[0001] This invention relates to mobile packet networks and is particularly, but not necessarily, related to authentication of a mobile node connecting to a mobile IP (Internet Protocol) network.
[0002] In mobile IP networking, a terminal, such as a laptop computer having a Wireless Local Area Network (WLAN) adapter coupled thereto, connects to its home agent via a foreign agent. In functional terms, the terminal acts as a mobile node in the network. The terms mobile node, home agent and foreign agent are explained in publication Request For Comments 2002 as follows:
[0003] Mobile Node (MT): A host or router that changes its point of attachment from one network or sub-network to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its (constant) IP address, assuming that link-layer connectivity to a point of attachment is available.
[0004] Home Agent (HA): A mobile node belongs to a home network to which belongs a home agent of the mobile node. The HA is a router on a mobile node's home network which tunnels datagrams for delivery to the mobile node when it is away from home, and maintains current location information for the mobile node.
[0005] Foreign Agent: A router on a network being visited by the mobile node which provides routing services to the mobile node whilst it is registered. The foreign agent detunnels and delivers datagrams to the mobile node that were tunneled by the mobile node's home agent. For datagrams sent by a mobile node, the foreign agent may serve as a default router for mobile nodes registered with it.
[0006] Mobility Agent: Either a home agent or a foreign agent.
[0007] In the publication RFC2002, it is further explained that a mobile node is given a long-term IP address or home address in its home network. This home address is administered in the same way as a “permanent” IP address which is provided to a stationary host. When away from its home network, a “care-of address” is associated by the home agent with the mobile node and indicates the mobile node's current point of attachment. The mobile node may use its home address as the source address of IP datagrams that it sends.
[0008] It is often desirable for a mobile node to be authenticated on connection to an IP network. One way for an IP network to recognise a mobile node is by using a shared secret key known by both the IP network and the mobile node. The shared secret is to be used as the cryptographic key. The shared secret can be first known by the IP network and then be stored in a mobile node if the management of the IP network gets a secure access to the mobile node. In the interest of security, the shared secret should not be sent over a network susceptible to eavesdropping. Therefore, the mobile node should be supplied to the management of the IP network. In the future, there are likely to be many different IP networks. According to the present arrangement, a mobile node would need to be provided with a database of secret keys in order to have one for each of the different IP networks with which it could be connected.
[0009] WO00/02406 discloses an authentication method intended for a telecommunications network, especially for an IP network. From a terminal in the network a first message containing an authenticator and a data unit is transmitted to the network, the data unit containing information relating to the manner in which the authen- ticator is formed. For carrying out authentication in the network, the data unit contained in the first message is used for determining a check value, which is compared with the said authenticator. To make it unnecessary for the terminal to perform any complicated and heavy exchange of messages when attaching to the network and for still obtaining the desired security characteristics for use, such an identification unit is used in the terminal which receives as input a challenge from which a response and a key can be determined essentially in the same manner as in the subscriber identity module of a known mobile communications system, a set of authentication blocks is generated into the network, of which each contains a challenge, a response, and a key, whereby the generation is performed in the same manner as in the said mobile communication system, at least some of the challenges contained by the authentication blocks are transmitted to the terminal:
[0010] one of the challenges is chosen for use at the terminal, and, based on it, a response and a key for use are determined with the aid of the terminal's identification unit, in the said first message the network is notified with the aid of the said data unit of which key corresponding to which challenge was chosen, and the authenticator of the first message and the said check value are determined with the aid of the chosen key.
[0011] WO00/02407 concerns authentication to be performed in a telecommunications network, especially in an IP network. To allow a simple and smooth authentication of users of an IP network in a geographically large area, the IP network's terminal (TE
[0012] This document discloses sending a set of challenges in case some of the challenges would conflict with reserved Security Parameter Index (SPI) values, which wastes data transmission bandwidth and is a potential security risk as it provides more data for hacking a mobile communications system's secret using which the subscriber-specific authentication information is formed.
[0013] In both WO00/02406 and WO00/02407, the terminal needs to send the response without having any assurance of the challenges being fresh and received from a bona fide network. Therefore, the terminal is not able to determine whether the challenges are part of a replay attack.
[0014] According to a first aspect of the invention there is provided an authentication method for authenticating a mobile node to a packet data network, comprising the steps of:
[0015] providing the mobile node with a mobile node identity and a shared secret specific for the mobile node identity and usable by a telecommunications network;
[0016] providing the mobile node with a protection code;
[0017] sending the mobile node identity and the protection code from the mobile node to the packet data network;
[0018] providing the packet data network with authentication information usable by the telecommunications network, the authentication information comprising a challenge and a session secret corresponding to the mobile node identity and derivable using the challenge and the shared secret;
[0019] forming cryptographic information using at least the protection code and the session secret;
[0020] sending the challenge and the cryptographic information from the packet data network to the mobile node;
[0021] checking at the mobile node the validity of the cryptographic information using the challenge and the shared secret;
[0022] generating at the mobile node the session secret and a first response corresponding to the challenge, based on the shared secret;
[0023] sending the first response to the packet data network; and checking the first response for authenticating the mobile node.
[0024] Preferably, the method further comprises the steps of:
[0025] providing the mobile node with a subscriber identity for the telecommunications network; and
[0026] forming from the subscriber identity a Network Access Identifier as the mobile node identity by the mobile node.
[0027] Preferably, the method further comprises the step of recognising the telecommunications network at the packet data network directly from the mobile node identity.
[0028] Preferably, the method further comprises the step of providing the packet data network with a shared session key based on at least one session secret.
[0029] Preferably, the method further comprises the step of providing a communications link between the packet data network and the mobile node for communicating said challenge between them, the communications link not being a link of the telecommunications network.
[0030] Preferably, the method further comprises the step of using a Subscriber Identity Module for the providing the mobile node with a mobile node identity. Preferably, the Subscriber Identity Module is used in generating of the session secret based on a shared secret specific for the mobile node identity.
[0031] Preferably, the method further comprises the steps of:
[0032] obtaining a second response by the telecommunications network; and
[0033] using the second response in the checking the first response.
[0034] Preferably, the method further comprises the step of sending the challenge from the telecommunications network to the mobile node via the packet data network.
[0035] Preferably, the protection code is based on time.
[0036] Preferably, the challenge is based on RAND codes of at least two authentication triplets of the telecommunications network.
[0037] Preferably, the challenge is cryptographically formed using at least the n RAND codes.
