WO2010054843A1 - Method and system for accessing private and/or commercially owned wireless access points - Google Patents


Info

Publication number
WO2010054843A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
wireless access
mobile terminal
mobile
access point
Application number
PCT/EP2009/008142
Other languages
French (fr)
Inventor
Pierre Imai
Gottfried Punz
Bernd Lamparter
Stefan Schmid
Original Assignee
Nec Europe Ltd.
Application filed by Nec Europe Ltd.
Publication of WO2010054843A1

Classifications

    • H04L (transmission of digital information), H04L63/00 network security:
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/18 Network security using different networks or channels, e.g. using out of band channels
    • H04W (wireless communication networks), H04W12/00 security arrangements; authentication; protecting privacy or anonymity:
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/088 Access security using filters or firewalls
    • H04W84/00 network topologies:
    • H04W84/045 Public Land Mobile systems, e.g. cellular systems using private Base Stations, e.g. femto Base Stations, home Node B

Definitions

  • the macro network should be informed of successful connection. This task can be performed either by the mobile terminal itself or by the wireless access point or by both.
  • preferably, it is the dedicated network entity of the macro network that negotiated the connection to the wireless access point which is informed of the successful connection.
  • the successful connection information message could be directed to a dedicated charging entity within the macro network.
  • the mobile network operator's macro network keeps track of the connection duration and of the consumed bandwidth.
  • the user's mobile terminal is under the macro network operator's control and therefore considered trustworthy (based on permanent credentials). Therefore exact information about the duration of the connection to the wireless access point can be retrieved directly from the terminal.
  • the user of the mobile terminal i.e. the mobile subscriber, could be automatically charged by the mobile network operator's charging/billing infrastructure for the access service provided by the wireless access point, which is a third party entity from the viewpoint of the operator. For instance, it may be provided that the user pays via the normal phone bill issued by his provider.
  • the charging model could be based on a flat-rate, a charge per access, or charging according to the consumed data or online time and possibly in conjunction with the actual user/data services used.
  • the owner of the wireless access point may profit by being compensated per use by the mobile network operator for providing the access service, for instance based on micro payments, on a flat-rate reimbursement, or on exact accounting of access times and/or data volume consumed by customers of the mobile network operator.
  • the owner of the wireless access point gets a reimbursement based on rough accounting - e.g. just the number of users that gained access, rough estimate of traffic usage or online time.
  • the owner of the wireless access point may get incentives, e.g. earn some points, which he/she can for example use to get access at other wireless access points, or exchange into other services or products offered by the operator or others.
  • an efficient charging reporting is essential. For instance, according to one embodiment only final usage is reported to the charging entity of the macro network (i.e. time of access and data usage). Alternatively, it may be provided that the start and end time of access plus periodic intermediate reports of used bandwidth is reported.
  • the charging information may be provided either by the wireless access point or by the mobile terminal. However, according to a preferred embodiment it may be provided that both the wireless access point as well as the mobile terminal provide charging information. In such case the charging entity can use both reports to validate them. If the reports are significantly different, the macro network operator tries to identify the source of the problem. It may also start to "blacklist" the mobile terminal and/or the wireless access point. For the case that the user plane is routed through the mobile network operator's macro network (i.e. IPsec between UE and (e)PDG), charging can be applied there. Consequently, no charging reports will be needed from the mobile terminal and/or the wireless access point.
  • Fig. 1 schematically illustrates the principal architecture of a system for accessing private and/or commercially owned wireless access points according to an embodiment of the present invention
  • Fig. 2 schematically illustrates a message flow for access credential generation between a mobile terminal, a macro network and a wireless access point according to an embodiment of the present invention
  • Fig. 3 schematically illustrates a message flow for access credential generation between the same entities of Fig. 2 according to another embodiment of the present invention.
  • Fig. 1 shows a system for accessing a private and/or commercially owned wireless access point, in the following briefly denoted WAP, according to an embodiment of the present invention.
  • the operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between the mobile terminal and the WAP on demand. That is, the invention utilizes the network access over one (wireless) access technology (e.g. 3G macro network) and the established security association between the mobile terminal/device and the operator to gain secure access to another (wireless) access network (e.g. a WLAN access point or a Femtocell) - possibly using a different (wireless) access technology.
  • the technology is not limited to WLAN - it applies equally to WiMAX APs and licensed band femto cells according to 3GPP or similar access technologies.
  • the technology can also be used to allow semi-open access. In this case the owner of the WAP may need to provide the mobile user a "shared secret", which allows the terminal to use this approach to gain access to the WAP.
  • the WAP (or AAA entity in case it is separate) may have a SIM or equivalent that can be used to secure communication between the WAP (or AAA entity) and the macro network operator network.
  • Access to a network can also be retrieved in advance (e.g. based on location and directional information), before the actual network becomes visible to the user. Furthermore, since the macro network operator is involved in the authorization process, the overall security of the operator network can be increased: The operator might restrict access to its infrastructure to devices which are connected via a network authorized as described in the present invention and/or deny access from/to networks that are considered insecure.
  • the WAP owners register their SSID, MAC, keys (e.g. WEP, WPA or the like), their location, and payment details with any operator.
  • Inter-operator access to WAPs is handled using extended roaming agreements.
  • the WAS and/or a charging entity can be distributed across visited and home network, or only provisioned by the visited network. In the latter case, authentication by the home network can be accomplished via standard authentication mechanisms in the roaming case.
  • the present invention provides a unified approach for different types of wireless hotspots, e.g. WLAN and open access mode of future licensed band femto cells according to 3GPP.
  • WLAN/WiMAX access control to the WAP can be based on EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) using e.g. RADIUS or Diameter authentication.
  • the WAP would authenticate the mobile terminal using the RADIUS or Diameter protocol.
  • the AAA function would be a RADIUS or Diameter server.
  • Pre-shared key authentication has to be avoided, as access credentials should be of a temporary nature. Certificates can be issued by the authentication entities and distributed as with public/private keys.
  • the authentication server can either be based in the macro network operator network or on the premises of the WAP owner, in which case the authentication has to involve another authentication entity within the macro network operator network (e.g. HSS, 3GPP AAA server or WAS).
  • the communication between the authentication servers can be based on RADIUS, Diameter, etc.
  • Web-based access control solutions offer an interface for authentication to e.g. RADIUS or Diameter Server, where the user can input his credentials or the terminal by itself provides the previously negotiated/generated temporary access credentials using HTTP(S) to the WAP.
  • in case of Femto cell/H(e)NB (Home NodeB) access control according to 3GPP, the mobile terminal (typically referred to as UE in 3GPP specifications) must first be configured to be aware of a H(e)NB. To this end, upon the access request sent from the mobile terminal to its provider's/operator's macro network, the mobile terminal is configured by the macro network provider/operator (e.g. triggered by the WAS) to become part of the user group (e.g. a Closed Subscriber Group) that is allowed to access the WAP. For this, the WAP is added to the list of allowed WAPs that the terminal can use. The management of membership may be achieved by a secure protocol between the UE and the macro network operator's network. In this case the WAS may be integrated with or interface with the network entity managing these lists of allowed H(e)NBs/CSGs.
  • the present invention allows for wireless network access (e.g. Internet access or access to macro network operator services) through third-party wireless access points (WAPs) based on an established macro network operator subscription and established security association between a mobile terminal and the macro operator network; after authentication and authorization of the mobile terminal, the macro operator (i.e. the wireless access server) will setup the necessary access credentials on the mobile terminal and access point.
  • the present invention realizes a decoupling of WAP ownership and network provision, i.e. third-party owners of WAPs can provide mobile users local access to the Internet or macro network operator services; the charging/accounting facility supported by the invention provides the necessary incentives for WAP owners to offer their WAP to mobile users in a simple, easy and cost-effective manner (e.g. the macro network operator's accounting and charging facilities (incl. the billing infrastructure) can be used.
  • Fig. 2 exemplarily illustrates a specific scheme that can be implemented for the generation of access credentials which are employed for establishing a secure and trusted connection between the mobile terminal and the wireless access point of Fig. 1.
  • the only further entity being involved in the negotiation and/or transfer of the access credentials and the authorization data is a dedicated network entity located in the mobile network operator's macro network.
  • this dedicated network entity is a server that provides an access network discovery functionality and selection support. In the following this server is referred to as wireless access server WAS.
  • the access credentials are generated by the mobile terminal. More specifically, the mobile terminal generates temporary access credentials and provides them to the WAS entity, which in turn delivers it to the WAP. According to another embodiment, temporary access credentials may be generated by the WAS and may then be provided both to the mobile terminal and to the WAP. Alternatively, it may also be provided that the WAP generates access credentials and provides them to the WAS, which in turn delivers it to the mobile terminal.
  • access credentials are generated mutually by the WAP and the mobile terminal.
  • Both the mobile terminal and the WAP may provide a random number (number A from the mobile terminal and number B from the WAP) to the WAS, which in turn delivers it to the counterpart.
  • both entities can compute the actual access credentials according to a well-known scheme, e.g. on the basis of a Diffie-Hellman algorithm. This way, the actual "secret" is never transmitted, only the WAP and mobile terminal know the access credentials.
  • the mobile terminal uses them for login to the WAP, as illustrated in Fig. 2.
  • the access credentials may be mutually generated involving the WAP, the mobile terminal and the WAS.
  • the WAS uses the information element obtained from the mobile terminal - number A - plus a self-generated key pair to generate the access credentials for the WAP and sends it to the WAP.
  • the WAS generates access credentials for the mobile terminal (i.e. based on an information element obtained from the WAP - number B - and the inverse key) and sends it to the mobile terminal.
  • the mobile terminal uses them for login to the WAP.
  • network security between the AAA and macro network operator network can also be based on a SIM included in the WAP or AAA.
  • network security can be terminated in an entity "before" the WAS - e.g. an (e)PDG.
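The mutual credential generation described in the bullets above (number A from the mobile terminal, number B from the WAP, both relayed by the WAS, and a Diffie-Hellman computation at each end so that the WAS never holds the secret) as an added worked example in Python. This is not code from the patent or from NEC: the class and function names, the identity strings, the choice of the RFC 2409 1024-bit MODP group and of HMAC-SHA256 as the derivation step are this example's own assumptions. Because each number reaches the other end through a third party, the example also shows the range and subgroup check a receiving end should run on a relayed number before using it.

```python
"""Mutual generation of temporary access credentials, relayed by the WAS.

Constructed example for the scheme in the Definitions above. Roles: mobile
terminal (MT), wireless access point (WAP), wireless access server (WAS).
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2), generator 2. P is a safe prime,
# so Q = (P - 1) / 2 is the order of the subgroup generated by G.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2
KEY_LEN = (P.bit_length() + 7) // 8


def validate_peer_number(y: int) -> int:
    """Reject out-of-range or small-subgroup values: the number came via the WAS."""
    if not 2 <= y <= P - 2:
        raise ValueError("peer DH value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("peer DH value not in the prime-order subgroup")
    return y


def is_valid_peer_number(y: int) -> bool:
    try:
        validate_peer_number(y)
        return True
    except ValueError:
        return False


class Endpoint:
    """Either the mobile terminal or the WAP: keeps a private exponent, publishes a number."""

    def __init__(self, identity: str):
        self.identity = identity
        self._x = secrets.randbelow(Q - 2) + 2   # private exponent, never leaves the device
        self.number = pow(G, self._x, P)         # "number A" (MT) or "number B" (WAP)

    def derive_access_credential(self, peer_number: int, mt_id: str, wap_id: str) -> bytes:
        """DH shared secret -> temporary credential bound to both identities (HMAC-SHA256)."""
        shared = pow(validate_peer_number(peer_number), self._x, P)
        info = f"wap-access-credential|{mt_id}|{wap_id}".encode()
        return hmac.new(shared.to_bytes(KEY_LEN, "big"), info, hashlib.sha256).digest()


class WirelessAccessServer:
    """Macro-network entity that relays A and B; it records everything it forwards."""

    def __init__(self):
        self.relayed = {}

    def relay(self, label: str, number: int) -> int:
        self.relayed[label] = number
        return number


def negotiate(mt: Endpoint, wap: Endpoint, was: WirelessAccessServer):
    """The exchange of Fig. 2: each side's number goes to the other side via the WAS."""
    number_a = was.relay("A", mt.number)    # MT -> WAS -> WAP
    number_b = was.relay("B", wap.number)   # WAP -> WAS -> MT
    cred_at_mt = mt.derive_access_credential(number_b, mt.identity, wap.identity)
    cred_at_wap = wap.derive_access_credential(number_a, mt.identity, wap.identity)
    return cred_at_mt, cred_at_wap


if __name__ == "__main__":
    mt, wap, was = Endpoint("mt-placeholder-1"), Endpoint("wap-home-01"), WirelessAccessServer()
    a, b = negotiate(mt, wap, was)
    print("credentials match:", a == b, "| WAS saw only:", sorted(was.relayed))
```

Binding the WAP identity into the derivation means a credential negotiated for one WAP cannot be replayed at another; the WAS ends the run holding only the two public numbers, which is the property the text claims for the scheme.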

Abstract

A method for accessing private and/or commercially owned wireless access points, wherein a user has a subscription with a mobile network operator and wherein a mobile terminal of said user has established a radio connection and security association to said mobile network operator's macro network, is characterized in that said mobile network operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between said mobile terminal and said wireless access point on demand. Furthermore, a corresponding system is disclosed.

Description

METHOD AND SYSTEM FOR ACCESSING PRIVATE AND/OR COMMERCIALLY OWNED WIRELESS ACCESS POINTS
The present invention relates to a method and a system for accessing private and/or commercially owned wireless access points, wherein a user has a subscription with a mobile network operator and wherein a mobile terminal of said user has established a radio connection and security association to said mobile network operator's macro network.
Nowadays, wireless access points and similar appliances (like for instance hotspots and femtocells) are prevalent and can be found almost everywhere. However, in most cases these wireless access points are not publicly accessible for mobile terminals, since they are either private or require a pre-existing account with a local operator. As regards the latter case, current technology allows only for connections to wireless access points for which the user possesses valid login credentials. These credentials have to be either manually preconfigured or entered at connection time. As a result, high-speed coverage for mobile terminal data transfers is severely limited.
It is therefore an object of the present invention to improve and further develop a method and a system for accessing private and/or commercially owned wireless access points of the initially described type in an efficient way such that the user experience in terms of high-speed wireless access in many places is enhanced.
In accordance with the invention, the aforementioned object is accomplished by a method comprising the features of claim 1. According to this claim, such a method is characterized in that said mobile network operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between said mobile terminal and said wireless access point on demand.
Furthermore, the aforementioned object is accomplished by a system comprising the features of independent claim 15. According to this claim, such a system is characterized in that said mobile network operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between said mobile terminal and said wireless access point on demand.
According to the invention it has been recognized that today, on principle, a tremendous number of wireless access points would be available which, however, are either not accessible for mobile terminals or only in special cases with certain prerequisites, thereby wasting a significant amount of existing resources. Starting from this, the present invention proposes to utilize the mobile terminal's established secure radio connection and security association to a network operator's macro network for accessing private and/or commercially owned wireless access points. For instance, the home operator's subscription and infrastructure can be used for authentication & authorization towards the macro network operator. In a next step, the macro network operator's infrastructure can be used to negotiate/transfer the necessary access credentials/authorization information between the mobile terminal and the wireless access point on demand.
In connection with the present invention the term "macro network" will be used for generally denoting a network of a mobile network operator that provides a kind of long-term security association and that typically provides wide area coverage. Example networks include, but are not limited to, 3GPP, 3GPP2 or WiMAX based networks. The term "Wireless Access Point (WAP)" will be used for denoting network-side equipment under 3rd party control that resides for example in a home or public location. The WAP terminates the radio/L2 link. It may operate in unlicensed (e.g. WLAN) or licensed (e.g. 3GPP home NB/eNB) radio spectrum. It may be integrated with or separated from a L3 device.
In connection with the present invention the term "Access Credentials" will be used for generally denoting information that allows the mobile terminal to gain access through the WAP. The access credentials are temporary credentials, which can e.g. be based on permanent credentials known to the mobile terminal and mobile network operator. The access credentials may be of various forms depending on the specific situation and may include, e.g. a shared secret, a public key. However, it is in no way intended to restrict the present invention to any specific form of access credentials, and the above given examples are rather intended to illustrate the diversity of implementations of the present invention.
In connection with the present invention the term "Authorization Data" will be used for generally denoting information provided to the WAP and to the mobile terminal after successful authentication of the mobile terminal. They are linked to the access credentials of the mobile terminal. Again, it is in no way intended to restrict the present invention to any specific form of authorization data.
By automating the credential generation process huge usability improvements can be achieved, as dynamic negotiation/transfer and configuration of access credentials on mobile terminal and wireless access points are achieved via the macro operator network. In other words, the necessary wireless access credentials are retrieved and set up automatically; hence no manual registration and/or configuration of different accounts for different wireless access points are needed. Furthermore, more access points and higher bandwidth (local access points - or micro cells - typically provide higher bandwidth than the macro network) are made available to the user, so that users can have high-speed wireless access in many places where it is not possible now. As a side effect the reduced wireless radiation is worth mentioning, which is important for health conscious people who oppose every additional AP in their neighborhood. Another advantage of the present invention is that the macro network operator can reduce investments in the infrastructure.
The present invention utilizes the network access over one (wireless) access technology (e.g. 3G macro network) and the established security association between the mobile terminal/device and the operator to gain secure access to another (wireless) access network (e.g. a WLAN access point or a Femtocell). In this regard it is important to note that the mobile terminal might employ a specific access technology with respect to the macro network operator's infrastructure, and might possibly use a different access technology for accessing the wireless access point.
According to a preferred embodiment the macro network may include a dedicated network entity that provides access network discovery and possibly selection support. For instance, the network entity may be a server, which will be referred to as WAS (wireless access server) in the following. Assume the user is located with his mobile terminal in a certain place where coverage of the macro network is limited, and he wishes to establish a high-speed connection. In this case it may be provided that the user's mobile terminal sends an access request via radio to said dedicated network entity in order to learn whether one or more wireless access points are available.
Upon receiving the request from the mobile terminal, the dedicated network entity of the macro network may generate a list of possible wireless access points. Based on this information, the mobile terminal may initiate a selective scan for the wireless access points and may select the most appropriate one. For instance, a selection criterion may be the signal quality, i.e. the mobile terminal may select the wireless access point that offers the highest signal strength. In a next step the mobile terminal may inform the dedicated network entity of said macro network about the selected wireless access point.
Upon being informed by the mobile terminal the dedicated network entity of the macro network may contact the selected wireless access point or an associated AAA (Authentication, Authorization, Accounting) entity, for instance a Radius server. The AAA function can be integrated into the wireless access point or be provided as a separate entity. It can also be under a different control than the wireless access point (e.g. under the same or another operator's control). According to a specific embodiment, the access credentials and/or authorization data may then be provided either by the wireless access point or by the associated AAA entity.
According to another embodiment the network entity of said macro network may provide information elements for the generation of the access credentials and/or authorization data to the mobile terminal. Regardless of the specific implementation the authorization data may also include additional information regarding a definition of the resources the mobile terminal can consume. For instance, the additional information may specify a maximum data rate or a scheduling priority. Furthermore, more complex data, like firewall rules, can be included, in particular for restricting what entities/parts of the macro network the terminal can access. For instance, in case of a 4G mobile core network these rules may specify that the mobile terminal is granted access to the macro network operator's (e)PDG (evolved Packet Data Gateway) only. These rules may be service/flow dependent. Furthermore, this data may include settings like membership in a user group by a white list (e.g. for the 3GPP Closed Subscriber Group mechanism used for femto cells).
Advantageously, after successful authentication and/or authorization all data transfer from the mobile terminal and to the mobile terminal is going through the wireless access point. If the user desires access to the macro network operator network, a secure tunnel to the (e)PDG can be established over this network connection.
To allow for a smooth data transfer via the wireless access point, the macro network should be informed of successful connection. This task can be performed either by the mobile terminal itself or by the wireless access point or by both. Within the macro network it proves to be advantageous that it is the dedicated network entity of the macro network having negotiated the connection to the wireless access point that is informed of successful connection. However, alternatively the successful connection information message could be directed to a dedicated charging entity within the macro network. When the connection is terminated the respective entities should again be informed of the disconnection so that the macro network can continue to serve the mobile terminal in a usual way.
With respect to an efficient settlement of charging and billing issues it may be provided that the mobile network operator's macro network keeps track of the connection duration and of the consumed bandwidth. The user's mobile terminal is under the macro network operator's control and therefore considered trustworthy (based on permanent credentials). Therefore exact information about the duration of the connection to the wireless access point can be retrieved directly from the terminal. According to a specific implementation the user of the mobile terminal, i.e. the mobile subscriber, could be automatically charged by the mobile network operator's charging/billing infrastructure for the access service provided by the wireless access point, which is a third party entity from the viewpoint of the operator. For instance, it may be provided that the user pays via the normal phone bill issued by his provider. The charging model could be based on a flat-rate, a charge per access, or charging according to the consumed data or online time and possibly in conjunction with the actual user/data services used.
Concerning the owner of the wireless access point it may be provided that he profits by being compensated by the mobile network operator per use for providing the access service, for instance based on micro payments, on a flat-rate reimbursement or on exact accounting of access times and/or data volume consumed by customers of the mobile network operator. Alternatively, it may be provided that the owner of the wireless access point gets a reimbursement based on rough accounting - e.g. just the number of users that gained access, a rough estimate of traffic usage or online time. According to still another embodiment the owner of the wireless access point may get incentives, e.g. earn some points, which he/she can for example use to get access at other wireless access points, or exchange into other services or products offered by the operator or others.
To enable correct charging, efficient charging reporting is essential. For instance, according to one embodiment only the final usage is reported to the charging entity of the macro network (i.e. time of access and data usage). Alternatively, it may be provided that the start and end time of access plus periodic intermediate reports of used bandwidth are reported. The charging information may be provided either by the wireless access point or by the mobile terminal. However, according to a preferred embodiment it may be provided that both the wireless access point and the mobile terminal provide charging information. In such a case the charging entity can use both reports to validate them against each other. If the reports differ significantly, the macro network operator tries to identify the source of the problem. It may also start to "blacklist" the mobile terminal and/or the wireless access point. For the case that the user plane is routed through the mobile network operator's macro network (i.e. IPsec between UE and (e)PDG), charging can be applied there. Consequently, no charging reports will be needed from the mobile terminal and/or the wireless access point.
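One way to implement the report cross-check and the blacklisting step described above, as an added Python example that is not part of the patent; the report format, the tolerances, the mismatch threshold and all sample values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class UsageReport:
    """Final usage report as sent by either the WAP or the mobile terminal."""
    reporter: str      # "wap" or "mt"
    start: int         # session start, seconds since epoch (constructed values)
    end: int           # session end
    bytes_used: int    # data volume over the session


@dataclass(frozen=True)
class Reconciliation:
    ok: bool
    billable_seconds: int
    billable_bytes: int
    reason: str = ""


def reconcile(wap: Optional[UsageReport], mt: Optional[UsageReport],
              time_slack_s: int = 30, volume_tolerance: float = 0.10) -> Reconciliation:
    """Cross-check the two reports.  With only one report the session is billed
    as reported but marked unverified; with both, the session boundaries must
    agree within time_slack_s and the volumes within volume_tolerance
    (both limits are assumed policy values, not taken from the patent)."""
    reports = [r for r in (wap, mt) if r is not None]
    if not reports:
        return Reconciliation(False, 0, 0, "no charging report received")
    for r in reports:
        if r.end < r.start or r.bytes_used < 0:
            return Reconciliation(False, 0, 0, f"malformed report from {r.reporter}")
    if len(reports) == 1:
        r = reports[0]
        return Reconciliation(True, r.end - r.start, r.bytes_used,
                              f"unverified: only {r.reporter} reported")
    assert wap is not None and mt is not None
    if abs(wap.start - mt.start) > time_slack_s or abs(wap.end - mt.end) > time_slack_s:
        return Reconciliation(False, 0, 0, "session boundaries disagree")
    hi, lo = max(wap.bytes_used, mt.bytes_used), min(wap.bytes_used, mt.bytes_used)
    if hi and (hi - lo) / hi > volume_tolerance:
        return Reconciliation(False, 0, 0, "data volumes disagree")
    # Both agree: bill the smaller of the two figures so a disputed margin is
    # never charged to the subscriber or credited to the WAP owner.
    return Reconciliation(True, min(wap.end - wap.start, mt.end - mt.start), lo)


class ChargingEntity:
    """Charging entity of the macro network: reconciles reports and counts
    mismatches per terminal and per WAP so that repeat offenders can be
    flagged for blacklisting (the threshold is a constructed policy value)."""

    def __init__(self, mismatch_threshold: int = 3) -> None:
        self.threshold = mismatch_threshold
        self.mismatches: Counter = Counter()

    def process(self, mt_id: str, wap_id: str,
                wap: Optional[UsageReport], mt: Optional[UsageReport]) -> Reconciliation:
        result = reconcile(wap, mt)
        if not result.ok and wap is not None and mt is not None:
            # The source of the discrepancy is unknown at this point, so both
            # parties are counted; a later investigation decides who is at fault.
            self.mismatches[mt_id] += 1
            self.mismatches[wap_id] += 1
        return result

    def blacklist_candidates(self) -> Set[str]:
        return {k for k, n in self.mismatches.items() if n >= self.threshold}


if __name__ == "__main__":
    # Constructed sample session: WAP and terminal agree within tolerance.
    wap_report = UsageReport("wap", 1000, 1600, 50_000_000)
    mt_report = UsageReport("mt", 1005, 1598, 48_000_000)
    print(reconcile(wap_report, mt_report))
```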
There are several ways to design and further develop the teaching of the present invention in an advantageous way. To this end, reference is made to the patent claims subordinate to patent claims 1 and 15 on the one hand, and to the following explanation of a preferred example of an embodiment of the invention illustrated by the drawing on the other hand. In connection with the explanation of the preferred example of an embodiment of the invention by the aid of the drawing, generally preferred embodiments and further developments of the teaching will be explained. In the drawings
Fig. 1 schematically illustrates the principal architecture of a system for accessing private and/or commercially owned wireless access points according to an embodiment of the present invention,
Fig. 2 schematically illustrates a message flow for access credential generation between a mobile terminal, a macro network and a wireless access point according to an embodiment of the present invention, and
Fig. 3 schematically illustrates a message flow for access credential generation between the same entities of Fig. 2 according to another embodiment of the present invention.
Fig. 1 shows a system for accessing a private and/or commercially owned wireless access point, in the following briefly denoted WAP, according to an embodiment of the present invention. It is assumed that a user has a subscription with a mobile network operator, wherein a mobile terminal of the user has established a radio connection and security association to the mobile network operator's macro network. According to the invention the operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between the mobile terminal and the WAP on demand. That is, the invention utilizes the network access over one (wireless) access technology (e.g. 3G macro network) and the established security association between the mobile terminal/device and the operator to gain secure access to another (wireless) access network (e.g. a WLAN access point or a Femtocell) - possibly using a different (wireless) access technology.
The technology is not limited to WLAN - it applies equally to WiMAX APs and licensed band femto cells according to 3GPP or similar access technologies. The technology can also be used to allow semi-open access. In this case the owner of the WAP may need to provide the mobile user a "shared secret", which allows the terminal to use this approach to gain access to the WAP. The WAP (or AAA entity in case it is separate) may have a SIM or equivalent that can be used to secure communication between the WAP (or AAA entity) and the macro network operator network.
In the prior art, solutions exist which allow access to networks based on credentials retrieved from other providers using the same channel (or over the same access). The solution according to the present invention, however, uses a different channel (or different access network) to locate the "target" access point and retrieve the necessary access credentials for the "target" access - e.g. by utilizing a mobile operator's macro network infrastructure.
Access to a network can also be retrieved in advance (e.g. based on location and directional information), before the actual network becomes visible to the user. Furthermore, since the macro network operator is involved in the authorization process, the overall security of the operator network can be increased: The operator might restrict access to its infrastructure to devices which are connected via a network authorized as described in the present invention and/or deny access from/to networks that are considered insecure.
In a specific embodiment the WAP owners register their SSID, MAC, keys (e.g. WEP, WPA or the like), their location, and payment details with any operator. Inter-operator access to WAPs is handled using extended roaming agreements. In the roaming case, the WAS and/or a charging entity can be distributed across visited and home network, or only provisioned by the visited network. In the latter case, authentication by the home network can be accomplished via standard authentication mechanisms in the roaming case.
As already pointed out above, the present invention provides a unified approach for different types of wireless hotspots, e.g. WLAN and the open access mode of future licensed band femto cells according to 3GPP. In case of WLAN/WiMAX, access control to the WAP can be based on EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) using e.g. RADIUS or Diameter authentication. In this case the WAP would authenticate the mobile terminal using the RADIUS or Diameter protocol. The AAA function would be a RADIUS or Diameter server. Pre-shared key authentication has to be avoided, as access credentials should be of a temporary nature. Certificates can be issued by the authentication entities and distributed as with public/private keys. The authentication server can either be based in the macro network operator network or on the premises of the WAP owner, in which case the authentication has to involve another authentication entity within the macro network operator network (e.g. HSS, 3GPP AAA server or WAS). The communication between the authentication servers can be based on RADIUS, Diameter, etc.
Web-based access control solutions offer an interface for authentication to e.g. RADIUS or Diameter Server, where the user can input his credentials or the terminal by itself provides the previously negotiated/generated temporary access credentials using HTTP(S) to the WAP. In this case, the distribution of the credentials is identical to the EAP-TLS case.
In case of Femto cell/H(e)NB (Home NodeB) access control according to 3GPP, the mobile terminal (typically referred to as UE in 3GPP specifications) must first be configured to be aware of a H(e)NB. To this end, upon the access request sent from the mobile terminal to its provider's/operator's macro network, the mobile terminal is configured by the macro network provider/operator (e.g. triggered by the WAS) to become part of the user group (e.g. a Closed Subscriber Group) that is allowed to access the WAP. For this, the WAP is added to the list of allowed WAPs that the terminal can use. The management of membership may be achieved by a secure protocol between the UE and the macro network operator's network. In this case the WAS may be integrated with or interface with the network entity managing these lists of allowed H(e)NBs/CSGs.
To summarize, the present invention allows for wireless network access (e.g. Internet access or access to macro network operator services) through third-party wireless access points (WAPs) based on an established macro network operator subscription and an established security association between a mobile terminal and the macro operator network; after authentication and authorization of the mobile terminal, the macro operator (i.e. the wireless access server) will set up the necessary access credentials on the mobile terminal and the access point. The present invention realizes a decoupling of WAP ownership and network provision, i.e. third-party owners of WAPs can provide mobile users local access to the Internet or macro network operator services; the charging/accounting facility supported by the invention provides the necessary incentives for WAP owners to offer their WAP to mobile users in a simple, easy and cost-effective manner (e.g. the macro network operator's accounting and charging facilities, incl. the billing infrastructure, can be used).
Fig. 2 exemplarily illustrates a specific scheme that can be implemented for the generation of access credentials which are employed for establishing a secure and trusted connection between the mobile terminal and the wireless access point of Fig. 1. The only further entity being involved in the negotiation and/or transfer of the access credentials and the authorization data is a dedicated network entity located in the mobile network operator's macro network. In the examples described in connection with Fig. 2 this dedicated network entity is a server that provides an access network discovery functionality and selection support. In the following this server is referred to as wireless access server WAS.
Generally, it may be provided that the access credentials are generated by the mobile terminal. More specifically, the mobile terminal generates temporary access credentials and provides them to the WAS entity, which in turn delivers them to the WAP. According to another embodiment, temporary access credentials may be generated by the WAS and may then be provided both to the mobile terminal and to the WAP. Alternatively, it may also be provided that the WAP generates access credentials and provides them to the WAS, which in turn delivers them to the mobile terminal.
Instead of the access credentials being generated by a single entity only, it may be provided that access credentials are generated mutually by the WAP and the mobile terminal. Such a case is illustrated in Fig. 2. Both the mobile terminal and the WAP may provide a random number - number A from the mobile terminal and number B from the WAP - to the WAS, which in turn delivers it to the counterpart. In a next step both entities can compute the actual access credentials according to a well-known scheme, e.g. on the basis of a Diffie-Hellman algorithm. This way, the actual "secret" is never transmitted; only the WAP and the mobile terminal know the access credentials.
Once the access credentials have been established the mobile terminal uses them for login to the WAP, as illustrated in Fig. 2.
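The Fig. 2 exchange described above, as an added Python example that is not part of the patent: the terminal and the WAP each contribute a public Diffie-Hellman value (number A and number B), the WAS relays them together with the authorization data, and both endpoints derive the same temporary credential while the WAS only ever holds the public numbers. The demo-sized group, the HMAC binding of the credential to the terminal identity and SSID, the check on the peer's public value, and all identifiers and authorization values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Demo-sized multiplicative group, constructed for illustration only:
# P is the Mersenne prime 2**127 - 1.  A deployment would use an RFC 3526
# MODP group or an elliptic-curve group; the message flow is identical.
P = 2**127 - 1
G = 5


def derive_credential(shared_secret: int, mt_id: str, ssid: str) -> bytes:
    """Turn the raw Diffie-Hellman result into a temporary access credential.

    HMAC-SHA256 keyed with the shared secret binds the credential to the
    terminal identity and the WAP's SSID (an assumed design choice), so the
    same secret yields different credentials for different access points.
    """
    ikm = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(ikm, f"{mt_id}|{ssid}".encode(), hashlib.sha256).digest()


@dataclass
class Endpoint:
    """Either the mobile terminal or the WAP.  Only the public value leaves
    the entity; the private exponent and the final credential stay local."""
    name: str
    _priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1,
                       repr=False)
    credential: Optional[bytes] = None

    def public_value(self) -> int:
        # "number A" (terminal) or "number B" (WAP) in the patent's wording
        return pow(G, self._priv, P)

    def finish(self, peer_public: int, mt_id: str, ssid: str) -> bytes:
        # Reject degenerate peer values (0, 1, P-1, out of range) that would
        # collapse the shared secret to a predictable constant.
        if not 1 < peer_public < P - 1:
            raise ValueError(f"{self.name}: rejected invalid public value")
        shared = pow(peer_public, self._priv, P)
        self.credential = derive_credential(shared, mt_id, ssid)
        return self.credential


@dataclass
class WirelessAccessServer:
    """Operator-side relay (WAS).  It forwards A and B and attaches the
    authorization data; its log shows it only ever held public values."""
    observed: List[int] = field(default_factory=list)
    delivered_authz: Dict[str, object] = field(default_factory=dict)

    def relay(self, mt: Endpoint, wap: Endpoint, mt_id: str, ssid: str,
              authz: Dict[str, object]) -> None:
        a = mt.public_value()          # MT  -> WAS: number A
        b = wap.public_value()         # WAP -> WAS: number B
        self.observed += [a, b]
        self.delivered_authz = dict(authz)
        wap.finish(a, mt_id, ssid)     # WAS -> WAP: number A + authorization data
        mt.finish(b, mt_id, ssid)      # WAS -> MT:  number B


def run_exchange(mt_id: str = "imsi-placeholder", ssid: str = "demo-wap"):
    """Complete Fig. 2 style exchange with constructed sample values.
    Returns (mt_credential, wap_credential, was)."""
    mt, wap, was = Endpoint("MT"), Endpoint("WAP"), WirelessAccessServer()
    # Constructed authorization data of the kind the description mentions:
    # resource limits plus a restriction to the operator's (e)PDG.
    authz = {"max_data_rate_kbps": 2000, "scheduling_priority": 3,
             "allowed_destinations": ["operator-epdg-placeholder"]}
    was.relay(mt, wap, mt_id, ssid, authz)
    return mt.credential, wap.credential, was


def credentials_match(mt_id: str = "imsi-placeholder", ssid: str = "demo-wap") -> bool:
    """True when MT and WAP end up with the same credential and the WAS log
    contains nothing but the two public numbers."""
    mt_cred, wap_cred, was = run_exchange(mt_id, ssid)
    return mt_cred == wap_cred and len(was.observed) == 2


def rejects_degenerate_value(value: int) -> bool:
    """True when an endpoint refuses a trivial peer value such as 1 or P-1."""
    try:
        Endpoint("MT").finish(value, "imsi-placeholder", "demo-wap")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("credentials match:", credentials_match())
    print("rejects value 1:", rejects_degenerate_value(1))
```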
Alternatively, as illustrated in Fig. 3, the access credentials may be mutually generated involving the WAP, the mobile terminal and the WAS. In this case all involved entities (i.e. mobile terminal, WAP and WAS) contribute to the generation of the access credentials. More specifically, the WAS uses the information element obtained from the mobile terminal - number A - plus a self-generated key pair to generate the access credentials for the WAP and sends it to the WAP. Similarly, the WAS generates access credentials for the mobile terminal (i.e. based on an information element obtained from the WAP - number B - and the inverse key) and sends it to the mobile terminal.
Again, once the access credentials have been established the mobile terminal uses them for login to the WAP.
In both cases, i.e. in case of Fig. 2 and of Fig. 3, the following protocol options are considered for the negotiation and configuration of the access credentials and provisioning of the authorization data on the AP:
- Diameter
- Radius
- TR069
- IETF or IMS SIP
- OMA DM
- IEEE 802.21
- HTTPS
As protocol options between the mobile Terminal and the WAS for negotiation and configuration of the access credentials and provisioning of the relevant authorization data, the following protocols are considered:
• Non-Access Stratum (NAS) - especially in case the WAP is based on a 3GPP defined radio technology, such as in case of a HNB or HeNB
• OMA DM
• IEEE 802.21
• HTTPS
Besides common network security mechanisms, i.e. key or certificate based encryption (e.g. based on IPsec, HTTPS, SSL) between the AAA function and the macro network operator, network security between the AAA and macro network operator network can also be based on a SIM included in the WAP or AAA. In this regard it is important to note that network security can be terminated in an entity "before" the WAS - e.g. an (e)PDG.
Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims
1. Method for accessing private and/or commercially owned wireless access points, wherein a user has a subscription with a mobile network operator and wherein a mobile terminal of said user has established a radio connection and security association to said mobile network operator's macro network, characterized in that said mobile network operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between said mobile terminal and said wireless access point on demand.
2. Method according to claim 1, wherein said macro network includes a dedicated network entity that provides access network discovery.
3. Method according to claim 2, wherein said user's mobile terminal sends an access request via radio to said dedicated network entity.
4. Method according to claim 2 or 3, wherein said dedicated network entity of said macro network generates a list of possible wireless access points.
5. Method according to any of claims 2 to 4, wherein said mobile terminal performs a selective scan for possible wireless access points and informs said dedicated network entity of said macro network about the selected wireless access point.
6. Method according to claim 5, wherein said dedicated network entity of said macro network contacts said selected wireless access point or an associated AAA entity.
7. Method according to any of claims 1 to 6, wherein said access credentials and/or authorization data are provided by said wireless access point or said associated AAA entity.
8. Method according to any of claims 2 to 7, wherein said dedicated network entity of said macro network provides information elements for the generation of said access credentials and/or authorization data to said mobile terminal.
9. Method according to any of claims 1 to 8, wherein said authorization data includes information defining the resources said mobile terminal is allowed to consume.
10. Method according to any of claims 1 to 9, wherein after successful authentication and/or authorization all data transfer from/to said mobile terminal is going through said wireless access point.
11. Method according to any of claims 1 to 10, wherein either said mobile terminal or said wireless access point or both inform said dedicated network entity of said macro network of successful connection.
12. Method according to any of claims 1 to 11, wherein said mobile network operator's macro network keeps track of the connection duration and consumed bandwidth.
13. Method according to any of claims 1 to 12, wherein the user of said mobile terminal is charged for the access service provided by said wireless access point by said mobile network operator.
14. Method according to any of claims 1 to 13, wherein the owner of said wireless access point is compensated by said mobile network operator, preferably based on accounting of access times and/or data volume consumed by customers of said mobile network operator.
15. System for accessing private and/or commercially owned wireless access points, wherein a user has a subscription with a mobile network operator and wherein a mobile terminal of said user has established a radio connection and security association to said mobile network operator's macro network, characterized in that said mobile network operator's macro network is used to negotiate and/or transfer access credentials and/or authorization data between said mobile terminal and said wireless access point on demand.
16. System according to claim 15, wherein said macro network includes a network entity, preferably a server, that provides access network discovery functionality and selection support.
17. System according to claim 15 or 16, wherein said wireless access point has an integrated AAA functionality.
PCT/EP2009/008142 2008-11-14 2009-11-16 Method and system for accessing private and/or commercially owned wireless access points WO2010054843A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP08019905.2 2008-11-14
EP08019905 2008-11-14

Publications (1)

Publication Number Publication Date
WO2010054843A1 true WO2010054843A1 (en) 2010-05-20

Family

ID=41531821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/008142 WO2010054843A1 (en) 2008-11-14 2009-11-16 Method and system for accessing private and/or commercially owned wireless access points

Country Status (1)

Country Link
WO (1) WO2010054843A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2393083A (en) * 2002-09-10 2004-03-17 Hewlett Packard Development Co Checking authenticity of provider of location based (hotspot) service
US20050130627A1 (en) * 2003-11-26 2005-06-16 Benoit Calmels Authentication between a cellular phone and an access point of a short-range network
EP1565030A1 (en) * 2004-02-10 2005-08-17 Alcatel Method for selecting a communications network, based on information about wireless LAN access points transmitted by a cellular network
US20060221917A1 (en) * 2005-04-01 2006-10-05 Mcrae Matthew B Access point provisioning and mapping in dual mode devices
US20070256135A1 (en) * 2006-04-26 2007-11-01 Sbc Knowledge Ventures, L.P. Wireless local area network access controlled by cellular communications

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2479376A (en) * 2010-04-07 2011-10-12 Toshiba Res Europ Ltd Negotiating with a femto-cell base station for access to a portion of a physical radio channel for communicating to a user station
GB2479376B (en) * 2010-04-07 2012-05-02 Toshiba Res Europ Ltd Mechanism of mobility management through a group of femto-cell base stations on offloading data-packets
WO2013130336A1 (en) * 2012-02-29 2013-09-06 Apple Inc. Seamless transition of a cellular telephone from cellular to wi-fi communication
CN104205933A (en) * 2012-02-29 2014-12-10 苹果公司 Seamless transition of a cellular telephone from cellular to Wi-Fi communication
JP2015512220A (en) * 2012-02-29 2015-04-23 アップル インコーポレイテッド Seamless transition of cellular telephone from cellular communication to Wi-Fi communication
CN104205933B (en) * 2012-02-29 2020-01-07 苹果公司 Seamless transition of cellular phone from cellular communication to Wi-Fi communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09793453

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09793453

Country of ref document: EP

Kind code of ref document: A1