
SE519072C2 - Method of access control in mobile communications - Google Patents

Method of access control in mobile communications

Info

Publication number
SE519072C2
Authority
SE
Sweden
Prior art keywords
policy
mobile
communication system
password
service provider
Prior art date
Application number
SE0200061A
Other languages
Swedish (sv)
Other versions
SE0200061L (en)
SE0200061D0 (en)
Inventor
Jonas Eriksson
Rolf Kaawe
Original Assignee
Telia Ab
Priority date
Filing date
Publication date
Application filed by Telia Ab filed Critical Telia Ab
Priority to SE0200061A priority Critical patent/SE0200061L/en
Publication of SE0200061D0 publication Critical patent/SE0200061D0/en
Priority to AU2002359203A priority patent/AU2002359203A1/en
Priority to EP02793724A priority patent/EP1466438A1/en
Priority to PCT/SE2002/002424 priority patent/WO2003058880A1/en
Publication of SE519072C2 publication Critical patent/SE519072C2/en
Publication of SE0200061L publication Critical patent/SE0200061L/en
Priority to NO20042773A priority patent/NO20042773L/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention relates to a method in a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access from a mobile terminal to a service at a service provider requires a password. The method includes the steps of: electronically sending a password policy from a service provider, or a certificate authority appointed by the service provider, to a mobile unit; and, in the mobile unit, electronically receiving said policy and managing and creating passwords associated with said service provider according to the rules specified in the policy sent by the service provider or its appointed certificate authority. The method also includes that the mobile unit, or a specific gateway, authenticates and authorizes the sender of the policy in order to prevent illegitimate use of the ability to change a policy.

Description

… before distribution of these units.

Both mobile operators and banks are interested in, and are working to develop, solutions where a user can be authenticated (identified as having the claimed identity) and create non-repudiable digital signatures with his or her mobile unit. Typically, the mobile unit is a mobile phone with one or more so-called smart cards. The mobile unit (or, as a rule, a smart card in the mobile unit) in turn contains one or more private keys, which become usable for authentication and for creating non-repudiation only once a CA (Certificate Authority) has issued a certificate attesting that a specific user holds these private keys.

The use of the private keys is almost always protected by a password, which the user often has the possibility to change or choose. In many cases the CA has views on which rules should govern the passwords a user is allowed to choose. The CA then has what may be called a password policy.

The password policy may, for example, cover rules on length, permitted characters and update intervals. Such a policy has so far only been applicable in cases where it was already settled, when the card was issued, which CA would issue certificates linked to the keys on the card. In the mobile case, the smart card will often be distributed to the user before anyone knows which CA will issue certificates linked to key pairs on the card, so the method of loading the CA's password policy onto the card before it is distributed to the user is not applicable.

SUMMARY OF THE INVENTION

The object of the invention is to provide a method for electronically distributing a password policy over a mobile communication system to a mobile unit, so that said policy can be applied immediately in the mobile unit or in an add-on unit. The invention thus comprises a method within a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access from a mobile terminal to a service at a service provider requires a password. The method comprises the steps of:
- from a service provider, or a certificate authority designated by the service provider, electronically sending a password policy to a mobile unit;
- in a mobile unit, electronically receiving said policy and managing and forming passwords associated with said service provider in accordance with the rules specified in the policy sent by the service provider or its designated certificate authority.

The method also comprises that the mobile unit, or a special gateway, authenticates and authorizes the sender of the policy in order to prevent fraudulent use of the possibility to change a policy.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described in more detail below with reference to the accompanying drawings, in which: Figure 1 shows an administration path for a PIN policy according to one embodiment of the invention, Figure 2 shows an administration path for a PIN policy according to another embodiment of the invention, and Figure 3 shows a flow chart of a method according to the invention.

Figures 4A and 4B schematically show the placement of authentication and authorization units according to two embodiments of the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

One embodiment of the invention relates to a method for distributing a password policy, in the form of a PIN policy for cryptographic keys in mobile units, "over-the-air", i.e. via the communication system in which the unit is intended to operate.

The keys are typically stored in a "tamper-resistant" device/smart card in the mobile unit, but this is not necessary. The cryptographic keys are typically private keys of asymmetric key pairs. The cryptographic keys, or the unit in which they are generated, have been distributed to the user before it is known which party will issue certificates binding the user to a particular key pair.

When a CA is to issue a certificate, the user is bound to a private key in the usual way via an "over-the-air proof of possession" procedure. Before, after or during this procedure, the CA distributes its PIN policy via the cellular mobile communication system to the mobile unit that contains the private key. An application in the mobile unit ensures that the PIN policy takes effect and forces the user to choose a PIN code according to the policy for use of the certified key. Figure 1 illustrates the flow:
1. CA 101 has decided to distribute its PIN policy to a certain mobile unit.
2. The CA addresses the PIN policy to a certain mobile unit and a certain private key in the mobile unit 115 and sends it to a gateway 105 provided for the purpose. This gateway 105 authenticates CA 101 and determines whether CA 101 has the right to distribute a PIN policy to the mobile unit 115 (authorization). Said gateway 105 is preferably located at the operator of the mobile communication system.
3. Gateway 105 forwards the PIN policy over the mobile communication network 110.
4. The mobile unit 115 receives the PIN policy, verifies that it comes from the mobile operator's gateway 105, and activates the policy for the key in question. If the user already has a PIN code that does not satisfy the policy, he is prompted to choose a new PIN code according to the policy.
5. Alternatively, the next time the user changes the PIN code, it must satisfy the requirements of the PIN policy.

Step 1 is preferably preceded by a request from the client/user to the CA for issuance of a client certificate.

A password policy preferably contains rules about, in the general case:
- number of characters (min, max)
- forbidden characters
- forbidden character combinations
- the interval at which the password must be changed (e.g. the number of times a password may be used).

The policy may of course be general for all users, but it may also be personalized, e.g. contain checks that a certain user does not use his or her personal identity number (personnummer) as the PIN, and so on.

In one embodiment, a PIN policy consists of a data structure that is interpreted by an application provided for the purpose in the mobile unit. In another embodiment, a PIN policy is realized as an executable application that is sent to the mobile unit. In the first case, several PIN policies may conceivably be active at the same time, but some mechanism for resolving possibly conflicting policies is then required.

The mobile unit 115 preferably contains one or more integrated or removable smart cards or some other form of tamper-resistant device. The invention is of course also applicable where the private key is not stored in a tamper-resistant device but in some other way in the mobile unit.

In one embodiment, the special gateway mentioned in step 2 is not present (compare Figure 2). Instead, CA 201 sends its policy via a general traffic gateway of the mobile communication network (the GGSN for GPRS/UMTS) 210, which has no mechanisms for authentication and authorization of CA 201. In this embodiment, the mechanisms for authentication and authorization are instead implemented in the mobile unit 215.

Figure 3 shows the method steps corresponding to the distribution paths of Figure 1 and Figure 2. The CA creates 310 a policy specification, addresses 320 a mobile unit and addresses 330 a private key within said mobile unit. The specification is then sent 340 over the mobile network, possibly via a special gateway as mentioned above. The specification is received 350, and the sender is authenticated 360 and, where applicable, authorized 370. Depending on the number of intermediate units between the CA and the mobile unit that need their own authentication and authorization, the steps send 340, receive 350, authenticate 360 and authorize 370 are repeated 375. Finally, the policy is stored and activated in the mobile station.
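The distribution path of Figures 1 to 3, written out as an added example that is not part of the patent text: each hop authenticates the sender and then checks an authorization table before forwarding, and the operator gateway re-tags the policy toward the mobile unit so the unit can confirm that the policy came from the operator's gateway (step 4 of Figure 1). The Figure 2 variant, where the mobile unit checks the CA itself, is the same code with no intermediate hop. An HMAC tag over a shared secret stands in for the secure transport mechanism the text leaves out of scope; a deployment would more naturally verify a CA signature. All names, key values and device addresses are constructed samples.

```python
import hashlib
import hmac
import json


def _tag(key: bytes, body: dict) -> str:
    # Tag a canonical encoding so sender and verifier tag the same bytes
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def sign(sender: str, key: bytes, device: str, key_id: str, policy: dict) -> dict:
    """Steps 310-340: a policy specification addressed to one mobile unit and
    one private key in it, tagged by the sender."""
    body = {"sender": sender, "device": device, "key_id": key_id, "policy": policy}
    return {"body": body, "tag": _tag(key, body)}


class Hop:
    """A node that authenticates (step 360) and authorizes (step 370) the
    sender. Used both for the operator gateway 105 (Fig. 4A) and for the
    mobile unit itself (Fig. 4B)."""

    def __init__(self, name: str, sender_keys: dict, authz: dict):
        self.name = name
        self.sender_keys = sender_keys  # sender id -> shared key (authentication)
        self.authz = authz              # sender id -> devices it may push policy to

    def verify(self, msg: dict):
        body, sender = msg["body"], msg["body"]["sender"]
        key = self.sender_keys.get(sender)
        if key is None or not hmac.compare_digest(_tag(key, body), msg["tag"]):
            return False, f"{self.name}: authentication of {sender} failed"
        if body["device"] not in self.authz.get(sender, set()):
            return False, f"{self.name}: {sender} not authorized for {body['device']}"
        return True, "ok"

    def forward(self, msg: dict, own_key: bytes) -> dict:
        # The gateway re-tags toward the device, so the device can check that
        # the policy came from the operator's gateway (Figure 1, step 4)
        b = msg["body"]
        return sign(self.name, own_key, b["device"], b["key_id"], b["policy"])


class MobileUnit(Hop):
    def __init__(self, name: str, sender_keys: dict, authz: dict):
        super().__init__(name, sender_keys, authz)
        self.active = {}  # key_id -> stored and activated policy

    def receive(self, msg: dict):
        ok, why = self.verify(msg)
        if not ok:
            return False, why
        body = msg["body"]
        if body["device"] != self.name:
            return False, f"{self.name}: policy addressed to {body['device']}"
        self.active[body["key_id"]] = body["policy"]   # store and activate
        return True, f"policy activated for {body['key_id']}"


def distribute(msg: dict, hops: list, hop_keys: dict, unit: MobileUnit):
    """Repeat send/receive/authenticate/authorize (step 375) for every
    intermediate hop, then store and activate in the mobile unit."""
    for hop in hops:
        ok, why = hop.verify(msg)
        if not ok:
            return False, why
        msg = hop.forward(msg, hop_keys[hop.name])
    return unit.receive(msg)


def demo() -> dict:
    """Constructed scenarios; keys, names and addresses are sample values."""
    ca_key, gw_key = b"sample-key-CA-101", b"sample-key-gateway-105"
    policy = {"min_len": 6, "max_len": 8, "max_uses": 100}
    # Figure 1 / 4A: the operator gateway holds the CA key and the authorization table
    gateway = Hop("gateway-105", {"CA-101": ca_key}, {"CA-101": {"device-115"}})
    device = MobileUnit("device-115", {"gateway-105": gw_key},
                        {"gateway-105": {"device-115"}})
    # Figure 2 / 4B: no special gateway; the mobile unit checks the CA itself
    device2 = MobileUnit("device-215", {"CA-201": ca_key}, {"CA-201": {"device-215"}})
    keys = {"gateway-105": gw_key}
    return {
        "figure1": distribute(sign("CA-101", ca_key, "device-115", "key-1", policy),
                              [gateway], keys, device),
        "forged": distribute(sign("CA-101", b"wrong-key", "device-115", "key-1", policy),
                             [gateway], keys, device),
        "unauthorized": distribute(sign("CA-101", ca_key, "device-116", "key-1", policy),
                                   [gateway], keys, device),
        "figure2": distribute(sign("CA-201", ca_key, "device-215", "key-1", policy),
                              [], {}, device2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Authentication and authorization are deliberately separate checks with separate tables, matching the authentication unit 402 and authorization unit 404 of Figures 4A and 4B: a correctly tagged message from a known CA is still rejected when that CA is not permitted to push a policy to the addressed unit.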

Of course, in alternative embodiments parties other than the CA may download a PIN policy. In particular, in one embodiment the operator of the mobile communication service is able to download its PIN policy to the mobile units in its network.

PIN policies for purposes other than unlocking/using private keys may of course also be distributed to the mobile unit according to the invention, for example PIN codes and passwords for:
- use of symmetric keys
- write/read rights to data files
- GSM
- application execution, and so on.

In the case where several CAs (call them A and B) certify the same key, the following methods are embodiments of the invention:
- Both A and B can download their policy to the mobile unit. Both the policy from CA A and the policy from CA B are applied every time the PIN is changed. This requires a mechanism in the mobile unit for resolving conflicting requirements.

- Both A and B send their policy to the operator of the mobile communication network. The operator creates a "summary" of these rules and decides which policy is ultimately sent to the mobile unit.

- Both A and B can download their policy to the mobile unit. Separate PINs are used for the same key depending on which of the user's certificates is being invoked. The policy from CA A applies when the user invokes the certificate from CA A, and the policy from CA B applies when the user invokes the certificate from CA B.
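A policy data structure of the kind the description lists (length bounds, forbidden characters and character combinations, a change interval expressed as a number of uses, and a personalised check against the personal identity number), together with the operator-side "summary" of two CA policies from the second alternative above. This is an added example, not the patent's own format: the field names, the JSON layout and the sample policies CA_A and CA_B are assumptions. The merge keeps the strictest value of each rule and raises an error when the two length rules leave no valid PIN, which is one way of handling the conflicting-requirements case the text says must be resolved.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    """The policy data structure an application in the mobile unit interprets.
    Field names are assumptions; the rule set follows the description."""
    issuer: str                                 # CA or operator that issued the policy
    min_len: int                                # number of characters (min, max)
    max_len: int
    forbidden_chars: frozenset = frozenset()    # forbidden characters
    forbidden_sequences: tuple = ()             # forbidden character combinations
    max_uses: int = 0                           # change interval as number of uses; 0 = none
    deny_personal_id: bool = False              # personalised rule: PIN not taken from the ID number

    @classmethod
    def from_json(cls, raw: str) -> "PinPolicy":
        d = json.loads(raw)
        return cls(issuer=d["issuer"], min_len=int(d["min_len"]), max_len=int(d["max_len"]),
                   forbidden_chars=frozenset(d.get("forbidden_chars", "")),
                   forbidden_sequences=tuple(d.get("forbidden_sequences", [])),
                   max_uses=int(d.get("max_uses", 0)),
                   deny_personal_id=bool(d.get("deny_personal_id", False)))


def check_pin(policy: PinPolicy, pin: str, personal_id: str = "") -> list:
    """Return the violated rules; an empty list means the PIN is accepted."""
    problems = []
    if not policy.min_len <= len(pin) <= policy.max_len:
        problems.append(f"length must be {policy.min_len}-{policy.max_len}")
    bad = sorted(set(pin) & policy.forbidden_chars)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    for seq in policy.forbidden_sequences:
        if seq in pin:
            problems.append(f"forbidden sequence {seq!r}")
    if policy.deny_personal_id and personal_id and pin in personal_id:
        problems.append("PIN must not be taken from the personal identity number")
    return problems


def merge_policies(a: PinPolicy, b: PinPolicy) -> PinPolicy:
    """Operator-side 'summary' of two CA policies: keep the strictest value of
    each rule, and refuse combinations that no PIN could satisfy."""
    merged = PinPolicy(
        issuer=f"{a.issuer}+{b.issuer}",
        min_len=max(a.min_len, b.min_len),
        max_len=min(a.max_len, b.max_len),
        forbidden_chars=a.forbidden_chars | b.forbidden_chars,
        forbidden_sequences=tuple(dict.fromkeys(a.forbidden_sequences + b.forbidden_sequences)),
        max_uses=min(filter(None, (a.max_uses, b.max_uses)), default=0),
        deny_personal_id=a.deny_personal_id or b.deny_personal_id,
    )
    if merged.min_len > merged.max_len:
        raise ValueError(f"conflicting length rules from {a.issuer} and {b.issuer}")
    return merged


# Constructed sample policies (not taken from the patent)
CA_A = PinPolicy.from_json('{"issuer": "CA-A", "min_len": 4, "max_len": 8, '
                           '"forbidden_sequences": ["1234", "0000"], "max_uses": 100}')
CA_B = PinPolicy("CA-B", 6, 12, frozenset("*#"), (), 50, True)

if __name__ == "__main__":
    combined = merge_policies(CA_A, CA_B)
    print(check_pin(CA_A, "1234"))                          # forbidden sequence
    print(check_pin(combined, "985041", "19850412-1234"))   # taken from the ID number
```

The first alternative above (both policies applied in the mobile unit at every PIN change) can reuse the same check by running `check_pin` against each active policy and accepting the PIN only when every list comes back empty; the merge is what the operator would compute in the second alternative before sending a single policy down.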

Figures 4A and 4B show how units for authentication and authorization are arranged in preferred embodiments. Figure 4A shows an authentication unit 402 and an authorization unit 404 arranged in gateway 105. Figure 4B shows an authentication unit 402 and an authorization unit 404 arranged in a mobile unit 115.

Of course, in most cases a secure transport mechanism is required to transfer a PIN policy from the CA, or another issuer of the policy, to the mobile unit. There are many methods for realizing this, but they fall outside the scope of the invention.

The scope of protection of the invention is limited only by the claims below.

Claims (1)

1. A method within a mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access via a specific mobile terminal to a specific service of a specific service provider requires a password, characterized in that said method comprises the steps of:
- from a service provider, or a certificate authority designated by the service provider, electronically sending a password policy to a mobile unit;
- in a mobile unit, electronically receiving said policy and managing and forming passwords associated with said service provider in accordance with the rules specified in said policy sent by the service provider or its designated certificate authority.

2. A method according to claim 1, characterized by the following steps:
- creation of a password policy specification at a service provider or a certificate authority (CA) designated by the service provider,
- obtaining the address of a mobile unit,
- obtaining the address of a private key in said mobile unit,
- sending the specification,
- receiving the specification,
- authentication of the CA,
- authorization of the CA,
- storing a policy corresponding to the specification, and
- activating said policy.

3. A method according to claim 1, characterized in that it comprises the following steps:
- creation of a password policy specification at a CA,
- obtaining the address of a mobile unit,
- obtaining the address of a private key within said mobile unit,
- distribution of the policy specification to a gateway for policy download,
- authentication of the CA in said gateway,
- authorization of the CA in said gateway,
- distribution of the specification from the gateway to the mobile unit over a mobile communication network,
- receiving the specification,
- ensuring that the specification comes from an approved gateway,
- storing a policy corresponding to the specification, and
- activating said policy.

4. A method according to claim 3, characterized in that it further comprises the step of:
- forcing the user to immediately change the password to one that satisfies the new policy.

5. A method according to claim 3, characterized in that it further comprises the step of:
- deferring application of the policy until the next time the user changes the password.

6. A method according to any one of claims 1 to 5, characterized in that said password is a PIN code.

7. A mobile radio communication system with mobile units and connected service providers that provide services over said communication system, where access via a specific mobile terminal to a specific service of a specific service provider requires a password, characterized in that said system comprises means for sending a policy specification for passwords from a service provider to a mobile unit.

8. A mobile communication system according to claim 7, characterized in that said system comprises means for receiving, in a mobile unit, a policy specification for passwords.

9. A mobile communication system according to claim 8, characterized in that means for authenticating a policy sender are arranged in said system.

10. A mobile communication system according to claim 8, characterized in that means for authorizing a policy sender are arranged in said system.

11. A mobile communication system according to claim 7, characterized in that a gateway comprising means for authenticating and authorizing a policy sender is arranged to connect a CA to the mobile communication system, and to authorize and authenticate said CA.

12. A mobile communication system according to claim 9 or 10, characterized in that means for authorizing a policy sender are arranged in a mobile unit.

13. A mobile communication system according to any one of claims 7 to 12, characterized in that said policy specification is arranged in the form of a data structure.

14. A mobile communication system according to any one of claims 7 to 12, characterized in that said policy specification is arranged in the form of an executable application.
SE0200061A 2002-01-10 2002-01-10 Method of access control in mobile communications SE0200061L (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
SE0200061A SE0200061L (en) 2002-01-10 2002-01-10 Method of access control in mobile communications
AU2002359203A AU2002359203A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
EP02793724A EP1466438A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
PCT/SE2002/002424 WO2003058880A1 (en) 2002-01-10 2002-12-20 Method at access right control within mobile communication
NO20042773A NO20042773L (en) 2002-01-10 2004-07-01 Procedure for controlling access rights in mobile communications

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE0200061A SE0200061L (en) 2002-01-10 2002-01-10 Method of access control in mobile communications

Publications (3)

Publication Number Publication Date
SE0200061D0 SE0200061D0 (en) 2002-01-10
SE519072C2 true SE519072C2 (en) 2003-01-07
SE0200061L SE0200061L (en) 2003-01-07

Family

ID=20286626

Family Applications (1)

Application Number Title Priority Date Filing Date
SE0200061A SE0200061L (en) 2002-01-10 2002-01-10 Method of access control in mobile communications

Country Status (5)

Country Link
EP (1) EP1466438A1 (en)
AU (1) AU2002359203A1 (en)
NO (1) NO20042773L (en)
SE (1) SE0200061L (en)
WO (1) WO2003058880A1 (en)

Families Citing this family (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2107756A1 (en) 2008-03-31 2009-10-07 British Telecommunications Public Limited Company Policy resolution
US8924469B2 (en) 2008-12-18 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8583781B2 (en) 2009-01-28 2013-11-12 Headwater Partners I Llc Simplified service network architecture
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US12166596B2 (en) 2009-01-28 2024-12-10 Disney Enterprises, Inc. Device-assisted services for protecting network capacity
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US11973804B2 (en) 2009-01-28 2024-04-30 Headwater Research Llc Network service plan design
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US12452377B2 (en) 2009-01-28 2025-10-21 Headwater Research Llc Service design center for device assisted services
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US11985155B2 (en) 2009-01-28 2024-05-14 Headwater Research Llc Communications device with secure data path processing agents
US12432130B2 (en) 2009-01-28 2025-09-30 Headwater Research Llc Flow tagging for service policy implementation
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US12543031B2 (en) 2009-01-28 2026-02-03 Headwater Research Llc Adapting network policies based on device service processor configuration
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US12388810B2 (en) 2009-01-28 2025-08-12 Headwater Research Llc End user device that secures an association of application to service policy with an application certificate check
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US12389218B2 (en) 2009-01-28 2025-08-12 Headwater Research Llc Service selection set publishing to device agent with on-device service selection
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices
WO2014159862A1 (en) 2013-03-14 2014-10-02 Headwater Partners I Llc Automated credential porting for mobile devices

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0354771B1 (en) * 1988-08-11 1995-05-31 International Business Machines Corporation Personal identification number processing using control vectors
US4924514A (en) * 1988-08-26 1990-05-08 International Business Machines Corporation Personal identification number processing using control vectors
US5944824A (en) * 1997-04-30 1999-08-31 Mci Communications Corporation System and method for single sign-on to a plurality of network elements
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
DK174672B1 (en) * 1999-11-09 2003-08-25 Orange As Electronic identification code delivery system

Also Published As

Publication number Publication date
EP1466438A1 (en) 2004-10-13
WO2003058880A1 (en) 2003-07-17
AU2002359203A1 (en) 2003-07-24
SE0200061L (en) 2003-01-07
NO20042773L (en) 2004-09-10
SE0200061D0 (en) 2002-01-10

Similar Documents

Publication Publication Date Title
SE519072C2 (en) Method of access control in mobile communications
US6718470B1 (en) System and method for granting security privilege in a communication system
US7890767B2 (en) Virtual smart card system and method
EP2442204B1 (en) System and method for privilege delegation and control
EP3522580B1 (en) Credential provisioning
US5602918A (en) Application level security system and method
US7362869B2 (en) Method of distributing a public key
US7231663B2 (en) System and method for providing key management protocol with client verification of authorization
KR20030074483A (en) Service providing system in which services are provided from service provider apparatus to service user apparatus via network
US20050120248A1 (en) Internet protocol telephony security architecture
US20110213959A1 (en) Methods, apparatuses, system and related computer program product for privacy-enhanced identity management
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
NO311909B1 (en) Procedure for protected distribution protocol for key and certificate material
EP4295605B1 (en) User authentication by means of two independent security elements
CN102118385A (en) Security domain management method and device
CN112565294A (en) Identity authentication method based on block chain electronic signature
RU2007138849A (en) NETWORK COMMERCIAL TRANSACTIONS
KR20210095061A (en) Method for providing authentification service by using decentralized identity and server using the same
EP3685563A1 (en) Method for configuring user authentication on a terminal device by means of a mobile terminal device and for logging a user onto a terminal device
EP0645688A1 (en) Method for the identification of users of telematics servers
JP2003530739A (en) Network system
EP1878161A1 (en) Method and system for electronic reauthentication of a communication party
EP1323259B1 (en) Secured identity chain
EP3178073B1 (en) Security management system for revoking a token from at least one service provider terminal of a service provider system
EP2381712B1 (en) Secure Reading Data from a Mobile Device with fixed TPM

Legal Events

Date Code Title Description
NUG Patent has lapsed