[0038] Preferably, the method further comprises the step of providing the packet data network with a shared session key based on n session keys Kc corresponding to n RAND codes of the challenge.
[0039] Preferably, the method further comprises the step of generating an authentication key based on the shared secret, the protection code, and on an algorithm known by the mobile node and by the packet data network. In this way, it is possible to authenticate communications between the mobile node and the packet data network. The higher the number of session keys Kc is used, the stronger a shared session key K becomes.
[0040] Preferably, the packet data network is an IP network. Most preferably, the packet data network is a mobile IP network.
[0041] In an alternative embodiment, the method further comprises the step of generating a shared session key for Internet Key Exchange, wherein the shared session key is based on the at least one session secret and the at least one challenge.
[0042] In an alternative embodiment, the step of providing the mobile node with the mobile node identity and the shared secret specific to the mobile node identity further comprises the steps of:
[0043] forming a local connection between the mobile node and a mobile station, whereby the mobile station has a mobile node identity and the shared secret specific to the mobile node identity;
[0044] forming a local connection between the mobile node and a mobile station having the mobile node identity and the shared secret specific to the mobile node identity; and
[0045] retrieving the mobile node identity and the shared secret from the mobile station to the mobile node.
[0046] Preferably, the step of providing the mobile node with the mobile node identity and the shared secret specific for the mobile node identity further comprises the sub-steps of:
[0047] forming a local connection between the mobile node and a subscriber identity module having the mobile node identity and the shared secret specific for the mobile node identity; and
[0048] retrieving from the subscriber identity module to the mobile node the mobile node identity and a session secret specific to the mobile node identity.
[0049] According to a second aspect of the invention there is provided an authentication method in a mobile node for authenticating a mobile node to a packet data network, comprising the steps of:
[0050] providing the mobile node with a mobile node identity and a shared secret specific to the mobile node identity and usable by a telecommunications network;
[0051] providing the mobile node with a protection code;
[0052] sending the mobile node identity and the protection code to the packet data network;
[0053] receiving a challenge and cryptographic information from the packet data network;
[0054] checking the validity of the cryptographic information using the challenge and the shared secret;
[0055] generating a session secret and a first response corresponding to the challenge, based on the shared secret; and
[0056] sending the first response to the packet data network.
[0057] According to a third aspect of the invention there is provided an authentication method in a packet data network for authenticating a mobile node to the packet data network, comprising the steps of:
[0058] receiving a mobile node identity and a protection code from a mobile node, the mobile node identity corresponding to a shared secret;
[0059] obtaining authentication information usable by the telecommunications network, the authentication information comprising a challenge and a session secret corresponding to the mobile node identity and derivable using the challenge and the shared secret;
[0060] forming cryptographic information using at least the protection code and the session secret;
[0061] sending the challenge and the cryptographic information to the mobile node;
[0062] receiving a first response from the mobile node; and
[0063] verifying the first response using the session secret.
[0064] According to a fourth aspect, there is provided a method for communicating between a packet data network and a mobile node having an access to a subscriber identity of a mobile telecommunication network, comprising the steps of:
[0065] providing a mobile node with a subscriber identity for the telecommunications network; and
[0066] forming, by the mobile node, of the subscriber identity a Network Access Identifier as a mobile node identity for use by the packet data network.
[0067] According to a fifth aspect, there is provided an authentication method in a gateway for acting as an interface between a packet data network and a telecommunications network having an access to an authentication server, comprising the steps of:
[0068] receiving a Network Access Identifier from the packet data network;
[0069] forming a subscriber identity suitable for use in a telecommunications network from the Network Access Identifier;
[0070] providing the telecommunications network with the subscriber identity;
[0071] receiving from an authentication server a challenge and a session secret that corresponds to the challenge and to the subscriber identity; and
[0072] providing the packet data network with the challenge.
[0073] According to a sixth aspect, there is provided a Gateway for acting as an interface between interfacing a packet data network and a telecommunications network having an access to an authentication server, the gateway comprising:
[0074] an input for receiving a mobile node identity and a protection code from the packet data network;
[0075] an output for providing the authentication server with the mobile node identity;
[0076] an input for receiving a challenge and a session secret corresponding to the mobile node identity from the authentication server;
[0077] a first processor for forming cryptographic information using at least the protection code and the session secret;
[0078] an output for providing the packet data network with the challenge and the cryptographic information for further transmission to a mobile node;
[0079] an input for receiving a first response corresponding to the challenge, based on a shared secret specific to the subscriber identity and known by the mobile node and the telecommunications network, from the mobile node via the packet data network; and
[0080] a second processor for verifying the first response for authenticating the mobile node.
[0081] According to a seventh aspect, there is provided a gateway for acting as an interface between a packet data network and a telecommunications network having an access to an authentication server, the gateway comprising:
[0082] a first input for receiving a Network Access Identifier from the packet data network;
[0083] a processor for forming a subscriber identity suitable for use in a telecommunications network from the Network Access Identifier;
[0084] a first output for providing the telecommunications network with the subscriber identity;
[0085] a first input for receiving from an authentication server a challenge and a session secret corresponding to the challenge and to the subscriber identity; and
[0086] a second output for providing the packet data network with the challenge.
[0087] According to an eighth aspect, there is provided a communication system comprising:
[0088] a telecommunications network;
[0089] a packet data network;
[0090] a mobile node;
[0091] the mobile node comprising a first processor for forming a protection code;
[0092] a gateway for acting as an interface between the packet data network with the telecommunications network;
[0093] a subscriber identity module accessible by the mobile node comprising a subscriber identity and a shared secret;
[0094] an authentication server for the telecommunications network comprising the shared secret mapped to the subscriber identity;
[0095] the authentication server being adapted to receive the subscriber identity and responsively to return a challenge;
[0096] the gateway comprising a second processor for forming cryptographic information based on the protection code;
[0097] the mobile node being adapted to receive from the gateway the challenge and the cryptographic information; and being adapted to provide the subscriber identity module with the challenge to responsively to receive a first response based on the challenge and the shared secret;
[0098] the first processor being further adapted to verify the protection code to authenticate the gateway to the mobile node; and
[0099] a third processor accessible by the gateway for verifying the first response in order to authenticate the mobile node.
