WO2008001988A1 - System and method for managing network/service access for linkage between network access and application service

Info

Publication number
WO2008001988A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
service
shared key
wireless connection
network
Legal status
Ceased
Application number
PCT/KR2006/005713
Other languages
French (fr)
Inventor
Dong-Hoon Kim
Hyeon-Suk Lee
Gyung-Mo Kang
Je-Min Jung
Eun-Sook Jin
Current Assignee
KT Corp
Original Assignee
KT Corp

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 12/00: Data switching networks
    • H04L 12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to a network/service connection management system and method for linkage between wireless connection and application service connection, and more particularly, to a network/service connection management system and method for linkage between wireless connection and application service connection, which allow a user to conveniently use supplementary application services without inputting any separate authentication information and also can provide a network provider with wireless connection service along with application services linked therewith to maximize profit creation effect, by interlinking between the wireless connection and the supplementary application service connection, that is, by managing the application service connection using wireless connection information.
  • Mobile communication networks such as the existing CDMA (Code Division Multiple Access) and PCS (Personal Communications Services) networks are closed networks, in which providers not authorized by the mobile communication companies (network providers) operating the network cannot offer services.
  • the next generation IP network such as WiBro is an All-IP based open network, in which anyone may offer services, as on the wired Internet.
  • OS: general purpose operating system
  • 'wireless connection (wireless connection service)' and 'service connection (supplementary application service connection)' are dealt with separately.
  • the wireless connection service enables the use of IP-based services such as the Internet through connection between a user terminal and a network offered by a network provider with fee.
  • the supplementary application service is an application service with added value that is offered by various providers by using the web browser of the user terminal, application program or the like based on the wireless connection service.
  • on the service user side, the user must input an ID/password separately even after wireless connection to use the supplementary application services under the existing Internet environment. Then, an application program in the user terminal executes a service connection authentication procedure with a service providing system in accordance with a service connection protocol, using the inputted authentication information.
  • the conventional connection management system, which manages the wireless connection procedure and the supplementary application service connection procedure separately, requires the user to input the service authentication information (ID/password) separately for use of the corresponding supplementary application service even after wireless connection, thus causing inconvenience.
  • although the general purpose portable terminal such as a PDA is the main terminal used in the open network-based All-IP network of WLAN, WiBro, etc., a separate user information input procedure is required for service authentication.
  • An embodiment of the present invention is directed to providing a network/service connection management system and method for linkage between wireless connection and application service connection, which allow a user to conveniently use supplementary application services without inputting any separate authentication information and also can provide a network provider with wireless connection service along with application services linked therewith to maximize profit creation effect, by interlinking between the wireless connection and the supplementary application service connection, that is, by managing the application service connection using wireless connection information.
  • a network/service connection management server for linkage between wireless connection and application service connection, including: a wireless connection managing unit for performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; an authentication gateway for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (server side's shared key) by using the session information and storing it in connection with the terminal ID, and transferring the server side's shared key upon request of an application service providing unit; and the application service providing unit for accepting the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal, and comparing the server side's shared key received from the authentication gateway in response to its request with the terminal side's shared key to execute the service connection authentication.
  • a user terminal for linkage between wireless connection and application service connection, including: a wireless connection managing unit for performing a wireless connection authentication procedure with a network/service connection managing server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; a wireless common session managing unit for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (terminal side's shared key) by using the session information and storing it in association with the terminal ID, and transferring the terminal side's shared key upon request of an application service request unit; and the application service request unit for transmitting the terminal ID and the terminal side's shared key to the network/service connection management server along with a service authentication request.
  • a network/service connection management method for use in a network/service connection management server, including steps of: (a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in step (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID; (c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and (d) searching for the server side's shared key by using the terminal ID received from the user terminal, and comparing the found server side's shared key with the terminal side's shared key to perform the service connection authentication.
  • a network/service connection management method for use in a user terminal, including steps of: (a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in step (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal ID; and (c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
  • a computer-readable storage medium which stores, in a network/service connection management server having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of: (a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in function (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID; (c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and (d) searching for the server side's shared key by using the terminal ID received from the user terminal, and comparing the found server side's shared key with the terminal side's shared key to perform service connection authentication.
  • a computer-readable storage medium which stores, in a user terminal having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of: (a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in function (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal ID; and (c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
  • the present invention performs the service connection authentication by using the inherent information of the terminal (user terminal) and the wireless connection session information that are acquired during the wireless connection procedure, provided only that the wireless connection has been established, thereby enabling the user to conveniently receive desired application services without inputting any additional information for supplementary service authentication.
  • the present invention allows the provider (network provider) who offers wireless connection to process the wireless connection and service connection by SSO (Single-Sign-On) and thus can provide more convenient service to clients, and also enables service connection by using the results of wireless connection without any separate service procedure.
  • the present invention can allow the clients to create more profit by locking-in the service offered by the provider.
  • Fig. 1 is a diagram illustrating the structure of a network/service connection management system for linkage between wireless connection and application service connection in accordance with a preferred embodiment of the present invention.
  • Fig. 2 is a flowchart illustrating a network/service connection management method for linkage between wireless connection and application service connection in accordance with another preferred embodiment of the present invention.
  • the network/service connection management system of the present invention largely includes a user terminal 100 and a network/service connection management server 110.
  • the user terminal 100 is constituted by a wireless connection manager (WCM) 101, a wireless common session manager (WCSM) 102, and an APP (application) client 103.
  • WCM: wireless connection manager
  • WCSM: wireless common session manager
  • APP: application
  • the network/service connection management server 110 is constituted by a wireless connection management server 111, an authentication gateway (G/W) 112, and an APP (application) server 113.
  • the WCM 101 performs a wireless connection authentication procedure with the wireless connection management server 111 of the network/service connection management server, and acquires an inherent identification number (terminal ID) and session information (wireless connection session information) of the user terminal during the wireless connection authentication procedure.
  • the wireless connection service (wireless connection authentication procedure) is carried out according to an international standard authentication protocol such as EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement).
  • the session information is shared with the network/service connection management server 110 during the wireless connection authentication procedure.
  • the same session information is a secret key called a session key.
  • This secret key is a value derived by calculation, by each of the user terminal 100 and the wireless connection management server 111, from the information communicated between them during the wireless connection procedure, rather than being itself transmitted between them during that procedure. Therefore, the secret key is sound in terms of security.
  • the WCSM 102 receives the terminal ID and session information from the WCM 101, generates a shared key (a key for service authentication, shared by the user terminal and the network/service connection management server; hereinafter referred to as 'terminal side's shared key') by using the session information, and stores it in association with the terminal ID. After that, if the WCSM 102 gets a request for a service authentication factor from the APP (application) client 103, it transfers, in response, 'the corresponding terminal ID' and 'the encrypted terminal side's shared key'.
  • the APP client 103 serves as 'application service request means': it transmits the terminal ID and the terminal side's shared key to the APP server 113 of the network/service connection management server along with the service authentication request, and receives the authentication result (including user information) in response.
  • the following is a description for each of the components in the network/service connection management server 110 for linkage between wireless connection and application service connection.
  • the wireless connection management server 111 performs a wireless connection authentication procedure with the user terminal 100, and acquires an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure.
  • the wireless connection service (wireless connection authentication procedure) is carried out according to an international standard authentication protocol such as EAP-AKA.
  • the session information is shared with the user terminal 100 during the wireless connection authentication procedure. That is, the same session information is shared between the user terminal 100 and the network/service connection management server 110.
  • the wireless connection management server 111 may be an AAA (Authentication, Authorization and Accounting) server (see Fig. 2).
  • the authentication G/W 112 receives the terminal ID and the session information (wireless connection session information) from the wireless connection management server 111, generates a shared key (server side's shared key) by using the session information, and stores it in association with the terminal ID.
  • the shared key generating procedure using the session information is performed by the user terminal 100 and the network/service connection management server 110, respectively, wherein the same algorithm is used.
  • if the authentication G/W 112 gets a request for a service authentication factor from the APP server 113, it transfers, in response, 'the corresponding terminal ID' and 'the encrypted server side's shared key'.
  • the APP server 113 serves as 'application service providing means': if it receives the terminal ID and the shared key (terminal side's shared key) from the APP client 103 of the user terminal along with the service authentication request, it requests the authentication G/W 112 to send the corresponding server side's shared key, using the 'received terminal ID' as the index. Then, the APP server 113 accepts the server side's shared key from the authentication G/W 112 and compares the terminal side's shared key with the server side's shared key.
  • if the two shared keys are the same, an authentication success message (which may contain user information such as a user profile) is sent to the user terminal 100, and if they differ, an authentication failure message is forwarded to the user terminal 100.
  • the present invention allows the user to conveniently and safely connect to and use the supplementary application services by using the session information (secret key) created during the wireless connection procedure, without entering any separate ID/password.
  • Fig. 2 is a flowchart illustrating a network/service connection management method for linkage between wireless connection and application service connection in accordance with another preferred embodiment of the present invention.
  • the method of the invention may be applied to wireless LAN services (open network environment) such as WiBro as well as to the wired Internet.
  • the WCM 101 carries out wireless connection authentication with the AAA server 111 by using the EAP-AKA protocol (200).
  • the identification information (identifier) used is the 'inherent identification number of the user terminal (terminal ID)', an inherent identifier of the terminal that is not exposed to the user or to the outside.
  • the same session information (a session key serving as a secret key, corresponding to the MSK (Master Session Key)) is created on both the WCM 101 and the AAA server 111.
  • This session information is not a value transmitted over the network during the wireless connection procedure, but a value that each of the WCM 101 and the AAA server 111 derives by its own calculation from the information communicated between them during the authentication procedure, owing to the nature of the protocol.
  • the WCM 101 and the AAA server 111 acquire the terminal ID and the session information through the authentication procedure.
  • in the user terminal 100, step 202 of transferring the terminal ID and the session information (wireless connection session information) from the WCM 101 to the WCSM 102 is performed; and in the network/service connection management server 110, step 204 of transferring the terminal ID and the session information (wireless connection session information) from the AAA server 111 to the authentication G/W 112 is carried out.
  • the WCSM 102 and the authentication G/W 112 each hash the received session information with the same algorithm and keep the result. Thus the WCSM 102 and the authentication G/W 112 create a shared key that is not exposed to the outside but known only to the two sides (steps 206 and 208). That is, the WCSM 102 and the authentication G/W 112 create the shared key by using the session information.
  • The following is a description of the service (supplementary application service) connection procedure 20.
  • the various APP clients 103 in the user terminal do not accept an ID and password from the user separately for service connection with the APP server 113, but obtain the shared key (terminal side's shared key) and the terminal ID by requesting them from the WCSM 102 (steps 210 and 212). Further, the APP client 103 requests the APP server 113 to execute service authentication (step 214). At this time, the authentication algorithm may follow various standards, and the shared key is encrypted before being sent to the APP server 113. The APP server 113, on receiving the authentication request, requests the authentication G/W 112 to send the corresponding server side's shared key, using the received terminal ID as the index, and then receives it therefrom (steps 216 and 218).
  • the APP server 113 performs the service authentication by confirming whether the terminal side's shared key is the same as the server side's shared key (step 220), and thereafter sends the authentication result (step 222). At this time, the user information provided by the authentication G/W 112 may be sent along with the authentication result.
  • the APP server 113 can identify the person who requested the service authentication from the user information provided by the authentication G/W 112, and returns the authentication result to the APP client 103.
  • although the APP server 113 does not receive a separate ID and password from the user, it completes the service connection by employing the terminal's inherent ID and the shared key, and can know the user information as well.
  • the method of the present invention as described above may be implemented by a software program stored in a computer-readable storage medium such as a CD-ROM, RAM, ROM, floppy disk, hard disk, magneto-optical disk, or the like. This procedure may be readily carried out by those skilled in the art, and therefore details thereof are omitted here.
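The Fig. 2 flow (steps 200 to 222) as a runnable model, added here as an example; it is not code from the patent or from KT Corp. It assumes EAP-AKA can be stood in for by an HMAC over a constructed long-term key and a RAND (so only RAND crosses the network and both sides derive the same MSK), that the shared key is HMAC-SHA256 over the MSK under a hypothetical label (the patent only requires the same hash on both sides), and that the "encrypted" terminal side's shared key on the wire is represented by the derived key itself; terminal IDs, keys and the profile are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

SHARED_KEY_LABEL = b"service-auth-shared-key"  # hypothetical label; patent only fixes "same algorithm both sides"


def derive_msk(long_term_key: bytes, terminal_id: str, rand: bytes) -> bytes:
    """Stand-in for EAP-AKA (assumption): only RAND crosses the network; each side derives the MSK locally."""
    return hmac.new(long_term_key, rand + terminal_id.encode(), hashlib.sha512).digest()


def derive_shared_key(session_info: bytes) -> bytes:
    """Steps 206/208: WCSM 102 and G/W 112 hash the session information alike; the key never crosses the network."""
    return hmac.new(session_info, SHARED_KEY_LABEL, hashlib.sha256).digest()


class AuthGateway:
    """Authentication G/W 112: server side's shared key and user profile, indexed by terminal ID."""
    def __init__(self, profiles: dict[str, dict]):
        self.profiles = profiles
        self.keys: dict[str, bytes] = {}

    def register(self, terminal_id: str, session_info: bytes) -> None:
        # Steps 204/208: a fresh wireless session replaces any older key held for this terminal ID.
        self.keys[terminal_id] = derive_shared_key(session_info)

    def lookup(self, terminal_id: str) -> tuple[bytes, dict] | None:
        """Step 218: key plus user information for the received terminal ID, or None if unknown."""
        key = self.keys.get(terminal_id)
        return None if key is None else (key, self.profiles.get(terminal_id, {}))


class AAAServer:
    """Wireless connection management server 111 (AAA)."""
    def __init__(self, subscribers: dict[str, bytes], gateway: AuthGateway):
        self.subscribers = subscribers  # terminal ID -> long-term key (constructed)
        self.gateway = gateway

    def authenticate(self, terminal_id: str) -> bytes | None:
        """Step 200: returns RAND for a known terminal; the MSK itself stays on the server side."""
        k = self.subscribers.get(terminal_id)
        if k is None:
            return None
        rand = secrets.token_bytes(16)
        self.gateway.register(terminal_id, derive_msk(k, terminal_id, rand))  # step 204
        return rand


class AppServer:
    """APP server 113: service authentication by comparing the two shared keys."""
    def __init__(self, gateway: AuthGateway):
        self.gateway = gateway

    def authenticate(self, terminal_id: str, terminal_key: bytes) -> tuple[bool, dict]:
        found = self.gateway.lookup(terminal_id)  # step 216
        if found is None:
            return False, {}  # terminal ID unknown or not currently wirelessly connected
        server_key, profile = found
        # Step 220, in constant time so the comparison leaks nothing about the stored key.
        if not hmac.compare_digest(server_key, terminal_key):
            return False, {}
        return True, profile  # step 222: result together with the user information


class Terminal:
    """User terminal 100: WCM 101 (wireless auth), WCSM 102 (shared key), APP client 103."""
    def __init__(self, terminal_id: str, long_term_key: bytes):
        self.terminal_id = terminal_id
        self.long_term_key = long_term_key  # would live in the USIM on a real terminal
        self.shared_key = None

    def connect_wireless(self, aaa: AAAServer) -> bool:
        rand = aaa.authenticate(self.terminal_id)  # step 200
        if rand is None:
            return False
        msk = derive_msk(self.long_term_key, self.terminal_id, rand)
        self.shared_key = derive_shared_key(msk)  # WCM -> WCSM, steps 202/206
        return True

    def request_service(self, app: AppServer) -> tuple[bool, dict]:  # APP client 103, steps 210-214
        if self.shared_key is None:
            return False, {}  # no wireless session, so no authentication factor to present
        return app.authenticate(self.terminal_id, self.shared_key)


def demo() -> tuple[bool, dict, bool]:
    """Runs the full flow on constructed data; returns (success, profile, result for a forged key)."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed long-term key
    gateway = AuthGateway({"TERM-0001": {"user": "alice", "plan": "wibro-basic"}})
    aaa = AAAServer({"TERM-0001": k}, gateway)
    app = AppServer(gateway)
    terminal = Terminal("TERM-0001", k)
    if not terminal.connect_wireless(aaa):
        raise RuntimeError("wireless connection authentication failed")
    ok, profile = terminal.request_service(app)
    forged, _ = app.authenticate("TERM-0001", bytes(32))  # wrong key presented for a valid terminal ID
    return ok, profile, forged
```

Because the APP server only ever sees the terminal ID and a key derived from the current wireless session, a new wireless connection silently invalidates the old service credential, which is why the gateway overwrites rather than appends.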

Abstract

There is provided a network/service connection management server for linkage between wireless connection and application service connection, including: a wireless connection managing unit for performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number of the user terminal and session information; an authentication gateway for receiving the terminal ID and the session information from the wireless connection managing unit, and transferring the server side's shared key upon request of an application service providing unit; and the application service providing unit for accepting the terminal ID and a shared key along with a service authentication request from the user terminal.

Description

SYSTEM AND METHOD FOR MANAGING NETWORK/SERVICE ACCESS FOR LINKAGE BETWEEN NETWORK ACCESS AND APPLICATION SERVICE
TECHNICAL FIELD
The present invention relates to a network/service connection management system and method for linkage between wireless connection and application service connection, and more particularly, to a network/service connection management system and method for linkage between wireless connection and application service connection, which allow a user to conveniently use supplementary application services without inputting any separate authentication information and also can provide a network provider with wireless connection service along with application services linked therewith to maximize profit creation effect, by interlinking between the wireless connection and the supplementary application service connection, that is, by managing the application service connection using wireless connection information.
BACKGROUND ART
Mobile communication networks such as the existing CDMA (Code Division Multiple Access) and PCS (Personal Communications Services) networks are closed networks, in which providers not authorized by the mobile communication companies (network providers) operating the network cannot offer services. But the next generation IP network such as WiBro is an All-IP based open network, in which anyone may offer services, as on the wired Internet. Further, it is a general tendency that user terminals using these next generation wireless services employ a general purpose operating system (OS) such as MS Windows provided by Microsoft Corp., Linux, or the like. Therefore, 'wireless connection (wireless connection service)' and 'service connection (supplementary application service connection)' are dealt with separately. Here, the wireless connection service enables the use of IP-based services such as the Internet through connection between a user terminal and a network offered by a network provider for a fee. And the supplementary application service is an application service with added value that is offered by various providers through the web browser of the user terminal, an application program or the like, on top of the wireless connection service.
It is however a recent tendency that network providers offer the supplementary application services with added value, in addition to the wireless connection service, so as to create more profit.
As mentioned above, in order for the network providers to offer both the wireless connection service and the supplementary application services, there is an urgent need for an environment in which the user terminal can conveniently receive the wireless connection service and the supplementary application services by using one identity. That is, it is required to establish an environment for convenient use of services through connection management for linkage between the wireless connection service and the supplementary application services, which are currently dealt with separately.
Meanwhile, on the service user side, the user must input an ID/password separately even after wireless connection to use the supplementary application services under the existing Internet environment. Then, an application program in the user terminal executes a service connection authentication procedure with a service providing system in accordance with a service connection protocol, using the inputted authentication information. In other words, the conventional connection management system, which manages the wireless connection procedure and the supplementary application service connection procedure separately, requires the user to input the service authentication information (ID/password) separately for use of the corresponding supplementary application service even after wireless connection, thus causing inconvenience. Specifically, although the general purpose portable terminal such as a PDA is the main terminal used in the open network-based All-IP network of WLAN, WiBro, etc., a separate user information input procedure is required for service authentication.
DISCLOSURE
TECHNICAL PROBLEM
An embodiment of the present invention is directed to providing a network/service connection management system and method for linkage between wireless connection and application service connection, which allow a user to conveniently use supplementary application services without inputting any separate authentication information and also can provide a network provider with wireless connection service along with application services linked therewith to maximize profit creation effect, by interlinking between the wireless connection and the supplementary application service connection, that is, by managing the application service connection using wireless connection information. Other objects and advantages of the present invention can be understood by the following description, and become apparent with reference to the embodiments of the present invention. Also, it is obvious to those skilled in the art of the present invention that the objects and advantages of the present invention can be realized by the means as claimed and combinations thereof.
TECHNICAL SOLUTION
In accordance with an aspect of the present invention, there is provided a network/service connection management server for linkage between wireless connection and application service connection, including: a wireless connection managing unit for performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; an authentication gateway for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (server side's shared key) by using the session information and storing it in connection with the terminal ID, and transferring the server side's shared key upon request of an application service providing unit; and the application service providing unit for accepting the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal, and comparing the server side's shared key received from the authentication gateway in response to its request with the terminal side's shared key to execute the service connection authentication.
In accordance with another aspect of the present invention, there is provided a user terminal for linkage between wireless connection and application service connection, including: a wireless connection managing unit for performing a wireless connection authentication procedure with a network/service connection managing server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; a wireless common session managing unit for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (terminal side's shared key) by using the session information and storing it in association with the terminal ID, and transferring the terminal side's shared key upon request of an application service request unit; and the application service request unit for transmitting the terminal ID and the terminal side's shared key to the network/service connection management server along with a service authentication request.
In accordance with another aspect of the present invention, there is provided a network/service connection management method for use in a network/service connection management server, including steps of: (a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in the step (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID; (c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and (d) searching the server side's shared key by using the terminal ID from the user terminal, and comparing the searched server side's shared key with the terminal side's shared key to perform the service connection authentication.
In accordance with another aspect of the present invention, there is provided a network/service connection management method for use in a user terminal, including steps of: (a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in the step (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal's ID; and (c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
In accordance with another aspect of the present invention, there is provided a computer-readable storage medium which stores, in a network/service connection management server having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of: (a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in the function (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID; (c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and (d) searching the server side's shared key by using the terminal ID received from the user terminal, and comparing the searched server side's shared key with the terminal side's shared key to perform service connection authentication.
In accordance with another aspect of the present invention, there is provided a computer-readable storage medium which stores, in a user terminal having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of: (a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; (b) if the wireless connection is authenticated in the function (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal ID; and (c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
ADVANTAGEOUS EFFECTS
As mentioned above and as will be discussed below, the present invention performs the service connection authentication by using the inherent information of the terminal (user terminal) and the wireless connection session information acquired during the wireless connection procedure, once the wireless connection has been established, thereby enabling the user to conveniently receive desired application services without inputting any additional information for supplementary service authentication.
In addition, the present invention allows the provider (network provider) who offers wireless connection to process the wireless connection and service connection by SSO (Single-Sign-On) and thus can provide more convenient service to clients, and also enables service connection by using the results of wireless connection without any separate service procedure. As a result, the present invention can allow the clients to create more profit by locking-in the service offered by the provider.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a diagram illustrating the structure of a network/service connection management system for linkage between wireless connection and application service connection in accordance with a preferred embodiment of the present invention.
Fig. 2 is a flowchart illustrating a network/service connection management method for linkage between wireless connection and application service connection in accordance with another preferred embodiment of the present invention.
BEST MODE FOR THE INVENTION
The advantages, features and aspects of the invention will become apparent from the following description of the embodiments with reference to the accompanying drawings, which is set forth hereinafter. Thus, the present invention will be easily carried out by those skilled in the art. Further, in the following description, well-known arts will not be described in detail if it seems that they could obscure the invention in unnecessary detail. Hereinafter, preferred embodiments of the present invention will be set forth in detail with reference to the accompanying drawings.
Fig. 1 is a diagram illustrating the structure of a network/service connection management system for linkage between wireless connection and application service connection in accordance with a preferred embodiment of the present invention. The network/service connection management system of the present invention largely includes a user terminal 100 and a network/service connection management server 110. Here, the user terminal 100 is constituted by a wireless connection manager (WCM) 101, a wireless common session manager (WCSM) 102, an APP (application) client 103, and the network/service connection management server 110 is constituted by a wireless connection management server 111, an authentication gateway (G/W) 112, and an APP (application) server 113.
First, each of the components in the user terminal 100 for linkage between wireless connection and application service connection will be described below.
The WCM 101 performs a wireless connection authentication procedure with the wireless connection management server 111 of the network/service connection management server, and acquires an inherent identification number (terminal ID) and session information (wireless connection session information) of the user terminal during the wireless connection authentication procedure. Here, the wireless connection service (wireless connection authentication procedure) is carried out according to an international-standard authentication protocol such as EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement). The session information is shared with the network/service connection management server 110 during the wireless connection authentication procedure: when the wireless connection succeeds, the same session information (a secret key called the session key) is held by both the user terminal 100 and the wireless connection management server 111. This secret key is not itself transmitted during the wireless connection procedure; rather, each of the user terminal 100 and the wireless connection management server 111 derives it by calculation from the information communicated between them during that procedure. The secret key is therefore secure. Meanwhile, the WCSM 102 receives the terminal ID and session information from the WCM 101, generates a shared key (a key for service authentication, shared by the user terminal and the network/service connection management server; hereinafter referred to as the 'terminal side's shared key') by using the session information, and stores it in association with the terminal ID.
After that, if the WCSM 102 receives a request for the service authentication factor from the APP (application) client 103, it transfers in response 'the corresponding terminal ID' and 'the encrypted terminal side's shared key'.
The APP client 103 serves as the 'application service request means': it transmits the terminal ID and the terminal side's shared key to the APP server 113 of the network/service connection management server along with the service authentication request, and receives the authentication result (including user information) in response.
The following is a description for each of the components in the network/service connection management server 110 for linkage between wireless connection and application service connection.
The wireless connection management server 111 performs a wireless connection authentication procedure with the user terminal 100, and acquires an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure. Here, the wireless connection service (wireless connection authentication procedure) is carried out according to an international-standard authentication protocol such as EAP-AKA. The session information is shared with the user terminal 100 during the wireless connection authentication procedure; that is, the same session information is held by both the user terminal 100 and the network/service connection management server 110. Upon system implementation, the wireless connection management server 111 may be an AAA (Authentication, Authorization and Accounting) server (see Fig. 2). The authentication G/W 112 receives the terminal ID and the session information (wireless connection session information) from the wireless connection management server 111, generates a shared key (server side's shared key) by using the session information, and stores it in association with the terminal ID. Here, the shared key generating procedure using the session information is performed by the user terminal 100 and the network/service connection management server 110 respectively, each using the same algorithm. Next, if the authentication G/W 112 receives a request for the service authentication factor from the APP server 113, it transfers in response 'the corresponding terminal ID' and 'the encrypted server side's shared key'.
The APP server 113 serves as the 'application service providing means'. If it receives the terminal ID and the shared key (terminal side's shared key) from the APP client 103 of the user terminal along with the service authentication request, it requests the authentication G/W 112 to send the corresponding server side's shared key, using the 'received terminal ID' as the index. The APP server 113 then accepts the server side's shared key from the authentication G/W 112 and compares the terminal side's shared key with the server side's shared key. If the shared keys are identical, an authentication success message (which may contain user information such as a user profile) is sent to the user terminal 100; if they differ, an authentication failure message is forwarded to the user terminal 100.
As set forth above, the present invention allows the user to conveniently and safely connect to and use the supplementary application services by using the session information (secret key) created during the wireless connection procedure, without entering any separate ID/password.
Fig. 2 is a flowchart illustrating a network/service connection management method for linkage between wireless connection and application service connection in accordance with another preferred embodiment of the present invention. The method of the invention may be applied to wireless LAN services (open network environment) such as WiBro as well as to the wired Internet.
First, the wireless connection procedure 200 executed between the WCM 101 and the AAA server 111 (corresponding to the wireless connection management server in Fig. 1) will be described. The WCM 101 carries out wireless connection authentication with the AAA server 111 using the EAP-AKA protocol (200). The identification information (identifier) used here is the 'inherent identification number of the user terminal (terminal ID)', an inherent identifier of the terminal that is not exposed to the user or to the outside.
Once the wireless connection authentication has been completed, the same session information (a session key serving as a secret key, corresponding to the MSK (Master Session Key)) exists on both the WCM 101 and the AAA server 111. This session information is not a value transmitted over the network during the wireless connection procedure; by the nature of the protocol, each side derives it by its own calculation from the information communicated between the WCM 101 and the AAA server 111 during the authentication procedure.
In this way, the WCM 101 and the AAA server 111 acquire the terminal ID and the session information through the authentication procedure.
The following is a description for each of the steps 202, 204, 206 and 208 of creating a shared key between the WCSM 102 and the authentication G/W 112.
If the wireless connection has been completed, in the user terminal 100, the step 202 of transferring the terminal ID and the session information (wireless connection session information) from the WCM 101 to the WCSM 102 is performed; and in the network/service connection management server 110, the step 204 of transferring the terminal ID and the session information (wireless connection session information) from the AAA server 111 to the authentication G/W 112 is carried out.
The WCSM 102 and the authentication G/W 112 hash and keep the received session information through the use of the same algorithm. So, the WCSM 102 and the authentication G/W 112 create the shared key that is not exposed to outside but known only to both sides (steps 206 and 208). That is, the WCSM 102 and the authentication G/W 112 create the shared key by using the session information.
The following is a description for the service (supplementary application services) connection procedure 20.
The various APP clients 103 in the user terminal do not accept an ID and password from the user separately for service connection with the APP server 113; instead, they obtain the shared key (terminal side's shared key) and the terminal ID by requesting them from the WCSM 102 (steps 210 and 212). The APP client 103 then requests the APP server 113 to execute service authentication (step 214). The authentication algorithm may follow various standards; the shared key is encrypted before being sent to the APP server 113. The APP server 113, on receiving the authentication request, requests the authentication G/W 112 to send the corresponding server side's shared key, using the received terminal ID as the index, and receives it therefrom (steps 216 and 218). The APP server 113 performs the service authentication by confirming whether the terminal side's shared key is the same as the server side's shared key (step 220), and then sends the authentication result to the APP client 103, together with the user information provided by the authentication G/W 112 (step 222). In other words, the APP server 113 can identify the person who requested the service authentication from the user information provided by the authentication G/W 112, and returns the authentication result to the APP client 103. As a result, although the APP server 113 receives no separate ID and password from the user, the service connection succeeds on the basis of the terminal's inherent ID and the shared key, and the APP server 113 also learns the user information.
The method of the present invention as described above may be implemented as a software program stored in a computer-readable storage medium such as a CD-ROM, RAM, ROM, floppy disk, hard disk, magneto-optical disk, or the like.
This procedure may be readily carried out by those skilled in the art, and therefore details thereof are omitted here.
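The shared-key linkage laid out in the Technical Solution above and in steps 200 to 222 of Fig. 2, as an added example that is not code from the patent or from KT Corp. The EAP-AKA run is replaced by a constructed MSK derivation, the unnamed "same algorithm" of steps 206 and 208 is assumed to be HMAC-SHA256 over a fixed label, and the encryption of the shared key on the wire is left out; it also shows two failure cases the flow implies, a terminal ID that never completed wireless authentication and a stale terminal-side key after the server has seen a fresh wireless session.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed: the "same algorithm" of steps 206/208 is HMAC-SHA256 keyed with the
# session key over a fixed label. The patent does not name the algorithm.
SHARED_KEY_LABEL = b"service-auth-shared-key"


def simulate_eap_aka(terminal_id: str, subscriber_secret: bytes, rand: bytes) -> bytes:
    """Stand-in for the EAP-AKA run between WCM 101 and AAA server 111.

    Constructed for this example: both sides hold subscriber_secret, only rand
    is exchanged, and each side computes the MSK locally, so the MSK itself
    never crosses the network (the property the text relies on).
    """
    material = b"MSK|" + terminal_id.encode() + b"|" + subscriber_secret + b"|" + rand
    return hashlib.sha256(material).digest()


def derive_shared_key(session_key: bytes) -> bytes:
    """Steps 206 and 208: hash the session information with one agreed algorithm."""
    return hmac.new(session_key, SHARED_KEY_LABEL, hashlib.sha256).digest()


class WirelessCommonSessionManager:
    """WCSM 102 on the terminal: keeps the terminal side's shared key per terminal ID."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def on_wireless_connected(self, terminal_id: str, session_key: bytes) -> None:
        # Step 202: WCM hands over terminal ID + session information; step 206: derive.
        self._keys[terminal_id] = derive_shared_key(session_key)

    def service_auth_factor(self, terminal_id: str) -> Tuple[str, bytes]:
        # Steps 210/212: the APP client asks for the authentication factor.
        return terminal_id, self._keys[terminal_id]


class AuthenticationGateway:
    """Authentication G/W 112: server side's shared key and user profile indexed by terminal ID."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._profiles: Dict[str, dict] = {}

    def on_wireless_connected(self, terminal_id: str, session_key: bytes, profile: dict) -> None:
        # Step 204: AAA hands over terminal ID + session information; step 208: derive.
        # A new wireless session replaces the old key, so stale keys stop working.
        self._keys[terminal_id] = derive_shared_key(session_key)
        self._profiles[terminal_id] = profile

    def lookup(self, terminal_id: str) -> Tuple[Optional[bytes], Optional[dict]]:
        # Steps 216/218: the APP server requests the factor for this terminal ID.
        return self._keys.get(terminal_id), self._profiles.get(terminal_id)


class AppServer:
    """APP server 113: compares terminal side's and server side's shared keys (step 220)."""

    def __init__(self, gateway: AuthenticationGateway) -> None:
        self._gateway = gateway

    def authenticate(self, terminal_id: str, terminal_key: bytes) -> Tuple[bool, Optional[dict]]:
        server_key, profile = self._gateway.lookup(terminal_id)
        if server_key is None:
            return False, None  # terminal never completed wireless authentication
        if not hmac.compare_digest(server_key, terminal_key):
            return False, None  # stale session or wrong factor; constant-time compare
        return True, profile  # step 222: success together with the user information


def run_flow() -> dict:
    """Drive the whole linkage once and return the observable outcomes."""
    wcsm, gateway = WirelessCommonSessionManager(), AuthenticationGateway()
    app_server = AppServer(gateway)
    terminal_id = "TID-0001"  # constructed sample terminal ID
    secret = b"constructed-subscriber-secret"  # constructed sample long-term secret

    # Wireless connection procedure 200: both sides derive the same MSK from rand.
    rand = secrets.token_bytes(16)
    wcsm.on_wireless_connected(terminal_id, simulate_eap_aka(terminal_id, secret, rand))
    gateway.on_wireless_connected(terminal_id, simulate_eap_aka(terminal_id, secret, rand),
                                  {"user": "alice"})

    # Service connection procedure: no ID/password, only terminal ID + shared key.
    ok, profile = app_server.authenticate(*wcsm.service_auth_factor(terminal_id))

    # Unknown terminal ID: it never authenticated on the wireless side.
    unknown_ok, _ = app_server.authenticate("TID-9999", wcsm.service_auth_factor(terminal_id)[1])

    # Fresh wireless session seen only by the server side: the APP client's old
    # factor no longer matches, so the earlier session cannot be reused.
    new_msk = simulate_eap_aka(terminal_id, secret, secrets.token_bytes(16))
    gateway.on_wireless_connected(terminal_id, new_msk, {"user": "alice"})
    stale_ok, _ = app_server.authenticate(*wcsm.service_auth_factor(terminal_id))

    return {"ok": ok, "profile": profile, "unknown_ok": unknown_ok, "stale_ok": stale_ok}


if __name__ == "__main__":
    print(run_flow())
```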
While the present invention has been described with respect to the particular embodiments, it will be apparent to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the following claims.

Claims

WHAT IS CLAIMED IS:
1. A network/service connection management server for linkage between wireless connection and application service connection, comprising: a wireless connection managing unit for performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; an authentication gateway for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (server side's shared key) by using the session information and storing it in connection with the terminal ID, and transferring the server side's shared key upon request of an application service providing unit; and the application service providing unit for accepting the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal, and comparing the server side's shared key received from the authentication gateway in response to its request with the terminal side's shared key to execute the service connection authentication.
2. The network/service connection management server of claim 1, wherein the wireless connection managing unit performs wireless connection authentication with the user terminal depending on an EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement) protocol.
3. The network/service connection management server of claim 2, wherein the wireless connection managing unit is an AAA (Authentication, Authorization and Accounting) server.
4. The network/service connection management server of claim 1, wherein the application service providing unit compares the server side's shared key with the terminal side's shared key, and transmits an authentication success message to the user terminal if the shared keys are identical to each other and transmits an authentication failure message to the user terminal if they are different from each other.
5. The network/service connection management server of claim 4, wherein the application service providing unit transmits user information in addition to the authentication success message.
6. The network/service connection management server of claim 4, wherein the session information is shared with the user terminal during the wireless connection authentication procedure of the wireless connection managing unit.
7. A user terminal for linkage between wireless connection and application service connection, comprising: a wireless connection managing unit for performing a wireless connection authentication procedure with a network/service connection managing server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure; a wireless common session managing unit for receiving the terminal ID and the session information from the wireless connection managing unit, generating a shared key (terminal side's shared key) by using the session information and storing it in association with the terminal ID, and transferring the terminal side's shared key upon request of an application service request unit; and the application service request unit for transmitting the terminal ID and the terminal side's shared key to the network/service connection management server along with a service authentication request.
8. The user terminal of claim 7, wherein the wireless connection managing unit performs wireless connection authentication with the network/service connection managing server depending on an EAP-AKA protocol.
9. The user terminal of claim 7, wherein the session information is shared with the network/service connection managing server during the wireless connection authentication procedure of the wireless connection managing unit.
10. The user terminal of claim 7, wherein the application service request unit encrypts and transmits the terminal side's shared key.
11. The user terminal of claim 10, wherein the application service request unit further performs the function of receiving a service authentication result from the network/service connection managing unit.
12. A network/service connection management method for use in a network/service connection management server, comprising steps of:
(a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure;
(b) if the wireless connection is authenticated in the step (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID;
(c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and
(d) searching the server side's shared key by using the terminal ID from the user terminal, and comparing the searched server side's shared key with the terminal side's shared key to perform the service connection authentication.
13. The network/service connection management method of claim 12, further comprising the step (e) of transmitting the service authentication result in the step (d) to the user terminal.
14. The network/service connection management method of claim 13, wherein the step (e) transmits user information in addition to the service authentication result.
15. The network/service connection management method of claim 12, wherein the wireless connection authentication procedure in the step (a) is carried out depending on an EAP-AKA protocol.
16. The network/service connection management method of claim 15, wherein the session information is shared with the user terminal during the wireless connection authentication procedure in the step (a).
17. A network/service connection management method for use in a user terminal, comprising steps of:
(a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure;
(b) if the wireless connection is authenticated in the step (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal's ID; and
(c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
18. The network/service connection management method of claim 17, further comprising the step (d) of receiving a service authentication result from the network/service connection management server.
19. The network/service connection management method of claim 17, wherein the wireless connection authentication procedure in the step (a) is carried out depending on an EAP-AKA protocol.
20. The network/service connection management method of claim 19, wherein the session information is shared with the network/service connection management server during the wireless connection authentication procedure in the step (a).
21. The network/service connection management method of claim 20, wherein the step (c) encrypts and transmits the shared key.
22. A computer-readable storage medium which stores, in a network/service connection management server having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of:
(a) performing a wireless connection authentication procedure with a user terminal and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure;
(b) if the wireless connection is authenticated in the function (a), generating a shared key (server side's shared key) by using the session information and managing the server side's shared key in association with the terminal ID;
(c) receiving the terminal ID and a shared key (terminal side's shared key) along with a service authentication request from the user terminal; and
(d) searching the server side's shared key by using the terminal ID received from the user terminal, and comparing the searched server side's shared key with the terminal side's shared key to perform service connection authentication.
23. The computer-readable storage medium of claim 22, further comprising the function (e) of transmitting a service authentication result in the function (d) to the user terminal.
24. A computer-readable storage medium which stores, in a user terminal having a processor for linkage between wireless connection and application service connection, a software program for implementing the functions of:
(a) performing a wireless connection authentication procedure with a network/service connection management server and acquiring an inherent identification number (terminal ID) of the user terminal and session information during the wireless connection authentication procedure;
(b) if the wireless connection is authenticated in the function (a), generating a shared key (terminal side's shared key) by using the session information and managing the terminal side's shared key in association with the terminal ID; and
(c) transmitting the terminal ID and the terminal side's shared key to the network/service connection management server to request service connection authentication.
PCT/KR2006/005713 2006-06-30 2006-12-26 System and method for managing network/service access for linkage between network access and application service Ceased WO2008001988A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2006-0061185 2006-06-30
KR1020060061185A KR100837817B1 (en) 2006-06-30 2006-06-30 Network / service access management system and method for linkage between network access and application service access

Publications (1)

Publication Number Publication Date
WO2008001988A1 true WO2008001988A1 (en) 2008-01-03

Family

ID=38845728

Country Status (2)

Country Link
KR (1) KR100837817B1 (en)
WO (1) WO2008001988A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457954A (en) * 2013-09-11 2013-12-18 陈迪 Method and device for user password management
CN103747423A (en) * 2013-12-25 2014-04-23 华为技术有限公司 Registration method, apparatus and system of terminal application

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101038096B1 (en) * 2010-01-04 2011-06-01 전자부품연구원 Key Authentication Method in Binary CDMA

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275941B1 (en) * 1997-03-28 2001-08-14 Hiatchi, Ltd. Security management method for network system
WO2004032415A1 (en) * 2002-10-03 2004-04-15 Nokia Corporation Method and apparatus enabling reauthentication in a cellular communication system
WO2004034720A2 (en) * 2002-10-08 2004-04-22 Nokia Corporation Method and system for establishing a connection via an access network
US20050289643A1 (en) * 2004-06-28 2005-12-29 Ntt Docomo, Inc. Authentication method, terminal device, relay device and authentication server
US20060023682A1 (en) * 2004-07-28 2006-02-02 Nec Corporation Wireless communication network, wireless terminal, access server, and method therefor

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001312468A (en) * 2000-04-28 2001-11-09 Konami Co Ltd Network connection control method and connection control system
KR20010105705A (en) * 2000-05-17 2001-11-29 정문술 Method for providing integrated user management environment to multi-internet service and system for the same
KR101019849B1 (en) * 2004-02-20 2011-03-04 KT Corp User Information Sharing System and Method
KR100813791B1 (en) * 2004-09-30 2008-03-13 KT Corp Integrated authentication processing device and method for personal mobility in wired / wireless integrated service network
KR20070024116A (en) * 2005-08-26 2007-03-02 KT Corp Network service access management system and method based on terminal authentication

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457954A (en) * 2013-09-11 2013-12-18 Chen Di Method and device for user password management
CN103747423A (en) * 2013-12-25 2014-04-23 Huawei Technologies Co., Ltd. Registration method, apparatus and system of terminal application
US9680814B2 (en) 2013-12-25 2017-06-13 Huawei Technologies Co., Ltd. Method, device, and system for registering terminal application
CN103747423B (en) * 2013-12-25 2018-05-11 Huawei Technologies Co., Ltd. Registration method, apparatus and system of terminal application

Also Published As

Publication number Publication date
KR100837817B1 (en) 2008-06-13
KR20080002382A (en) 2008-01-04

Similar Documents

Publication Publication Date Title
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
JP6612358B2 (en) Method, network access device, application server, and non-volatile computer readable storage medium for causing a network access device to access a wireless network access point
US8145193B2 (en) Session key management for public wireless LAN supporting multiple virtual operators
JP4701172B2 (en) System and method for controlling access to network using redirection
US7310307B1 (en) System and method for authenticating an element in a network environment
CN102550001B (en) User identity management for permitting interworking of a bootstrapping architecture and a shared identity service
US8275355B2 (en) Method for roaming user to establish security association with visited network application server
CN102369750B (en) Method and apparatus for managing authentication of users
US9686669B2 (en) Method of configuring a mobile node
KR20070032805A (en) System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks
US20050135622A1 (en) Upper layer security based on lower layer keying
DK2924944T3 (en) Presence authentication
WO2004034645A1 (en) Identification information protection method in wlan interconnection
JP2005519501A (en) System, method and apparatus for single sign-on service
JP2004241976A (en) Mobile communication network system and method for authenticating mobile terminal
WO2011026404A1 (en) Session updating method for authentication, authorization and accounting and equipment and system thereof
EP2206400A1 (en) Systems and methods for wireless network selection
CN1795656B (en) Method for safely initializing user and confidential data
WO2024186592A1 (en) Double blind private wireless local area networking
KR101002471B1 (en) Broker-based Federation with Hierarchical Authentication
CN1921682B (en) Enhancing the key agreement method in the general authentication framework
US8102762B2 (en) Communication control system and communication control method
CN115314895A (en) WAPI user identification method, system and access area AS
US20060190601A1 (en) Localized authentication, authorization and accounting (AAA) method and apparatus for optimizing service authentication and authorization in a network system
WO2008001988A1 (en) System and method for managing network/service access for linkage between network access and application service

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 06835417; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
NENP Non-entry into the national phase (Ref country code: RU)
32PN Ep: public notification in the EP bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 06-04-2009)
122 Ep: PCT application non-entry in European phase (Ref document number: 06835417; Country of ref document: EP; Kind code of ref document: A1)