication network. Authentication to the application is provided by the mobile station such that a secret of the mobile station's subscriber identity module (SIM) is used in the cryptographic operations of the authentication.
The present invention also provides an arrangement for providing authentication to an application offered by an application provider over a communication network. The arrangement has a user interface and a first connection between the application and the user interface via a communication network, for using the application. It also has a mobile station and a second connection between the application and the mobile station via a second communication network, for authentication, and means for authenticating the user to the application via the second communication network.
According to another embodiment, the present invention provides a mobile station for providing authentication to an application provided over a communication network, in which the application is accessed through a user interface connected to the communication network, the mobile station uses a communication network other than the one used by the user interface, and the mobile station is used to authenticate the use of the application accessed through the user interface.
The present invention offers various advantages, since it introduces a new, reliable way of authenticating. The authentication method and arrangement can be implemented easily in an existing communication network without replacing or adding equipment excessively. The arrangement can be used with a wide variety of applications, in fact with any application provided over a communication system that requires some form of authentication.
The user does not have to carry a separate authentication device (PAD) or several other authentication devices. Because the mobile station is always with the user and the user tends to take care of it, the mobile station can be trusted as the personal authentication device (PAD) according to the present invention. If a mobile station is stolen, for example, the subscription and/or the SIM can easily be cancelled by the operator. All the secrets of the mobile station are well hidden in hardware and therefore difficult to extract, and the mobile station itself is difficult to modify in a way that would put the communication path between the user and the secure processor at risk.
The mobile station holds a minimal amount of stored state, and its program cannot be easily modified. The existing SIM, and more specifically the secret held in the mobile station, can be used for the required cryptographic procedures. The SIM can thus be used as a security card for a new purpose, and there is already a party that controls the use of the SIM, namely the mobile network operator, which can immediately cancel the SIM on suspicion of fraud.
In the following, the present invention and other objects and advantages of the present invention are described with reference to the accompanying drawings, wherein like reference numerals refer to like elements throughout. It is to be understood that the following description of the invention is not intended to limit the invention to the particular form but rather covers all modifications, analogues and alternatives included within the spirit and scope of the appended claims.
FIG. 1 is a schematic diagram of one network arrangement that may be used in implementing the present invention. The arrangement of FIG. 1 has a public switched telephone network (PSTN), shown schematically as box 20. A typical PSTN is a fixed-line telephone network (or plain old telephone service, POTS), and here it forms the network through which the user interface 16 accesses the application. According to this embodiment, the user (not shown) uses a user terminal 16 connected to the PSTN as the user interface to access a desired service on one of the WWW servers 45, which can be reached over an Internet connection. The terminal 16 shown is a personal computer (PC), but other types of user interface may also be used, such as workstations, automated teller machines and the like.
A public land mobile network (PLMN) is also shown. This may be, for example, a cellular telephone network or a similar mobile communication system. Two mobile stations, MS 1 and MS+PC 2, are also shown; MS+PC 2 can be described as an integrated mobile phone and portable computer. Both communicate with the PLMN over the air interface 3 via one of the base stations (BS) 4 of the PLMN.
One type of PLMN is the Global System for Mobile Communications (GSM), defined in the GSM Recommendations of the European Telecommunications Standards Institute (ETSI); its network architecture is described in detail in GSM 01.02 or GSM 03.02 or their revised versions. Although the present invention is described in connection with a typical cellular telephone network, primarily GSM, those skilled in the art will appreciate that the invention may be implemented in any mobile system. It will also be appreciated that, for the sake of brevity, only the parts of the mobile network structure considered necessary for describing the operation of this system are shown. Those skilled in the art will understand that a telephone network typically includes other necessary equipment besides that shown, that elements of the PLMN or PSTN embodiments described may be omitted or replaced by other types of element, and that many mobile networks and conventional fixed landline networks can cooperate and interwork with each other. They will also appreciate that the user terminal 16 may be connected to the Internet 43 directly, without any PSTN or similar network arrangement. These alternatives are well known to those skilled in the art and are not shown or described in detail.
A GSM-based public land mobile network (PLMN) typically includes several mobile services switching centres (MSCs) 10, each of which is in turn connected to a number of base station subsystems (BSSs) 6 (only one MSC and one BSS are shown for brevity). A base station subsystem 6 typically comprises a base station controller (BSC) and the necessary interface arrangements, and is connected to a number of base stations (BS) 4, each of which manages an area called a cell (see FIG. 7).
The mobile services switching centre 10 of FIG. 1 is connected to the public switched telephone network (PSTN) 20 via an exchange 12 and a line 12. The MSC 10 is also connected to a global communication network, for example the Internet 43, and may be connected to an Integrated Services Digital Network (ISDN) or any other suitable type of network. The necessary links between the various components of the telecommunications network systems are themselves well known.
The PLMN has an additional database, the so-called home location register (HLR) 9, connected to the MSC. The mobile terminals 1 and 2, which are subscribers of the mobile telecommunication network, are registered in the HLR 9. Each local mobile switching centre 10 also has a local database called the visitor location register (VLR) 8, in which all mobile stations 1 and 2 currently located in the area of one of the cells handled by that MSC are registered.
Mobile stations are typically identified by a subscriber identity module (SIM) installed in, or otherwise physically connected to, each mobile station. The SIM is a module containing various user (subscription) related information and secrets. It may also contain further information relating to the encryption of the radio communication. The SIM may be fixed in, or removable from, the mobile station. The use of the SIM, and of the HLR and/or VLR registers, in the present invention is described in more detail below.
As described, the user may be connected to the Internet 43 via a fixed or mobile network or through a direct connection. There may be some differences between the connections, for example when the General Packet Radio Service (GPRS) is involved, but services from the Internet can be used by the users of both the PSTN and the PLMN. In this example, the PSTN 20 as well as the mobile switching centre (MSC) 10 are given access to the multiprotocol Internet 43 by access nodes (AN) 14 and 40. Although only one AN is shown per network, it will be appreciated that in practice the number of ANs may be larger and is continuously increasing. According to one solution, a particular Internet access server (IAS) capable of converting the signal into data packets is used as the AN facing the Internet.
Users of the Internet 43 have a contract with an Internet service provider (ISP) 42, which provides the communication connection from the user terminal 1, 2 or 16 to the Internet. When a user wants to connect to the Internet, he or she calls the Internet service provider (ISP) 42, which connects the terminal 16 to the desired address (the so-called Internet Protocol address). This call connection is set up by the PSTN 20 and passes through at least the local exchange 18 and trunk lines (not shown), and possibly through one or several transit exchanges. Although only one ISP, serving both networks towards the Internet, is shown in FIG. 1, it will be appreciated that communication can pass through several ISPs.
FIG. 1 also shows a WWW server (World Wide Web server) 45 including server databases (x, y and z) that provide various services, and the connection from the ISP via a router 44 to the server 45 over the Internet 43. The service may be any service that requires authentication and can be obtained over any communication network, such as a banking service or an electronic shopping service.
The mobile station 1 or 2 is used as a personal authentication device (PAD) when the user accesses, or has already accessed, the service x provided by the WWW server 45 via the user interface 16 and the PSTN 20. The mobile station 1 communicates with the service x over a channel or communication path other than the one used by the actual user interface 16. Since the user always carries the mobile station, the mobile station can be trusted. The ergonomic and functional requirements for a mobile station and for a conventional PAD are essentially the same, and the MS has a user interface suitable for a PAD. Modern MSs even have a secure processor interface suitable for authentication.
Various alternatives exist for achieving authentication by a mobile station and examples of this will be described in more detail below.
Reference is now made to FIGS. 2 and 4, of which FIG. 2 schematically illustrates one authentication arrangement and FIG. 4 is a flow chart of the operation according to one basic embodiment. The user 22 sends, through the user terminal 16, a request to access a desired application 45, such as a banking service, over a connection established through the communication network (arrow 21 in FIG. 2; steps 102 and 104 in FIG. 4). The application 45 may include a database 46, or may be connected to a separate database such as the HLR 9 of the MSC 10 of FIG. 1, from which it can retrieve the necessary user information. Based on this information, the application establishes a connection to the mobile station of the user 22 (arrow 26; step 106) for authentication. In this step, the user can accept the connection 21 made by the user interface 16 by returning an acknowledgement signal 29 (that is, a confirmation) from the mobile station 1, indicating that access is granted and actual use of the service can begin (steps 108 and 112). If the authentication fails, for example because the application cannot reach the MS 1, all connections are closed (step 110). The user may also be instructed through the user interface 16 to retry the access immediately or after a certain period has elapsed, or may have to take some additional action because of the failed authentication.
One way of performing the authentication or verification is to use short messages of the PLMN's Short Message Service (SMS). In a GSM system, an SMS service centre (SMS-C), indicated by 7 in FIG. 1, is provided for delivering short messages to and from mobile stations. The service centre 7 sends messages to mobile station subscribers using the same network elements as defined in the specifications referenced above. SMS message signalling typically includes, for example, receiver identification, sender information, time stamps and the like.
FIG. 3 shows a solution in which the mobile station MS 1 receives an SMS message. The method steps are shown in the flowchart of FIG. 5. According to this embodiment, after accessing the banking service through the user interface 16, the user requests that the sum of 200 FIM be transferred from account number 1234-4567 to account number 4321-7654 (step 204). The application retrieves the user's authentication data from the appropriate database (step 206) and accordingly sends a text message to the mobile station 1 (step 208). MS 1 displays the text as shown and asks the user to approve or reject the transaction by pressing the "yes" or "no" key respectively. The response is sent back to the application; in the case of "yes" the transaction proceeds (step 214), and in the case of "no" some other action is taken.
Arrows 27 and 28 in FIG. 2 can also be read as illustrating the steps by which MS 1 and the user 22 communicate: the information the user receives by looking at the display 31 of MS 1 is indicated by arrow 27, and the response the user gives to MS 1 by arrow 28. As described, the user makes the selection by pressing the yes or no key 32 of the MS. If the user accepts, that is, "signs" the transaction, the banking service proceeds accordingly. If the user does not approve the transaction, that is, presses the "no" key, the application sends a request to the user interface for corrections, deletions, a new destination account, and so on (steps 216 and 218).
If the application does not receive a response within a certain period, or if the response is somehow inaccurate, the application either sends a second request for approval or closes all connections.
Once the user has been granted access to the application, he or she can carry out further transactions and use any other banking services. When the user finally indicates at the user interface 16 in step 216 that he or she does not want to continue, the connection is closed (step 220).
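As an added example that is not part of the patent, the following Python simulates the application side of the SMS embodiment of steps 204 to 220: the transaction details are pushed to the mobile number on record, a reply is acted on only if it comes from that number and while the request is still live, a malformed reply triggers one second request, and a late reply closes the transaction. The user directory, the reference code, the timeout value and the "YES ref" / "NO ref" reply syntax are assumptions of the example; the patent's MS answers with yes/no keys and specifies no message format. The reference code is what ties a reply to one particular transaction, so that a "yes" captured for one transfer cannot be used to approve another.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the database / HLR lookup of step 206:
# user name -> MSISDN of the mobile station that must confirm the transaction.
DIRECTORY = {"alice": "+358401234567"}


@dataclass
class Pending:
    user: str
    msisdn: str
    amount: int
    src: str
    dst: str
    expires_at: float
    requests_sent: int = 1


@dataclass
class BankApplication:
    # Stand-in for the SMS-C: called with (msisdn, text) for each outgoing message.
    send_sms: Callable[[str, str], None]
    timeout: float = 120.0
    pending: Dict[str, Pending] = field(default_factory=dict)
    committed: List[Tuple[str, int, str, str]] = field(default_factory=list)

    def request_transfer(self, user: str, amount: int, src: str, dst: str, now: float) -> str:
        """Steps 204-208: record the request and push its details to the user's MS."""
        msisdn = DIRECTORY[user]
        ref = secrets.token_hex(3).upper()      # short reference the user echoes back
        self.pending[ref] = Pending(user, msisdn, amount, src, dst, now + self.timeout)
        self._send_request(ref, self.pending[ref])
        return ref

    def _send_request(self, ref: str, p: Pending) -> None:
        self.send_sms(p.msisdn, f"Transfer {p.amount} FIM from {p.src} to {p.dst}? "
                                f"Reply YES {ref} or NO {ref}")

    def handle_reply(self, sender_msisdn: str, text: str, now: float) -> str:
        """Steps 210-218: act on a reply only if it is authentic, timely and well formed."""
        parts = text.strip().upper().split()
        if len(parts) != 2 or parts[1] not in self.pending:
            return "ignored"                    # unknown reference: nothing to act on
        answer, ref = parts
        p = self.pending[ref]
        if sender_msisdn != p.msisdn:
            return "ignored"                    # consent must come from the registered MS
        if now > p.expires_at:
            del self.pending[ref]
            return "closed"                     # no timely answer: connections closed
        if answer == "YES":
            del self.pending[ref]
            self.committed.append((p.user, p.amount, p.src, p.dst))
            return "committed"                  # step 214
        if answer == "NO":
            del self.pending[ref]
            return "rejected"                   # terminal is asked for corrections
        if p.requests_sent < 2:
            p.requests_sent += 1
            self._send_request(ref, p)
            return "resent"                     # inaccurate reply: one second request
        del self.pending[ref]
        return "closed"


if __name__ == "__main__":
    outbox: List[Tuple[str, str]] = []
    app = BankApplication(send_sms=lambda m, t: outbox.append((m, t)))
    ref = app.request_transfer("alice", 200, "1234-4567", "4321-7654", now=0.0)
    print(outbox[-1][1])
    print(app.handle_reply("+358401234567", f"YES {ref}", now=5.0))
```

Note that the check on the sender number is only as strong as the mobile network's own authentication of that number; the later embodiments, which compute a value from the SIM secret rather than relying on a bare yes/no, address exactly that gap.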
According to one embodiment of the present invention, the information contained in the HLR and even the VLR of the PLMN of FIG. 1 may be used in implementing the authentication arrangement of the invention. This is made possible by the HLR 9 of FIG. 1, which holds, for each mobile station's subscription, the aforementioned subscriber identity module (SIM), the international mobile subscriber identity (IMSI) and the mobile subscriber ISDN number (MSISDN), as well as location information (the VLR number), basic telecommunication service subscription information, service restrictions and supplementary services.
FIG. 3 therefore also shows a subscriber identity module (SIM) card 34 inserted in the MS 1. Operators typically use the SIM to control the subscriber's charging and location; the SIM card 34 must therefore be connected to the MS 1 before the MS can be used to make a telephone call. The MS 1 of FIG. 3 further includes an MS PAD controller 35 (mobile station personal authentication device controller). The SIM 34 can be used in the present invention as a means of identifying the user and as the holder of one or several secrets, while the MS PAD controller 35 controls the authentication operation. Besides controlling the general authentication procedure, the controller 35 may be arranged to perform all calculations relating to the various cryptographic operations, for example. The ways in which the SIM 34, controlled by the MS PAD controller 35, can be used in the authentication procedure vary, and examples are briefly described below.
Instead of the arrangements above that use the SMS service, a transaction can also be confirmed by having the application, such as a banking service or another commercial service paid for by electronic transaction, send the transaction details to the MS PAD as a data signal over the mobile network. The integrity of the signal can be ensured by means of a checksum calculated by the MS PAD 35 from the secret of the SIM 34 according to a predetermined algorithm. This checksum must match the value displayed by the user terminal 16. If the user accepts the transaction, the user confirms it and allows the MS PAD 35 to sign the message signal 26 from the application, either with the secret shared with the application or, when public key cryptography and non-repudiation are needed, with the user's own private key. The application then proceeds as requested through the user interface. According to one embodiment, the secret or secrets of the SIM 34 may also be used to encrypt the messages and/or signalling between the application and the MS.
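The checksum-and-signature variant just described, as an added example that is not part of the patent: the application and the MS PAD both hold an application-specific key derived from the SIM secret, the MS shows a short checksum over the details it received so that the user can compare it with what the terminal displays, and on acceptance the MS returns a MAC over those details, which the application verifies against its own copy. The key-derivation step, the canonical encoding of the details and the six-digit checksum length are assumptions of the example. A MAC under a shared secret authenticates the message to the application only; as the text notes, non-repudiation towards a third party needs a public key signature, which this example does not implement.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demonstration secret; the real one never leaves the SIM.
SIM_SECRET = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")


def derive_app_key(sim_secret: bytes, service_id: str) -> bytes:
    """Per-service key derived from the SIM secret (assumed design choice: the raw
    PLMN secret is never handed to an application directly)."""
    return hmac.new(sim_secret, b"PAD-app-key|" + service_id.encode(), hashlib.sha256).digest()


def canonical(details: Dict[str, str]) -> bytes:
    """Fixed field order so that application and MS always MAC identical bytes."""
    return "|".join(f"{k}={details[k]}" for k in sorted(details)).encode()


def signature(key: bytes, details: Dict[str, str]) -> bytes:
    """Full MAC the MS PAD returns to the application when the user accepts."""
    return hmac.new(key, canonical(details), hashlib.sha256).digest()


def checksum(key: bytes, details: Dict[str, str]) -> str:
    """Six-digit value derived from the MAC, short enough to read off a display."""
    mac = signature(key, details)
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def mobile_pad_confirm(key: bytes, received: Dict[str, str],
                       displayed_checksum: str, user_accepts: bool) -> Optional[bytes]:
    """MS PAD side: refuse if the details were altered in transit or the user declines."""
    if not hmac.compare_digest(checksum(key, received), displayed_checksum):
        return None                     # what the MS got differs from what the terminal shows
    if not user_accepts:
        return None
    return signature(key, received)


def application_verify(key: bytes, details: Dict[str, str], sig: Optional[bytes]) -> bool:
    """Application side: the transaction proceeds only with a valid MAC over its own copy."""
    if sig is None:
        return False
    return hmac.compare_digest(signature(key, details), sig)


if __name__ == "__main__":
    key = derive_app_key(SIM_SECRET, "bank-x")
    details = {"amount": "200 FIM", "from": "1234-4567", "to": "4321-7654"}
    shown = checksum(key, details)           # application sends this to the terminal display
    sig = mobile_pad_confirm(key, details, shown, user_accepts=True)
    print("checksum on display:", shown, "verified:", application_verify(key, details, sig))
```

The MAC covers the details the MS received over the mobile network, not the ones typed at the terminal; a terminal that silently rewrites the destination account therefore produces a signature over the rewritten details, which is why the MS must also display them for the user to read, as in the SMS embodiment.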
FIG. 6 illustrates an alternative embodiment. Here the user interface 16 is a conventional telephone terminal connected to the PSTN 20 in a known manner. The PSTN is also connected to an intelligent network service (IN) 60, which forms the application in this embodiment. The mobile station 1 has a PAD controller 35 and a SIM 34 as described above in connection with FIG. 3. According to one embodiment, pairs consisting of a private secret and a service identifier for a given service are stored in the PAD controller. These pairs can be used, for example, in the following manner.
The user accesses the service at the IN by setting up a telephone call to the service (arrow 21). The application gives the user a number, as a voice message or possibly on the display of the telephone terminal (arrow 61). The user keys this number, together with the specific identifier of the service, into the mobile station, and the PAD controller then derives a further number string by performing the necessary calculations according to a predetermined algorithm. In this calculation the secret stored for the particular user may form part of the algorithm; this secret can be either the PLMN secret or an application-specific secret. The user then keys the result into the user interface 16 (arrow 62), which sends it to the IN service via the PSTN 20 as the answer to the question. If it matches the expected value, the IN service 60 allows the user to start using the service from the fixed-line terminal 16.
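The calculation in the IN embodiment, as an added example that is not part of the patent: the service announces a random number to the caller, the PAD controller derives a short numeric response from that number, the service identifier and the secret stored for that service, and the IN service checks the digits typed at the telephone against its own computation. The HMAC-based derivation, the truncation to eight digits in the style of HOTP (RFC 4226, used here only so that the result is short enough to key in by hand), the service identifier and the single-use handling of challenges are assumptions of the example; the patent says only that a predetermined algorithm is used.

```python
import hashlib
import hmac
import secrets
from typing import Dict

SERVICE_ID = "IN-PAY"          # assumed identifier the user keys in with the challenge


def pad_response(secret: bytes, service_id: str, challenge: str, digits: int = 8) -> str:
    """What the PAD controller computes from the number the service announced."""
    mac = hmac.new(secret, f"{service_id}:{challenge}".encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation as in HOTP
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class INService:
    """The intelligent network service: announces a challenge per call, checks the answer."""

    def __init__(self, service_id: str, secrets_by_user: Dict[str, bytes]) -> None:
        self._service_id = service_id
        self._secrets = secrets_by_user          # per-user secret shared with the PAD pair
        self._open: Dict[str, str] = {}          # call id -> challenge still awaiting an answer

    def issue_challenge(self, call_id: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 6):06d}"      # six digits read out to the caller
        self._open[call_id] = challenge
        return challenge

    def verify(self, call_id: str, user: str, typed: str) -> bool:
        challenge = self._open.pop(call_id, None)            # each challenge is answered once
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = pad_response(secret, self._service_id, challenge)
        return hmac.compare_digest(expected, typed.strip())


if __name__ == "__main__":
    user_secret = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")   # constructed
    service = INService(SERVICE_ID, {"alice": user_secret})
    c = service.issue_challenge("call-1")
    r = pad_response(user_secret, SERVICE_ID, c)
    print("challenge", c, "response", r, "accepted", service.verify("call-1", "alice", r))
```

Binding the service identifier into the computation is what keeps a response computed for one service from being accepted by another that happens to announce the same number; the eight-digit length is the trade-off against the mistyping problem that the later paragraph on a direct MS-to-terminal connection sets out to remove.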
The above-described embodiments can be used, for example, in paying for services or telephone calls obtained via any conventional POTS line telephone. For example, this enables a device where a call by any telephone terminal is billed from a mobile phone subscription (ie, from the owner of a particular SIM card). Mobile station subscribers may use this service, for example, when calls made by mobile phones are more expensive than calls made by conventional POTS phones, or when the MS 1 is not in the area of any such mobile network where the user is properly wirelessly connected. Can be found.
According to one additional embodiment (not shown), the mobile station 1 and the user interface 16 can communicate directly with each other via a suitable operative connection such as a wireless connection, an infrared connection or a fixed wired connection with the necessary coupling. This reduces the typing errors a user can make when acting as the "link" between the MS 1 and the user interface 16.
According to one alternative, the mobile station is arranged to receive one or more SIM cards 34. In this way, one single mobile station can be used for various authentications. For example, a user may have three different SIMs: one for the authentication required by his or her work, one for personal needs, and one for additional needs, such as acting as chairman of an association. Each SIM can have its own phone number and alert tone.
According to a further alternative, the MS 1 communicates with the application via the PLMN, and the messages and/or signaling required for this communication are encrypted using the secret or secrets of the SIM. Because the secret of the SIM is used, this allows secure communication using only one network, i.e. the PLMN, and prevents a third party from obtaining the information contained in the signaling or intruding into it.
Additional embodiments of the invention are now described with reference to FIGS. 1 and 7. FIG. 7 shows a schematic cell map of an area which is divided into a number of adjacent wireless coverage areas, or cells. Although the system of FIG. 7 is shown as including only ten cells C1 to C10, the number of cells may in practice be larger. A base station is associated with and located within each of the cells; these are designated BS1 through BS10. The base stations are connected to a base station subsystem (BSS 6 in FIG. 1). A cell may also be served by one or several base stations. The cells are grouped into four groups A through D, each group comprising one or more cells as indicated by the corresponding indicia.
Each group is treated by the system as one unit, one area, resulting in four different cell categories (A through D). The purpose is to show that cells can be divided into several authentication categories, i.e. classes. The underlying idea is that the authentication data in the authentication database may restrict the user from accessing the application unless the user is located in a given cell area. For example, if a company uses an employee's MS for authentication, the possibility of authentication may be limited so that it is allowed only in cells near the company's office (e.g. within area A).
This can easily be implemented by the visitor location register (VLR), designated 8 in the figures. A mobile station (MS) 1 or 2 roaming in the area of the MSC is controlled by the VLR 8 responsible for that area. When MS 1 or 2 is in the location area, the VLR performs the update procedure. The VLR 8 also has a database containing, for example, the IMSI and the MSISDN, and holds the location area in which the MS is registered, for example according to the GSM 09.02 specification. The so-called cell global identification further includes a cell identity and is carried in the messages between the MS 1 and the MSC 10. This information is used as an identification indicator to locate the mobile station MS 1, and it is utilized in this embodiment.
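The challenge-response exchange of the FIG. 6 embodiment and the cell-area restriction of the FIG. 7 embodiment, combined in one verification step as an added illustration that is not part of the patent: the PAD controller's "predetermined algorithm" is assumed to be HMAC-SHA256 over the service number and the challenge, truncated to eight decimal digits, and the SIM secret, MSISDN, service number and cell-to-area grouping are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample data for this illustration, not values from the patent.
SIM_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # 128-bit SIM secret
SERVICE_ID = "4711"   # specific number of the IN service that the user keys in

# Cell map of FIG. 7: cells C1..C10 grouped into authentication areas A..D.
# The exact grouping is assumed; the figure only shows that such groups exist.
CELL_AREA = {"C1": "A", "C2": "A", "C3": "A", "C4": "B", "C5": "B",
             "C6": "C", "C7": "C", "C8": "D", "C9": "D", "C10": "D"}

# Authentication database at the IN service, keyed by MSISDN: the SIM secret,
# the services the stored PAD pair is valid for, and the permitted cell areas.
AUTH_DB = {
    "358401234567": {"secret": SIM_SECRET, "services": {SERVICE_ID}, "areas": {"A"}},
}


def pad_response(secret: bytes, service_id: str, challenge: str, digits: int = 8) -> str:
    """Number string the PAD controller derives from the keyed-in numbers.
    The patent specifies only 'a predetermined algorithm'; HMAC-SHA256 over the
    service number and the challenge, truncated to decimal digits, is assumed.
    """
    msg = f"{service_id}:{challenge}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def in_service_verify(msisdn: str, service_id: str, challenge: str,
                      response: str, current_cell: str) -> bool:
    """Check run by the IN service when the response arrives over the PSTN."""
    record = AUTH_DB.get(msisdn)
    if record is None or service_id not in record["services"]:
        return False
    expected = pad_response(record["secret"], service_id, challenge)
    if not hmac.compare_digest(expected, response):  # constant-time comparison
        return False
    # Location restriction: the cell the VLR holds for the MS must be permitted.
    return CELL_AREA.get(current_cell) in record["areas"]


if __name__ == "__main__":
    challenge = "82731"   # number presented to the user by voice or display (arrow 61)
    answer = pad_response(SIM_SECRET, SERVICE_ID, challenge)
    print("accepted from cell C2:", in_service_verify("358401234567", SERVICE_ID, challenge, answer, "C2"))
    print("rejected from cell C9:", in_service_verify("358401234567", SERVICE_ID, challenge, answer, "C9"))
```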
It should be noted that the mobile station can be any kind of device that provides mobile communication to a user, other than the mobile phone 1 or the integrated mobile phone and computer device 2. The latter device is sometimes referred to as a "communicator". One example of another suitable mobile station is a pager, i.e. a "beeper" that can display a string. What matters is that the mobile station can receive and/or transmit the desired information, which in some cases may take the form of a text or voice message instead of a specific authentication signal or code.
In addition, in the above example, the application 45 is arranged to be connected to both networks, so that both can be used to connect a user to the application. However, this can also be accomplished by some other party. For example, an ISP or similar service provider, or a telecommunications network operator, can act as an authentication authority, connecting the two networks and providing secure connections to the actual applications.
Accordingly, the present invention provides an apparatus and method that achieve significant improvements in the area of authentication. The device according to the invention can be realized economically and easily from known components and is reliable in use. It should be noted that the foregoing embodiments of the invention are not intended to limit the scope of the invention as defined in the appended claims. All additional embodiments, modifications and applications apparent to those skilled in the art are included within the spirit and scope of the invention as defined by the appended claims.
Claims (20)
1. A method of authenticating a user for an application, wherein the application may be utilized by the user through a first communication network, the method comprising:
establishing a connection between the application and a user interface through the first communication network to allow the user to access the application; and
authenticating the user for the application by a mobile station communicating with the application over a second communication network.
2. The method of claim 1, wherein the authenticating step includes using the mobile station to verify the identity of the user when the user accesses the application via the user interface.
3. The method of claim 1, wherein the authenticating step comprises using the mobile station to confirm a transaction or procedure that the user has previously requested from the application via the user interface.
4. The method of any preceding claim, wherein said mobile station is a cellular telephone and said second communication network comprises a digital cellular network.
5. The method of any preceding claim, comprising utilizing the secret of a subscription identification module (SIM) of the mobile station for encryption of the signaling associated with the authenticating step.
6. The method of any preceding claim, wherein the subscription identification module (SIM) of the mobile station is used to provide the identity of the user.
7. The method of claim 6, comprising charging the connection fee from the user interface to the application to the owner of the subscription identified by the SIM.
8. The method of any preceding claim, wherein at least part of the signaling between the application and the mobile station is in the form of short message system text messages.
9. The method of any preceding claim, comprising using the area location information of the mobile station as one parameter of the authentication procedure.
10. A method for providing authentication to an application that can be utilized by a user through a network, the method comprising:
establishing a connection between the application and a user interface over the communication network to allow the user to access the application; and
providing authentication to the application by a mobile station such that the secret of the mobile station's subscription identification module (SIM) is utilized in the encryption operation of the authentication.
11. An apparatus for providing authentication to an application provided by an application provider via a communication network, the apparatus comprising:
a user interface;
a connection between the application and the user interface through the communication network to enable use of the application; and
means for authenticating use of said application, said authentication means comprising a mobile station communicating over a mobile communication network and a link between the application, served by said communication network, and said mobile communication network.
12. The apparatus of claim 11, wherein the mobile station is a cellular telephone and the mobile communication network is a digital cellular network.
13. The apparatus of claim 11 or 12, wherein the authentication signaling to and from the mobile station is in the form of text messages provided by a short message system (SMS) of the mobile communication network.
14. The apparatus of any one of claims 11 to 13, wherein the mobile station comprises a mobile station personal authentication device (MS PAD) arranged to control the authentication procedure and a subscription identification module (SIM) containing a secret and operatively connected to the MS PAD, wherein the secret of the SIM is arranged to be utilized in the authentication procedure.
15. The apparatus of any one of claims 11 to 14, wherein the application is a banking service, an electronic shopping service or another commercial service that requires confirmation of electronic transactions.
16. A mobile station for providing authentication to an application provided over a communication network,
wherein the application is accessed by a user interface connected to the network, and
wherein the mobile station uses a communication network different from that of the user interface, and the mobile station is used to authenticate the use of the application accessed by the user interface.
17. The mobile station of claim 16, comprising an integrated mobile station personal authentication device (MS PAD) arranged to control the authentication procedure.
18. The mobile station of claim 16 or 17, wherein the mobile station is a digital mobile phone and has a subscription identification module (SIM) comprising a secret, wherein the secret of the SIM is arranged to be utilized in the authentication procedure.
19. The mobile station of claim 18, having at least one additional SIM.
20. The mobile station of claim 16 or 19, comprising means for interfacing directly with the user interface by means of an infrared or wireless transceiver capable of communicating with the user interface.
Similar technologies:
Publication number | Publication date | Patent title
ES2306759T3|2008-11-16|Pki function validation procedure in an intelligent card.
KR0181566B1|1999-05-15|Method and apparatus for efficient real-time authentication and encryption in a communication system
KR100412510B1|2004-01-07|An instant log-in method for authentificating a user and settling bills by using two different communication channels and a system thereof
CA2744971C|2019-08-06|Secure transaction authentication
DE69830175T2|2006-01-26|Method for controlling applications stored in a subscriber module
EP1621035B1|2007-06-06|Method for secure downloading of applications
US7065341B2|2006-06-20|User authentication apparatus, controlling method thereof, and network system
EP1153376B1|2008-12-17|Telepayment method and system for implementing said method
ES2233316T3|2005-06-16|Authentication method establishing a safe channel between a subscriber and a service access provider through a telecommunications operator.
US8265600B2|2012-09-11|System and method for authenticating remote server access
US8646051B2|2014-02-04|Automated password reset via an interactive voice response system
AU2003285357B2|2010-12-02|Method and system for the authentication of a user of a data processing system
US7756748B2|2010-07-13|Application of automatic internet identification methods
CN1102016C|2003-02-19|Preventing misure of copied subscriber identity in mobile communication system
EP1288765B1|2007-11-21|Universal authentication mechanism
AU2004307800B2|2009-01-08|Method for managing the security of applications with a security module
KR100231743B1|1999-11-15|Communication method and device
US7697920B1|2010-04-13|System and method for providing authentication and authorization utilizing a personal wireless communication device
FI101507B|1998-06-30|Wireless telephone service access method
DE60312911T2|2007-09-06|Mobile authentication system with reduced authentication delay
EP1305926B1|2008-12-31|Arrangement for authenticating a user and authorizing use of a secured system
ES2265694T3|2007-02-16|Procedure to verify in a mobile device the authenticity of electronic certificates issued by a certificating authority and corresponding identification module.
EP1504561B1|2018-01-10|Methods and systems for secure transmission of information using a mobile device
US6799155B1|2004-09-28|Replacement of externally mounted user interface modules with software emulation of user interface module functions in embedded processor applications
US8752125B2|2014-06-10|Authentication method
Patent family:
Publication number | Publication date
MY121040A|2005-12-30|
BR9908246A|2000-10-31|
KR100683976B1|2007-02-15|
AU755054B2|2002-12-05|
JP4364431B2|2009-11-18|
AU2831699A|1999-09-15|
FI980427D0|
US6430407B1|2002-08-06|
DE69904570T2|2003-05-15|
HK1036344A1|2009-02-06|
CN1292108A|2001-04-18|
JP2002505458A|2002-02-19|
DE69904570D1|2003-01-30|
EP1058872B1|2002-12-18|
WO1999044114A1|1999-09-02|
DE69904570T3|2012-05-10|
EE04444B1|2005-02-15|
EE200000491A|2002-02-15|
FI980427A|1999-08-26|
EP1058872A1|2000-12-13|
IL138007A|2005-07-25|
EP1058872B2|2011-04-06|
CN100380267C|2008-04-09|
IL138007D0|2001-10-31|
FI980427A0|1998-02-25|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Patent title
Legal status:
1998-02-25|Priority to FI980427A
1998-02-25|Priority to FI980427
1999-02-05|Application filed by 에를링 블로메, 타게 뢰브그렌, 텔레폰아크티에볼라게트 엘엠 에릭슨
2001-05-15|Publication of KR20010041363A
2003-08-18|First worldwide family litigation filed
2007-02-15|Application granted
2007-02-15|Publication of KR100683976B1
Priority:
Application number | Filing date | Patent title
FI980427A|FI980427A|1998-02-25|1998-02-25|Procedure, arrangement and device for verification|
FI980427|1998-02-25|