[0100] According to a ninth aspect, there is provided a communication system comprising:
[0101] a telecommunications network;
[0102] a packet data network;
[0103] a mobile node having a mobile node identity;
[0104] a gateway for acting as an interface between the packet data network with the telecommunications network;
[0105] a subscriber identity module accessible by the mobile node comprising a subscriber identity and a shared secret;
[0106] an authentication server for the telecommunications network comprising the shared secret mapped to the subscriber identity;
[0107] a first processor accessible by the gateway for forming the subscriber identity of the mobile node identity for the telecommunications network;
[0108] the authentication server being adapted to receive the subscriber identity and responsively to return a challenge;
[0109] the subscriber identity module being adapted to receive the challenge and responsively to form a first response based on the challenge and the shared secret; and
[0110] a second processor accessible by the gateway for verifying the first response in order to authenticate the mobile node.
[0111] According to a tenth aspect, there is provided a mobile node comprising:
[0112] a subscriber identity module having a subscriber identity for identifying the subscriber to a telecommunication network and a shared secret specific to the subscriber identity module and known by an authentication server accessible by the telecommunication network;
[0113] a processor for forming a mobile node identity based on the subscriber identity; and
[0114] a communication block for communicating with a packet data network, adapted to send the mobile node identity to the packet data network and to receive responsively a challenge from the packet data network;
[0115] wherein the subscriber identity module is adapted to form a first response corresponding to the challenge, based on the shared secret.
[0116] According to an eleventh aspect, there is provided a computer program product for controlling a mobile node for authenticating the mobile node to a packet data network, comprising:
[0117] computer executable code to enable the mobile node to obtain a mobile node identity and a shared secret specific to the mobile node identity and usable by a telecommunications network;
[0118] computer executable code to enable the mobile node to obtain a protection code;
[0119] computer executable code to enable the mobile node to send the mobile node identity and the protection code to the packet data network;
[0120] computer executable code to enable the mobile node to receive a challenge and cryptographic information from the packet data network;
[0121] computer executable code to enable the mobile node to check the validity of the cryptographic information using the challenge and the shared secret;
[0122] computer executable code to enable the mobile node to generate a session secret and a first response corresponding to the challenge, based on the shared secret; and
[0123] computer executable code to enable the mobile node to send the first response to the packet data network.
[0124] According to a twelfth aspect, there is provided a computer program product for controlling a packet data network to authenticate a mobile node to the packet data network, comprising:
[0125] computer executable code to enable the packet data network to receive a mobile node identity and a protection code from a mobile node, the mobile node identity corresponding to a shared secret;
[0126] computer executable code to enable the packet data network to obtain authentication information usable by the telecommunications network, the authentication information comprising a challenge and a session secret corresponding to the mobile node identity and derivable using the challenge and the shared secret;
[0127] computer executable code to enable the packet data network to form cryptographic information using at least the protection code and the session secret;
[0128] computer executable code to enable the packet data network to send the challenge and the cryptographic information to the mobile node;
[0129] computer executable code to enable the packet data network to receive a first response from the mobile node; and
[0130] computer executable code to enable the packet data network to verify the first response using the session secret.
[0131] According to a thirteenth aspect, there is provided a computer program product for controlling a mobile node to communicate with a packet data network, the mobile node having an access to a subscriber identity usable by a telecommunications network, the computer program product comprising:
[0132] computer executable code to enable the mobile node to provide a mobile node with the subscriber identity; and
[0133] computer executable code to enable the mobile node to form a Network Access Identifier of the subscriber identity as a mobile node identity for use by the packet data network.
[0134] According to a fourteenth aspect, there is provided a computer program product for controlling a gateway for acting as an interface between a packet data network and a telecommunications network having an access to an authentication server, the computer program product comprising:
[0135] computer executable code to enable the gateway to receive a Network Access Identifier from the packet data network;
[0136] computer executable code to enable the gateway to form of the Network Access Identifier a subscriber identity suitable for use in a telecommunications network;
[0137] computer executable code to enable the gateway to provide the telecommunications network with the subscriber identity;
[0138] computer executable code to enable the gateway to receive from an authentication server a challenge and a session secret corresponding to the challenge and to the subscriber identity; and
[0139] computer executable code to enable the gateway to provide the packet data network with the challenge.
[0140] According to a fifteenth aspect there is provided a memory medium containing a computer program product according to any of the previous aspects.
[0141] In an alternative embodiment, the method comprises the step of authenticating the mobile node to the packet data network with a preliminary authentication method before authenticating the mobile node to the packet data network.
[0142] Advantageously, by utilising the secret shared between the telecommunications network and the mobile node, subscriber identity modules can be used for strong mutual authentication. This provides a straightforward trustworthy authentication procedure in which existing authentication data of the telecommunications network can be used.
[0143] The embodiments of one aspect also apply to various other aspects of the invention. In sake of briefness, the embodiments have not been repeated in connection with every aspect of the invention. A skilled reader will appreciate the advantages of the various aspects based on the advantages of the first aspect of the invention.
[0144] The invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161] In the following, a preferred embodiment of the invention will be described applied to a Global System for Mobile Communications (GSM) telecommunications network. For authenticating a mobile node to a packet data network, Subscriber Identity Module (SIM) cards normally used for authenticating GSM subscribers GSM networks are utilised. During authentication process, the SIM and the GSM telecommunications network communicate across the packet data network rather than the GSM telecommunications network.
[0162] The actual type of the telecommunications network is irrelevant. GSM is used as an example, but the network type could as well be Universal Mobile Telecommunications System (UMTS) or GSM with General Packet Radio Service (GPRS). Actually, GPRS can be understood as an extension to GSM rather than an independent network in the sense that GPRS operates using GSM radio access network and GSM authentication methods.
[0163] The invention will be described using three examples. Example 1 relates to a mobile IP implementation, where existing mobile IP extensions are utilised. Example 2 relates to a wireless LAN environment with roaming from one sub-network to another sub-network. Example 3 relates to generation of IKE keys for Internet nodes.
[0164] In the preferred embodiment of the invention, mobile nodes are identified by an International Mobile Subscriber Identity (IMSI) in the form of a string of digits. The IMSI is by definition a unique subscription identifier consisting of a national mobile subscriber identity and a mobile country code. For example, in the GSM, the IMSI is represented by bytes fewer than the number of digits in the IMSI.
[0165] The IMSI is transmitted in mobile IP messages as a Network Access Identifier (NAI). The NAI is in form of imsi@sonera.fi (for example “1234567@sonera.fi”) or imsi@gsm.org (for example “1234567@gsm.org”). Hence, the NAI carries an identity (for example as text or as an identifier number) of the mobile telecommunications network whose subscriber the mobile node is and an identification of the domain of the mobile node. This allows recognising the telecommunications network directly from the NAI.
[0166] The latter of those two examples of NAI, the gsm.org domain, is an example on an upper level domain that is adapted to seek for the appropriate domain relating to the relevant GSM telecommunications network operator.
[0167] The forming of the NAI from the IMSI allows later determination by the packet data network of the relevant GSM telecommunications network operator, based on the NAI alone. This removes need to maintain at the packet data network any local database mapping together different telecommunications network operators and their subscribers.
[0168] In general, identifying mobile nodes with NAIs is known to a person ordinarily skilled in mobile IP. An NAI extension can be included in a Registration Request or a Registration Reply, both of which are described later.
[0169] Operation of the SIM card in the GSM telecommunications network will now be explained. In GSM, there are known authentication algorithms which are referred to as A3 and A8. These algorithms run on the SIM and in the GSM telecommunications network. These algorithms and a GSM shared secret K
[0170] In authentication, the GSM telecommunications network operator generates a challenge RAND that is a 128 bit random code, which is to be used as a challenge, a corresponding 64 bit GSM session key Kc and a 32 bit signed response SRES for verifying the response to the challenge. The 64 bit session GSM session key Kc is generated by the A8 algorithm as A8(K
[0171]
[0172] The MIP comprises a plurality of Access Points AP for providing the MT with a wireless connection, a Public Access Controller PAC for controlling the APs and a Foreign Authentication, Authorisation and Accounting server FAAA.
[0173] The GSM network GSM_B is a home GSM network of the SIM_B. The GSM_B comprises a Home Authentication, Authorisation and Accounting server HAAA, which has a subscriber data database comprising accounting and authorisation data the subscribers of the GSM_B. These data include the IMSI and GSM shared secret K
[0174] The MIP is connected to the GSM_B by a GSM Authentication Gateway GAGW. The GAGW is a server and it has a memory MEM
[0175] An overview of the authentication process will now be briefly described. In order to authenticate a mobile node for a packet data network, a shared session key K is generated both in the MT and in the FAAA server. Authentication is carried out using GSM_B and its SIM, SIM_B. In this case the authentication procedure will be similar to that described above in relation to a basic GSM network. Authentication utilises the K
[0176] The SIM_B is accessed by providing the MT (for example a laptop computer with a wireless local area network adapter) with a SIM card reader. Alternatively, the MIP does not directly access the K
[0177]
[0178] 1. The MT sends to the FAAA a Network Access Identifier NAI and a protection code MT_RAND (also known in Mobile IP terminology as nonce) generated by the MT. The MT_RAND remains the same during an authentication session and it is meant to hinder replay attacks. The MT_RAND is typically a random number or based on time (a timestamp with certain resolution).
[0179] 2. The FAAA sends to the HAAA an initial identification message containing the IMSI or NAI of the MT, and the MT_RAND.
[0180] 3. The HAAA retrieves n GSM triplets, each comprising a RAND, a Kc, and a SRES. Then, the HAAA computes the K=H(n*Kc,MT_RAND) for the MT. Here n is an integer greater than or equal to 1, * represents the number of parameters (n*Kc refers to n different Kcs) and H ( ) represents a one-way hash function. The HAAA also computes a value SIGNrand which is calculated from MAC(K,n*RAND,MT_RAND), where MAC denotes a message authentication code. SIGNrand is a cryptographic checksum to verify that the n RANDs really originate from an entity that has access to the K
[0181] 4. The HAAA sends the n RANDs, the SIGNrand and optionally the IMSI to the FAAA. The IMSI itself need not be used if another session identifier has been sent with the IMSI in step 1 of this procedure. In this case, this session identifier would be used instead of the IMSI.
[0182] 5. The FAAA sends at least one RAND and SIGNrand to the MT.
[0183] 6. Using the i stored on the SIM_B, the MT calculates the K. Using the K, the n RANDs and the MT_RAND, the MT then tests SIGNrand. If SIGNrand is correct, the MT generates a copies of the n SRESs (one for each RAND). The MT computes a cryptographic checksum SIGNsres=HASH2(K,n*SRES) for the K and the SRESs.
[0184] 7. The MT sends the SIGNsres to the FAAA. In the MT, the calculation of the K is the same as the calculation of the K in the HAAA.
[0185] 8. The FAAA sends the SIGNsres to the HAAA.
[0186] 9. The HAAA verifies that SIGNsres is valid by checking that the equation SIGNsres=HASH2(K,n*SRES) applies with the values the MT has received. The HAAA sends the result (whether the SIGNsres is valid) to the FAAA. If the SIGNsres is valid, the HAAA sends also the K to the FAAA.
[0187] 10.Authentication is complete and the FAAA and the MT share the K.
[0188] The FAAA is functionally connected to several HAAAs and the FAAA selects the correct HAAA based on the domain part of the user's NAI, for example “sonera.fi”. The HAAA uses a HAAA-HAAA protocol to send the initial identification message to the correct HAAA or to GSM infrastructure such as a Mobile Switching Centre (MSC). According to an alternative embodiment, the FAAA is configured to communicate with a single HAAA and always sends the message in step 1 to that HAAA.
[0189] The procedure of
[0190] The MA then sends a Registration Reply with a New Session Key Reply extension to the MT. The Registration Reply contains the MT_RAND and the SIGNrand, so that the MT is able to verify that the RANDs are current and that they were generated by the GSM infrastructure. The Registration Reply also contains the remaining key lifetime, which can be equal to, or smaller than, the key lifetime proposed by the MT.
[0191] If the MT and the MA do not share a security context, the authentication of the first Registration Request and the Registration Reply will fail. The reply code in the Registration Reply is “mobile node failed authentication” or “identification mismatch”. In mobile IP, an authentication extension is used. The authentication extension has a special value for a security parameter index (SPI) field, meaning “New Session Key Exchange”. The SPI and the IP address of the MT are used as an index for managing authentication procedures regarding different mobile nodes. The authentication extension has also a field for an authenticator, that is typically a MAC code. The authenticator can be empty. Thus, if the MA does not support authentication according to the present invention, it will simply reply with the reply code “Mobile node failed authentication”. If the MA is a foreign agent, the MT should omit the authentication extension altogether.
[0192] After receiving the Registration Reply with the New Session Key Reply extension, the MT is able to verify the validity of the SIGNrand. If the SIGNrand is valid, the MT generates the key K and the SIGNsres and creates a new security context for the MA or, if such already exists, updates the context with the new K. This key will used as the Mobile IP authentication key in subsequent registration messages.
[0193] The MT includes the SIGNsres in an SRES extension in the next registration request it sends to the MA. The MA sends the SIGNsres to the HAAA, which verifies it and sends an indication to the MA. If the SIGNsres is valid, the HAAA also sends the K to the MA. Now the MA can create/update the security context for the MT.
[0194] If the MA is the FA, the K could now be distributed to all the foreign agents in the visited domain.
[0195] Since the MA may need to get the SRES extension quickly, it is advantageous that the MT sends the Registration Request with the SRES extension immediately after reception of the RAND.
[0196] The security context created by the K exchange mechanism described above has an SPI. Here, another well-known SPI is used for the SIM-generated security context. A value is reserved for the SPI “SIM-generated security context” and for the SPI “new session key exchange”.
[0197] According to the preferred embodiment, the default algorithm in Mobile IP authentication is keyed MD5 in prefix+suffix mode. In this mode, an authentication digest for a message is calculated by running MD5 over the following stream of bytes: a first occurrence of the K and the protected fields from the Registration Request and a second occurrence the K.
[0198] The authentication digest is transmitted in an authentication extension as shown in
[0199] In Mobile IP authentication according to the preferred embodiment, the security contexts (including the K) are generated by using the SIM_B. Because the RANDs are generated by the GSM_B, for example by the HAAA, the MT needs first to send its IMSI to the MA with which it is registering. Then the MA is able to use the FAAA-HAAA protocol in order to obtain GSM authentication information for the MT (as described above) and use this information for generating the K, with the MT. After the K has been generated, the MT is able to register with/through the MA. The K can be used for several subsequent registrations. However, there is a lifetime for this K and before the lifetime expires, a new K can be generated by a similar procedure.
[0200] The K exchange messages between the MT and the MA are transmitted as extensions to the Registration Request and Registration Reply. Three new extensions to registration messages between the MT and the MA are needed in order to agree upon the K. These extensions are a New Session Key Request extension, a New Session Key Reply extension and an SRES extension.
[0201] Typically, the MT knows that its HA supports the authentication according to the present invention. However, the MT may not know which authentication method or methods the FA supports. To test whether the FA supports the authentication method according to the invention, the MT includes the New Session Key Request extension for the foreign agent in the first Registration Reply and omits the Mobile-Foreign authentication extension. The New Session Key Request extension is optional. If the FA does not support it, the FA should ignore it and remove it before forwarding the request to the HA. When the MT receives the Registration Reply, it implements the following logic:
[0202] If the Registration Reply contains a New Session Key Reply extension and the reply code from the FA is the error code “mobile node failed authentication”, the FA supports authentication according to the present invention. If the New Session Key Reply is valid, the MT creates a security context for the FA and includes an SRES extension for the FA in the next Registration Request.
[0203] If the FA did not set the reply code to an error code and the Registration Reply does not contain a New Session Key Reply extension and the reply code from the FA is not set, the FA does not support the authentication but alternatively allows registrations without Mobile-Foreign authentication. The MT can carry out subsequent registrations with the FA without any authentication extensions being required.
[0204] If the Registration Reply does not contain a New Session Key Reply extension and the reply code from the foreign agent is the error code “mobile node failed authentication”, the FA does not support authentication according to the present invention and so requires a different kind of authentication. In this case, if the MT has only the authentication functionality according to the present invention, it cannot register with the FA.
[0205] When the FAAA receives a Registration Request from a mobile node with which the FA does not share a security context, the FA has the following options:
[0206] If there is an invalid Mobile-Foreign authentication extension in the Registration Request, the FA replies with the error code “mobile node failed authentication”. This is the standard Mobile IP behaviour.
[0207] If the Registration Request does not contain a Mobile-Foreign authentication extension and if the local policy does not require Mobile-Foreign authentication, the FA forwards the Registration Request to the HA. The FA does not include a New Session Key Reply extension in the Registration Reply even if there was a New Session Key Request extension in the Registration Request. This is the standard Mobile IP behaviour. This configuration could be useful, for example, in corporate access zones.
[0208] If the local policy in the FA requires Mobile-Foreign authentication, and there is no Mobile-Foreign Authentication extension nor New Session Key Request extension in the Registration Request, the FA replies with the error code “mobile node failed authentication”. This is the standard Mobile IP behaviour.
[0209] If the local policy in the FA requires Mobile-Foreign authentication, and the Registration Request contains a New Session Key Request extension and no Mobile-Foreign Authentication extension, then the FA does not forward the Registration Request to the home agent but instead replies with the error code “mobile node failed authentication” and includes a New Session Key Reply extension in the Registration Reply. If the MT then sends another Registration Request with a valid SRES extension and a valid Mobile-Foreign Authentication extension, the FA forwards the request to the HA.
[0210] Only certain GSM subscribers are authorised to register through a particular MA. User authorisation may be done in any of the following entities:
[0211] the GSM infrastructure. The GSM telecommunications network (MSC/HLR) may support authentication according to the present invention for certain subscribers only.
[0212] the HAAA. The HAAA may be configured with a list of authorised IMSIs. The HAAA may have a separate list for each access controller with which it is connected. This allows the HAAA to decide which subscribers are authorised users of a certain MA. If the HA is operated by the GSM telecommunications network operator, the HAAA may conveniently store this kind of authorisation information.
[0213] the FAAA. If a corporation operates the FAAA, for example for its employees, the corporation might want to control which GSM subscribers are allowed to register with the FAAA. In this case, the MA needs to maintain a list of authorised GSM subscribers. The MA also needs to see the IMSI in cleartext. If public key cryptography is used between the MS and HAAA to protect the IMSI, the HAAA may need to send the cleartext IMSI to the MA so that the MA can check whether the MT is authorised to register to the FAAA.
[0214] The new session key exchange extensions are normal (non-critical) extensions, preferably stored in an MT-AAA authentication extension. Alternatively, the session vendor-specific extensions can be used. If the receiver of the Registration Request does not recognise the extension, the extension is skipped.
[0215] Session key exchange between the MT and the FA is independent of the K exchange between the MT and the HA. Thus, a Registration Request contains any one of the following:
[0216] A New Session Key Request extension for the FA,
[0217] a New Session Key Request extension for the HA,
[0218] a New Session Key Request extension for both the FA and the HA,
[0219] an SRES extension for the FA,
[0220] an SRES extension for the HA,
[0221] an SRES extension for both the FA and the HA,
[0222] a New Session Key Request extension for the FA and an SRES extension for the HA, and
[0223] an SRES extension for the FA and a New Session Key Request for the HA.
[0224] Typically, the Registration Reply contains any one of the following:
[0225] a New Session Key Reply extension from the FA,
[0226] a New Session Key Reply extension from the HA, and
[0227] a New Session Key Reply extension from both the FA and the HA.
[0228] The format of the New Session Key Request Extension is shown in
[0229] The MT may place the New Session Key Request extension with a sub-type 2 (MT-HA) before the Mobile-Home authentication extension.
[0230] As can be seen from
Type Value 134 (skippable) Length The length of this extension in bytes, not including the Type and Length fields. For the New Session Key Request extension, the length is 26 bytes. Reserved Reserved for future use. To be set to 0. Vendor/Org-ID The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of a vendor of a mobile networking service, in network byte order. Vendor Type NEW_SESSION_KEY_REQUEST _VENDOR_TYPE. This value indicates that the particular type of this extension is a New Session Key Request extension. The administration of the Vendor-Types is done by the Vendor Subtype 1: MT-FA New Session Key Request extension 2: MT-HA New Session Key Request extension Key Lifetime Maximum key lifetime in seconds, two bytes long. MT_RAND A random number generated by the MT (16 bytes or 8 bytes).
[0231] This is an example on use of a vendor specific extension. Alternatively, another type of mobile IP specified extension can be used.
[0232] The format of the New Session Key Reply Extension is shown in
[0233] As can be seen from
Type Value 134 (skippable) Length The length of this extension in bytes, not including the Type and Length fields. For the New Session Key Reply extension, the length is 42 bits plus the length of n RANDs. Reserved Reserved for future use. To be set to 0. Vendor/Org-ID Value, for example 94 (Nokia). The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of vendor in network byte order. Vendor-Type This value indicates that the particular type of this extension is a New Session Key Reply extension. The administration of the Vendor-Types is done by the Vendor. Subtype 1: FA-MT New Session Key Reply extension 2: HA-MT New Session Key Reply extension Key Lifetime Remaining key lifetime in seconds SIGNrand The authenticator for n RANDs, 16 bytes. n*RAND n GSM RANDs (length n· 16 bytes).
[0234] The format of the SRES extension is shown in
[0235] The MT may place the SRES extension with sub-type 2 (MT-HA) in a Registration Request before the Mobile-Home authentication extension.
[0236] As can be seen from
Type 134 (skippable) Length The length of this extension in bytes, not including the Type and Length fields. For the New SRES extension, the length is 23 bytes. Reserved Reserved for future use. To be set to 0. Vendor/Org-ID The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of vendor in network byte order, as defined in the Assigned Numbers RFC [Assigned numbers]. Vendor-Type This value indicates that the particular type of this extension is an SRES extension. The administration of the Vendor-Types is done by the Vendor. Subtype 1: MT-FA SRES extension 2: MT-HA SRES extension SIGNsres The response calculated by the MT, 16 bytes.
[0237] In another embodiment of the invention, the shared session key exchange messages between the MT and the FA are transmitted by extending agent discovery messages to include IMSIs and RANDs.
[0238] In yet another alternative embodiment, an opaque authenticator field is used in the authentication extension. The beginning of this extension is used for sending RANDs, key lifetimes and other shared session key exchange parameters. The key exchange parameters are included in the calculation of the authenticator.
[0239] If the parameters are transmitted in a separate extension before the authentication extension, the data for key exchange becomes automatically included in the computation of the authentication extension. Furthermore, using separate extensions makes the system easier to implement. The authenticator is the result of the MAC function, for example a SIGNrand as computed according to step 2.
[0240] In a further embodiment, instead of using well-known SPIs for the SIM-generated security contexts, SPIs are communicated in the new shared session key exchange messages.
[0241]
[0242] The public wireless IP access networks (WISP
[0243] The MT functions as a mobile node. It can connect to a WISP. The MT can also roam from one network to another using a known technique. In WLAN, the roaming from one WLAN hot spot to another is referred to as WLAN roaming service. The WISPs have access to the Internet INET.
[0244] The MT has an equipment part ME and SIM_B provided for use with the second GSM telecommunications network GSM_B. The MT may not be a GSM compliant mobile station. In this case a user of the MT can access the second GSM telecommunications network GSM_B by providing a GSM mobile station with the SIM_B. Indeed, in this example, the MT is a laptop computer equipped with a WLAN adapter card (not shown) and a smart card reader (not shown) that can use the SIM_B. Alternatively, the MT is a device having a GSM mobile station part for communicating with GSM telecommunications networks and a WLAN terminal part for communicating with WLANs.
[0245] Both GSM telecommunications networks GSM_A and GSM_B comprise respective Mobile Switching Centres MSC
[0246] GSM_B is connected to the GSMCORE and can further be connected through the GSMCORE and the GAGW to the WISP
[0247] A GSM/GPRS -SIM based user mobility management functionality (user authentication and billing) can be used for public WLAN access zone authentication and billing functions. The SIM based authentication provides a relatively trustworthy verification of the subscriber's identity (authentication) for charging of the use. The GSM core GSMCORE provides roaming services for a GSM mobile station roaming between various operator networks. Advantageously, the roaming service is implemented using existing SIM cards and the GSM infrastructure. Consequently, the WISP roaming should not require any extra security keys from the MT. Furthermore, all the GSM users who obtained WLAN roaming service from their home operator have requisite the MT, SIM and necessary roaming software to be able to access the public network. A home operator provides the roaming MT with SIM_B for authenticating with it. GSM_B is alternatively a GSM telecommunications network supporting GPRS.
[0248] The operation of the system of
[0249] A roaming user need not have a pre-established customer relationship with a WISP. Instead, the roaming user may rely on his customer relationship with his home GSM telecommunications network in order to provide authentication and billing in the WLAN. WISP access is charged to the roaming user's GSM bill via a GSM telecommunications network operators' authentication gateway.
[0250] Here, these roaming services are used for allowing an MT to be authenticated and charged using a SIM both for accessing the GSM core as well as public IP access networks. The GSM telecommunications network operator bills the user for both the authenticating/roaming services and for the use of public IP access networks. Then, the GSM telecommunications network operator reimburses the use of public IP access networks for their operators.
[0251] In an alternative embodiment of the invention, the GSM telecommunications network operator may provide the subscriber with a WISP roaming SIM, which does not allow use of the GSM radio services. Such a dedicated SIM can be used to authenticate and debit services provided by a WLAN.
[0252] As is known from the GSM, the home GSM network stores customer information, such as authentication codes and user identity. Typically, this information is stored in a GSM Home Location Register (HLR) of an MSC. The GSM telecommunications network operator provides the IP based authentication and charging interface for one or several WISP operators, possibly also or only for corporate access solutions.
[0253] The GAGW supports seamless roaming between various GSM telecommunications network operators. The WISPs send all the authentication and billing information to the GAGW. The GAGW uses GSM core signaling known from GSM to convey the authentication and billing information to the corresponding home GSM telecommunications network operator. The signalling of billing information between different GSM telecommunications networks can be arranged in a manner similar to conventional roaming of a mobile telephone in a foreign GSM telecommunications network. In this case, the foreign GSM telecommunications network charges the home GSM telecommunications network for its service in arranging the telephone call.
[0254] In the system of
[0255] The MT supports authentication by using a SIM card. In an alternative embodiment, the MT supports one or more other authentication mechanisms, for example smart card authentication for corporate network access. Such an MT contains authentication software and the smart card but need not have keys for public access or any other security association.
[0256]
[0257] The PAC is the WISP's network entity which controls access from the radio access network to the Internet services. In this example, the PAC allocates an IP address to the MT and authenticates the MT before connection to the Internet is established. The PAC relays the authentication messages between the MT and the GAGW, collects the billing record and sends it to GAGW. The PAC also relays user data traffic between the MT and the Internet.
[0258] The SIM authentication is a complementary service for the PAC and the PAC supports additionally other authentication mechanisms such as password based authentication.
[0259] The interfaces of the system will now be described.
[0260] The MT-PAC interface is an IP based interface that is provided with authentication functionality. The authentication is designed so that it can be embedded in a well-known standard IP protocol or implemented as an extension to the existing protocol. The MT and PAC are identified using their IP addresses in this interface.
[0261] The PAC-GAGW interface is an IP based interface that uses a suitable authentication protocol. Typically, a single GAGW supports several PACs simultaneously. The GAGW identifies various PACs by using their IP addresses. In this interface, the MT identification is based on an IMSI code stored on the SIM_B.
[0262] The GAGW-HLR interface is implementation and vendor specific. The GAGW hides the cellular infrastructure from PACs. Therefore, the PAC-GAGW interface is always the same although the underlying cellular network may be of a different type (GSM, GPRS) or provided by a different vendor.
[0263]
[0264] An overview of the authentication is next explained by reference to the messages used during the authentication process:
[0265] 301. The MT communicates with the PAC to connect to the WISP
[0266] 302. The PAC sends information concerning the supported authentication mechanisms, such as SIM authentication, Public Key Infrastructure (PKI) or pre-shared key.
[0267] 303. The MT detects that SIM authentication is supported. The ME requests the IMSI from the SIM_B.
[0268] 304. The SIM_B responds to the IMSI request 303 by sending the IMSI to the ME.
[0269] 305. The MT forms a Network Access Identifier that is the IMSI in a Network Access Identifier (NAI) format, as explained in beginning of description of the example 1. The MT establishes a dynamic security association with the PAC, for example using Diffie-Hellman, and sends the NAI encrypted over the temporary secure channel. In an alternative embodiment, the NAI is sent as cleartext without encryption.
[0270] 306. The PAC decrypts the NAI, and forwards it in a data packet, again encrypted, to the GAGW over the secure PAC-GAGW interface. The IP address of the GAGW is statically configured in the PAC. A secure channel is formed between the PAC and the GAGW using their previously arranged shared secret.
[0271] 307. The GAGW verifies that the data packet came from a valid PAC, decrypts the packet, checks the NAI, extracts the IMSI and sends the IMSI with an authentication request to the nearest MSC. Next, the MSC analyses the IMSI to find out the home HLR of the subscriber indicated by the IMSI. Then, the MSC forwards the authentication request to the home HLR.
[0272] 308. The home HLR forms a set of one or more GSM authentication triplets (RAND, SRES, Kc) and sends the set to the originator MSC which forwards the set to the GAGW.
[0273] 309. The GAGW forms a packet containing the RANDs and a cryptographic checksum of the RANDs, generated using at least the Kcs. The GAGW preserves the SRESs for later use in a subsequent step 314.
[0274] 310. The PAC decrypts the packet and relays the RANDs and the cryptographic checksum to the MT.
[0275] 311. The MT inputs the RANDs to the SIM_B, which calculates corresponding Kc and SRES values.
[0276] 312. The MT checks that the Kcs match with the cryptographic checksum given by the PAC. If they match, the MT knows that the PAC has a connection to the HLR and so the PAC can be trusted.
[0277] 313. The MT generates a cryptographic checksum for the SRESs with Kcs and sends the checksum to the PAC.
[0278] 314. The PAC relays the checksum of the SRES to the GAGW. The GAGW checks whether the checksum matches with the SRESs it received from the MSC in step 308. If it matches, the GAGW sends an acknowledge message ACK to the PAC. If it does not match, then the GAGW sends a negative acknowledge NACK to the PAC.
[0279] 315. If the PAC receives a positive acknowledge message ACK confirming successful authentication, it completes the authentication by opening the access to the Internet. If the PAC receives a negative acknowledge message NACK, it refuses to open access to the Internet.
[0280] In an alternative embodiment, the IMSI is used in the preceding steps instead of the NAI.
[0281] The following tables list the parameters that are carried between elements of the system:
TABLE 1 Main parameters transferred between the MT and the GAGW Parameter Direction to Encryption Explanation IMSI/NAI GAGW Yes User ID for cellular network side RAND MT No Random authentication Challenge SRES GAGW Yes Authentication response to the HLR Hash(K_MT) MT Yes Authentication checksum for the MT Hash(K_GAGW) GAGW Yes Authentication checksum for the GAGW
[0282]
TABLE 2 Main parameters transferred between the MT and the PAC Parameter Direction to Encrypted? Explanation IMSI/NAI PAC Yes User ID for cellular network side Bill_ind MT Information of the costs
[0283]
TABLE 3 Main parameters transferred between the PAC and the GAGW Parameter Direction to Encrypted? Explanation Bill_ind PAC No Access pricing information User_class PAC Yes User class/profile (business, consumer, ...) K_RAN PAC Yes Air interface encryption key CDR GAGW Yes User's billing record (structure tbd)
[0284] Advantageously, an optional user_class parameter is used for defining the quality of service, for example the maximum bandwidth for a particular user.
[0285]
[0286] (Step 401) The MT sends an MT originated authentication starting request MT_PAC_AUTHSTART_REQ containing the NAI having the IMSI. The request typically also contains a protection code MT_RAND (known also as nonce in the context of mobile IP).
[0287] (Step 402) The PAC receives the MT_PAC_AUTHSTART_REQ from the MT and requests for GSM triplets by sending to the GAGW a message PAC_GAGW_AUTHSTART_REQ, also containing the NAI and the MT_RAND.
[0288] (Step 403) The GAGW obtains the GSM triplets from the home GSM telecommunications network. One triplet suffices, but the GSM telecommunications network may return a plurality of triplets, in which case either some of the triplets are discarded or stored for later use, or more advantageously, they all are used to generate a stronger key. The home GSM telecommunications network is recognised using the NAI.
[0289] (Step 404) The GAGW generates K, using an encryption algorithm, of at least the GSM session key(s) Kc. Advantageously, the MT_RAND is also used in the encryption. The GAGW encrypts the GSM RAND(s) of the GSM triplets, computes a cryptographic checksum, or a Message Authentication Code MAC, based on the RAND(s) and the K, and prepares an authentication start response message GAGW_PAC_AUTHSTART_RESP. The encryption between the GAGW and the PAC is based on their own shared secret.
[0290] (Step 411) The GAGW sends to the PAC an authentication start response message GAGW_PAC_AUTHSTART_RESP containing the RANDs, the MAC, the MT_RAND, a billing information code and a billing information MAC computed for the billing information code. Typically, the authentication start response message additionally contains a field for a session timeout parameter for determining the validity period of the new K to be generated and a field for the state of the session.
[0291] (Step 412) The PAC forwards to the MT the authentication start response message GAGW_PAC_AUTHSTART_RESP as a PAC_MT_AUTHSTART_RESP message.
[0292] (Step 413) The MT tests with the SIGNrand that the parameters carried by the GAGW_PAC_AUTHSTART_RESP and by the PAC_MT_AUTHSTART_RESP indeed originate from the GSM telecommunications network.
[0293] (Step 414) The MT handles the billing information it received from the GAGW. Typically, it provides the user with information relating to the price of the service requested by the user. Usually, this price is based on at least one of the following: a flat rate fee, a time based billing, number of data packets sent to or from the MT, and the Quality of Service QoS. The MT then asks the user whether the service should be obtained with the price given. The MT receives an answer from the user.
[0294] (Step 415) The MT generates a MAC of the SRESs to be used for responding to the GAGW.
[0295] (Step 416) The MT generates then an access secret Kpac_MT using at least the Kcs.
[0296] (Step 421) The MT generates and sends an MT_PAC_AUTHANSWER_REQ message to the PAC. The message contains in the state field an answer of the user showing whether the user accepted the billing for the service, the MAC of the SRESs, a MAC of the billing code, and the MT_RAND (as all the messages sent during an authenticating session).
[0297] (Step 422) The PAC generates a PAC_GAGW_AUTHANSWER_REQ containing the data of the MT_PAC_AUTHANSWER_REQ message and additionally the NAI and the IP address of the PAC.
[0298] (Step 423) The GAGW tests the MAC of the SRESs to verify that the data sent by the MT carried by the PAC_GAGW_AUTHANSWER_REQ has not been tampered with.
[0299] (Step 424) If the GAGW gets a positive answer to the test of the previous step, it generates the access key Kpac_MT in a manner similar to that used by the MT in step 416 and then proceeds to the step 431.
[0300] (Step 431) The GAGW sends to the PAC a message GAGW_PAC_AUTHANSWER_RESP_OK. The message contains the MT_RAND and codes filter_id, Kpac_MT and SIGNresult. The filter_id code is optional and indicates the user class of the subscriber. This can be used in defining a QoS, for example a high quality connection for more paying business users. The SIGNresult is a MAC of the data in the message for ultimately verifying to the MT that the reply from the GAGW is not altered on the way to the MT.
[0301] (Step 441) The PAC responds to the GAGW by a PAC_GAGW_STARTBILLING_REQ message requesting the GAGW to start the billing. The message contains the NAI and a session ID (the MT_RAND).
[0302] (Step 442) The GAGW checks the answer from the MT for verifying that the MT has permitted the billing.
[0303] (Step 451) If the MT has permitted the billing, the GAGW sends to the PAC a message GAGW_PAC-STARTBILLING_RESP_OK to indicate the start of billing.
[0304] (Step 452) The PAC sends to the MT a PAC_MT_AUTHANSWER_RESP_OK message containing the SIGNresult.
[0305] (Step 453) The MT receives the PAC_MT_AUTHANSWER_RESP_OK message and checks the SIGNresult it contains. If the SIGNresult is correct, the MT can inform the user of the start of billing.
[0306] The MAC of the billing code is computed at least using the Kcs so that the PAC cannot tamper with the billing code.
[0307] In the message PAC_MT_AUTHANSWER_RESP_OK, the MT is notified of the term of the authentication. The MT re-authenticates itself before the authentication term expires. If it does not re-authenticate, the connection of the MT to the PAC is released and the MT can authenticate itself again.
[0308] Advantageously, the MT receives billing information and decides how to handle it. Advantageously, the user of the MT can define a billing information handling policy. This policy can be used to define, for example, that no billing information is presented to the user in a re-authentication or normal authentication case. The handling of the billing information does not affect the protocol of messaging between the different entities (MT, PAC, GAGW, MSC and HLR).
[0309]
[0310] The operation starts from block
[0311] After mapping (block
[0312] Next, the steps related to billing are explained. In block
[0313] In the next phase, the PAC remains idle and provides periodical billing updates. These updates are triggered by debited events, such as transmission or reception of data packets. The PAC may combine the charges and, only after a certain period of time or after reaching of a certain triggering amount of charge, perform a billing update corresponding to the lump sum thus gathered. When billing an event, the PAC sends a PAC_GAGW_UPDATEBILLING_REQ to notify the GAGW about the billing update. The GAGW receives (block
[0314]
[0315] Then, the MT authentication is started (block